From 0f2a143ad8c8b0981e6e5f27e535ae1cb74ca157 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Wed, 10 Apr 2019 23:40:02 +0000 Subject: fix core configure user groups --- core/configure.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/configure.html b/core/configure.html index 90c97ea..0387c4e 100644 --- a/core/configure.html +++ b/core/configure.html @@ -186,7 +186,7 @@ 
         # useradd -U -m -k /etc/skel -s /bin/bash username
-        # usermod -G adm,wheel,audio,video username
+        # usermod -G adm,wheel,audio,video,users username
         # passwd username
-- cgit 1.4.1-2-gfad0 From c432a9f7e5e2faccf09d3465266f08561299acf1 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Wed, 10 Apr 2019 23:56:32 +0000 Subject: fix dev git default editor --- dev/git/install.html | 1 + tools/conf/etc/skel/.gitconfig | 1 + 2 files changed, 2 insertions(+) diff --git a/dev/git/install.html b/dev/git/install.html index 6a42abd..16311ed 100644 --- a/dev/git/install.html +++ b/dev/git/install.html @@ -22,6 +22,7 @@ 
     $ git config --global user.name "User Name"
     $ git config --global user.email user@devbox
+    $ git config --global core.editor "vim"

If you want to disable pager / paging you can set globally;

diff --git a/tools/conf/etc/skel/.gitconfig b/tools/conf/etc/skel/.gitconfig index f96ecf7..3af5f03 100644 --- a/tools/conf/etc/skel/.gitconfig +++ b/tools/conf/etc/skel/.gitconfig @@ -1,5 +1,6 @@ [core] pager = less -F -X + editor = vim [diff] tool = vimdiff [merge] -- cgit 1.4.1-2-gfad0 From f5971b13ab41c1131c796b509c06165e6e8fe6bf Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sun, 2 Jun 2019 19:07:17 +0000 Subject: core and skel revision --- core/conf/rc.d/iptables | 7 ++- core/network.html | 111 ++++++++++++++++++++++++++++++++--------- tools/conf/etc/skel/.gitconfig | 1 + tools/conf/etc/skel/.vimrc | 6 ++- tools/conf/etc/skel/.xinitrc | 16 +++--- 5 files changed, 106 insertions(+), 35 deletions(-) diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index 9471f99..d4f9ebc 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -8,20 +8,25 @@ case $1 in ipt_tables case $TYPE in bridge) + + ## load bridge configuration source /etc/iptables/ipt-bridge.sh ## log everything else and drop ipt_log iptables-save > /etc/iptables/bridge.v4 + ;; server) + + ## load server configuration source /etc/iptables/iptables-conf.sh ## log everything else and drop ipt_log - iptables-save > /etc/iptables/net.v4 + iptables-save > /etc/iptables/server.v4 ;; esac ;; diff --git a/core/network.html b/core/network.html index 5913845..18dd220 100644 --- a/core/network.html +++ b/core/network.html @@ -286,52 +286,115 @@ -c, --set-counters packets bytes -

2.3.3.1. Server iptables

-

Adjust iptables.sh with - your network configuration then run it;

+

2.3.3.1. Iptable scripts

+ +

/etc/rc.d/iptables sources + host configuration and create tables with rules that later are + used to match packages.

+ + 
+        source /etc/iptables/ipt-conf.sh
+        source /etc/iptables/ipt-firewall.sh
+
+        case $1 in
+            start)
+                ipt_clear
+                ipt_tables
+                case $TYPE in
+                    bridge)
+
+                    ## load bridge configuration
+                    source /etc/iptables/ipt-bridge.sh
+
+                    ## log everything else and drop
+                    ipt_log
+
+                    iptables-save > /etc/iptables/bridge.v4
+                    ;;
+                    server)
+
+
+                    ## load server configuration
+                    source /etc/iptables/iptables-conf.sh
+
+                    ## log everything else and drop
+                    ipt_log
+
+                    iptables-save > /etc/iptables/server.v4
+                    ;;
+                esac
+                ;;
+            stop)
+
+                ipt_clear
+                ;;
+            restart)
+                $0 stop
+                $0 start
+                ;;
+            *)
+                echo "Usage: $0 [start|stop|restart]"
+                ;;
+        esac
+
+ +

2.3.3.2. Server iptables

+ +

Adjust /etc/iptables/ipt-conf.sh + with your network configuration, edit /etc/iptables/ipt-server.sh matching rules with interfaces.

Default configuration;

-    server)
+        echo "setting server network..."
+
+        # Unlimited on loopback
+        $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+        $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 
-        echo "Setting server network..."
         ####### Input Chain ######
         $IPT -A INPUT -j blocker
 
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
+        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
+        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
+        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
+        #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
+
+
+        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
+        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
+        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
+        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in
 
         ####### Output Chain ######
         $IPT -A OUTPUT -j blocker
 
-	$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
-	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
-	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
-	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
-	$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
+        $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
+        #$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
+        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
+        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
+        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
 
-        ## log everything else and drop
-        iptables_log
+        $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
+        $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
 
-        iptables-save > /etc/iptables/net.v4
-        exit 0
-
-        ;;
+        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
+        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
+ 
         # bash core/scripts/iptables.sh
-

2.3.3.2. Client iptables

+

2.3.3.3. Client iptables

-

2.3.3.3. Bridge iptables

+

2.3.3.4. Bridge iptables

         $IPT -A FORWARD -j blocker
@@ -351,7 +414,7 @@
 
         $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
         $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
-       
+       

 
         
2.3.4. Wpa and dhcpd

 
diff --git a/tools/conf/etc/skel/.gitconfig b/tools/conf/etc/skel/.gitconfig
index 3af5f03..730d8d9 100644
--- a/tools/conf/etc/skel/.gitconfig
+++ b/tools/conf/etc/skel/.gitconfig
@@ -5,5 +5,6 @@
 	tool = vimdiff
 [merge]
 	tool = vimdiff
+	conflictstyle = diff3
 [difftool]
 	prompt = false
diff --git a/tools/conf/etc/skel/.vimrc b/tools/conf/etc/skel/.vimrc
index 2a45faf..0a3656d 100644
--- a/tools/conf/etc/skel/.vimrc
+++ b/tools/conf/etc/skel/.vimrc
@@ -110,7 +110,9 @@ map  :tabprevious
 map  :tabnext
 "
 "" Show Line Numbers
-set nu
+"" set nu
+"" Show Relative Line Numbers
+set relativenumber
 "set complete=.,b,u,]
 "set wildmode=longest,list:longest
 "set completeopt=menu,preview
@@ -145,7 +147,7 @@ autocmd BufWinLeave * call clearmatches()
 "" Finally, if you want an indent to correspond to a single tab, you should also use:
 ""set shiftwidth=4
 "" For indents that consist of 4 space characters but are entered with the tab key:
-set tabstop=8 softtabstop=0 expandtab shiftwidth=4 smarttab
+set tabstop=4 softtabstop=0 expandtab shiftwidth=4 smarttab
 "set list
 "" set past gives problems with tabs
 "" set paste
diff --git a/tools/conf/etc/skel/.xinitrc b/tools/conf/etc/skel/.xinitrc
index 6ccd340..379a315 100644
--- a/tools/conf/etc/skel/.xinitrc
+++ b/tools/conf/etc/skel/.xinitrc
@@ -1,13 +1,13 @@
-## Start the window manager
-
-xrandr -s 1366x768
-#xrandr --dpi 100
-#xrandr --output eDP1 --mode 1366x768
+#xrandr --output eDP1 --mode 1024x768
+#xrandr -s 1366x768
+#xrandr --dpi 73
+#xrandr --dpi 96
 #xgamma -gamma 0.8
-#syndaemon -d
 setxkbmap dvorak
+#syndaemon -d
+#
+## Start the window manager
 
 #exec openbox-session
-#exec dwm
-exec spectrwm
 #exec start-mate
+exec spectrwm
-- 
cgit 1.4.1-2-gfad0


From b6f024f50fc0b5708bcea0bd26f1bc5cee3e78fc Mon Sep 17 00:00:00 2001
From: Silvino Silva 
Date: Wed, 5 Jun 2019 14:32:37 +0000
Subject: initial system install on encrypted disk

---
 core/install.html | 101 +++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 65 insertions(+), 36 deletions(-)

diff --git a/core/install.html b/core/install.html
index dfe218a..65b9148 100644
--- a/core/install.html
+++ b/core/install.html
@@ -43,13 +43,14 @@
         
1.1.2. Prepare target

 
         
Prepare disk or target location where new system will
-        be installed. Follow steps describe how to create efi and
-        separate partitions such as;
-        bios grub, EFI, boot, root, var, usr, swap and home.
+        be installed. Follow steps describe how to create efi system,
+        for bios_boot systems is only needed the boot partition in
+        the beginning of the disk and can use ext4 file system for example.
         For more information about gpt partitions table read
-        devil-detail grub2 on gpt.
-        Script setup-target.sh
-        creates follow partitions;

+        devil-detail grub2 on gpt. Script setup-target.sh help to create partitions
+        scripts.

+
+        

 
         
Create gpt label and set unit size to use;

 
@@ -93,14 +94,40 @@
 
         
/

 
+        
There are different ways to achieve disk encryption,
+        the method described uses cryptosetup to create cryptodevice
+        with lvm inside containing
+        root and other partitions such as;
+        var, usr, swap and home.
+
+        
+        (parted) mkpart primary 1132 100%
+        (parted) set 4 lvm on
+        

+
+        
Create encrypted block for lvm;

+
+        
+        # modprobe dm-crypt
+        # cryptsetup luksFormat /dev/sda4
+        # cryptsetup luksOpen /dev/sda4 cryptlvm
+        

+
+        
Create physical group and volume group;

+
+        
+        # pvcreate /dev/mapper/cryptlvm
+        vgcreate vg_system /dev/mapper/cryptlvm
+        

+
         
Core collection installation on root partition uses
         approximately 2G. Partition with 8G-20G is recommended
         for a server or desktop with dedicated ports partition
         or using only compiled packages. Partition size 20G;

 
+
         
-        (parted) mkpart primary ext4 1132 21132
-        (parted) name 4 root
+        # lvcreate -L 20G -n lv_root vg_system
         

 
         
/var

@@ -109,8 +136,7 @@
         system is configured. Partition size 2G;

 
         
-        (parted) mkpart primary ext4 21132 23132
-        (parted) name 5 var
+        # lvcreate -L 2G -n lv_var vg_system
         

 
         
Swap (ram)

@@ -119,27 +145,19 @@
         memory ram, ports system will be configured to build on ram.
         To build firefox is necessary at least 34G. Partition size 4G;

 
-        
Is better to create swap partition later using
-        lvm.

-
         
-        (parted) mkpart primary linux-swap 23132 27132
-        (parted) name 6 swap
+        # lvcreate -L 4G -n lv_swap vg_system
         

 
 
         
/home

 
-        
Home partition on desktop fill the rest of disk
-        space while on server this partition can be unnecessary.
+        
On desktop fill the rest of disk space while on server
+        this partition can be replaced with /srv.
         Fill the rest of disk space;

 
-        
Is better to create home partition later using
-        lvm.

-
         
-        (parted) mkpart primary ext4 27132 100%
-        (parted) name 7 home
+        # lvcreate -L 120G -n lv_home vg_system
         

 
         
Create filesystems

@@ -147,10 +165,10 @@
         
         $ sudo mkfs.fat -F 32 /dev/sda2
         $ sudo mkfs.ext4      /dev/sda3
-        $ sudo mkfs.ext4      /dev/sda4
-        $ sudo mkfs.ext4      /dev/sda5
-        $ sudo mkswap	      /dev/sda6
-        $ sudo mkfs.ext4      /dev/sda7
+        $ sudo mkfs.ext4      /dev/vg_system/lv_root
+        $ sudo mkfs.ext4      /dev/vg_system/lv_var
+        $ sudo mkswap	      /dev/vg_system/lv_swap
+        $ sudo mkfs.ext4      /dev/vg_system/lv_home
         

 
         
1.1.3. Prepare Install

@@ -161,19 +179,19 @@
         setup-core.sh
         configure host metadata and setup ports;

 
-	
Export target root partition;

+        
Export target root partition;

 
-	
-	$ export BLK_ROOT=/dev/sda
-	

+        
+        $ export BLK_ROOT=/dev/vg_system/lv_root
+        

 
-	
Export target root directory you want to install;

+        
Export target root directory you want to install;

 
         
         $ export CHROOT=/mnt
         

 
-	
If you are installing to a directory and not partitions you don't need to mount;

+        
If you are installing to a directory and not partitions you don't need to mount;

 
         
         $ sudo mount $BLK_ROOT $CHROOT
@@ -192,11 +210,11 @@
         $ sudo mkdir -p $CHROOT/tmp
         $ sudo mkdir -p $CHROOT/proc
         $ sudo mkdir -p $CHROOT/sys
-	

+
-

If partition layout is different or target is a directory is not necessary to mount, create only the directories;

+

If partition layout is different or target is a directory is not necessary to mount, create only the directories;

- 
+        
         $ sudo mount $BLK_BOOT $CHROOT/boot
         $ sudo mkdir -p $CHROOT/boot/efi
         $ sudo mount $BLK_EFI $CHROOT/boot/efi
@@ -297,6 +315,17 @@
         pkgadd /usr/ports/packages/efivar#*
         pkgadd /usr/ports/packages/efibootmgr#*
         pkgadd /usr/ports/packages/dosfstools#*
+        pkgadd /usr/ports/packages/ported#*
+        pkgadd /usr/ports/packages/libgcrypt#*
+        pkgadd /usr/ports/packages/cryptsetup#*
+        pkgadd /usr/ports/packages/popt#*
+        pkgadd /usr/ports/packages/libgpg-error#*
+        pkgadd /usr/ports/packages/libevent#*
+        pkgadd /usr/ports/packages/libtirpc#*
+        pkgadd /usr/ports/packages/git#*
+        pkgadd /usr/ports/packages/tmux#*
+        pkgadd /usr/ports/packages/prt-utils#*
+        pkgadd /usr/ports/packages/elfutils#*
         

 
         
@@ -344,7 +373,7 @@
 
         Core OS Index
         
This is part of the Hive System Documentation.
-        Copyright (C) 2018
+        Copyright (C) 2019
         Hive Team.
         See the file Gnu Free Documentation License
         for copying conditions.

-- 
cgit 1.4.1-2-gfad0


From 91c23096800cfd1a31cd24f6eae93f6d037d5661 Mon Sep 17 00:00:00 2001
From: Silvino Silva 
Date: Wed, 5 Jun 2019 15:54:52 +0100
Subject: core install fixed script names

---
 core/install.html | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/core/install.html b/core/install.html
index 69a82cf..dfe218a 100644
--- a/core/install.html
+++ b/core/install.html
@@ -156,9 +156,10 @@
         
1.1.3. Prepare Install

 
         
From now on script
-        setup-install.sh
-        create file systems, install packages, configure host
-        metadata and setup ports;

+        setup-target.sh
+        create file systems, install-core.sh install core packages and
+        setup-core.sh
+        configure host metadata and setup ports;

 
 	
Export target root partition;

 
-- 
cgit 1.4.1-2-gfad0


From 175b83995519059948b5d2e9da4a76c7ab070bc3 Mon Sep 17 00:00:00 2001
From: Silvino Silva 
Date: Wed, 5 Jun 2019 23:03:43 +0000
Subject: fix core script setup-target.sh

---
 core/scripts/setup-target.sh | 55 ++++++++++++++++++++++++--------------------
 1 file changed, 30 insertions(+), 25 deletions(-)

diff --git a/core/scripts/setup-target.sh b/core/scripts/setup-target.sh
index ecbe018..69b8640 100755
--- a/core/scripts/setup-target.sh
+++ b/core/scripts/setup-target.sh
@@ -1,6 +1,7 @@
 #!/bin/sh
 
-DEV=/dev
+DEV=/dev/sda
+VG=vg_system
 
 SETUP_TARGET="print"
 CHROOT="/mnt"
@@ -13,22 +14,21 @@ SCRIPTPATH=$(dirname "$SCRIPT")
 DIR=$(dirname "$SCRIPTPATH");
 DIR_LOCAL="$(dirname $(dirname ${DIR}))/local";
 
-ISO_FILE="${DIR_LOCAL}/crux-3.4.iso"
-
 ##read BLK_EFI
 BLK_EFI="${DEV}2"
 ##read BLK_BOOT
 BLK_BOOT="${DEV}3"
 ##read BLK_ROOT
-BLK_ROOT="${DEV}4"
+BLK_CRYPT="${DEV}4"
+BLK_ROOT="/dev/$VG/lv_root"
 ##read BLK_VAR
-BLK_VAR="${DEV}5"
+BLK_VAR="/dev/${VG}/lv_var"
 ##read BLK_USR
-BLK_USR="${DEV}6"
+#BLK_USR="${DEV}6"
 ##read BLK_SWP
-BLK_SWP="${DEV}7"
+BLK_SWP="/dev/${VG}/lv_swap"
 ##read BLK_HOME
-BLK_HOME="${DEV}8"
+BLK_HOME="/dev/${VG}/lv_home"
 
 
 # First we define the function
@@ -64,16 +64,21 @@ partition_target () {
         set 2 boot on \
         mkpart primary ext4 125 1128 \
         name 3 boot \
-        mkpart primary ext4 1128 5128 \
-        name 4 root \
-        mkpart primary ext4 5128 6128 \
-        name 5 var \
-        mkpart primary ext4 6128 14128 \
-        name 6 usr \
-        mkpart primary linux-swap 14128 18128 \
-        name 7 swap \
-        mkpart primary ext4 18128 100% \
-        name 8 home
+        mkpart primary 1128 100% \
+        set 4 lvm on
+
+    modprobe dm-crypt
+    cryptsetup luksFormat ${BLK_CRYPT}
+    cryptsetup luksOpen ${BLK_CRYPT} cryptlvm
+
+    pvcreate /dev/mapper/cryptlvm
+    vgcreate ${VG} /dev/mapper/cryptlvm
+
+    lvcreate -L 20G -n lv_root ${VG}
+    lvcreate -L 4G -n lv_var ${VG}
+    lvcreate -L 8G -n lv_swap ${VG}
+    lvcreate -L 120G -n lv_home ${VG}
+
 }
 
 mount_target () {
@@ -85,8 +90,8 @@ mount_target () {
     mkfs.ext4 $BLK_ROOT
     echo "1.1.2 Creating File System on $BLK_VAR with ext4:"
     mkfs.ext4 $BLK_VAR
-    echo "1.1.2 Creating File System on $BLK_USR with ext4:"
-    mkfs.ext4 $BLK_USR
+    #echo "1.1.2 Creating File System on $BLK_USR with ext4:"
+    #mkfs.ext4 $BLK_USR
     echo "1.1.2 Creating Swap File System on $BLK_SWP:"
     mkswap $BLK_SWP
     echo "1.1.2 Creating File System on $BLK_HOME with ext4:"
@@ -104,8 +109,8 @@ mount_target () {
     mkdir -p $CHROOT/var
     mount $BLK_VAR $CHROOT/var
 
-    mkdir -p $CHROOT/usr
-    mount $BLK_USR $CHROOT/usr
+    #mkdir -p $CHROOT/usr
+    #mount $BLK_USR $CHROOT/usr
 
     mkdir -p $CHROOT/home
     mount $BLK_HOME $CHROOT/home
@@ -152,16 +157,16 @@ enable_target () {
 print_target() {
     echo "Device: $DEV"
     echo "CHROOT: $CHROOT"
-    echo "ISO_FILE: $ISO_FILE"
-    echo "Option Selected: $SETUP_TARGET\n"
+    echo "Option Selected: $SETUP_TARGET"
 
     echo "1.1.2 EFI block; ($BLK_EFI)"
     echo "1.1.2 boot block; ($BLK_BOOT)"
+    echo "1.1.2 cryptlvm block; ($BLK_CRYPT)"
     echo "1.1.2 root block; ($BLK_ROOT)"
     echo "1.1.2 var block; ($BLK_VAR)"
     echo "1.1.2 usr block; ($BLK_USR)"
     echo "1.1.2 swap block; ($BLK_SWP)"
-    echo "1.1.2 home block; ($BLK_HOME)\n"
+    echo "1.1.2 home block; ($BLK_HOME)"
 
 
 }
-- 
cgit 1.4.1-2-gfad0


From b0d9f669aa8032e63ea7dc8e2eebe6fe022129b8 Mon Sep 17 00:00:00 2001
From: Silvino Silva 
Date: Thu, 6 Jun 2019 12:28:05 +0100
Subject: added core default grub config

---
 core/conf/default/grub | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 core/conf/default/grub

diff --git a/core/conf/default/grub b/core/conf/default/grub
new file mode 100644
index 0000000..cc7934a
--- /dev/null
+++ b/core/conf/default/grub
@@ -0,0 +1,4 @@
+GRUB_DISABLE_LINUX_UUID=false
+GRUB_ENABLE_LINUX_LABEL=false
+GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-15f15024-e994-43e3-9de4-694ba94aaf7f rd.lvm.lv=vg_system/lv_root"
+GRUB_ENABLE_CRYPTODISK=y
-- 
cgit 1.4.1-2-gfad0


From 045ea9a3815a56609af07a3c7d9df6fcc18910a5 Mon Sep 17 00:00:00 2001
From: Silvino Silva 
Date: Fri, 7 Jun 2019 23:39:05 +0000
Subject: iptables scripts revision

---
 core/conf/iptables/ipt-bridge.sh   | 220 +++++++++++++++----------------------
 core/conf/iptables/ipt-conf.sh     |   7 +-
 core/conf/iptables/ipt-firewall.sh |   2 -
 core/conf/iptables/ipt-server.sh   |  10 ++
 core/conf/rc.d/iptables            |  76 ++++++++++---
 5 files changed, 161 insertions(+), 154 deletions(-)

diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index fa987a5..a54cbf2 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -1,7 +1,9 @@
 #!/bin/bash
-
-echo "setting bridge ${BR_IF} network..."
-echo 1 > /proc/sys/net/ipv4/ip_forward
+echo "setting bridge network..."
+source /etc/iptables/ipt-conf.sh
+source /etc/iptables/ipt-firewall.sh
+ipt_clear
+ipt_tables
 
 # Unlimited on loopback
 $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
@@ -9,174 +11,126 @@ $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 
-####### NAT Prerouting Chain  ######
+######## NAT Prerouting Chain  ######
 #$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
-#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
-$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
-#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
-
-####### Forward Chain  ######
-$IPT -A FORWARD -j blocker
-$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-
-# Allow access from bridge to gateway wifi interface
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
+##$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
+##$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
 
-#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
-
-# allow output from BR_NET to external
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
-
-# allow input from public bridged interface facing Internet 
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in
-
-######## Forward TAP2 ssh, http and https  ######
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+######## Forward Chain  ######
+#$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+#$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 #
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
-
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+## Allow all for BR_NET
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
 
+## DHCP
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 0.0.0.0 -d 255.255.255.255 -j srv_dhcp
 
-#Less noise
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
+## Allow access from bridge to gateway wifi interface
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
 
+##$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
+##$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
 
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#
-# Tap1
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out
-#
-#
-## Tap3
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
-#
-#
-# Tap1, Tap2 and Tap3 can access external https
-
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
-
+## allow output from BR_NET to external
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
 
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${DNS} -d ${PUB_IP} -j cli_dns_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_ssh_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_git_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -j ACCEPT
 
-#
-#        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
-#
-#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
-#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
+##Less noise
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
 
-#
-####### Input Chain ######
+######## Input Chain ######
 $IPT -A INPUT -j blocker
-#Less noise
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
-$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j DROP
-$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j DROP
 
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
-$IPT -A INPUT -i ${BR_IF} -d ${WIFI_NET} -s ${BR_NET} -j srv_icmp
+##Less noise
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp  --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp  --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d 10.255.255.255 -p udp --sport 520 --dport 520 -j ACCEPT
+#$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j ACCEPT
 
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -s ${WIFI_NET} -d ${WIFI_NET} -j srv_dns_in
-  
 $IPT -A INPUT -i ${BR_IF} -j srv_dhcp
-$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
 
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
 $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in
 
-$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
+#$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
+#$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
+#$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
+#$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
 
-# c2.ank /iso -> c9.ank /srv/qemu/iso
-$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -d ${PUB_IP} -j srv_http_in
-# hyperbola servers
-$IPT -A INPUT -p tcp --dport 1024:65535 --sport 50100 -m state --state RELATED,ESTABLISHED -j ACCEPT
+## PXE server
+#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 69 --sport 1024:65535 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 1024:65535 --sport 1024:65535 -j ACCEPT
 
-####### Output Chain ######
-$IPT -A OUTPUT -j blocker
+######## Output Chain ######
 
-#Less noise
+##Less noise
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
 
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp
-$IPT -A OUTPUT -o ${BR_IF} -s ${WIFI_NET} -d ${BR_NET} -j srv_icmp
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j srv_git_out
+$IPT -A OUTPUT -o ${BR_IF} -j srv_icmp
+#$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp
 
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
 
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
 
-$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
-$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
 
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_icmp
 
-# Hyperbola servers
-$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-# c2.ank /iso -> c9.ank /srv/qemu/iso
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4  -j srv_http_out
+## PXE Server
+#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -p udp --dport 1024:65535 --sport 1024:65535 -j ACCEPT
 
-####### PostRouting Chain ######
-#Less noise
-#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+######## PostRouting Chain ######
+##Less noise
+##$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+##$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
 
-$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+## log everything else and drop
+ipt_log
 
-#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
+iptables-save > /etc/iptables/bridge.v4
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
index 52669dc..c3dac16 100644
--- a/core/conf/iptables/ipt-conf.sh
+++ b/core/conf/iptables/ipt-conf.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-TYPE=bridge
-#TYPE=server
+
+IPT="/usr/sbin/iptables"
 
 SPAMLIST="blockedip"
 SPAMDROPMSG="BLOCKED IP DROP"
@@ -19,4 +19,5 @@ PUB_IF="enp8s0"
 
 # private interface for virtual/internal
 WIFI_IF="wlp7s0"
-WIFI_NET="192.168.1.0/24"
+#WIFI_NET="192.168.1.0/24"
+WIFI_NET="10.0.0.0/8"
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
index 6ea613a..12c3834 100644
--- a/core/conf/iptables/ipt-firewall.sh
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
 
-IPT="/usr/sbin/iptables"
-
 ipt_clear () {
     echo "clear all iptables tables"
 
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
index 225fd31..027cd11 100644
--- a/core/conf/iptables/ipt-server.sh
+++ b/core/conf/iptables/ipt-server.sh
@@ -1,10 +1,15 @@
 echo "setting server network..."
+source /etc/iptables/ipt-conf.sh
+source /etc/iptables/ipt-firewall.sh
+ipt_clear
+ipt_tables
 
 # Unlimited on loopback
 $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d 10.255.255.255 -j ACCEPT
 
 ####### Input Chain ######
 $IPT -A INPUT -j blocker
@@ -35,3 +40,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
 
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
+
+## log everything else and drop
+ipt_log
+
+iptables-save > /etc/iptables/server.v4
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index d4f9ebc..f8896cc 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,38 +1,82 @@
 
-source /etc/iptables/ipt-conf.sh
-source /etc/iptables/ipt-firewall.sh
+IPT="/usr/sbin/iptables"
+TYPE=bridge
+#TYPE=server
+#TYPE=open
+
 
 case $1 in
 	start)
-		ipt_clear
-		ipt_tables
+        echo "clear all iptables tables"
+
+        ${IPT} -F
+        ${IPT} -X
+        ${IPT} -t nat -F
+        ${IPT} -t nat -X
+        ${IPT} -t mangle -F
+        ${IPT} -t mangle -X
+        ${IPT} -t raw -F
+        ${IPT} -t raw -X
+        ${IPT} -t security -F
+        ${IPT} -t security -X
+
+        # Set Default Rules
+        ${IPT} -P INPUT DROP
+        ${IPT} -P FORWARD DROP
+        ${IPT} -P OUTPUT DROP
+
+        ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+
 		case $TYPE in
 		    bridge)
 
-            ## load bridge configuration
-			source /etc/iptables/ipt-bridge.sh
-
-			## log everything else and drop
-			ipt_log
+            echo "setting bridge ${BR_IF} network..."
+            echo 1 > /proc/sys/net/ipv4/ip_forward
 
-			iptables-save > /etc/iptables/bridge.v4
+            ## load bridge configuration
+            iptables-restore /etc/iptables/bridge.v4
 
-			;;
+   			;;
 		    server)
 
             ## load server configuration
-			source /etc/iptables/iptables-conf.sh
+            iptables-restore /etc/iptables/server.v4
+
+			;;
+		    open)
 
-			## log everything else and drop
-			ipt_log
+            ## load client configuration
+            iptables-restore /etc/iptables/open.v4
 
-			iptables-save > /etc/iptables/server.v4
 			;;
+
 		esac
 		;;
 	stop)
 
-		ipt_clear
+        echo "clear all iptables tables"
+
+        ${IPT} -F
+        ${IPT} -X
+        ${IPT} -t nat -F
+        ${IPT} -t nat -X
+        ${IPT} -t mangle -F
+        ${IPT} -t mangle -X
+        ${IPT} -t raw -F
+        ${IPT} -t raw -X
+        ${IPT} -t security -F
+        ${IPT} -t security -X
+
+        # Set Default Rules
+        ${IPT} -P INPUT DROP
+        ${IPT} -P FORWARD DROP
+        ${IPT} -P OUTPUT DROP
+
+        ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
 		;;
 	restart)
 		$0 stop
-- 
cgit 1.4.1-2-gfad0


From f905c797c8f2ec87a8aa641a44c49fc1d0a23ebe Mon Sep 17 00:00:00 2001
From: Silvino 
Date: Sat, 8 Jun 2019 01:49:10 +0100
Subject: core network better iptables documentation

---
 core/conf/iptables/ipt-bridge.sh |   6 +-
 core/conf/iptables/ipt-open.sh   |  47 +++++++++
 core/conf/iptables/ipt-server.sh |  13 ++-
 core/conf/iptables/open.v4       | 210 +++++++++++++++++++++++++++++++++++++++
 core/conf/iptables/server.v4     | 204 +++++++++++++++++++++++++++++++++++++
 core/conf/rc.d/iptables          | 110 ++++++++------------
 core/index.html                  |   1 +
 core/network.html                | 191 ++++++++---------------------------
 tools/wireless.html              |  10 +-
 9 files changed, 566 insertions(+), 226 deletions(-)
 create mode 100644 core/conf/iptables/ipt-open.sh
 create mode 100644 core/conf/iptables/open.v4
 create mode 100644 core/conf/iptables/server.v4

diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index a54cbf2..cd93687 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 echo "setting bridge network..."
-source /etc/iptables/ipt-conf.sh
-source /etc/iptables/ipt-firewall.sh
+source ipt-conf.sh
+source ipt-firewall.sh
 ipt_clear
 ipt_tables
 
@@ -133,4 +133,4 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
 ## log everything else and drop
 ipt_log
 
-iptables-save > /etc/iptables/bridge.v4
+iptables-save > bridge.v4
diff --git a/core/conf/iptables/ipt-open.sh b/core/conf/iptables/ipt-open.sh
new file mode 100644
index 0000000..3ef1254
--- /dev/null
+++ b/core/conf/iptables/ipt-open.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+echo "setting client network..."
+source ipt-conf.sh
+source ipt-firewall.sh
+ipt_clear
+ipt_tables
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+
+$IPT -A INPUT -i ${PUB_IF} -j cli_dns_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_http_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_https_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_git_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_ssh_in
+$IPT -A INPUT -i ${PUB_IF} -j srv_icmp
+$IPT -A INPUT -i ${PUB_IF} -j cli_pops_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_smtps_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_irc_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_ftp_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_gpg_in
+
+
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_dns_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_https_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_ssh_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out
+$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_pops_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_smtps_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_irc_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_ftp_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_gpg_out
+
+## log everything else and drop
+ipt_log
+
+iptables-save > open.v4
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
index 027cd11..370db60 100644
--- a/core/conf/iptables/ipt-server.sh
+++ b/core/conf/iptables/ipt-server.sh
@@ -1,15 +1,14 @@
-echo "setting server network..."
-source /etc/iptables/ipt-conf.sh
-source /etc/iptables/ipt-firewall.sh
+echo "setting server iptables ..."
+source ipt-conf.sh
+source ipt-firewall.sh
 ipt_clear
 ipt_tables
 
 # Unlimited on loopback
 $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-$IPT -A OUTPUT -o lo -s ${PUB_IP} -d 10.255.255.255 -j ACCEPT
+#$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+#$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 
 ####### Input Chain ######
 $IPT -A INPUT -j blocker
@@ -44,4 +43,4 @@ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
 ## log everything else and drop
 ipt_log
 
-iptables-save > /etc/iptables/server.v4
+iptables-save > server.v4
diff --git a/core/conf/iptables/open.v4 b/core/conf/iptables/open.v4
new file mode 100644
index 0000000..30e476d
--- /dev/null
+++ b/core/conf/iptables/open.v4
@@ -0,0 +1,210 @@
+# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 23:05:15 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 23:05:15 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 23:05:15 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 23:05:15 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:blocker - [0:0]
+:cli_dns_in - [0:0]
+:cli_dns_out - [0:0]
+:cli_ftp_in - [0:0]
+:cli_ftp_out - [0:0]
+:cli_git_in - [0:0]
+:cli_git_out - [0:0]
+:cli_gpg_in - [0:0]
+:cli_gpg_out - [0:0]
+:cli_http_in - [0:0]
+:cli_http_out - [0:0]
+:cli_https_in - [0:0]
+:cli_https_out - [0:0]
+:cli_irc_in - [0:0]
+:cli_irc_out - [0:0]
+:cli_pops_in - [0:0]
+:cli_pops_out - [0:0]
+:cli_smtps_in - [0:0]
+:cli_smtps_out - [0:0]
+:cli_ssh_in - [0:0]
+:cli_ssh_out - [0:0]
+:srv_db_in - [0:0]
+:srv_db_out - [0:0]
+:srv_dhcp - [0:0]
+:srv_dns_in - [0:0]
+:srv_dns_out - [0:0]
+:srv_git_in - [0:0]
+:srv_git_out - [0:0]
+:srv_http_in - [0:0]
+:srv_http_out - [0:0]
+:srv_https_in - [0:0]
+:srv_https_out - [0:0]
+:srv_icmp - [0:0]
+:srv_rip - [0:0]
+:srv_ssh_in - [0:0]
+:srv_ssh_out - [0:0]
+-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
+-A INPUT -j blocker
+-A INPUT -i wlp9s0 -j cli_dns_in
+-A INPUT -i wlp9s0 -j cli_http_in
+-A INPUT -i wlp9s0 -j cli_https_in
+-A INPUT -i wlp9s0 -j cli_git_in
+-A INPUT -i wlp9s0 -j cli_ssh_in
+-A INPUT -i wlp9s0 -j srv_icmp
+-A INPUT -i wlp9s0 -j cli_pops_in
+-A INPUT -i wlp9s0 -j cli_smtps_in
+-A INPUT -i wlp9s0 -j cli_irc_in
+-A INPUT -i wlp9s0 -j cli_ftp_in
+-A INPUT -i wlp9s0 -j cli_gpg_in
+-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
+-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
+-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
+-A OUTPUT -j blocker
+-A OUTPUT -o wlp9s0 -j cli_dns_out
+-A OUTPUT -o wlp9s0 -j cli_https_out
+-A OUTPUT -o wlp9s0 -j cli_ssh_out
+-A OUTPUT -o wlp9s0 -j cli_git_out
+-A OUTPUT -o wlp9s0 -j cli_git_out
+-A OUTPUT -o wlp9s0 -j srv_icmp
+-A OUTPUT -o wlp9s0 -j cli_pops_out
+-A OUTPUT -o wlp9s0 -j cli_smtps_out
+-A OUTPUT -o wlp9s0 -j cli_irc_out
+-A OUTPUT -o wlp9s0 -j cli_ftp_out
+-A OUTPUT -o wlp9s0 -j cli_gpg_out
+-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+-A blocker -f -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+-A blocker -j RETURN
+-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
+-A cli_dns_in -j RETURN
+-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
+-A cli_dns_out -j RETURN
+-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -j RETURN
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -j RETURN
+-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_git_in -j RETURN
+-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_git_out -j RETURN
+-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_gpg_in -j RETURN
+-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_gpg_out -j RETURN
+-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -j RETURN
+-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -j RETURN
+-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -j RETURN
+-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -j RETURN
+-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_irc_in -j RETURN
+-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_irc_out -j RETURN
+-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_pops_in -j RETURN
+-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_pops_out -j RETURN
+-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_smtps_in -j RETURN
+-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_smtps_out -j RETURN
+-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -j RETURN
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -j RETURN
+-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_db_in -j RETURN
+-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_db_out -j RETURN
+-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT
+-A srv_dhcp -j RETURN
+-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -j RETURN
+-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -j RETURN
+-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_git_in -j RETURN
+-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_git_out -j RETURN
+-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_http_in -j RETURN
+-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_http_out -j RETURN
+-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_https_in -j RETURN
+-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_https_out -j RETURN
+-A srv_icmp -p icmp -j ACCEPT
+-A srv_icmp -j RETURN
+-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT
+-A srv_rip -j RETURN
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -j RETURN
+-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -j RETURN
+COMMIT
+# Completed on Sat Jun  8 23:05:15 2019
diff --git a/core/conf/iptables/server.v4 b/core/conf/iptables/server.v4
new file mode 100644
index 0000000..ed202ee
--- /dev/null
+++ b/core/conf/iptables/server.v4
@@ -0,0 +1,204 @@
+# Generated by iptables-save v1.8.2 on Sat Jun  8 19:50:25 2019
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 19:50:25 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 19:50:25 2019
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 19:50:25 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 19:50:25 2019
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 19:50:25 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 19:50:25 2019
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 19:50:25 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 19:50:25 2019
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:blocker - [0:0]
+:cli_dns_in - [0:0]
+:cli_dns_out - [0:0]
+:cli_ftp_in - [0:0]
+:cli_ftp_out - [0:0]
+:cli_git_in - [0:0]
+:cli_git_out - [0:0]
+:cli_gpg_in - [0:0]
+:cli_gpg_out - [0:0]
+:cli_http_in - [0:0]
+:cli_http_out - [0:0]
+:cli_https_in - [0:0]
+:cli_https_out - [0:0]
+:cli_irc_in - [0:0]
+:cli_irc_out - [0:0]
+:cli_pops_in - [0:0]
+:cli_pops_out - [0:0]
+:cli_smtps_in - [0:0]
+:cli_smtps_out - [0:0]
+:cli_ssh_in - [0:0]
+:cli_ssh_out - [0:0]
+:srv_db_in - [0:0]
+:srv_db_out - [0:0]
+:srv_dhcp - [0:0]
+:srv_dns_in - [0:0]
+:srv_dns_out - [0:0]
+:srv_git_in - [0:0]
+:srv_git_out - [0:0]
+:srv_http_in - [0:0]
+:srv_http_out - [0:0]
+:srv_https_in - [0:0]
+:srv_https_out - [0:0]
+:srv_icmp - [0:0]
+:srv_rip - [0:0]
+:srv_ssh_in - [0:0]
+:srv_ssh_out - [0:0]
+-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
+-A INPUT -j blocker
+-A INPUT -s 212.55.154.174/32 -d 10.0.0.254/32 -i enp8s0 -j cli_dns_in
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i enp8s0 -j srv_https_in
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i enp8s0 -j srv_ssh_in
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i enp8s0 -j srv_git_in
+-A INPUT -d 10.0.0.254/32 -i enp8s0 -j srv_https_in
+-A INPUT -d 10.0.0.254/32 -i enp8s0 -j cli_https_in
+-A INPUT -d 10.0.0.254/32 -i enp8s0 -j srv_ssh_in
+-A INPUT -d 10.0.0.254/32 -i enp8s0 -j srv_git_in
+-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
+-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
+-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
+-A OUTPUT -j blocker
+-A OUTPUT -s 10.0.0.254/32 -d 212.55.154.174/32 -o enp8s0 -j cli_dns_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o enp8s0 -j srv_https_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o enp8s0 -j srv_ssh_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o enp8s0 -j srv_git_out
+-A OUTPUT -s 10.0.0.254/32 -o enp8s0 -j cli_https_out
+-A OUTPUT -s 10.0.0.254/32 -o enp8s0 -j srv_https_out
+-A OUTPUT -d 10.0.0.0/8 -o enp8s0 -j srv_ssh_out
+-A OUTPUT -d 10.0.0.0/8 -o enp8s0 -j srv_git_out
+-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+-A blocker -f -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+-A blocker -j RETURN
+-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
+-A cli_dns_in -j RETURN
+-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
+-A cli_dns_out -j RETURN
+-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -j RETURN
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -j RETURN
+-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_git_in -j RETURN
+-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_git_out -j RETURN
+-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_gpg_in -j RETURN
+-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_gpg_out -j RETURN
+-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -j RETURN
+-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -j RETURN
+-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -j RETURN
+-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -j RETURN
+-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_irc_in -j RETURN
+-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_irc_out -j RETURN
+-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_pops_in -j RETURN
+-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_pops_out -j RETURN
+-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_smtps_in -j RETURN
+-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_smtps_out -j RETURN
+-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -j RETURN
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -j RETURN
+-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_db_in -j RETURN
+-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_db_out -j RETURN
+-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT
+-A srv_dhcp -j RETURN
+-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -j RETURN
+-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -j RETURN
+-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_git_in -j RETURN
+-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_git_out -j RETURN
+-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_http_in -j RETURN
+-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_http_out -j RETURN
+-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_https_in -j RETURN
+-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_https_out -j RETURN
+-A srv_icmp -p icmp -j ACCEPT
+-A srv_icmp -j RETURN
+-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT
+-A srv_rip -j RETURN
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -j RETURN
+-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -j RETURN
+COMMIT
+# Completed on Sat Jun  8 19:50:25 2019
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index f8896cc..cc7c765 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -4,85 +4,59 @@ TYPE=bridge
 #TYPE=server
 #TYPE=open
 
+echo "clear all iptables tables"
+
+${IPT} -F
+${IPT} -X
+${IPT} -t nat -F
+${IPT} -t nat -X
+${IPT} -t mangle -F
+${IPT} -t mangle -X
+${IPT} -t raw -F
+${IPT} -t raw -X
+${IPT} -t security -F
+${IPT} -t security -X
+
+# Set Default Rules
+${IPT} -P INPUT DROP
+${IPT} -P FORWARD DROP
+${IPT} -P OUTPUT DROP
+
+${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 
 case $1 in
 	start)
-        echo "clear all iptables tables"
+            case $TYPE in
+                bridge)
 
-        ${IPT} -F
-        ${IPT} -X
-        ${IPT} -t nat -F
-        ${IPT} -t nat -X
-        ${IPT} -t mangle -F
-        ${IPT} -t mangle -X
-        ${IPT} -t raw -F
-        ${IPT} -t raw -X
-        ${IPT} -t security -F
-        ${IPT} -t security -X
+                    echo "setting bridge network..."
+                    echo 1 > /proc/sys/net/ipv4/ip_forward
 
-        # Set Default Rules
-        ${IPT} -P INPUT DROP
-        ${IPT} -P FORWARD DROP
-        ${IPT} -P OUTPUT DROP
+                    ## load bridge configuration
+                    iptables-restore /etc/iptables/bridge.v4
 
-        ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-        ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+   		;;
+		server)
 
+                    echo "setting server network..."
+                    ## load server configuration
+                    iptables-restore /etc/iptables/server.v4
 
-		case $TYPE in
-		    bridge)
-
-            echo "setting bridge ${BR_IF} network..."
-            echo 1 > /proc/sys/net/ipv4/ip_forward
-
-            ## load bridge configuration
-            iptables-restore /etc/iptables/bridge.v4
-
-   			;;
-		    server)
-
-            ## load server configuration
-            iptables-restore /etc/iptables/server.v4
-
-			;;
-		    open)
-
-            ## load client configuration
-            iptables-restore /etc/iptables/open.v4
-
-			;;
-
-		esac
 		;;
-	stop)
-
-        echo "clear all iptables tables"
-
-        ${IPT} -F
-        ${IPT} -X
-        ${IPT} -t nat -F
-        ${IPT} -t nat -X
-        ${IPT} -t mangle -F
-        ${IPT} -t mangle -X
-        ${IPT} -t raw -F
-        ${IPT} -t raw -X
-        ${IPT} -t security -F
-        ${IPT} -t security -X
-
-        # Set Default Rules
-        ${IPT} -P INPUT DROP
-        ${IPT} -P FORWARD DROP
-        ${IPT} -P OUTPUT DROP
+		open)
 
-        ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-        ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+                    echo "setting client network..."
+                    ## load client configuration
+                    iptables-restore /etc/iptables/open.v4
 
 		;;
-	restart)
-		$0 stop
-		$0 start
-		;;
+	    esac
+	;;
+        stop)
+
+	;;
 	*)
-		echo "Usage: $0 [start|stop|restart]"
-		;;
+	    echo "Usage: $0 [start|stop]"
+	;;
 esac
diff --git a/core/index.html b/core/index.html
index 87330b1..d19f9e0 100644
--- a/core/index.html
+++ b/core/index.html
@@ -117,6 +117,7 @@
 		    
  • 2.3.2. Static ip
    • 
 		    
  • 2.3.3. Iptables
    • 
 		    
  • 2.3.4. Wpa and dhcpd
    • 
+		    
  • 2.3.5. NetworkManager
    • 
 		
 	    
 
diff --git a/core/network.html b/core/network.html
index 18dd220..c87acf9 100644
--- a/core/network.html
+++ b/core/network.html
@@ -9,7 +9,8 @@
 
         
    2.3. Network
    
 
-        
    Operation of the network can be handle with init scripts;
    
+        
    Operation of the network can be handle with init scripts or with
+        network manager;
    
 
         
    
             
    /etc/rc.d/iptables
    
@@ -24,11 +25,13 @@
             
    Configure Wireless interface, launch wpa_supplicant to handle
             wireless authenticationand dynamic (dhcp)
             connection to router and add as default gateway.
    
+            
    /etc/rc.d/networkmanager
    
+            
    Use network manager to handle connections.
    
         
    
 
-        
    Choose wireless or net as connection to outside world and configure
-        /etc/rc.conf to run at startup, example
-        connecting using wireless interface;
    
+        
    Choose wireless (wlan), cable network (net) or network manager in
+        /etc/rc.conf to handle configuration of the 
+        network at startup, example using network manager;
    
 
         
             #
@@ -40,7 +43,7 @@
         TIMEZONE="Europe/Lisbon"
         HOSTNAME=machine
         SYSLOG=sysklogd
-        SERVICES=(lo iptables wlan crond)
+        SERVICES=(lo iptables networkmanager crond)
 
         # End of file
         
    
@@ -116,33 +119,7 @@
 
         
    For more information about firewall systems read arch wiki
         iptables
-        an nftables.
    
-
-        
    To setup iptables rules a set of scripts is used, init script
-        /etc/rc.d/iptables
-        loads set of rules from file /etc/iptables/net.v4 at boot time.
-        Start option "open" option allows everything to outside
-        and blocks everything from outside, "stop" will block and log
-        everything. Setup init script and rules ;
    
-
-        
    -        # mkdir /etc/iptables
-        # cp core/conf/iptables/net.v4 /etc/iptables/
-        # cp core/conf/rc.d/iptables /etc/rc.d/
-        # chmod +x /etc/rc.d/iptables
-        
    
-
-        
    Change /etc/rc.conf and add iptables;
    
-
-        
    -        SERVICES=(iptables lo net crond)
-        
    
-
-        
    See current rules and packets counts;
    
-
-        
    -        # iptables -L -n -v | less
-        
    
+        and nftables.
    
 
         
    Diagram of a package route throw iptables;
    
 
@@ -286,135 +263,42 @@
          -c, --set-counters packets bytes
         
    
 
-
-        
    2.3.3.1. Iptable scripts
    
-
-        
    /etc/rc.d/iptables sources
-        host configuration and create tables with rules that later are
-        used to match packages.
    
+        
    See current rules and packets counts;
    
 
         
    -        source /etc/iptables/ipt-conf.sh
-        source /etc/iptables/ipt-firewall.sh
-
-        case $1 in
-            start)
-                ipt_clear
-                ipt_tables
-                case $TYPE in
-                    bridge)
-
-                    ## load bridge configuration
-                    source /etc/iptables/ipt-bridge.sh
-
-                    ## log everything else and drop
-                    ipt_log
-
-                    iptables-save > /etc/iptables/bridge.v4
-                    ;;
-                    server)
-
-
-                    ## load server configuration
-                    source /etc/iptables/iptables-conf.sh
-
-                    ## log everything else and drop
-                    ipt_log
-
-                    iptables-save > /etc/iptables/server.v4
-                    ;;
-                esac
-                ;;
-            stop)
-
-                ipt_clear
-                ;;
-            restart)
-                $0 stop
-                $0 start
-                ;;
-            *)
-                echo "Usage: $0 [start|stop|restart]"
-                ;;
-        esac
+        # iptables -L -n -v | less
         
    
 
-        
    2.3.3.2. Server iptables
    
+        
    2.3.3.1. Iptable scripts
    
 
-        
    Adjust /etc/iptables/ipt-conf.sh
-        with your network configuration, edit /etc/iptables/ipt-server.sh matching rules with interfaces.
    
+        
    Scripts help to setup iptables rules so they can be saved using iptables-save
+        and later restored using iptables-restore utilities. Init script
+        /etc/rc.d/iptables
+        loads set of rules from /etc/iptables folder at boot time.
+        Start option "open" option allows everything to outside
+        and blocks new connections from outside, "stop" will block and log
+        everything.
    
 
-        
    Default configuration;
    
+        
    Setup init script and rules;
    
 
         
    -        echo "setting server network..."
-
-        # Unlimited on loopback
-        $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-        $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-        $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-        $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-
-        ####### Input Chain ######
-        $IPT -A INPUT -j blocker
-
-        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
-        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
-        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
-        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
-        #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
-
-
-        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
-        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
-        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
-        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in
-
-        ####### Output Chain ######
-        $IPT -A OUTPUT -j blocker
-
-        $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
-        #$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
-        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
-        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
-        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
-
-        $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
-        $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
-
-        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
-        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
+        # mkdir /etc/iptables
+        # cp core/conf/iptables/net.v4 /etc/iptables/
+        # cp core/conf/rc.d/iptables /etc/rc.d/
+        # chmod +x /etc/rc.d/iptables
         
    
 
+        
    Change /etc/rc.conf and add iptables;
    
 
         
    -        # bash core/scripts/iptables.sh
+        SERVICES=(iptables lo net crond)
         
    
 
-        
    2.3.3.3. Client iptables 
    
-
-        
    
-        
    2.3.3.4. Bridge iptables
    
-
-        
    -        $IPT -A FORWARD -j blocker
-        $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-        $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -d ${BR_NET} -j srv_ssh_in
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+        
    Change /etc/rc.d/iptables and define type; server, bridge or open.
    
 
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
-
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
-
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
-
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
-       
    
+        
    Adjust /etc/iptables/ipt-conf.sh
+        with your network configuration, and adjust
+        /etc/iptables/ipt-server.sh, /etc/iptables/ipt-bridge.sh, /etc/iptables/ipt-open.sh according with host necessities.
    
 
         
    2.3.4. Wpa and dhcpd
    
 
@@ -503,11 +387,24 @@
         > save_config
    +

    2.3.5. Network Manager

    + +

    List wifi networks;

    + + 
    +        nmcli device wifi list
+
    + +

    Connect to a wifi network;

    + + 
    +        nmcli device wifi connect "network name" password "network password"
+
    Core OS Index

    This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file Gnu Free Documentation License for copying conditions.

    diff --git a/tools/wireless.html b/tools/wireless.html index 7481069..f4eeddb 100644 --- a/tools/wireless.html +++ b/tools/wireless.html @@ -5,7 +5,15 @@

    Wireless

    -

    Recover Password

    + +

    Manual configuration

    + + 
    +        # iwlist wlp2s0 scan
+        # iwconfig wlp2s0 essid name_of_network
+
    + +

    Recover Password WPS

    Tested on debian system only.

    -- cgit 1.4.1-2-gfad0 From 44ee76746ec6f23f3e67602770e4a04ab8471e95 Mon Sep 17 00:00:00 2001 From: Silvino Date: Sun, 9 Jun 2019 02:19:01 +0100 Subject: core index re-ordering and tools storage revision --- core/apparmor.html | 4 +- core/conf/sysctl.conf | 463 +---------------------------------------------- core/exim.html | 14 +- core/hardening.html | 48 +++-- core/index.html | 58 +++--- core/network.html | 41 +++-- core/package.html | 16 +- core/samhain.html | 8 +- core/sysctl.html | 481 ++----------------------------------------------- core/toolchain.html | 4 +- core/tty-terminal.html | 4 +- tools/storage.html | 61 ++++++- 12 files changed, 190 insertions(+), 1012 deletions(-) diff --git a/core/apparmor.html b/core/apparmor.html index 9954593..5c9b541 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -2,13 +2,13 @@ - 2.2.1. AppArmor + 2.6.1. AppArmor Core OS Index -

    2.2.1. AppArmor

    +

    2.6.1. AppArmor

    Check kernel configuration or use the provided with linux-gnu port diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index 4606791..771112a 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -3,50 +3,18 @@ # kernel.printk = 7 1 1 4 + kernel.randomize_va_space = 2 + # Shared Memory #kernel.shmmax = 500000000 # Total allocated file handlers that can be allocated # fs.file-nr= vm.mmap_min_addr=65536 + # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 -# -# Memory Protections -# - -# If you say Y here, all ioperm and iopl calls will return an error. -# Ioperm and iopl can be used to modify the running kernel. -# Unfortunately, some programs need this access to operate properly, -# the most notable of which are XFree86 and hwclock. hwclock can be -# remedied by having RTC support in the kernel, so real-time -# clock support is enabled if this option is enabled, to ensure -# that hwclock operates correctly. -# -# If you're using XFree86 or a version of Xorg from 2012 or earlier, -# you may not be able to boot into a graphical environment with this -# option enabled. In this case, you should use the RBAC system instead. -kernel.grsecurity.disable_priv_io = 1 - -# If you say Y here, attempts to bruteforce exploits against forking -# daemons such as apache or sshd, as well as against suid/sgid binaries -# will be deterred. When a child of a forking daemon is killed by PaX -# or crashes due to an illegal instruction or other suspicious signal, -# the parent process will be delayed 30 seconds upon every subsequent -# fork until the administrator is able to assess the situation and -# restart the daemon. -# In the suid/sgid case, the attempt is logged, the user has all their -# existing instances of the suid/sgid binary terminated and will -# be unable to execute any suid/sgid binaries for 15 minutes. -# -# It is recommended that you also enable signal logging in the auditing -# section so that logs are generated when a process triggers a suspicious -# signal. -# If the sysctl option is enabled, a sysctl option with name -# "deter_bruteforce" is created. -kernel.grsecurity.deter_bruteforce = 1 - # # Filesystem Protections # @@ -55,341 +23,9 @@ kernel.grsecurity.deter_bruteforce = 1 # Increase system file descriptor limit fs.file-max = 65535 -# If you say Y here, /tmp race exploits will be prevented, since users -# will no longer be able to follow symlinks owned by other users in -# world-writable +t directories (e.g. /tmp), unless the owner of the -# symlink is the owner of the directory. users will also not be -# able to hardlink to files they do not own. If the sysctl option is -# enabled, a sysctl option with name "linking_restrictions" is created. -kernel.grsecurity.linking_restrictions = 1 - - -# Apache's SymlinksIfOwnerMatch option has an inherent race condition -# that prevents it from being used as a security feature. As Apache -# verifies the symlink by performing a stat() against the target of -# the symlink before it is followed, an attacker can setup a symlink -# to point to a same-owned file, then replace the symlink with one -# that targets another user's file just after Apache "validates" the -# symlink -- a classic TOCTOU race. If you say Y here, a complete, -# race-free replacement for Apache's "SymlinksIfOwnerMatch" option -# will be in place for the group you specify. If the sysctl option -# is enabled, a sysctl option with name "enforce_symlinksifowner" is -# created. -kernel.grsecurity.enforce_symlinksifowner = 1 -kernel.grsecurity.symlinkown_gid = 15 - -# if you say Y here, users will not be able to write to FIFOs they don't -# own in world-writable +t directories (e.g. /tmp), unless the owner of -# the FIFO is the same owner of the directory it's held in. If the sysctl -# option is enabled, a sysctl option with name "fifo_restrictions" is -# created. -kernel.grsecurity.fifo_restrictions = 1 - -# If you say Y here, a sysctl option with name "romount_protect" will -# be created. By setting this option to 1 at runtime, filesystems -# will be protected in the following ways: -# * No new writable mounts will be allowed -# * Existing read-only mounts won't be able to be remounted read/write -# * Write operations will be denied on all block devices -# This option acts independently of grsec_lock: once it is set to 1, -# it cannot be turned off. Therefore, please be mindful of the resulting -# behavior if this option is enabled in an init script on a read-only -# filesystem. -# Also be aware that as with other root-focused features, GRKERNSEC_KMEM -# and GRKERNSEC_IO should be enabled and module loading disabled via -# config or at runtime. -# This feature is mainly intended for secure embedded systems. -#kernel.grsecurity.romount_protect = 1 - -# if you say Y here, the capabilities on all processes within a -# chroot jail will be lowered to stop module insertion, raw i/o, -# system and net admin tasks, rebooting the system, modifying immutable -# files, modifying IPC owned by another, and changing the system time. -# This is left an option because it can break some apps. Disable this -# if your chrooted apps are having problems performing those kinds of -# tasks. If the sysctl option is enabled, a sysctl option with -# name "chroot_caps" is created. -kernel.grsecurity.chroot_caps = 1 - -#kernel.grsecurity.chroot_deny_bad_rename = 1 - -# If you say Y here, processes inside a chroot will not be able to chmod -# or fchmod files to make them have suid or sgid bits. This protects -# against another published method of breaking a chroot. If the sysctl -# option is enabled, a sysctl option with name "chroot_deny_chmod" is -# created. -kernel.grsecurity.chroot_deny_chmod = 1 - -# If you say Y here, processes inside a chroot will not be able to chroot -# again outside the chroot. This is a widely used method of breaking -# out of a chroot jail and should not be allowed. If the sysctl -# option is enabled, a sysctl option with name -# "chroot_deny_chroot" is created. -kernel.grsecurity.chroot_deny_chroot = 1 - -# If you say Y here, a well-known method of breaking chroots by fchdir'ing -# to a file descriptor of the chrooting process that points to a directory -# outside the filesystem will be stopped. If the sysctl option -# is enabled, a sysctl option with name "chroot_deny_fchdir" is created. -kernel.grsecurity.chroot_deny_fchdir = 1 - -# If you say Y here, processes inside a chroot will not be allowed to -# mknod. The problem with using mknod inside a chroot is that it -# would allow an attacker to create a device entry that is the same -# as one on the physical root of your system, which could range from -# anything from the console device to a device for your harddrive (which -# they could then use to wipe the drive or steal data). It is recommended -# that you say Y here, unless you run into software incompatibilities. -# If the sysctl option is enabled, a sysctl option with name -# "chroot_deny_mknod" is created. -kernel.grsecurity.chroot_deny_mknod = 1 - -# If you say Y here, processes inside a chroot will not be able to -# mount or remount filesystems. If the sysctl option is enabled, a -# sysctl option with name "chroot_deny_mount" is created. -kernel.grsecurity.chroot_deny_mount = 1 - -# If you say Y here, processes inside a chroot will not be able to use -# a function called pivot_root() that was introduced in Linux 2.3.41. It -# works similar to chroot in that it changes the root filesystem. This -# function could be misused in a chrooted process to attempt to break out -# of the chroot, and therefore should not be allowed. If the sysctl -# option is enabled, a sysctl option with name "chroot_deny_pivot" is -# created. -kernel.grsecurity.chroot_deny_pivot = 1 - -# If you say Y here, processes inside a chroot will not be able to attach -# to shared memory segments that were created outside of the chroot jail. -# It is recommended that you say Y here. If the sysctl option is enabled, -# a sysctl option with name "chroot_deny_shmat" is created. -kernel.grsecurity.chroot_deny_shmat = 1 - -# If you say Y here, an attacker in a chroot will not be able to -# write to sysctl entries, either by sysctl(2) or through a /proc -# interface. It is strongly recommended that you say Y here. If the -# sysctl option is enabled, a sysctl option with name -# "chroot_deny_sysctl" is created. -kernel.grsecurity.chroot_deny_sysctl = 1 - -# If you say Y here, processes inside a chroot will not be able to -# connect to abstract (meaning not belonging to a filesystem) Unix -# domain sockets that were bound outside of a chroot. It is recommended -# that you say Y here. If the sysctl option is enabled, a sysctl option -# with name "chroot_deny_unix" is created. -kernel.grsecurity.chroot_deny_unix = 1 - -# If you say Y here, the current working directory of all newly-chrooted -# applications will be set to the the root directory of the chroot. -# The man page on chroot(2) states: -# Note that usually chhroot does not change the current working -# directory, so that `.' can be outside the tree rooted at -# `/'. In particular, the super-user can escape from a -# `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. -# -# It is recommended that you say Y here, since it's not known to break -# any software. If the sysctl option is enabled, a sysctl option with -# name "chroot_enforce_chdir" is created. -kernel.grsecurity.chroot_enforce_chdir = 1 - -# If you say Y here, processes inside a chroot will not be able to -# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, -# getsid, or view any process outside of the chroot. If the sysctl -# option is enabled, a sysctl option with name "chroot_findtask" is -# created. -kernel.grsecurity.chroot_findtask = 1 - -# If you say Y here, processes inside a chroot will not be able to raise -# the priority of processes in the chroot, or alter the priority of -# processes outside the chroot. This provides more security than simply -# removing CAP_SYS_NICE from the process' capability set. If the -# sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" -# is created. -kernel.grsecurity.chroot_restrict_nice = 1 - -# -# Kernel Auditing -# - -# If you say Y here, the exec and chdir logging features will only operate -# on a group you specify. This option is recommended if you only want to -# watch certain users instead of having a large amount of logs from the -# entire system. If the sysctl option is enabled, a sysctl option with -# name "audit_group" is created. -kernel.grsecurity.audit_group = 1 - -# If you say Y here, the exec and chdir logging features will only operate -# on a group you specify. This option is recommended if you only want to -# watch certain users instead of having a large amount of logs from the -# entire system. If the sysctl option is enabled, a sysctl option with -# name "audit_group" is created. -kernel.grsecurity.audit_gid = 99 - -# If you say Y here, all execve() calls will be logged (since the -# other exec*() calls are frontends to execve(), all execution -# will be logged). Useful for shell-servers that like to keep track -# of their users. If the sysctl option is enabled, a sysctl option with -# name "exec_logging" is created. -# WARNING: This option when enabled will produce a LOT of logs, especially -# on an active system. -kernel.grsecurity.exec_logging = 0 - -# If you say Y here, all attempts to overstep resource limits will -# be logged with the resource name, the requested size, and the current -# limit. It is highly recommended that you say Y here. If the sysctl -# option is enabled, a sysctl option with name "resource_logging" is -# created. If the RBAC system is enabled, the sysctl value is ignored. -kernel.grsecurity.resource_logging = 1 - -# If you say Y here, all executions inside a chroot jail will be logged -# to syslog. This can cause a large amount of logs if certain -# applications (eg. djb's daemontools) are installed on the system, and -# is therefore left as an option. If the sysctl option is enabled, a -# sysctl option with name "chroot_execlog" is created. -kernel.grsecurity.chroot_execlog = 0 - -# If you say Y here, all attempts to attach to a process via ptrace -# will be logged. If the sysctl option is enabled, a sysctl option -# with name "audit_ptrace" is created. -#kernel.grsecurity.audit_ptrace = 1 - -# If you say Y here, all attempts to attach to a process via ptrace -# will be logged. If the sysctl option is enabled, a sysctl option -# with name "audit_ptrace" is created. -kernel.grsecurity.audit_chdir = 0 - -# If you say Y here, all mounts and unmounts will be logged. If the -# sysctl option is enabled, a sysctl option with name "audit_mount" is -# created. -kernel.grsecurity.audit_mount = 1 - -# If you say Y here, certain important signals will be logged, such as -# SIGSEGV, which will as a result inform you of when a error in a program -# occurred, which in some cases could mean a possible exploit attempt. -# If the sysctl option is enabled, a sysctl option with name -# "signal_logging" is created. -kernel.grsecurity.signal_logging = 1 - -# If you say Y here, all failed fork() attempts will be logged. -# This could suggest a fork bomb, or someone attempting to overstep -# their process limit. If the sysctl option is enabled, a sysctl option -# with name "forkfail_logging" is created. -kernel.grsecurity.forkfail_logging = 1 - -# If you say Y here, any changes of the system clock will be logged. -# If the sysctl option is enabled, a sysctl option with name -# "timechange_logging" is created. -kernel.grsecurity.timechange_logging = 1 - -# if you say Y here, calls to mmap() and mprotect() with explicit -# usage of PROT_WRITE and PROT_EXEC together will be logged when -# denied by the PAX_MPROTECT feature. This feature will also -# log other problematic scenarios that can occur when PAX_MPROTECT -# is enabled on a binary, like textrels and PT_GNU_STACK. If the -# sysctl option is enabled, a sysctl option with name "rwxmap_logging" -# is created. -kernel.grsecurity.rwxmap_logging = 1 - -# -# Executable Protections -# - - -# if you say Y here, non-root users will not be able to use dmesg(8) -# to view the contents of the kernel's circular log buffer. -# The kernel's log buffer often contains kernel addresses and other -# identifying information useful to an attacker in fingerprinting a -# system for a targeted exploit. -# If the sysctl option is enabled, a sysctl option with name "dmesg" is -# created. -kernel.grsecurity.dmesg = 1 - # Hide symbol addresses in /proc/kallsyms kernel.kptr_restrict = 2 -# If you say Y here, TTY sniffers and other malicious monitoring -# programs implemented through ptrace will be defeated. If you -# have been using the RBAC system, this option has already been -# enabled for several years for all users, with the ability to make -# fine-grained exceptions. -# -# This option only affects the ability of non-root users to ptrace -# processes that are not a descendent of the ptracing process. -# This means that strace ./binary and gdb ./binary will still work, -# but attaching to arbitrary processes will not. If the sysctl -# option is enabled, a sysctl option with name "harden_ptrace" is -# created. -kernel.grsecurity.harden_ptrace = 1 - -# If you say Y here, unprivileged users will not be able to ptrace unreadable -# binaries. This option is useful in environments that -# remove the read bits (e.g. file mode 4711) from suid binaries to -# prevent infoleaking of their contents. This option adds -# consistency to the use of that file mode, as the binary could normally -# be read out when run without privileges while ptracing. -# -# If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" -# is created. -kernel.grsecurity.ptrace_readexec = 1 - -# If you say Y here, a change from a root uid to a non-root uid -# in a multithreaded application will cause the resulting uids, -# gids, supplementary groups, and capabilities in that thread -# to be propagated to the other threads of the process. In most -# cases this is unnecessary, as glibc will emulate this behavior -# on behalf of the application. Other libcs do not act in the -# same way, allowing the other threads of the process to continue -# running with root privileges. If the sysctl option is enabled, -# a sysctl option with name "consistent_setxid" is created. -kernel.grsecurity.consistent_setxid = 1 - -# If you say Y here, access to overly-permissive IPC objects (shared -# memory, message queues, and semaphores) will be denied for processes -# given the following criteria beyond normal permission checks: -# 1) If the IPC object is world-accessible and the euid doesn't match -# that of the creator or current uid for the IPC object -# 2) If the IPC object is group-accessible and the egid doesn't -# match that of the creator or current gid for the IPC object -# It's a common error to grant too much permission to these objects, -# with impact ranging from denial of service and information leaking to -# privilege escalation. This feature was developed in response to -# research by Tim Brown: -# http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ -# who found hundreds of such insecure usages. Processes with -# CAP_IPC_OWNER are still permitted to access these IPC objects. -# If the sysctl option is enabled, a sysctl option with name -# "harden_ipc" is created. -kernel.grsecurity.harden_ipc = 1 - -# If you say Y here, you will be able to choose a gid to add to the -# supplementary groups of users you want to mark as "untrusted." -# These users will not be able to execute any files that are not in -# root-owned directories writable only by root. If the sysctl option -# is enabled, a sysctl option with name "tpe" is created. -kernel.grsecurity.tpe = 1 -kernel.grsecurity.tpe_gid = 100 - -# If you say Y here, the group you specify in the TPE configuration will -# decide what group TPE restrictions will be *disabled* for. This -# option is useful if you want TPE restrictions to be applied to most -# users on the system. If the sysctl option is enabled, a sysctl option -# with name "tpe_invert" is created. Unlike other sysctl options, this -# entry will default to on for backward-compatibility. -kernel.grsecurity.tpe_invert = 0 - -# If you say Y here, all non-root users will be covered under -# a weaker TPE restriction. This is separate from, and in addition to, -# the main TPE options that you have selected elsewhere. Thus, if a -# "trusted" GID is chosen, this restriction applies to even that GID. -# Under this restriction, all non-root users will only be allowed to -# execute files in directories they own that are not group or -# world-writable, or in directories owned by root and writable only by -# root. If the sysctl option is enabled, a sysctl option with name -# "tpe_restrict_all" is created. -kernel.grsecurity.tpe_restrict_all = 1 - - -kernel.grsecurity.harden_tty = 1 - # # Network Protections # @@ -455,7 +91,6 @@ net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 - # Make sure no one can alter the routing tables # Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 @@ -495,96 +130,4 @@ net.ipv4.tcp_keepalive_time = 1800 # Sen SynAck retries to 3 net.ipv4.tcp_synack_retries = 3 -# If you say Y here, neither TCP resets nor ICMP -# destination-unreachable packets will be sent in response to packets -# sent to ports for which no associated listening process exists. -# This feature supports both IPV4 and IPV6 and exempts the -# loopback interface from blackholing. Enabling this feature -# makes a host more resilient to DoS attacks and reduces network -# visibility against scanners. -# -# The blackhole feature as-implemented is equivalent to the FreeBSD -# blackhole feature, as it prevents RST responses to all packets, not -# just SYNs. Under most application behavior this causes no -# problems, but applications (like haproxy) may not close certain -# connections in a way that cleanly terminates them on the remote -# end, leaving the remote host in LAST_ACK state. Because of this -# side-effect and to prevent intentional LAST_ACK DoSes, this -# feature also adds automatic mitigation against such attacks. -# The mitigation drastically reduces the amount of time a socket -# can spend in LAST_ACK state. If you're using haproxy and not -# all servers it connects to have this option enabled, consider -# disabling this feature on the haproxy host. -# -# If the sysctl option is enabled, two sysctl options with names -# "ip_blackhole" and "lastack_retries" will be created. -# While "ip_blackhole" takes the standard zero/non-zero on/off -# toggle, "lastack_retries" uses the same kinds of values as -# "tcp_retries1" and "tcp_retries2". The default value of 4 -# prevents a socket from lasting more than 45 seconds in LAST_ACK -# state. -kernel.grsecurity.ip_blackhole = 1 -kernel.grsecurity.lastack_retries = 4 - -# If you say Y here, you will be able to choose a GID of whose users will -# be unable to connect to other hosts from your machine or run server -# applications from your machine. If the sysctl option is enabled, a -# sysctl option with name "socket_all" is created. -kernel.grsecurity.socket_all = 1 - -# Here you can choose the GID to disable socket access for. Remember to -# add the users you want socket access disabled for to the GID -# specified here. If the sysctl option is enabled, a sysctl option -# with name "socket_all_gid" is created. -kernel.grsecurity.socket_all_gid = 200 - -# If you say Y here, you will be able to choose a GID of whose users will -# be unable to connect to other hosts from your machine, but will be -# able to run servers. If this option is enabled, all users in the group -# you specify will have to use passive mode when initiating ftp transfers -# from the shell on your machine. If the sysctl option is enabled, a -# sysctl option with name "socket_client" is created. -kernel.grsecurity.socket_client = 1 - -# Here you can choose the GID to disable client socket access for. -# Remember to add the users you want client socket access disabled for to -# the GID specified here. If the sysctl option is enabled, a sysctl -# option with name "socket_client_gid" is created. -kernel.grsecurity.socket_client_gid = 201 - -# If you say Y here, you will be able to choose a GID of whose users will -# be unable to connect to other hosts from your machine, but will be -# able to run servers. If this option is enabled, all users in the group -# you specify will have to use passive mode when initiating ftp transfers -# from the shell on your machine. If the sysctl option is enabled, a -# sysctl option with name "socket_client" is created. -kernel.grsecurity.socket_server = 1 - -# Here you can choose the GID to disable server socket access for. -# Remember to add the users you want server socket access disabled for to -# the GID specified here. If the sysctl option is enabled, a sysctl -# option with name "socket_server_gid" is created. -kernel.grsecurity.socket_server_gid = 99 - -# -# Physical Protections -# - -# If you say Y here, a new sysctl option with name "deny_new_usb" -# will be created. Setting its value to 1 will prevent any new -# USB devices from being recognized by the OS. Any attempted USB -# device insertion will be logged. This option is intended to be -# used against custom USB devices designed to exploit vulnerabilities -# in various USB device drivers. -# -# For greatest effectiveness, this sysctl should be set after any -# relevant init scripts. This option is safe to enable in distros -# as each user can choose whether or not to toggle the sysctl. -kernel.grsecurity.deny_new_usb = 0 - -# -# Restrict grsec sysctl changes after this was set -# -kernel.grsecurity.grsec_lock = 0 - # End of file diff --git a/core/exim.html b/core/exim.html index 7e1fd28..3b86bb7 100644 --- a/core/exim.html +++ b/core/exim.html @@ -2,13 +2,13 @@ - 2.6. Exim + 2.5. Exim Core OS Index -

    2.6. Exim

    +

    2.5. Exim

    -

    2.6.1. Exim Configuration

    +

    2.5.1. Exim Configuration

    Exim come with default configuration we will change to mach system settings /etc/exim/exim.conf.

    @@ -17,7 +17,7 @@ $ sudo prt-get depinst mailx -

    2.6.2. Certificates

    +

    2.5.2. Certificates

    Exim creates a key for you if you just copy exim.conf and start daemon;

    @@ -64,7 +64,7 @@ # chmod 644 /etc/ssl/certs/exim.cert -

    2.6.3. Aliases

    +

    2.5.3. Aliases

    Exim come with default aliases we will change to mach system settings /etc/exim/aliases;

    @@ -109,7 +109,7 @@ #### -

    2.6.4. Smarthost

    +

    2.5.4. Smarthost

    Tony Finch publish a nice configuration reference. @@ -133,7 +133,7 @@ # exim -bt bob@remote.com -

    2.6. Fetchmail

    +

    2.5. Fetchmail

             $ prt-get depinst fetchmail
diff --git a/core/hardening.html b/core/hardening.html
index 1455398..8e9788f 100644
--- a/core/hardening.html
+++ b/core/hardening.html
@@ -2,25 +2,51 @@
 
     
         
-        2.2. Hardening
+        2.6. Hardening
     
     
 
         Core OS Index
 
-        
    2.2. Hardening
    
+        
    2.6. Hardening
    
 
-        
    Check apparmor,
-        sysctl, 
-        toolchain and
-        samhain before running tests.
    
+        
    2.6.0.1 System configuration
    
 
-        
    Mount some filesystems in read only
    
-        
    Check processes running as root
    
-        
    Check processes users premissions
    
+        
    
+            
    File systems
    
+            
    Check fstab and current mount options. Mount filesystems in read only, only strict necessary in rw.
    
+            
    Sys
    
+            
    Check kernel settings with sysctl.
    
+            
    Iptables
    
+            
    Check if iptables rules are loaded and are correctly logging.
    
+            
    Apparmor
    
+            
    Check if apparmor is active and enforcing policies.
    
+            
    Samhain
    
+            
    Check if samhain is running.
    
+            
    Toolchain
    
+            
    Build ports using hardened toolchain settings.
    
+        
    
+
+        
    System security
    
+
+        
    +        $ sudo prt-get depinst checksec
+        
    
+
+        
    
+            
    User / Pam
    
+            
    Normal user is not part of wheel group
+            or have administration rights.
    
+            
    Disable su.
    
+            
    Processes
    
+            
    Check processes running as root
    
+            
    Check processes users premissions
    
+        
    
+
+        
    2.6.0.2 Lynis
    
 
         
    -        $ sudo prt-get depinst checksec lynis
+        $ sudo prt-get depinst lynis
         
    
 
         
    Lynis gives a view of system overall configuration, without changing
@@ -44,7 +70,7 @@
 
         Core OS Index
         
    This is part of the Hive System Documentation.
-        Copyright (C) 2018
+        Copyright (C) 2019
         Hive Team.
         See the file Gnu Free Documentation License
         for copying conditions.
    
diff --git a/core/index.html b/core/index.html
index d19f9e0..c9d5d4b 100644
--- a/core/index.html
+++ b/core/index.html
@@ -103,49 +103,47 @@
 		    
  • 2.1.6. Remove
    • 
 		
 	    
-	    
  • 2.2. Hardening
+	    
  • 2.2. Network
 		
 	    
    • 
-	    
  • 2.3. Network
+	    
  • 2.3. Package Management
 		
 	    
    • 
-
-	    
  • 2.4. Package Management
+	    
  • 2.4. Terminals and shells
 		
 	    
    • 
-
-	    
  • 2.5. Terminals and shells
+	    
  • 2.5. Exim
 		
 	    
    • 
-	    
  • 2.6. Exim
+	    
  • 2.6. Hardening
 		
 	    
    • 
 
diff --git a/core/network.html b/core/network.html
index c87acf9..4a412ad 100644
--- a/core/network.html
+++ b/core/network.html
@@ -2,12 +2,12 @@
 
     
         
-        2.3. Network
+        2.2. Network
     
     
         Core OS Index
 
-        
    2.3. Network
    
+        
    2.2. Network
    
 
         
    Operation of the network can be handle with init scripts or with
         network manager;
    
@@ -52,7 +52,7 @@
         described scripts then proceed to
         update system.
    
 
-        
    2.3.1. Resolver
    
+        
    2.2.1. Resolver
    
 
         
    This example will use
         Chaos Computer Club
@@ -60,7 +60,7 @@
 
         
             # /etc/resolv.conf.head can replace this line
-        nameserver 213.73.91.35
+        nameserver 2.2.73.91.35
         # /etc/resolv.conf.tail can replace this line
         
    
 
@@ -68,7 +68,7 @@
         # chattr +i /etc/resolv.conf
    -

    2.3.2. Static IP

    +

    2.2.2. Static IP

    Current example of /etc/rc.d/net;

    @@ -115,7 +115,7 @@ # ip route add default via ${GW} -

    2.3.3. Iptables

    +

    2.2.3. Iptables

    For more information about firewall systems read arch wiki iptables @@ -269,7 +269,7 @@ # iptables -L -n -v | less -

    2.3.3.1. Iptable scripts

    +

    2.2.3.1. Iptable scripts

    Scripts help to setup iptables rules so they can be saved using iptables-save and later restored using iptables-restore utilities. Init script @@ -300,7 +300,7 @@ with your network configuration, and adjust /etc/iptables/ipt-server.sh, /etc/iptables/ipt-bridge.sh, /etc/iptables/ipt-open.sh according with host necessities.

    -

    2.3.4. Wpa and dhcpd

    +

    2.2.4. Wpa and dhcpd

    There is more information on Wiki Wifi Start Scripts and @@ -318,7 +318,7 @@ # iwconfig wlp2s0 essid NAME key s:ABCDE12345 -

    2.3.4.1. Wpa Supplicant

    +

    2.2.4.1. Wpa Supplicant

    Configure wpa supplicant edit;

    @@ -348,7 +348,7 @@ init script to auto load wpa configuration and dhcp client.

    -

    2.3.4.2. Wpa Cli

    +

    2.2.4.2. Wpa Cli

             # wpa_cli
@@ -387,18 +387,33 @@
         > save_config
    -

    2.3.5. Network Manager

    +

    2.2.5. Network Manager

    + +

    Wifi status;

    + + 
    +        $ nmcli radio wifi
+        $ nmcli radio wifi on
+

    List wifi networks;

    -        nmcli device wifi list
+        $ nmcli device wifi rescan
+        $ nmcli device wifi list

    Connect to a wifi network;

    -        nmcli device wifi connect "network name" password "network password"
+        $ nmcli device wifi connect "network name" password "network password"
+
    + +

    Edit and save network configuration;

    + + 
    +        $ nmcli connection edit "network name"
+        nmcli> save persistent
    Core OS Index diff --git a/core/package.html b/core/package.html index e0f8eae..7d4c8b5 100644 --- a/core/package.html +++ b/core/package.html @@ -2,13 +2,13 @@ - 2.4. Package Management + 2.3. Package Management Core OS Index -

    2.4. Package Management

    +

    2.3. Package Management

    For more information read crux handbook Package management front-end: @@ -57,7 +57,7 @@ $ prt-get depinst prt-utils prt-get-bashcompletion -

    2.4.1. Update System

    +

    2.3.1. Update System

    Before build software get latest version of port collections;

    @@ -87,7 +87,7 @@ $ prt-get update -fr $(revdep) -

    2.4.2. Install port and dependencies

    +

    2.3.2. Install port and dependencies

    Installing using prt-get tool;

    @@ -111,7 +111,7 @@

    If you user pkgmk and pkgadd allways check if README, pre and post instal files exist.

    -

    2.4.3. Ports collections

    +

    2.3.3. Ports collections

    Clone this documentation;

    @@ -148,7 +148,7 @@ $ sudo ports -u 6c37 -

    2.4.4. Show port information

    +

    2.3.4. Show port information

             $ prt-get info port_name
@@ -166,13 +166,13 @@
         $ pkginfo -o filename
    -

    2.4.5. Show port dependencies

    +

    2.3.5. Show port dependencies

             $ prt-get depends port_name
    -

    2.4.6. Print information

    +

    2.3.6. Print information

    Example how to get ports installed from contrib. Maybe there is a "cleaner" way to this, for now is ok;

    diff --git a/core/samhain.html b/core/samhain.html index d28a6d2..a209864 100644 --- a/core/samhain.html +++ b/core/samhain.html @@ -2,13 +2,13 @@ - 2.2.4. Samhain + 2.6.4. Samhain Core OS Index -

    2.2.4. Samhain

    +

    2.6.4. Samhain

    Read Samhain Manual, @@ -37,7 +37,7 @@

    log file
    -

    2.2.4.1. Configure

    +

    2.6.4.1. Configure

    For more information on configuration check Monitoring Policies. @@ -234,7 +234,7 @@ # samhain status -

    2.2.4.2. Update database

    +

    2.6.4.2. Update database

    Manual, You can update the database while the daemon is running, as long diff --git a/core/sysctl.html b/core/sysctl.html index d06afde..a5af197 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -2,24 +2,18 @@ - 2.2.2. Sysctl + 2.6.2. Sysctl Core OS Index -

    2.2.2. Sysctl

    +

    2.6.2. Sysctl

    Sysctl references Arch TCP/IP stack hardening, Cyberciti Nginx Hardning, - Cyberciti Security Hardening, - Grsecurity and PaX Configuration.

    - -

    Since kernels on machine-ports have PaX - and grsecurity, - /etc/sysctl.conf can have follow - values;

    + Cyberciti Security Hardening.

             #
@@ -27,50 +21,18 @@
         #
 
         kernel.printk = 7 1 1 4
+
         kernel.randomize_va_space = 2
+
         # Shared Memory
         #kernel.shmmax = 500000000
         # Total allocated file handlers that can be allocated
         # fs.file-nr=
         vm.mmap_min_addr=65536
+
         # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
         kernel.pid_max = 65536
 
-        #
-        # Memory Protections
-        #
-
-        #  If you say Y here, all ioperm and iopl calls will return an error.
-        #  Ioperm and iopl can be used to modify the running kernel.
-        #  Unfortunately, some programs need this access to operate properly,
-        #  the most notable of which are XFree86 and hwclock.  hwclock can be
-        #  remedied by having RTC support in the kernel, so real-time
-        #  clock support is enabled if this option is enabled, to ensure
-        #  that hwclock operates correctly.
-        #
-        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
-        #  you may not be able to boot into a graphical environment with this
-        #  option enabled.  In this case, you should use the RBAC system instead.
-        kernel.grsecurity.disable_priv_io = 1
-
-        #  If you say Y here, attempts to bruteforce exploits against forking
-        #  daemons such as apache or sshd, as well as against suid/sgid binaries
-        #  will be deterred.  When a child of a forking daemon is killed by PaX
-        #  or crashes due to an illegal instruction or other suspicious signal,
-        #  the parent process will be delayed 30 seconds upon every subsequent
-        #  fork until the administrator is able to assess the situation and
-        #  restart the daemon.
-        #  In the suid/sgid case, the attempt is logged, the user has all their
-        #  existing instances of the suid/sgid binary terminated and will
-        #  be unable to execute any suid/sgid binaries for 15 minutes.
-        #
-        #  It is recommended that you also enable signal logging in the auditing
-        #  section so that logs are generated when a process triggers a suspicious
-        #  signal.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "deter_bruteforce" is created.
-        kernel.grsecurity.deter_bruteforce = 1
-
         #
         # Filesystem Protections
         #
@@ -79,341 +41,9 @@
         # Increase system file descriptor limit
         fs.file-max = 65535
 
-        #  If you say Y here, /tmp race exploits will be prevented, since users
-        #  will no longer be able to follow symlinks owned by other users in
-        #  world-writable +t directories (e.g. /tmp), unless the owner of the
-        #  symlink is the owner of the directory. users will also not be
-        #  able to hardlink to files they do not own.  If the sysctl option is
-        #  enabled, a sysctl option with name "linking_restrictions" is created.
-        kernel.grsecurity.linking_restrictions = 1
-
-
-        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
-        #  that prevents it from being used as a security feature.  As Apache
-        #  verifies the symlink by performing a stat() against the target of
-        #  the symlink before it is followed, an attacker can setup a symlink
-        #  to point to a same-owned file, then replace the symlink with one
-        #  that targets another user's file just after Apache "validates" the
-        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
-        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
-        #  will be in place for the group you specify. If the sysctl option
-        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
-        #  created.
-        kernel.grsecurity.enforce_symlinksifowner = 1
-        kernel.grsecurity.symlinkown_gid = 15
-
-        #  if you say Y here, users will not be able to write to FIFOs they don't
-        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
-        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
-        #  option is enabled, a sysctl option with name "fifo_restrictions" is
-        #  created.
-        kernel.grsecurity.fifo_restrictions = 1
-
-        #  If you say Y here, a sysctl option with name "romount_protect" will
-        #  be created.  By setting this option to 1 at runtime, filesystems
-        #  will be protected in the following ways:
-        #  * No new writable mounts will be allowed
-        #  * Existing read-only mounts won't be able to be remounted read/write
-        #  * Write operations will be denied on all block devices
-        #  This option acts independently of grsec_lock: once it is set to 1,
-        #  it cannot be turned off.  Therefore, please be mindful of the resulting
-        #  behavior if this option is enabled in an init script on a read-only
-        #  filesystem.
-        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
-        #  and GRKERNSEC_IO should be enabled and module loading disabled via
-        #  config or at runtime.
-        #  This feature is mainly intended for secure embedded systems.
-        #kernel.grsecurity.romount_protect = 1
-
-        #  if you say Y here, the capabilities on all processes within a
-        #  chroot jail will be lowered to stop module insertion, raw i/o,
-        #  system and net admin tasks, rebooting the system, modifying immutable
-        #  files, modifying IPC owned by another, and changing the system time.
-        #  This is left an option because it can break some apps.  Disable this
-        #  if your chrooted apps are having problems performing those kinds of
-        #  tasks.  If the sysctl option is enabled, a sysctl option with
-        #  name "chroot_caps" is created.
-        kernel.grsecurity.chroot_caps = 1
-
-        #kernel.grsecurity.chroot_deny_bad_rename = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to chmod
-        #  or fchmod files to make them have suid or sgid bits.  This protects
-        #  against another published method of breaking a chroot.  If the sysctl
-        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
-        #  created.
-        kernel.grsecurity.chroot_deny_chmod = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to chroot
-        #  again outside the chroot.  This is a widely used method of breaking
-        #  out of a chroot jail and should not be allowed.  If the sysctl
-        #  option is enabled, a sysctl option with name
-        #  "chroot_deny_chroot" is created.
-        kernel.grsecurity.chroot_deny_chroot = 1
-
-        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
-        #  to a file descriptor of the chrooting process that points to a directory
-        #  outside the filesystem will be stopped.  If the sysctl option
-        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
-        kernel.grsecurity.chroot_deny_fchdir = 1
-
-        #  If you say Y here, processes inside a chroot will not be allowed to
-        #  mknod.  The problem with using mknod inside a chroot is that it
-        #  would allow an attacker to create a device entry that is the same
-        #  as one on the physical root of your system, which could range from
-        #  anything from the console device to a device for your harddrive (which
-        #  they could then use to wipe the drive or steal data).  It is recommended
-        #  that you say Y here, unless you run into software incompatibilities.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "chroot_deny_mknod" is created.
-        kernel.grsecurity.chroot_deny_mknod = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to
-        #  mount or remount filesystems.  If the sysctl option is enabled, a
-        #  sysctl option with name "chroot_deny_mount" is created.
-        kernel.grsecurity.chroot_deny_mount = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to use
-        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
-        #  works similar to chroot in that it changes the root filesystem.  This
-        #  function could be misused in a chrooted process to attempt to break out
-        #  of the chroot, and therefore should not be allowed.  If the sysctl
-        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
-        #  created.
-        kernel.grsecurity.chroot_deny_pivot     = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to attach
-        #  to shared memory segments that were created outside of the chroot jail.
-        #  It is recommended that you say Y here.  If the sysctl option is enabled,
-        #  a sysctl option with name "chroot_deny_shmat" is created.
-        kernel.grsecurity.chroot_deny_shmat = 1
-
-        #  If you say Y here, an attacker in a chroot will not be able to
-        #  write to sysctl entries, either by sysctl(2) or through a /proc
-        #  interface.  It is strongly recommended that you say Y here. If the
-        #  sysctl option is enabled, a sysctl option with name
-        #  "chroot_deny_sysctl" is created.
-        kernel.grsecurity.chroot_deny_sysctl = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to
-        #  connect to abstract (meaning not belonging to a filesystem) Unix
-        #  domain sockets that were bound outside of a chroot.  It is recommended
-        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
-        #  with name "chroot_deny_unix" is created.
-        kernel.grsecurity.chroot_deny_unix = 1
-
-        #  If you say Y here, the current working directory of all newly-chrooted
-        #  applications will be set to the the root directory of the chroot.
-        #  The man page on chroot(2) states:
-        #  Note that usually chhroot does not change  the  current  working
-        #  directory,  so  that `.' can be outside the tree rooted at
-        #  `/'.  In particular, the  super-user  can  escape  from  a
-        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
-        #
-        #  It is recommended that you say Y here, since it's not known to break
-        #  any software.  If the sysctl option is enabled, a sysctl option with
-        #  name "chroot_enforce_chdir" is created.
-        kernel.grsecurity.chroot_enforce_chdir  = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to
-        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
-        #  getsid, or view any process outside of the chroot.  If the sysctl
-        #  option is enabled, a sysctl option with name "chroot_findtask" is
-        #  created.
-        kernel.grsecurity.chroot_findtask = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to raise
-        #  the priority of processes in the chroot, or alter the priority of
-        #  processes outside the chroot.  This provides more security than simply
-        #  removing CAP_SYS_NICE from the process' capability set.  If the
-        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
-        #  is created.
-        kernel.grsecurity.chroot_restrict_nice = 1
-
-        #
-        # Kernel Auditing
-        #
-
-        #  If you say Y here, the exec and chdir logging features will only operate
-        #  on a group you specify.  This option is recommended if you only want to
-        #  watch certain users instead of having a large amount of logs from the
-        #  entire system.  If the sysctl option is enabled, a sysctl option with
-        #  name "audit_group" is created.
-        kernel.grsecurity.audit_group = 1
-
-        #  If you say Y here, the exec and chdir logging features will only operate
-        #  on a group you specify.  This option is recommended if you only want to
-        #  watch certain users instead of having a large amount of logs from the
-        #  entire system.  If the sysctl option is enabled, a sysctl option with
-        #  name "audit_group" is created.
-        kernel.grsecurity.audit_gid = 99
-
-        #  If you say Y here, all execve() calls will be logged (since the
-        #  other exec*() calls are frontends to execve(), all execution
-        #  will be logged).  Useful for shell-servers that like to keep track
-        #  of their users.  If the sysctl option is enabled, a sysctl option with
-        #  name "exec_logging" is created.
-        #  WARNING: This option when enabled will produce a LOT of logs, especially
-        #  on an active system.
-        kernel.grsecurity.exec_logging = 0
-
-        #  If you say Y here, all attempts to overstep resource limits will
-        #  be logged with the resource name, the requested size, and the current
-        #  limit.  It is highly recommended that you say Y here.  If the sysctl
-        #  option is enabled, a sysctl option with name "resource_logging" is
-        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
-        kernel.grsecurity.resource_logging = 1
-
-        #  If you say Y here, all executions inside a chroot jail will be logged
-        #  to syslog.  This can cause a large amount of logs if certain
-        #  applications (eg. djb's daemontools) are installed on the system, and
-        #  is therefore left as an option.  If the sysctl option is enabled, a
-        #  sysctl option with name "chroot_execlog" is created.
-        kernel.grsecurity.chroot_execlog = 0
-
-        #  If you say Y here, all attempts to attach to a process via ptrace
-        #  will be logged.  If the sysctl option is enabled, a sysctl option
-        #  with name "audit_ptrace" is created.
-        #kernel.grsecurity.audit_ptrace = 1
-
-        #  If you say Y here, all attempts to attach to a process via ptrace
-        #  will be logged.  If the sysctl option is enabled, a sysctl option
-        #  with name "audit_ptrace" is created.
-        kernel.grsecurity.audit_chdir = 0
-
-        #  If you say Y here, all mounts and unmounts will be logged.  If the
-        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
-        #  created.
-        kernel.grsecurity.audit_mount = 1
-
-        #  If you say Y here, certain important signals will be logged, such as
-        #  SIGSEGV, which will as a result inform you of when a error in a program
-        #  occurred, which in some cases could mean a possible exploit attempt.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "signal_logging" is created.
-        kernel.grsecurity.signal_logging = 1
-
-        #  If you say Y here, all failed fork() attempts will be logged.
-        #  This could suggest a fork bomb, or someone attempting to overstep
-        #  their process limit.  If the sysctl option is enabled, a sysctl option
-        #  with name "forkfail_logging" is created.
-        kernel.grsecurity.forkfail_logging = 1
-
-        #  If you say Y here, any changes of the system clock will be logged.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "timechange_logging" is created.
-        kernel.grsecurity.timechange_logging = 1
-
-        #  if you say Y here, calls to mmap() and mprotect() with explicit
-        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
-        #  denied by the PAX_MPROTECT feature.  This feature will also
-        #  log other problematic scenarios that can occur when PAX_MPROTECT
-        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
-        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
-        #  is created.
-        kernel.grsecurity.rwxmap_logging = 1
-
-        #
-        # Executable Protections
-        #
-
-
-        #  if you say Y here, non-root users will not be able to use dmesg(8)
-        #  to view the contents of the kernel's circular log buffer.
-        #  The kernel's log buffer often contains kernel addresses and other
-        #  identifying information useful to an attacker in fingerprinting a
-        #  system for a targeted exploit.
-        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
-        #  created.
-        kernel.grsecurity.dmesg = 1
-
         # Hide symbol addresses in /proc/kallsyms
         kernel.kptr_restrict = 2
 
-        #  If you say Y here, TTY sniffers and other malicious monitoring
-        #  programs implemented through ptrace will be defeated.  If you
-        #  have been using the RBAC system, this option has already been
-        #  enabled for several years for all users, with the ability to make
-        #  fine-grained exceptions.
-        #
-        #  This option only affects the ability of non-root users to ptrace
-        #  processes that are not a descendent of the ptracing process.
-        #  This means that strace ./binary and gdb ./binary will still work,
-        #  but attaching to arbitrary processes will not.  If the sysctl
-        #  option is enabled, a sysctl option with name "harden_ptrace" is
-        #  created.
-        kernel.grsecurity.harden_ptrace = 1
-
-        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
-        #  binaries.  This option is useful in environments that
-        #  remove the read bits (e.g. file mode 4711) from suid binaries to
-        #  prevent infoleaking of their contents.  This option adds
-        #  consistency to the use of that file mode, as the binary could normally
-        #  be read out when run without privileges while ptracing.
-        #
-        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
-        #  is created.
-        kernel.grsecurity.ptrace_readexec = 1
-
-        #  If you say Y here, a change from a root uid to a non-root uid
-        #  in a multithreaded application will cause the resulting uids,
-        #  gids, supplementary groups, and capabilities in that thread
-        #  to be propagated to the other threads of the process.  In most
-        #  cases this is unnecessary, as glibc will emulate this behavior
-        #  on behalf of the application.  Other libcs do not act in the
-        #  same way, allowing the other threads of the process to continue
-        #  running with root privileges.  If the sysctl option is enabled,
-        #  a sysctl option with name "consistent_setxid" is created.
-        kernel.grsecurity.consistent_setxid = 1
-
-        #  If you say Y here, access to overly-permissive IPC objects (shared
-        #  memory, message queues, and semaphores) will be denied for processes
-        #  given the following criteria beyond normal permission checks:
-        #  1) If the IPC object is world-accessible and the euid doesn't match
-        #     that of the creator or current uid for the IPC object
-        #  2) If the IPC object is group-accessible and the egid doesn't
-        #     match that of the creator or current gid for the IPC object
-        #  It's a common error to grant too much permission to these objects,
-        #  with impact ranging from denial of service and information leaking to
-        #  privilege escalation.  This feature was developed in response to
-        #  research by Tim Brown:
-        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
-        #  who found hundreds of such insecure usages.  Processes with
-        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "harden_ipc" is created.
-        kernel.grsecurity.harden_ipc = 1
-
-        #  If you say Y here, you will be able to choose a gid to add to the
-        #  supplementary groups of users you want to mark as "untrusted."
-        #  These users will not be able to execute any files that are not in
-        #  root-owned directories writable only by root.  If the sysctl option
-        #  is enabled, a sysctl option with name "tpe" is created.
-        kernel.grsecurity.tpe = 1
-        kernel.grsecurity.tpe_gid = 100
-
-        #  If you say Y here, the group you specify in the TPE configuration will
-        #  decide what group TPE restrictions will be *disabled* for.  This
-        #  option is useful if you want TPE restrictions to be applied to most
-        #  users on the system.  If the sysctl option is enabled, a sysctl option
-        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
-        #  entry will default to on for backward-compatibility.
-        kernel.grsecurity.tpe_invert = 1
-
-        #  If you say Y here, all non-root users will be covered under
-        #  a weaker TPE restriction.  This is separate from, and in addition to,
-        #  the main TPE options that you have selected elsewhere.  Thus, if a
-        #  "trusted" GID is chosen, this restriction applies to even that GID.
-        #  Under this restriction, all non-root users will only be allowed to
-        #  execute files in directories they own that are not group or
-        #  world-writable, or in directories owned by root and writable only by
-        #  root.  If the sysctl option is enabled, a sysctl option with name
-        #  "tpe_restrict_all" is created.
-        kernel.grsecurity.tpe_restrict_all = 1
-
-
-        kernel.grsecurity.harden_tty = 1
-
         #
         # Network Protections
         #
@@ -519,105 +149,18 @@
         # Sen SynAck retries to 3
         net.ipv4.tcp_synack_retries = 3
 
-        #  If you say Y here, neither TCP resets nor ICMP
-        #  destination-unreachable packets will be sent in response to packets
-        #  sent to ports for which no associated listening process exists.
-        #  This feature supports both IPV4 and IPV6 and exempts the
-        #  loopback interface from blackholing.  Enabling this feature
-        #  makes a host more resilient to DoS attacks and reduces network
-        #  visibility against scanners.
-        #
-        #  The blackhole feature as-implemented is equivalent to the FreeBSD
-        #  blackhole feature, as it prevents RST responses to all packets, not
-        #  just SYNs.  Under most application behavior this causes no
-        #  problems, but applications (like haproxy) may not close certain
-        #  connections in a way that cleanly terminates them on the remote
-        #  end, leaving the remote host in LAST_ACK state.  Because of this
-        #  side-effect and to prevent intentional LAST_ACK DoSes, this
-        #  feature also adds automatic mitigation against such attacks.
-        #  The mitigation drastically reduces the amount of time a socket
-        #  can spend in LAST_ACK state.  If you're using haproxy and not
-        #  all servers it connects to have this option enabled, consider
-        #  disabling this feature on the haproxy host.
-        #
-        #  If the sysctl option is enabled, two sysctl options with names
-        #  "ip_blackhole" and "lastack_retries" will be created.
-        #  While "ip_blackhole" takes the standard zero/non-zero on/off
-        #  toggle, "lastack_retries" uses the same kinds of values as
-        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
-        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
-        #  state.
-        kernel.grsecurity.ip_blackhole = 1
-        kernel.grsecurity.lastack_retries = 4
-
-        #  If you say Y here, you will be able to choose a GID of whose users will
-        #  be unable to connect to other hosts from your machine or run server
-        #  applications from your machine.  If the sysctl option is enabled, a
-        #  sysctl option with name "socket_all" is created.
-        kernel.grsecurity.socket_all = 1
-
-        #  Here you can choose the GID to disable socket access for. Remember to
-        #  add the users you want socket access disabled for to the GID
-        #  specified here.  If the sysctl option is enabled, a sysctl option
-        #  with name "socket_all_gid" is created.
-        kernel.grsecurity.socket_all_gid = 200
-
-        #  If you say Y here, you will be able to choose a GID of whose users will
-        #  be unable to connect to other hosts from your machine, but will be
-        #  able to run servers.  If this option is enabled, all users in the group
-        #  you specify will have to use passive mode when initiating ftp transfers
-        #  from the shell on your machine.  If the sysctl option is enabled, a
-        #  sysctl option with name "socket_client" is created.
-        kernel.grsecurity.socket_client = 1
-
-        #  Here you can choose the GID to disable client socket access for.
-        #  Remember to add the users you want client socket access disabled for to
-        #  the GID specified here.  If the sysctl option is enabled, a sysctl
-        #  option with name "socket_client_gid" is created.
-        kernel.grsecurity.socket_client_gid = 201
-
-        #  If you say Y here, you will be able to choose a GID of whose users will
-        #  be unable to connect to other hosts from your machine, but will be
-        #  able to run servers.  If this option is enabled, all users in the group
-        #  you specify will have to use passive mode when initiating ftp transfers
-        #  from the shell on your machine.  If the sysctl option is enabled, a
-        #  sysctl option with name "socket_client" is created.
-        kernel.grsecurity.socket_server = 1
-
-        #  Here you can choose the GID to disable server socket access for.
-        #  Remember to add the users you want server socket access disabled for to
-        #  the GID specified here.  If the sysctl option is enabled, a sysctl
-        #  option with name "socket_server_gid" is created.
-        kernel.grsecurity.socket_server_gid = 99
-
-        #
-        # Physical Protections
-        #
-
-        #  If you say Y here, a new sysctl option with name "deny_new_usb"
-        #  will be created.  Setting its value to 1 will prevent any new
-        #  USB devices from being recognized by the OS.  Any attempted USB
-        #  device insertion will be logged.  This option is intended to be
-        #  used against custom USB devices designed to exploit vulnerabilities
-        #  in various USB device drivers.
-        #
-        #  For greatest effectiveness, this sysctl should be set after any
-        #  relevant init scripts.  This option is safe to enable in distros
-        #  as each user can choose whether or not to toggle the sysctl.
-        kernel.grsecurity.deny_new_usb = 0
-
-        #
-        # Restrict grsec sysctl changes after this was set
-        #
-        kernel.grsecurity.grsec_lock = 0
-
         # End of file
    +

    Reload sysctl settings;

    + + 
    +        # sysctl --system
+
    Core OS Index

    This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file Gnu Free Documentation License for copying conditions.

    diff --git a/core/toolchain.html b/core/toolchain.html index 57113fd..9662217 100644 --- a/core/toolchain.html +++ b/core/toolchain.html @@ -2,13 +2,13 @@ - 2.2.3. Toolchain + 2.6.3. Toolchain Core OS Index -

    2.2.3. Toolchain

    +

    2.6.3. Toolchain

    Add flags to pkgmk configuration and change specific ports that don't build with hardening flags. More information about diff --git a/core/tty-terminal.html b/core/tty-terminal.html index 6eb08d3..d033ec2 100644 --- a/core/tty-terminal.html +++ b/core/tty-terminal.html @@ -2,13 +2,13 @@ - 2.5. Consoles, terminals and shells + 2.4. Consoles, terminals and shells Core OS Index -

    2.5. Consoles, terminals and shells

    +

    2.4. Consoles, terminals and shells

    Consoles
    diff --git a/tools/storage.html b/tools/storage.html index 932e724..f90bca0 100644 --- a/tools/storage.html +++ b/tools/storage.html @@ -11,14 +11,66 @@

    1. Maintenance

    -

    SMART provides statistics of disk firmware, this system - handle errors has their occur. Badblocks detect bad blocks - by writing and reading from disk in a destructive test. - Example of how to view SMART statistics of a disk;

    +

    SMART provides statistics of disk firmware, + this system handle errors has their occur. Badblocks are detected by writing and reading from disk in + a destructive test. Example of how to view SMART + statistics of a disk;

             # smartctl -t long /dev/sdb1
         # smartctl -a /dev/sdb1 | less
+        # hdparm -I /dev/sda | less
+
    + +

    Mechanical hard drives spindown disks + and put heads in hold position to save energy + and protect the disk. This spindow spinup + can shorter the life expectancy of the hard + drive. Relevant output from smartctl;

    + +

    Settings with hdparm [options] [device];

    + +
    +
    -B
    + +
    Set the Advanced Power Management feature. + Possible values are between 1 and 255, low + values mean more aggressive power management + and higher values mean better performance. + Values from 1 to 127 permit spin-down, whereas + values from 128 to 254 do not. A value of 255 + completely disables the feature.
    + +
    -S
    + +
    Set the standby (spindown) timeout for + the drive. The timeout specifies how long to + wait in idle (with no disk activity) before + turning off the motor to save power. The value + of 0 disables spindown, the values from 1 to + 240 specify multiples of 5 seconds and values + from 241 to 251 specify multiples of 30 + minutes.
    + +
    -M
    + +
    Set the Automatic Acoustic Management + feature. Most modern hard disk drives have the + ability to speed down the head movements to + reduce their noise output. The possible value + depends on the disk, some disks may not support + this feature.
    +
    + + 
    +        # hdparm -S 0 /dev/sda
+        # hdparm -B 255 /dev/sda
+
    + +

    Set persistent values using udev, edit /etc/udev/rules.d/69-hdparm.rules;

    + + 
    +        ACTION=="add", SUBSYSTEM=="block", KERNEL=="sda", RUN=="/usr/bin/hdparm -B 255 -S 0 /dev/sda"

    Search for bad blocks using @@ -28,6 +80,7 @@ # badblocks -nsv /dev/sdb1 +

    2. Moving data

    Temp partition with 20M-50M;

    -- cgit 1.4.1-2-gfad0 From aef9e68386cff79c5d5ebd5288c5c1cd971eca72 Mon Sep 17 00:00:00 2001 From: Silvino Date: Sun, 9 Jun 2019 03:49:27 +0100 Subject: core pkgmk and prt-get configuration revision --- core/conf/pkgmk.conf | 2 +- core/conf/prt-get.conf | 22 ++++++++----------- core/index.html | 5 +++-- core/package.html | 14 ++++++------- core/ports.html | 57 +++++++++++++++++++++++++++++++++----------------- 5 files changed, 57 insertions(+), 43 deletions(-) diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index 4e4190c..18d8730 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -2,7 +2,7 @@ # /etc/pkgmk.conf: pkgmk(8) configuration # -export CFLAGS="-O2 -march=x86-64 -pipe" +export CFLAGS="-O2 -march=x86-64" export CXXFLAGS="${CFLAGS}" export JOBS=$(nproc) diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf index 1f7a39e..12a24d8 100644 --- a/core/conf/prt-get.conf +++ b/core/conf/prt-get.conf @@ -5,28 +5,25 @@ # note: the order matters: the package found first is used prtdir /usr/ports/core prtdir /usr/ports/opt -prtdir /usr/ports/contrib -prtdir /usr/ports/machine-ports prtdir /usr/ports/xorg -# 6c37 team provides a collection with freetype-iu, fontconfig-iu -# and cairo-iu ports. - # the following line enables the multilib compat-32 collection #prtdir /usr/ports/compat-32 # the following line enables the user maintained contrib collection -# prtdir /usr/ports/6c37-dropin -# prtdir /usr/ports/6c37 +prtdir /usr/ports/contrib +prtdir /usr/ports/ports +prtdir /usr/ports/mate +prtdir /usr/ports/kde5 ### use mypackage form local directory # prtdir /home/packages/build:mypackage ### log options: -writelog enabled # (enabled|disabled) -logmode overwrite # (append|overwrite) -rmlog_on_success yes # (no|yes) -logfile /usr/ports/pkgbuild/%n-%v-%r.log +# writelog enabled # (enabled|disabled) +# logmode overwrite # (append|overwrite) +# rmlog_on_success yes # (no|yes) +logfile /var/log/pkgbuild/%n.log # path, %p=path to port dir, %n=port name # %v=version, %r=release @@ -37,7 +34,7 @@ logfile /usr/ports/pkgbuild/%n-%v-%r.log readme verbose # (verbose|compact|disabled) ### prefer higher versions in sysup / diff -preferhigher no # (yes|no) +preferhigher yes # (yes|no) ### use regexp search # useregex no # (yes|no) @@ -46,7 +43,6 @@ preferhigher no # (yes|no) ### --install-scripts option runscripts yes # (no|yes) - ### EXPERT SECTION ### ### alternative commands diff --git a/core/index.html b/core/index.html index c9d5d4b..20e50af 100644 --- a/core/index.html +++ b/core/index.html @@ -45,16 +45,17 @@
  • 1.2.3. Set lacale
  • 1.2.4. Users
  • 1.2.5. File system table
    • -
  • 1.2.6. Initialization Scripts
    • +
  • 1.2.6. Initialization scripts
  • 1.3. Ports
    • diff --git a/core/package.html b/core/package.html index 7d4c8b5..974ead2 100644 --- a/core/package.html +++ b/core/package.html @@ -108,7 +108,7 @@ $ sudo pkgadd /usr/ports/packages/git#2.9.3-1.pkg.tar.gz -

    If you user pkgmk and pkgadd allways check if README, pre and post +

    If you user pkgmk and pkgadd allways check if README, pre and post instal files exist.

    2.3.3. Ports collections

    @@ -132,20 +132,18 @@ prtdir /usr/ports/contrib # ports described on this documentation - prtdir /usr/ports/machine-ports + prtdir /usr/ports/ports # 6c37 team provides a collection with freetype-iu, fontconfig-iu # and cairo-iu ports. - prtdir /usr/ports/6c37-dropin - prtdir /usr/ports/6c37 + # prtdir /usr/ports/6c37-dropin + # prtdir /usr/ports/6c37

    Get new ports;

    -        $ sudo ports -u machine-ports
-        $ sudo ports -u 6c37-dropin
-        $ sudo ports -u 6c37
+        $ sudo ports -u ports

    2.3.4. Show port information

    @@ -183,7 +181,7 @@ Core OS Index

    This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file Gnu Free Documentation License for copying conditions.

    diff --git a/core/ports.html b/core/ports.html index e921351..07d52d2 100644 --- a/core/ports.html +++ b/core/ports.html @@ -76,10 +76,11 @@ # /etc/pkgmk.conf: pkgmk(8) configuration # - export CFLAGS="-O2 -g -march=x86-64 -pipe" + export CFLAGS="-O2 -march=x86-64" export CXXFLAGS="${CFLAGS}" - # export MAKEFLAGS="-j2" + export JOBS=$(nproc) + export MAKEFLAGS="-j $JOBS" case ${PKGMK_ARCH} in "64"|"") @@ -96,14 +97,16 @@ ;; esac - #PKGMK_SOURCE_MIRRORS=(http://machine.example.org/ports/distfiles/) + PKGMK_SOURCE_MIRRORS=(https://hive.gnu.systems/mirror/distfiles/) # PKGMK_SOURCE_DIR="$PWD" PKGMK_SOURCE_DIR="/usr/ports/distfiles" # PKGMK_PACKAGE_DIR="$PWD" PKGMK_PACKAGE_DIR="/usr/ports/packages" # PKGMK_WORK_DIR="$PWD/work" - PKGMK_WORK_DIR="/usr/ports/work/$name" + PKGMK_WORK_DIR="/usr/ports/work/${name}" # PKGMK_DOWNLOAD="no" + # PKGMK_IGNORE_SIGNATURE="no" + # PKGMK_IGNORE_MD5SUM="no" # PKGMK_IGNORE_FOOTPRINT="no" # PKGMK_IGNORE_NEW="no" # PKGMK_NO_STRIP="no" @@ -136,39 +139,36 @@ # note: the order matters: the package found first is used prtdir /usr/ports/core prtdir /usr/ports/opt - prtdir /usr/ports/contrib - prtdir /usr/ports/ports prtdir /usr/ports/xorg - # 6c37 team provides a collection with freetype-iu, fontconfig-iu - # and cairo-iu ports. - # the following line enables the multilib compat-32 collection #prtdir /usr/ports/compat-32 # the following line enables the user maintained contrib collection - # prtdir /usr/ports/6c37-dropin - # prtdir /usr/ports/6c37 + prtdir /usr/ports/contrib + prtdir /usr/ports/ports + prtdir /usr/ports/mate + prtdir /usr/ports/kde ### use mypackage form local directory # prtdir /home/packages/build:mypackage ### log options: - writelog enabled # (enabled|disabled) - logmode overwrite # (append|overwrite) - rmlog_on_success yes # (no|yes) - logfile /usr/ports/pkgbuild/%n-%v-%r.log + # writelog enabled # (enabled|disabled) + # logmode overwrite # (append|overwrite) + # rmlog_on_success yes # (no|yes) + logfile /var/log/pkgbuild/%n.log # path, %p=path to port dir, %n=port name # %v=version, %r=release ### use alternate cache file (default: /var/lib/pkg/prt-get.cache # cachefile /mnt/nfs/cache - ### print readme information: + ### print README information: readme verbose # (verbose|compact|disabled) ### prefer higher versions in sysup / diff - preferhigher no # (yes|no) + preferhigher yes # (yes|no) ### use regexp search # useregex no # (yes|no) @@ -177,16 +177,35 @@ ### --install-scripts option runscripts yes # (no|yes) - ### expert section ### ### alternative commands - makecommand sudo -h -u pkgmk fakeroot pkgmk + makecommand sudo -H -u pkgmk fakeroot pkgmk addcommand sudo pkgadd removecommand sudo pkgrm runscriptcommand sudo sh +

    1.3.5. Ccache and distcc

    + +

    Ccache avoids same code to be compiled by saving + the output from compilers and identifying same + input by using hashes and distcc distributes + compiling process across machines.

    + +

    Don't set native or generic on /etc/pkgmk.conf.

    + 
    +        $ prt-get depinst ccache distcc
+
    + +

    Add to /etc/profile;

    + + 
    +        export PATH="/usr/lib/ccache/:$PATH"
+        export CCACHE_DIR="/var/cache/ccache"
+        export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux"
+
    + Core OS Index

    This is part of the Hive System Documentation. -- cgit 1.4.1-2-gfad0 From 83eba7ffb016b7d8bea6e35ac229089213c06e70 Mon Sep 17 00:00:00 2001 From: Silvino Date: Sun, 9 Jun 2019 03:57:15 +0100 Subject: added apparmor to default grub --- core/conf/default/grub | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/conf/default/grub b/core/conf/default/grub index cc7934a..e1a4636 100644 --- a/core/conf/default/grub +++ b/core/conf/default/grub @@ -1,4 +1,4 @@ GRUB_DISABLE_LINUX_UUID=false GRUB_ENABLE_LINUX_LABEL=false -GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-15f15024-e994-43e3-9de4-694ba94aaf7f rd.lvm.lv=vg_system/lv_root" +GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-15f15024-e994-43e3-9de4-694ba94aaf7f rd.lvm.lv=vg_system/lv_root apparmor=1 security=apparmor" GRUB_ENABLE_CRYPTODISK=y -- cgit 1.4.1-2-gfad0 From e0fac3869c68af251ce762d3e2e9fca010336f98 Mon Sep 17 00:00:00 2001 From: Silvino Date: Sun, 9 Jun 2019 03:57:34 +0100 Subject: tools network revision --- tools/network.html | 41 +++++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/tools/network.html b/tools/network.html index 6f9e941..0fad69e 100644 --- a/tools/network.html +++ b/tools/network.html @@ -10,24 +10,28 @@

    Network Tools

    -

    This document and others under tools extend - core network - witch allow to connect to the internet in the most - common environments. Follow documents allow to configure - tap interfaces for virtual machines, audit network, - dns cache and encryption, etc.

    - -

    On core is configured a sub-domain from +

    This document extend + core network, + that cover the most common environments, with + virtual networks and bridges.

    + +

    To configure a sub-domain from afraid.org, generate cron job to update ip every 5 minutes, check - about dynamic interface. To run as system cron job add as root and remove path line from example;

    + about dynamic interface. + To run as system cron job add as root and remove + path line from example;

    + 
             # crontab -e
    -

    Example from afraid uses curl and will log output to /tmp/freedns*, - change to /var/log/freedns

    +

    Replace KEY and domain_name with correct one;

    + + 
    +        4,9,14,19,24,29,34,39,44,49,54,59 * * * * sleep 22 ; wget --no-check-certificate -O - https://freedns.afraid.org/dynamic/update.php?[KEY]= >> /var/log/freedns_domain_name.log 2>&1 &
+

    Bridges

    @@ -55,19 +59,24 @@

    Change iptables init script /etc/rc.d/iptables - to load new rules from - /etc/iptables/br-lan.v4. - Now change iptables-br.sh + and set TYPE to bridge, + /etc/iptables/bridge.v4. + Now change + ipt-conf.sh + and ipt-bridge.sh with your network configuration and run; 

    -        # bash core/scripts/iptables-br.sh
+        # bash ipt-bridge.sh
    +

    Copy bridge.v4 to /etc/iptables and restart + iptables.

    + Tools Index

    This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file Gnu Free Documentation License for copying conditions.

    -- cgit 1.4.1-2-gfad0 From d418554cda9c0489fdebea35957467dfbeb00473 Mon Sep 17 00:00:00 2001 From: Silvino Date: Sun, 9 Jun 2019 14:38:44 +0100 Subject: core prt-get.conf revision --- core/conf/prt-get.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf index 12a24d8..d2905cf 100644 --- a/core/conf/prt-get.conf +++ b/core/conf/prt-get.conf @@ -20,9 +20,9 @@ prtdir /usr/ports/kde5 # prtdir /home/packages/build:mypackage ### log options: -# writelog enabled # (enabled|disabled) -# logmode overwrite # (append|overwrite) -# rmlog_on_success yes # (no|yes) +writelog enabled # (enabled|disabled) +logmode overwrite # (append|overwrite) +rmlog_on_success yes # (no|yes) logfile /var/log/pkgbuild/%n.log # path, %p=path to port dir, %n=port name # %v=version, %r=release -- cgit 1.4.1-2-gfad0 From 58e9e9fcd317f591963ad1a2bd46060396d36471 Mon Sep 17 00:00:00 2001 From: Silvino Date: Mon, 10 Jun 2019 23:24:09 +0100 Subject: added kde5 ports collection to core --- core/conf/ports/kde5.git | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 core/conf/ports/kde5.git diff --git a/core/conf/ports/kde5.git b/core/conf/ports/kde5.git new file mode 100644 index 0000000..37b5764 --- /dev/null +++ b/core/conf/ports/kde5.git @@ -0,0 +1,7 @@ +# Collection core +# +NAME=kde5 +URL=git://hive.gnu.systems/kde5.git +BRANCH=stable-3.4 +destination=/usr/ports/kde5 +PORTS_DIR="/usr/ports" -- cgit 1.4.1-2-gfad0 From a55b4d39a97361fd4f04c6547835204b9e5371ac Mon Sep 17 00:00:00 2001 From: Silvino Date: Mon, 10 Jun 2019 23:24:32 +0100 Subject: fix core install typo --- core/install.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/install.html b/core/install.html index 65b9148..1526c12 100644 --- a/core/install.html +++ b/core/install.html @@ -117,7 +117,7 @@ 
             # pvcreate /dev/mapper/cryptlvm
-        vgcreate vg_system /dev/mapper/cryptlvm
+        # vgcreate vg_system /dev/mapper/cryptlvm

    Core collection installation on root partition uses -- cgit 1.4.1-2-gfad0 From 5adacc390c152b1540372d653712cb41fcb76b7b Mon Sep 17 00:00:00 2001 From: Silvino Date: Tue, 11 Jun 2019 00:27:06 +0100 Subject: ports distcc and ccache revision --- core/conf/pkgmk.conf | 26 +++++++++++++++++++----- core/conf/rc.d/distccd | 33 ++++++++++++++++++++++++++++++ core/ports.html | 55 ++++++++++++++++++++++++++++++++++++++++++++------ 3 files changed, 103 insertions(+), 11 deletions(-) create mode 100755 core/conf/rc.d/distccd diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index 18d8730..c94fea7 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -2,12 +2,20 @@ # /etc/pkgmk.conf: pkgmk(8) configuration # -export CFLAGS="-O2 -march=x86-64" +export CFLAGS="-O2 -g -march=x86-64" export CXXFLAGS="${CFLAGS}" +# local compile only export JOBS=$(nproc) export MAKEFLAGS="-j $JOBS" +## compile using distcc +## set static cpu cores available +###export MAKEFLAGS="-j 8" +## get dynamically cpu cores available +#export MAKEFLAGS="/usr/bin/distcc -j 2> /dev/null" +#export SCONSFLAGS="$MAKEFLAGS" + case ${PKGMK_ARCH} in "64"|"") ;; @@ -23,16 +31,14 @@ case ${PKGMK_ARCH} in ;; esac -PKGMK_SOURCE_MIRRORS=(https://hive.gnu.systems/mirror/distfiles/) +PKGMK_SOURCE_MIRRORS=(http://c1.ank/distfiles/ http://c1.ank/archive/distfiles/) # PKGMK_SOURCE_DIR="$PWD" PKGMK_SOURCE_DIR="/usr/ports/distfiles" # PKGMK_PACKAGE_DIR="$PWD" PKGMK_PACKAGE_DIR="/usr/ports/packages" # PKGMK_WORK_DIR="$PWD/work" -PKGMK_WORK_DIR="/usr/ports/work/${name}" +PKGMK_WORK_DIR="/usr/ports/work/$name" # PKGMK_DOWNLOAD="no" -# PKGMK_IGNORE_SIGNATURE="no" -# PKGMK_IGNORE_MD5SUM="no" # PKGMK_IGNORE_FOOTPRINT="no" # PKGMK_IGNORE_NEW="no" # PKGMK_NO_STRIP="no" @@ -40,5 +46,15 @@ PKGMK_WORK_DIR="/usr/ports/work/${name}" # PKGMK_WGET_OPTS="" # PKGMK_CURL_OPTS="" # PKGMK_COMPRESSION_MODE="gz" +# PKGMK_UP_TO_DATE=yes + +## ccache settings +#export PATH="/usr/lib/ccache/:$PATH" +#export CCACHE_DIR="/usr/ports/cache/ccache" +#export CCACHE_PREFIX="distcc" +#export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux" +# +#export DISTCC_HOSTS="localhost/4 worker/4" +#export DISTCC_DIR="/urs/ports/distcc" # End of file diff --git a/core/conf/rc.d/distccd b/core/conf/rc.d/distccd new file mode 100755 index 0000000..65a166d --- /dev/null +++ b/core/conf/rc.d/distccd @@ -0,0 +1,33 @@ +#!/usr/bin/env bash +# +# /etc/rc.d/distccd: start/stop distcc daemon +# + +. /etc/distcc.conf +if [ -z "$DISTCC_ALLOW" ]; then + echo "Please define a range of IPs allowed to connect to this distccd" + echo "host in DISTCC_ALLOW in /etc/rc.conf. More detailed information" + echo "can be found in the distcc's README package." + exit 1 +fi + +DISTCC_USER="${DISTCC_USER:=nobody}" +DISTCC_LOG_LEVEL="${DISTCC_LOG_LEVEL:=notice}" + +case $1 in +start) + /usr/sbin/distccd --daemon --user "$DISTCC_USER" --allow "$DISTCC_ALLOW" --log-level "$DISTCC_LOG_LEVEL" + ;; +stop) + killall -q /usr/sbin/distccd + ;; +restart) + $0 stop + $0 start + ;; +*) + echo "usage: $0 [start|stop|restart]" + ;; +esac + +# End of file diff --git a/core/ports.html b/core/ports.html index 07d52d2..a61643d 100644 --- a/core/ports.html +++ b/core/ports.html @@ -148,15 +148,15 @@ prtdir /usr/ports/contrib prtdir /usr/ports/ports prtdir /usr/ports/mate - prtdir /usr/ports/kde + prtdir /usr/ports/kde5 ### use mypackage form local directory # prtdir /home/packages/build:mypackage ### log options: - # writelog enabled # (enabled|disabled) - # logmode overwrite # (append|overwrite) - # rmlog_on_success yes # (no|yes) + writelog enabled # (enabled|disabled) + logmode overwrite # (append|overwrite) + rmlog_on_success yes # (no|yes) logfile /var/log/pkgbuild/%n.log # path, %p=path to port dir, %n=port name # %v=version, %r=release @@ -198,14 +198,57 @@ $ prt-get depinst ccache distcc -

    Add to /etc/profile;

    +

    Configure pkgmk and define number of cores available, + in this example get dynamically Edit /etc/pkgmk.conf;

    +        ## local compile only
+        #export JOBS=$(nproc)
+        #export MAKEFLAGS="-j $JOBS"
+
+        # compile using distcc
+        # set static cpu cores available
+        ##export MAKEFLAGS="-j 8"
+        # get dynamically cpu cores available
+        export MAKEFLAGS="/usr/bin/distcc -j 2> /dev/null"
+        export SCONSFLAGS="$MAKEFLAGS"
+
    + +

    Set ccaching directory and instructs to use distcc backend;

    + + 
    +        # ccache settings
         export PATH="/usr/lib/ccache/:$PATH"
-        export CCACHE_DIR="/var/cache/ccache"
+        export CCACHE_DIR="/usr/ports/cache/ccache"
+        export CCACHE_PREFIX="distcc"
         export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux"
    +

    Set distcc hosts and respective number of cpu cores to send work;

    + 
    +        export DISTCC_HOSTS="localhost/4 worker/4"
+        export DISTCC_DIR="/urs/ports/distcc"
+
    + +

    Configure distcc daemon, edit /etc/rc.d/distccd;

    + + 
    +        #!/usr/bin/env bash
+        #
+        # /etc/rc.d/distccd: start/stop distcc daemon
+        #
+
+        . /etc/distcc.conf
+        if [ -z "$DISTCC_ALLOW" ]; then 
+
    + +

    Create /etc/distcc.conf;

    + + 
    +
+
    + + Core OS Index

    This is part of the Hive System Documentation. -- cgit 1.4.1-2-gfad0 From 8ed4702bc69f8855fcd7c9d192f48c8d12fe75f0 Mon Sep 17 00:00:00 2001 From: Silvino Date: Tue, 11 Jun 2019 00:27:19 +0100 Subject: tools storage revision --- tools/storage.html | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tools/storage.html b/tools/storage.html index f90bca0..3a0a064 100644 --- a/tools/storage.html +++ b/tools/storage.html @@ -19,14 +19,19 @@ 

             # smartctl -t long /dev/sdb1
         # smartctl -a /dev/sdb1 | less
-        # hdparm -I /dev/sda | less

    Mechanical hard drives spindown disks and put heads in hold position to save energy and protect the disk. This spindow spinup can shorter the life expectancy of the hard - drive. Relevant output from smartctl;

    + drive. Relevant output from hdparm;

    + + 
    +        # hdparm -I /dev/sda | grep "Advanced power management level"
+        # hdparm -I /dev/sda | grep "Recommended acoustic management value"
+
    +

    Settings with hdparm [options] [device];

    -- cgit 1.4.1-2-gfad0 From 672abe915b399ccd934f7450b5357df7b78e36fd Mon Sep 17 00:00:00 2001 From: Silvino Date: Tue, 11 Jun 2019 00:32:06 +0100 Subject: core ports distcc revision --- core/conf/distcc.conf | 3 +++ core/ports.html | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 core/conf/distcc.conf diff --git a/core/conf/distcc.conf b/core/conf/distcc.conf new file mode 100644 index 0000000..723338b --- /dev/null +++ b/core/conf/distcc.conf @@ -0,0 +1,3 @@ +DISTCC_ALLOW="10.0.0.0/8" +DISTCC_USER="pkgmk" +DISTCC_LOG_LEVEL="info" diff --git a/core/ports.html b/core/ports.html index a61643d..dbaa226 100644 --- a/core/ports.html +++ b/core/ports.html @@ -245,10 +245,11 @@

    Create /etc/distcc.conf;

    -
+        DISTCC_ALLOW="10.0.0.0/8"
+        DISTCC_USER="pkgmk"
+        DISTCC_LOG_LEVEL="info"
    - Core OS Index

    This is part of the Hive System Documentation. -- cgit 1.4.1-2-gfad0 From f4f8011dfe20f374a52a38b72a87fa92769a6523 Mon Sep 17 00:00:00 2001 From: Silvino Date: Tue, 11 Jun 2019 01:02:28 +0100 Subject: fix ccache location --- core/conf/pkgmk.conf | 2 +- core/ports.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index c94fea7..fe82d4d 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -50,7 +50,7 @@ PKGMK_WORK_DIR="/usr/ports/work/$name" ## ccache settings #export PATH="/usr/lib/ccache/:$PATH" -#export CCACHE_DIR="/usr/ports/cache/ccache" +#export CCACHE_DIR="/usr/ports/ccache" #export CCACHE_PREFIX="distcc" #export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux" # diff --git a/core/ports.html b/core/ports.html index dbaa226..da0f9b2 100644 --- a/core/ports.html +++ b/core/ports.html @@ -219,7 +219,7 @@ 

             # ccache settings
         export PATH="/usr/lib/ccache/:$PATH"
-        export CCACHE_DIR="/usr/ports/cache/ccache"
+        export CCACHE_DIR="/usr/ports/ccache"
         export CCACHE_PREFIX="distcc"
         export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux"
    -- cgit 1.4.1-2-gfad0 From fd50d963db28959f1cf652dbc3f6d24e31b63a17 Mon Sep 17 00:00:00 2001 From: Silvino Date: Tue, 11 Jun 2019 01:06:18 +0100 Subject: better distcc documentation --- core/ports.html | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/core/ports.html b/core/ports.html index da0f9b2..5350ee2 100644 --- a/core/ports.html +++ b/core/ports.html @@ -214,7 +214,8 @@ export SCONSFLAGS="$MAKEFLAGS" -

    Set ccaching directory and instructs to use distcc backend;

    +

    Set ccaching directory and instructs to + use distcc backend;

             # ccache settings
@@ -224,13 +225,16 @@
         export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux"
    -

    Set distcc hosts and respective number of cpu cores to send work;

    +

    Set distcc hosts and respective number of + cpu cores to send work;

             export DISTCC_HOSTS="localhost/4 worker/4"
         export DISTCC_DIR="/urs/ports/distcc"
    -

    Configure distcc daemon, edit /etc/rc.d/distccd;

    +

    Host name "worker" must be configured on + /etc/hosts. Configure distcc daemon, edit + /etc/rc.d/distccd;

             #!/usr/bin/env bash
@@ -239,7 +243,7 @@
         #
 
         . /etc/distcc.conf
-        if [ -z "$DISTCC_ALLOW" ]; then 
+        if [ -z "$DISTCC_ALLOW" ]; then

    Create /etc/distcc.conf;

    -- cgit 1.4.1-2-gfad0 From c1ec5af5868c0050dcb82167224affae7d684849 Mon Sep 17 00:00:00 2001 From: Silvino Date: Tue, 11 Jun 2019 01:29:02 +0100 Subject: core ports distcc reconfiguration --- core/conf/pkgmk.conf | 18 +++++++++--------- core/ports.html | 32 ++++++++++++++++---------------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index fe82d4d..14cc258 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -5,6 +5,15 @@ export CFLAGS="-O2 -g -march=x86-64" export CXXFLAGS="${CFLAGS}" +## ccache settings +#export PATH="/usr/lib/ccache/:$PATH" +#export CCACHE_DIR="/usr/ports/ccache" +#export CCACHE_PREFIX="distcc" +#export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux" +# +#export DISTCC_HOSTS="localhost/4 worker/4" +#export DISTCC_DIR="/urs/ports/distcc" + # local compile only export JOBS=$(nproc) export MAKEFLAGS="-j $JOBS" @@ -48,13 +57,4 @@ PKGMK_WORK_DIR="/usr/ports/work/$name" # PKGMK_COMPRESSION_MODE="gz" # PKGMK_UP_TO_DATE=yes -## ccache settings -#export PATH="/usr/lib/ccache/:$PATH" -#export CCACHE_DIR="/usr/ports/ccache" -#export CCACHE_PREFIX="distcc" -#export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux" -# -#export DISTCC_HOSTS="localhost/4 worker/4" -#export DISTCC_DIR="/urs/ports/distcc" - # End of file diff --git a/core/ports.html b/core/ports.html index 5350ee2..a977568 100644 --- a/core/ports.html +++ b/core/ports.html @@ -199,7 +199,17 @@

    Configure pkgmk and define number of cores available, - in this example get dynamically Edit /etc/pkgmk.conf;

    + in this example get dynamically Edit /etc/pkgmk.conf and + set ccaching directory and instructs to use distcc + backend;

    + + 
    +        # ccache settings
+        export PATH="/usr/lib/ccache/:$PATH"
+        export CCACHE_DIR="/usr/ports/ccache"
+        export CCACHE_PREFIX="distcc"
+        export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux"
+        
             ## local compile only
@@ -214,26 +224,16 @@
         export SCONSFLAGS="$MAKEFLAGS"
    -

    Set ccaching directory and instructs to - use distcc backend;

    - - 
    -        # ccache settings
-        export PATH="/usr/lib/ccache/:$PATH"
-        export CCACHE_DIR="/usr/ports/ccache"
-        export CCACHE_PREFIX="distcc"
-        export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux"
-
    -

    Set distcc hosts and respective number of - cpu cores to send work;

    + cpu cores to send work, hosts names, exp; "worker" must + be configured on /etc/hosts.

    + 
             export DISTCC_HOSTS="localhost/4 worker/4"
         export DISTCC_DIR="/urs/ports/distcc"
    -

    Host name "worker" must be configured on - /etc/hosts. Configure distcc daemon, edit +

    Configure distcc daemon, edit /etc/rc.d/distccd;

    @@ -257,7 +257,7 @@
         Core OS Index
         
    
         This is part of the Hive System Documentation.
-        Copyright (C) 2018
+        Copyright (C) 2019
         Hive Team.
         See the file Gnu Free Documentation License
         for copying conditions.
    
-- 
cgit 1.4.1-2-gfad0


From e52ad7baa28982fb63154d7eda40c54982f8d276 Mon Sep 17 00:00:00 2001
From: Silvino 
Date: Tue, 11 Jun 2019 03:46:58 +0100
Subject: fix core ports pkgmk.conf

---
 core/conf/pkgmk.conf | 24 +++++++++++++-----------
 core/ports.html      | 26 +++++++++++---------------
 2 files changed, 24 insertions(+), 26 deletions(-)

diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf
index 14cc258..7a7c6e7 100644
--- a/core/conf/pkgmk.conf
+++ b/core/conf/pkgmk.conf
@@ -2,7 +2,7 @@
 # /etc/pkgmk.conf: pkgmk(8) configuration
 #
 
-export CFLAGS="-O2 -g -march=x86-64"
+export CFLAGS="-O2 -march=x86-64"
 export CXXFLAGS="${CFLAGS}"
 
 ## ccache settings
@@ -10,21 +10,23 @@ export CXXFLAGS="${CFLAGS}"
 #export CCACHE_DIR="/usr/ports/ccache"
 #export CCACHE_PREFIX="distcc"
 #export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux"
+#export DISTCC_DIR="/usr/ports/distcc"
 #
-#export DISTCC_HOSTS="localhost/4 worker/4"
-#export DISTCC_DIR="/urs/ports/distcc"
+## compile using ccache and distcc
+#export DISTCC_HOSTS="localhost/4 xborg/4"
+#
+## compile using distcc without ccache
+##export PATH="/usr/lib/distcc/:$PATH"
+##export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp cb1/2,lzo,cpp"
+#
+#export MAKEFLAGS="-j $(/usr/bin/distcc -j 2> /dev/null)"
+#export SCONSFLAGS="$MAKEFLAGS"
 
 # local compile only
+#export MAKEFLAGS="-j 8"
 export JOBS=$(nproc)
 export MAKEFLAGS="-j $JOBS"
 
-## compile using distcc
-## set static cpu cores available
-###export MAKEFLAGS="-j 8"
-## get dynamically cpu cores available
-#export MAKEFLAGS="/usr/bin/distcc -j 2> /dev/null"
-#export SCONSFLAGS="$MAKEFLAGS"
-
 case ${PKGMK_ARCH} in
 	"64"|"")
 		;;
@@ -40,7 +42,7 @@ case ${PKGMK_ARCH} in
 		;;
 esac
 
-PKGMK_SOURCE_MIRRORS=(http://c1.ank/distfiles/ http://c1.ank/archive/distfiles/)
+PKGMK_SOURCE_MIRRORS=(https://hive.gnu.systems/mirror/distfiles/)
 # PKGMK_SOURCE_DIR="$PWD"
 PKGMK_SOURCE_DIR="/usr/ports/distfiles"
 # PKGMK_PACKAGE_DIR="$PWD"
diff --git a/core/ports.html b/core/ports.html
index a977568..d7ea41c 100644
--- a/core/ports.html
+++ b/core/ports.html
@@ -211,26 +211,22 @@
         export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux"
    - 
    -        ## local compile only
-        #export JOBS=$(nproc)
-        #export MAKEFLAGS="-j $JOBS"
-
-        # compile using distcc
-        # set static cpu cores available
-        ##export MAKEFLAGS="-j 8"
-        # get dynamically cpu cores available
-        export MAKEFLAGS="/usr/bin/distcc -j 2> /dev/null"
-        export SCONSFLAGS="$MAKEFLAGS"
-
    -

    Set distcc hosts and respective number of cpu cores to send work, hosts names, exp; "worker" must be configured on /etc/hosts.

    -        export DISTCC_HOSTS="localhost/4 worker/4"
-        export DISTCC_DIR="/urs/ports/distcc"
+        export DISTCC_DIR="/usr/ports/distcc"
+
+        # compile using ccache and distcc
+        export DISTCC_HOSTS="localhost/4 xborg/4"
+
+        # compile using distcc without ccache
+        #export PATH="/usr/lib/distcc/:$PATH"
+        #export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp cb1/2,lzo,cpp"
+
+        export MAKEFLAGS="-j $(/usr/bin/distcc -j 2> /dev/null)"
+        export SCONSFLAGS="$MAKEFLAGS"

    Configure distcc daemon, edit -- cgit 1.4.1-2-gfad0 From f0c45e7842ef205123124ba7ec2a1d044749c328 Mon Sep 17 00:00:00 2001 From: Silvino Date: Tue, 11 Jun 2019 04:03:30 +0100 Subject: core pkgmk with pump variable --- core/conf/pkgmk.conf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index 7a7c6e7..eb2d573 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -5,7 +5,7 @@ export CFLAGS="-O2 -march=x86-64" export CXXFLAGS="${CFLAGS}" -## ccache settings +### ccache settings #export PATH="/usr/lib/ccache/:$PATH" #export CCACHE_DIR="/usr/ports/ccache" #export CCACHE_PREFIX="distcc" @@ -13,18 +13,19 @@ export CXXFLAGS="${CFLAGS}" #export DISTCC_DIR="/usr/ports/distcc" # ## compile using ccache and distcc +#PUMP_BUILD=no #export DISTCC_HOSTS="localhost/4 xborg/4" # ## compile using distcc without ccache ##export PATH="/usr/lib/distcc/:$PATH" ##export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp cb1/2,lzo,cpp" +##export PUMP_BUILD=yes # #export MAKEFLAGS="-j $(/usr/bin/distcc -j 2> /dev/null)" #export SCONSFLAGS="$MAKEFLAGS" +export JOBS=$(nproc) # local compile only -#export MAKEFLAGS="-j 8" -export JOBS=$(nproc) export MAKEFLAGS="-j $JOBS" case ${PKGMK_ARCH} in -- cgit 1.4.1-2-gfad0 From c2b515c1d39ff4711c1e677df46f634cd955bfe0 Mon Sep 17 00:00:00 2001 From: Silvino Date: Tue, 11 Jun 2019 04:34:38 +0100 Subject: fix pkgmk.conf distcc pump mode --- core/conf/pkgmk.conf | 15 ++++++++------- core/ports.html | 24 ++++++++++++++---------- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index eb2d573..8222926 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -5,27 +5,28 @@ export CFLAGS="-O2 -march=x86-64" export CXXFLAGS="${CFLAGS}" -### ccache settings +## ccache settings #export PATH="/usr/lib/ccache/:$PATH" #export CCACHE_DIR="/usr/ports/ccache" #export CCACHE_PREFIX="distcc" #export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux" -#export DISTCC_DIR="/usr/ports/distcc" # ## compile using ccache and distcc -#PUMP_BUILD=no #export DISTCC_HOSTS="localhost/4 xborg/4" # -## compile using distcc without ccache +### compile using distcc without ccache ##export PATH="/usr/lib/distcc/:$PATH" -##export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp cb1/2,lzo,cpp" +##export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp" ##export PUMP_BUILD=yes # -#export MAKEFLAGS="-j $(/usr/bin/distcc -j 2> /dev/null)" +## distcc settings +#export JOBS=$(/usr/bin/distcc -j 2> /dev/null) +#export DISTCC_DIR="/usr/ports/distcc" +#export MAKEFLAGS="-j ${JOBS}" #export SCONSFLAGS="$MAKEFLAGS" -export JOBS=$(nproc) # local compile only +export JOBS=$(nproc) export MAKEFLAGS="-j $JOBS" case ${PKGMK_ARCH} in diff --git a/core/ports.html b/core/ports.html index d7ea41c..bbb8472 100644 --- a/core/ports.html +++ b/core/ports.html @@ -199,7 +199,8 @@

    Configure pkgmk and define number of cores available, - in this example get dynamically Edit /etc/pkgmk.conf and + in this example get dynamically Edit + /etc/pkgmk.conf and set ccaching directory and instructs to use distcc backend;

    @@ -216,17 +217,20 @@ be configured on /etc/hosts.

    -        export DISTCC_DIR="/usr/ports/distcc"
-
-        # compile using ccache and distcc
-        export DISTCC_HOSTS="localhost/4 xborg/4"
-
-        # compile using distcc without ccache
-        #export PATH="/usr/lib/distcc/:$PATH"
-        #export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp cb1/2,lzo,cpp"
+        ### compile using distcc without ccache
+        ##export PATH="/usr/lib/distcc/:$PATH"
+        ##export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp"
+        ##export PUMP_BUILD=yes
 
-        export MAKEFLAGS="-j $(/usr/bin/distcc -j 2> /dev/null)"
+        # distcc settings
+        export JOBS=$(/usr/bin/distcc -j 2> /dev/null)
+        export DISTCC_DIR="/usr/ports/distcc"
+        export MAKEFLAGS="-j ${JOBS}"
         export SCONSFLAGS="$MAKEFLAGS"
+
+        # local compile only
+        #export JOBS=$(nproc)
+        #export MAKEFLAGS="-j $JOBS"

    Configure distcc daemon, edit -- cgit 1.4.1-2-gfad0 From d0caaf447c7aef7bd329e7d1a99fb127c658f784 Mon Sep 17 00:00:00 2001 From: Silvino Date: Wed, 12 Jun 2019 16:43:59 +0100 Subject: fix core prt-get.conf pkgbuild directory --- core/conf/prt-get.conf | 2 +- core/ports.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf index d2905cf..8e88333 100644 --- a/core/conf/prt-get.conf +++ b/core/conf/prt-get.conf @@ -23,7 +23,7 @@ prtdir /usr/ports/kde5 writelog enabled # (enabled|disabled) logmode overwrite # (append|overwrite) rmlog_on_success yes # (no|yes) -logfile /var/log/pkgbuild/%n.log +logfile /usr/ports/pkgbuild/%n.log # path, %p=path to port dir, %n=port name # %v=version, %r=release diff --git a/core/ports.html b/core/ports.html index bbb8472..be9ce7c 100644 --- a/core/ports.html +++ b/core/ports.html @@ -157,7 +157,7 @@ writelog enabled # (enabled|disabled) logmode overwrite # (append|overwrite) rmlog_on_success yes # (no|yes) - logfile /var/log/pkgbuild/%n.log + logfile /usr/ports/pkgbuild/%n.log # path, %p=path to port dir, %n=port name # %v=version, %r=release -- cgit 1.4.1-2-gfad0 From 4cfdf53921842b1b59fa5fd77777fb6065f6e977 Mon Sep 17 00:00:00 2001 From: Silvino Date: Wed, 12 Jun 2019 23:51:18 +0000 Subject: apparmor added profiles --- core/apparmor.html | 51 +++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 47 insertions(+), 4 deletions(-) diff --git a/core/apparmor.html b/core/apparmor.html index 5c9b541..0052a68 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -11,7 +11,7 @@

    2.6.1. AppArmor

    Check kernel configuration or - use the provided with linux-gnu port + use the provided with linux-gnu port to support apparmor. AppArmor enforce rules on applications based on security policies. User space tools are provided by apparmor port and its dependencies, install them;

    @@ -48,7 +48,20 @@ aa-decode aa-exec aa-remove-unknown -

    apparmor_parser options;

    +

    Profiles

    + +

    Profiles are located at /etc/apparmor.d/ and + /usr/share/apparmor/extra-profiles contain profiles + that require testing; + + 

    +        # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
+        # sudo rm /etc/apparmor.d/README
+        # bash /etc/rc.d/apparmor restart
+
    + +

    Profiles are parsed using + apparmor_parser;

     	Usage: apparmor_parser [options] [profile]
@@ -93,11 +106,41 @@
 	--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
 	--warn n                Enable warnings (see --help=warn)
    - # + +

    Create profile with audit

    + +

    Create profile manually

    + +

    To create a new profile, let's say for lynx, + first find where the application is;

    + + 
    +        $ whereis lynx
+        lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz
+
    + +

    Now create a file with path to executable in + /etc/apparmor.d;

    + + 
    +        # vim /etc/apparmor.d/usr.bin.lynx
+
    + +

    Create basic profile template;

    + + 
    +        #include <tunables/global>
+
+        profile lynx /usr/bin/lynx {
+          #include <abstractions/base>
+        }
+
    + + Core OS Index

    This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file Gnu Free Documentation License for copying conditions.

    -- cgit 1.4.1-2-gfad0 From cef80b1553d23673af7ad5b6ca82e51c121a3775 Mon Sep 17 00:00:00 2001 From: Silvino Date: Thu, 13 Jun 2019 01:21:13 +0000 Subject: added pkg-get conf and pkgmk.conf updated --- core/conf/pkg-get.conf | 15 +++++++++++++++ core/conf/pkgmk.conf | 2 +- core/ports.html | 2 +- 3 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 core/conf/pkg-get.conf diff --git a/core/conf/pkg-get.conf b/core/conf/pkg-get.conf new file mode 100644 index 0000000..4825657 --- /dev/null +++ b/core/conf/pkg-get.conf @@ -0,0 +1,15 @@ +## +# /etc/pkg-get.conf +# pkg-get configuration file + +# package repositories (remote) +# The first two are remote repoistories, the last is a local one +pkgdir /usr/ports/server|https://hive.gnu.systems/mirror-3.4/packages +#pkgdir /usr/packages/java|http://www.foobar.com/java +#pkgdir /usr/packages/games + +# runscripts: if "yes" pre-post install scripts are +# automatically executed. Handle with care. +runscripts yes + +preferhigher yes # (yes|no) diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index 8222926..4d689ec 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -44,7 +44,7 @@ case ${PKGMK_ARCH} in ;; esac -PKGMK_SOURCE_MIRRORS=(https://hive.gnu.systems/mirror/distfiles/) +PKGMK_SOURCE_MIRRORS=(https://hive.gnu.systems/mirror-3.4/distfiles/) # PKGMK_SOURCE_DIR="$PWD" PKGMK_SOURCE_DIR="/usr/ports/distfiles" # PKGMK_PACKAGE_DIR="$PWD" diff --git a/core/ports.html b/core/ports.html index be9ce7c..9d2f989 100644 --- a/core/ports.html +++ b/core/ports.html @@ -97,7 +97,7 @@ ;; esac - PKGMK_SOURCE_MIRRORS=(https://hive.gnu.systems/mirror/distfiles/) + PKGMK_SOURCE_MIRRORS=(https://hive.gnu.systems/mirror-3.4/distfiles/) # PKGMK_SOURCE_DIR="$PWD" PKGMK_SOURCE_DIR="/usr/ports/distfiles" # PKGMK_PACKAGE_DIR="$PWD" -- cgit 1.4.1-2-gfad0 From caf14bbeab74235c8d6574beb8b3ad2b55aef667 Mon Sep 17 00:00:00 2001 From: Silvino Date: Sun, 16 Jun 2019 00:34:08 +0100 Subject: core user added to input group --- core/configure.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/configure.html b/core/configure.html index 10d5823..cdb51a4 100644 --- a/core/configure.html +++ b/core/configure.html @@ -190,7 +190,7 @@ 
             # useradd -U -m -k /etc/skel -s /bin/bash username
-        # usermod -G adm,wheel,audio,video,users username
+        # usermod -G adm,wheel,audio,input,video,users username
         # passwd username
    -- cgit 1.4.1-2-gfad0 From 951a8a84411da6b71cee11d8c9feb993b984acf5 Mon Sep 17 00:00:00 2001 From: Silvino Date: Sun, 16 Jun 2019 05:03:49 +0100 Subject: apparmor and hardening revision --- core/apparmor.html | 31 +++++++++++++- core/hardening.html | 118 +++++++++++++++++++++++++++++++++++++++++++++------- core/sysctl.html | 5 +++ tools/irssi.html | 42 ++++++++++++++++--- tools/x.html | 60 +------------------------- 5 files changed, 176 insertions(+), 80 deletions(-) diff --git a/core/apparmor.html b/core/apparmor.html index 0052a68..8b7a30c 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -109,6 +109,35 @@

    Create profile with audit

    +

    Tools use log as a source to build profiles, it is + necessary to disable log rate limit;

    + + 
    +        # sysctl -w kernel.printk_ratelimit=0
+
    + +

    Start aa-genprof;

    + + 
    +        $ sudo aa-genprof /usr/bin/lynx
+
    + +

    Execute application with all common application options + and parts;

    + +

    After initial automatic configuration enable profile in + complain mode. Use aa-logprof when rules need to be adapted.

    + + 
    +        # aa-logprof
+
    + +

    Once profile rules become well defined enable profile in + enforce mode with aa-enforce;

    + +

    Monitor logs with aa-notify; + +

    Create profile manually

    To create a new profile, let's say for lynx, @@ -136,8 +165,6 @@ } - - Core OS Index

    This is part of the Hive System Documentation. Copyright (C) 2019 diff --git a/core/hardening.html b/core/hardening.html index 8e9788f..d94cda6 100644 --- a/core/hardening.html +++ b/core/hardening.html @@ -10,15 +10,16 @@

    2.6. Hardening

    -

    2.6.0.1 System configuration

    +

    2.6.0.2 System security

    File systems
    Check fstab and current mount options. Mount filesystems in read only, only strict necessary in rw.
    Sys
    Check kernel settings with sysctl.
    +
    kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.
    Iptables
    -
    Check if iptables rules are loaded and are correctly logging.
    +
    Check if iptables rules are loaded and are correctly logging.(firewald works as API to iptables).
    Apparmor
    Check if apparmor is active and enforcing policies.
    Samhain
    @@ -27,31 +28,120 @@
    Build ports using hardened toolchain settings.
    -

    System security

             $ sudo prt-get depinst checksec
    -
    -
    User / Pam
    -
    Normal user is not part of wheel group - or have administration rights.
    -
    Disable su.
    -
    Processes
    -
    Check processes running as root
    -
    Check processes users premissions
    +

    2.6.0.1 System configuration

    + +

    1.1 - Users groups, passwords and sudo.

    + +

    Check "normal" users groups, make sure they are not admin or wheel group; ps -U root -u root u, ps axl | awk '$7 != 0 && $10 !~ "Z"', process permission; ps -o gid,rdig,supgid -p "$pid"

    + +

    Maintain, secure with hash, and enforce secure passwords with pam-cracklib.

    + + +

    1.2 - Linux PAM

    + +

    Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests.

    + +

    Check files (processes) set uid and set gid;

    + + 
    +        # find / -perm -4000 >> /root/setuid_files
+        # find / -perm 2000 >> /root/setguid_files
+
    + +

    To setuid (4744);

    + + 
    +        # chmod u+s filename
+
    + +

    To remove (0664) from su and Xorg (user must be part of input and video for xorg to run);

    + + 
    +        # chmod u-s /usr/bin/su
+        # chmod u-s /usr/bin/X
+
    + +

    To set gid (2744)

    + 
    +        # chmod g+s filename
+
    +

    To remove (0774);

    + 
    +        # chmod g-s filename
+
    + +

    Check files (processes); getfacl filename.

    + , disable admins and root from sshd.

    + +

    1.3. Capabilities

    + +

    Check capabilities;

    + 
    +        # getcap filename
+
    + +
    1.9 - Limit number of processes.
    +
    1.10 - Lock user after 3 failed loggins.
    +
    1.8 - Block host ip based on iptable and services + abuse.
    +

    1.4 Sudo

    + +

    Check sudo, sudoers and sudo replay.

    + +

    Don't run editor as root, instead run sudoedit filename or sudo --edit filename. Editor can be set as a environment variable;

    + + 
    +        $ export SUDO_EDITOR=vim
+
    + +

    Set rvim as default on sudo config;

    + + 
    +        # visudo
+
+        Defaults editor=/usr/bin/rvim
+
    + +

    Once sudo is correctly configured, disable root login;

    + + 
    +        # passwd --lock root
+
    + +

    1.5 Auditd

    + + 
    +        $ prt-get depinst audit
+
    + +

    Example audit when file /etc/passwd get modified;

    + + 
    +        $ auditctl -w /etc/passwd -p wa -k passwd_changes
+
    + +

    Audit when a module get's loaded;

    + + 
    +        # auditctl -w /sbin/insmod -p x -k module_insertion
+
    +

    2.6.0.2 Lynis

             $ sudo prt-get depinst lynis
    -

    Lynis gives a view of system overall configuration, without changing - default profile it runs irrelevant tests. Create a lynis profile by - coping default one and run lynis;

    +

    Lynis gives a view of system overall configuration, + without changing default profile it runs irrelevant tests. + Create a lynis profile by coping default one and run lynis;

             $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
diff --git a/core/sysctl.html b/core/sysctl.html
index a5af197..afee463 100644
--- a/core/sysctl.html
+++ b/core/sysctl.html
@@ -33,6 +33,9 @@
         # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
         kernel.pid_max = 65536
 
+        #Yama LSM by default
+        kernel.yama.ptrace_scope = 1
+
         #
         # Filesystem Protections
         #
@@ -48,6 +51,8 @@
         # Network Protections
         #
 
+        net.core.bpf_jit_enable = 0
+
         # Increase Linux auto tuning TCP buffer limits
         # min, default, and max number of bytes to use
         # set max to at least 4MB, or higher if you use very high BDP paths
diff --git a/tools/irssi.html b/tools/irssi.html
index d4fcc0d..dbb1372 100644
--- a/tools/irssi.html
+++ b/tools/irssi.html
@@ -1,9 +1,39 @@
+
+
+    
+        
+        Irssi
+    
+    
 
-   Start up irssi, then:
-   /connect irc.freenode.net
-   /nick MyIRCNick
-   /SERVER ADD -auto -network freenode irc.freenode.net 6667 
+        Tools Index
+
+        
    Irssi
    
+
+        
    Default configuration file is at /usr/etc/irssi.conf;
    
+
+        
    +        $ mkdir .irssi
+        $ cp /usr/etc/irssi.conf .irssi/config
+        
    
+
+        
    Start up irssi, then:
    
+
+        
    +        /connect irc.freenode.net
+        /nick MyIRCNick
+        /SERVER ADD -auto -network freenode irc.freenode.net 6667 <password>
+        /CHANNEL ADD -auto #crux freenode
+        
    
 
-      (you may have to shutdown and restart irssi at this point for it to
          recognize the network name "freenode" in the next step)
-         /CHANNEL ADD -auto #crux freenode
+
+        Tools Index
+        
    
+        This is part of the Hive System Documentation.
+        Copyright (C) 2019
+        Hive Team.
+        See the file Gnu Free Documentation License
+        for copying conditions.
    
+    
+
diff --git a/tools/x.html b/tools/x.html
index c693062..3efaf7a 100644
--- a/tools/x.html
+++ b/tools/x.html
@@ -17,34 +17,7 @@
         
    Xorg
    
 
         
    -        $ sudo prt-get depinst xorg-server \
-             xorg-xinit \
-             xorg-xrdb \
-             xorg-xdpyinfo \
-             xorg-xauth \
-             xorg-xmodmap \
-             xorg-xrandr \
-             xorg-xgamma \
-             xorg-xf86-input-evdev \
-             xorg-xf86-input-synaptics \
-             xsel \
-             xkeyboard-config
-        
    
-
-        
    Fonts
    
-
-        
    -        $ sudo prt-get depinst xorg-font-util \
-             xorg-font-alias \
-             xorg-font-dejavu-ttf \
-             xorg-font-cursor-misc \
-             xorg-font-misc-misc \
-             console-font-terminus \
-             xorg-font-terminus \
-             xorg-font-mutt-misc
-
-        $ prt-get search xorg-font-bitstream | xargs sudo prt-get depinst
-        $ prt-get search xorg-font-bh | xargs sudo prt-get depinst
+        $ prt-get depinst meta-desktop
         
    
 
 
@@ -53,35 +26,6 @@
         $ prt-get depinst otf-sourcecode
    -

    Utilities

    - - 
    -        $ sudo prt-get depinst \
-            alsa-utils \
-            libdrm \
-            mesa3d \
-            ffmpeg \
-            gstreamer \
-            gstreamer-vaapi \
-            gst-plugins-base \
-            gst-plugins-good \
-            gst-plugins-bad \
-            gst-plugins-ugly \
-            cmus \
-            dmenu \
-            st \
-            gparted \
-            gimp \
-            libreoffice \
-            ca-certificates \
-	    linux-pam \
-	    gstreamer \
-	    libgd \
-            icu \
-	    syndaemon \
-	    firefox
-
    -

    Window Managers

    @@ -92,7 +36,7 @@
 	 	mate
    -

    Configure

    +

    Configure

    Local xinitrc

    -- cgit 1.4.1-2-gfad0