From a947a31ede27fdf995e0a63e766fcd68eb491426 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Fri, 7 Feb 2020 03:41:45 +0000 Subject: System configuration update --- core/apparmor.html | 402 +++++++++++++++++++++++++++--------------------- core/conf/dracut.conf | 19 +++ core/conf/fstab | 1 + core/conf/pkgmk.conf | 10 +- core/conf/prt-get.conf | 32 ++-- core/conf/skel/.bashrc | 6 +- core/conf/skel/.profile | 3 +- core/conf/sysctl.conf | 17 +- core/index.html | 319 +++++++++++++++++++------------------- 9 files changed, 448 insertions(+), 361 deletions(-) create mode 100644 core/conf/dracut.conf (limited to 'core') diff --git a/core/apparmor.html b/core/apparmor.html index 65ee7c3..22b5183 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -1,202 +1,248 @@ - - 2.6.1. AppArmor + + 2.6.1. AppArmor - Core OS Index + Core OS Index -

2.6.1. AppArmor

+

2.6.1. AppArmor

-

Check kernel configuration or - use the provided with linux-gnu port - to support apparmor. AppArmor enforce rules on applications based - on security policies. User space tools are provided by apparmor port - and its dependencies, install them;

+

Check kernel configuration or + use the provided with linux-gnu port + to support apparmor. AppArmor enforce rules on applications based + on security policies.

-
-        $ sudo prt-get depinst apparmor
-        
-

Enable apparmor on linux by command line, create /etc/default/grub;

+

2.6.1.1 Install

-
-        GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
-        
+

User space tools are provided by apparmor port + and its dependencies, install them;

-

Add SecurityFS to /etc/fstab;

+
+	$ sudo prt-get depinst apparmor
+	
-
-        none /sys/kernel/security securityfs defaults 0 0
-        
+

Enable apparmor on linux by command line, create /etc/default/grub;

-

Check status;

+
+	GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
+	
-
-        # apparmor_status
-        
+

Add SecurityFS to /etc/fstab;

-

Utilities;

+
+	none /sys/kernel/security securityfs defaults 0 0
+	
-
-        aa-audit           aa-disable         aa-genprof         aa-status
-        aa-autodep         aa-easyprof        aa-logprof         aa-unconfined
-        aa-cleanprof       aa-enabled         aa-mergeprof
-        aa-complain        aa-enforce         aa-notify
-        aa-decode          aa-exec            aa-remove-unknown
-        
+

Check status;

-

Profiles

+
+	# apparmor_status
+	
-

Profiles are located at /etc/apparmor.d/ and - /usr/share/apparmor/extra-profiles contain profiles - that require testing;

- -
-        # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
-        # sudo rm /etc/apparmor.d/README
-        # bash /etc/rc.d/apparmor restart
-        
- -

Profiles are parsed using - apparmor_parser;

- -
-        Usage: apparmor_parser [options] [profile]
-
-        Options:
-        --------
-        -a, --add               Add apparmor definitions [default]
-        -r, --replace           Replace apparmor definitions
-        -R, --remove            Remove apparmor definitions
-        -C, --Complain          Force the profile into complain mode
-        -B, --binary            Input is precompiled profile
-        -N, --names             Dump names of profiles in input.
-        -S, --stdout            Dump compiled profile to stdout
-        -o n, --ofile n         Write output to file n
-        -b n, --base n          Set base dir and cwd
-        -I n, --Include n       Add n to the search path
-        -f n, --subdomainfs n   Set location of apparmor filesystem
-        -m n, --match-string n  Use only features n
-        -M n, --features-file n Use only features in file n
-        -n n, --namespace n     Set Namespace for the profile
-        -X, --readimpliesX      Map profile read permissions to mr
-        -k, --show-cache        Report cache hit/miss details
-        -K, --skip-cache        Do not attempt to load or save cached profiles
-        -T, --skip-read-cache   Do not attempt to load cached profiles
-        -W, --write-cache       Save cached profile (force with -T)
-            --skip-bad-cache    Don't clear cache if out of sync
-            --purge-cache       Clear cache regardless of its state
-            --debug-cache       Debug cache file checks
-        -L, --cache-loc n       Set the location of the profile cache
-        -q, --quiet             Don't emit warnings
-        -v, --verbose           Show profile names as they load
-        -Q, --skip-kernel-load  Do everything except loading into kernel
-        -V, --version           Display version info and exit
-        -d [n], --debug         Debug apparmor definitions OR [n]
-        -p, --preprocess        Dump preprocessed profile
-        -D [n], --dump          Dump internal info for debugging
-        -O [n], --Optimize      Control dfa optimizations
-        -h [cmd], --help[=cmd]  Display this text or info about cmd
-        -j n, --jobs n          Set the number of compile threads
-        --max-jobs n            Hard cap on --jobs. Default 8*cpus
-        --abort-on-error        Abort processing of profiles on first error
-        --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
-        --warn n                Enable warnings (see --help=warn)
-        
- -

Create profile with audit

- -

Tools use log as a source to build profiles, it is - necessary to disable log rate limit;

- -
-        # sysctl -w kernel.printk_ratelimit=0
-        
- -

Start aa-genprof;

- -
-        $ sudo aa-genprof /usr/bin/lynx
-        
- -

Execute application with all common application options - and parts. After initial automatic configuration enable profile in - complain mode. Use aa-logprof when rules need to be adapted.

- -
-        # aa-logprof -f /var/log/kernel
-        
- -

Once profile rules become well defined enable profile in - enforce mode with aa-enforce;

- -

Monitor logs with aa-notify;

- -
-        # aa-notify --file=/var/log/kernel -u username -l
-        
- -

And keep adjusting the rules with logprof;

- -
-        # aa-logprof -f /var/log/kernel
-        
- - -

Create profile manually

- -

To create a new profile, let's say for lynx, - first find where the application is;

- -
-        $ whereis lynx
-        lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz
-        
- -

Now create a file with path to executable in - /etc/apparmor.d;

- -
-        # vim /etc/apparmor.d/usr.bin.lynx
-        
- -

Create basic profile template;

- -
-        #include <tunables/global>
-
-        profile lynx /usr/bin/lynx {
-          #include <abstractions/base>
-        }
-        
- -

Seed up profile loading

- -

Every time apparmor loads a profile in text it needs - to compile into binary format, this takes some time if - there is many profiles to load at boot time. To optimize - edit /etc/apparmor/parser.conf;

- -
-        ## Turn creating/updating of the cache on by default
-        write-cache
-        
- -

To change default location add;

+

Utilities;

+ +
+	aa-audit           aa-disable         aa-genprof         aa-status
+	aa-autodep         aa-easyprof        aa-logprof         aa-unconfined
+	aa-cleanprof       aa-enabled         aa-mergeprof
+	aa-complain        aa-enforce         aa-notify
+	aa-decode          aa-exec            aa-remove-unknown
+	
-
-        chache-loc=/var/cache/apparmor
-        
+

6.2.1.2 Configure

- Core OS Index -

This is part of the Tribu System Documentation. - Copyright (C) 2020 - Tribu Team. - See the file Gnu Free Documentation License - for copying conditions.

+

Profiles are located at /etc/apparmor.d/ and + /usr/share/apparmor/extra-profiles contain profiles + that require testing;

+ +
+	# cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
+	# sudo rm /etc/apparmor.d/README
+	# bash /etc/rc.d/apparmor restart
+	
+ +

6.2.1.3 Profiles

+ +

Profiles are parsed using + apparmor_parser;

+ +
+	Usage: apparmor_parser [options] [profile]
+
+	Options:
+	--------
+	-a, --add               Add apparmor definitions [default]
+	-r, --replace           Replace apparmor definitions
+	-R, --remove            Remove apparmor definitions
+	-C, --Complain          Force the profile into complain mode
+	-B, --binary            Input is precompiled profile
+	-N, --names             Dump names of profiles in input.
+	-S, --stdout            Dump compiled profile to stdout
+	-o n, --ofile n         Write output to file n
+	-b n, --base n          Set base dir and cwd
+	-I n, --Include n       Add n to the search path
+	-f n, --subdomainfs n   Set location of apparmor filesystem
+	-m n, --match-string n  Use only features n
+	-M n, --features-file n Use only features in file n
+	-n n, --namespace n     Set Namespace for the profile
+	-X, --readimpliesX      Map profile read permissions to mr
+	-k, --show-cache        Report cache hit/miss details
+	-K, --skip-cache        Do not attempt to load or save cached profiles
+	-T, --skip-read-cache   Do not attempt to load cached profiles
+	-W, --write-cache       Save cached profile (force with -T)
+	    --skip-bad-cache    Don't clear cache if out of sync
+	    --purge-cache       Clear cache regardless of its state
+	    --debug-cache       Debug cache file checks
+	-L, --cache-loc n       Set the location of the profile cache
+	-q, --quiet             Don't emit warnings
+	-v, --verbose           Show profile names as they load
+	-Q, --skip-kernel-load  Do everything except loading into kernel
+	-V, --version           Display version info and exit
+	-d [n], --debug         Debug apparmor definitions OR [n]
+	-p, --preprocess        Dump preprocessed profile
+	-D [n], --dump          Dump internal info for debugging
+	-O [n], --Optimize      Control dfa optimizations
+	-h [cmd], --help[=cmd]  Display this text or info about cmd
+	-j n, --jobs n          Set the number of compile threads
+	--max-jobs n            Hard cap on --jobs. Default 8*cpus
+	--abort-on-error        Abort processing of profiles on first error
+	--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
+	--warn n                Enable warnings (see --help=warn)
+	
+ +

2.6.1.4 Profile with audit

+ +

Tools use log as a source to build profiles, it is + necessary to disable log rate limit;

+ +
+	# sysctl -w kernel.printk_ratelimit=0
+	
+ +

Start aa-genprof;

+ +
+	$ sudo aa-genprof /usr/bin/lynx
+	
+ +

Execute application with all common application options + and parts. After initial automatic configuration enable profile in + complain mode.

+ +
+	$ sudo aa-complain lynx
+	
+ +

Use aa-logprof when rules need to be adapted.

+ +
+	# aa-logprof -f /var/log/kernel
+	
+ +

Reload profile with the new settings;

+ +
+	# apparmor_parser -r lynx
+	
+ +

Once profile rules become well defined enable profile in + enforce mode with aa-enforce;

+ +

Monitor logs with aa-notify;

+ +
+	# aa-notify --file=/var/log/kernel -u username -l
+	
+ +

And keep adjusting the rules with logprof;

+ +
+	# aa-logprof -f /var/log/kernel
+	
+ +

2.6.1.5 Edit profiles

+ +

File Globing

+ +
+
/dir/file
match a specific file
+
/dir/*
match any files in a directory (including dot files)
+
/dir/a*
match any file in a directory starting with 'a'
+
/dir/*.png
match any file in a directory ending with '.png'
+
/dir/[^.]*
match any file in a directory except dot files
+
/dir/
match a directory
+
/dir/*/
match any directory within /dir/
+
/dir/a*/
match any directory within /dir/ starting with a
+
/dir/*a/
match any directory within /dir/ ending with a
+
/dir/**
match any file or directory in or below /dir/
+
/dir/**/
match any directory in or below /dir/
+
/dir/**[^/]
match any file in or below /dir/
+
/dir{,1,2}/**
- match any file or directory in or below /dir/, /dir1/, and /dir2/
+
+ +

File Permissions

+ +
+
r
read
+
w
write
+
a
append (implied by w)
+
m
memory map executable
+
k
lock (requires r or w, AppArmor 2.1 and later)
+
l
link
+ +
x
execute
+
+ +
+
ux
Execute unconfined (preserve environment) -- WARNING: should only be used in very special cases
+
Ux
Execute unconfined (scrub the environment)
+
px
Execute under a specific profile (preserve the environment) -- WARNING: should only be used in special cases
+
Px
Execute under a specific profile (scrub the environment)
+
pix
as px but fallback to inheriting the current profile if the target profile is not found
+
Pix
as Px but fallback to inheriting the current profile if the target profile is not found
+
pux
as px but fallback to executing unconfined if the target profile is not found
+
Pux
as Px but fallback to executing unconfined if the target profile is not found
+
ix
Execute and inherit the current profile
+
cx
Execute and transition to a child profile (preserve the environment)
+
Cx
Execute and transition to a child profile (scrub the environment)
+
cix
as cx but fallback to inheriting the current profile if the target profile is not found
+
Cix
as Cx but fallback to inheriting the current profile if the target profile is not found
+
cux
as cx but fallback to executing unconfined if the target profile is not found
+
Cux
as Cx but fallback to executing unconfined if the target profile is not found
+
+ +

The owner keyword can be used as a qualifier making permission conditional on owning the file (process fsuid == file's uid).

+ +

Read Profile Language for more information.

+ +

2.6.1.6 Speedup startup

+ +

Every time apparmor loads a profile in text it needs + to compile into binary format, this takes some time if + there is many profiles to load at boot time. To optimize + edit /etc/apparmor/parser.conf;

+ +
+	## Turn creating/updating of the cache on by default
+	write-cache
+	
+ +

To change default location add;

+ +
+	chache-loc=/var/cache/apparmor
+	
+ + Core OS Index +

This is part of the Tribu System Documentation. + Copyright (C) 2020 + Tribu Team. + See the file Gnu Free Documentation License + for copying conditions.
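Review bot: `apparmor_parser -r lynx` in the new "Reload profile with the new settings" step will not find the profile, because -r (--replace) takes the path of a profile file, not a profile name; it should be `apparmor_parser -r /etc/apparmor.d/usr.bin.lynx`, the file the removed "Create profile manually" section created. Two smaller points in the same hunk: the parser.conf example under "Speedup startup" still reads `chache-loc=/var/cache/apparmor`, and the option is spelled `cache-loc`, so the misspelling is carried over unchanged; and the headings "6.2.1.2 Configure" and "6.2.1.3 Profiles" do not follow the "2.6.1.x" numbering of the other headings. Dropping the "Create profile manually" section also removes the only place that showed the profile file name and the minimal `#include <tunables/global>` / `profile lynx /usr/bin/lynx { ... }` template, so "Edit profiles" now documents globbing and permission modes without showing the file those rules go into.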

diff --git a/core/conf/dracut.conf b/core/conf/dracut.conf new file mode 100644 index 0000000..eda69fd --- /dev/null +++ b/core/conf/dracut.conf @@ -0,0 +1,19 @@ +# PUT YOUR CONFIG IN separate files +# in /etc/dracut.conf.d named ".conf" + +# Equivalent to -H +hostonly="no" + +# Mount / and /usr read-only by default. +ro_mnt="yes" + +# Equivalent to -m "module module module" +dracutmodules+="dash kernel-modules rootfs-block udev-rules usrmount base fs-lib shutdown" + +# Equivalent to -a "module" +add_dracutmodules+="caps debug crypt lvm" + +# Equivalent to -o "module" +omit_dracutmodules+="systemd systemd-bootchart systemd-networkd systemd-initrd" + +# SEE man dracut.conf(5) for options diff --git a/core/conf/fstab b/core/conf/fstab index 99fead9..23dd98c 100644 --- a/core/conf/fstab +++ b/core/conf/fstab @@ -25,6 +25,7 @@ none /sys/kernel/security securityfs defau devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 shm /dev/shm tmpfs defaults 0 0 tmp /tmp tmpfs defaults,noatime,nosuid,nodev,noexec,size=128M 0 0 + UUID=3b408790-65e1-4638-9591-7ba61f266913 /boot ext4 defaults,ro,noatime 0 2 UUID=962D-0DE1 /boot/efi vfat ro,noauto,umask=0077 0 2 UUID=f2336a56-fbe6-444c-bdbf-f0e6c209c237 /var ext4 defaults,nodev,noexec,nosuid,errors=remount-ro 0 2 diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index 643abcc..3ae582d 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf 
@@ -12,18 +12,14 @@ export MAKEFLAGS="-j $JOBS" # ccache settings #export PATH="/usr/lib/ccache/:$PATH" #export CCACHE_DIR="/usr/ports/ccache" -#export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux" - -# compile using ccache and distcc #export CCACHE_PREFIX="distcc" -#export DISTCC_HOSTS="localhost/4 c11/2" +#export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux" ## compile using distcc without ccache -#export PATH="/usr/lib/distcc/:$PATH" -#export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp" -#export PUMP_BUILD=yes +##export PATH="/usr/lib/distcc/:$PATH" # distcc settings +#export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp" #export JOBS=$(/usr/bin/distcc -j 2> /dev/null) #export DISTCC_DIR="/usr/ports/distcc" #export MAKEFLAGS="-j ${JOBS}" diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf index 8e88333..d248d24 100644 --- a/core/conf/prt-get.conf +++ b/core/conf/prt-get.conf @@ -4,18 +4,31 @@ # note: the order matters: the package found first is used prtdir /usr/ports/core +prtdir /usr/ports/ports prtdir /usr/ports/opt prtdir /usr/ports/xorg +prtdir /usr/ports/contrib +prtdir /usr/ports/mate +#prtdir /usr/ports/kde5 +#prtdir /usr/ports/romster +#prtdir /usr/ports/tb +#prtdir /usr/ports/timcowchip +#prtdir /usr/ports/6c37 +#prtdir /usr/ports/nilp +#prtdir /usr/ports/nullspoon +#prtdir /usr/ports/dbrooke +#prtdir /usr/ports/pitillo + +# 6c37 team provides a collection with freetype-iu, fontconfig-iu +# and cairo-iu ports. +# the following line enables the user maintained contrib collection +# prtdir /usr/ports/6c37-dropin +# prtdir /usr/ports/6c37 + # the following line enables the multilib compat-32 collection #prtdir /usr/ports/compat-32 -# the following line enables the user maintained contrib collection -prtdir /usr/ports/contrib -prtdir /usr/ports/ports -prtdir /usr/ports/mate -prtdir /usr/ports/kde5 - ### use mypackage form local directory # prtdir /home/packages/build:mypackage 
@@ -23,7 +36,7 @@ prtdir /usr/ports/kde5 writelog enabled # (enabled|disabled) logmode overwrite # (append|overwrite) rmlog_on_success yes # (no|yes) -logfile /usr/ports/pkgbuild/%n.log +logfile /usr/ports/pkgbuild/%n-%v-%r.log # path, %p=path to port dir, %n=port name # %v=version, %r=release @@ -34,7 +47,7 @@ logfile /usr/ports/pkgbuild/%n.log readme verbose # (verbose|compact|disabled) ### prefer higher versions in sysup / diff -preferhigher yes # (yes|no) +preferhigher yes # (yes|no) ### use regexp search # useregex no # (yes|no) @@ -43,10 +56,11 @@ preferhigher yes # (yes|no) ### --install-scripts option runscripts yes # (no|yes) + ### EXPERT SECTION ### ### alternative commands -makecommand sudo -H -u pkgmk fakeroot pkgmk +makecommand sudo -H -u pkgmk -g pkgmk fakeroot pkgmk addcommand sudo pkgadd removecommand sudo pkgrm runscriptcommand sudo sh diff --git a/core/conf/skel/.bashrc b/core/conf/skel/.bashrc index 55d1c78..f562e3c 100644 --- a/core/conf/skel/.bashrc +++ b/core/conf/skel/.bashrc @@ -55,9 +55,9 @@ gloga () { alias tmux="tmux -2" # Virtual Crux machine -alias c1.ank="ssh c1.ank -t tmux a" -alias c2.ank="ssh c2.ank -t tmux a" -alias c9.ank="ssh c9.ank -t tmux a" +alias c1.ank="ssh c1 -t tmux a" +alias c2.ank="ssh c2 -t tmux a" +alias c9.ank="ssh c9 -t tmux a" alias pkg_mirror="pkg_bin -f /usr/ports/mirror_bin_db" alias pkg_update="pkg_bin -r /usr/ports/mirror_bin_db" diff --git a/core/conf/skel/.profile b/core/conf/skel/.profile index 1c8aa8b..7e15d10 100644 --- a/core/conf/skel/.profile +++ b/core/conf/skel/.profile @@ -11,7 +11,8 @@ function start_agent { echo succeeded chmod 600 "${SSH_ENV}" . "${SSH_ENV}" > /dev/null - /usr/bin/ssh-add; + # KEY_NAME with default key to load + /usr/bin/ssh-add ~/.ssh/KEY_NAME; } # Source SSH settings, if applicable diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index 3cc54d1..2a8723b 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf 
@@ -34,6 +34,8 @@ kernel.kptr_restrict = 2 # net.core.bpf_jit_enable = 0 +# harden all code +net.core.bpf_jit_harden = 2 # Increase Linux auto tuning TCP buffer limits # min, default, and max number of bytes to use @@ -54,13 +56,13 @@ net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 # Tuen IPv6 -#net.ipv6.conf.default.router_solicitations = 0 -#net.ipv6.conf.default.accept_ra_rtr_pref = 0 -#net.ipv6.conf.default.accept_ra_pinfo = 0 -#net.ipv6.conf.default.accept_ra_defrtr = 0 -#net.ipv6.conf.default.autoconf = 0 -#net.ipv6.conf.default.dad_transmits = 0 -#net.ipv6.conf.default.max_addresses = 0 +net.ipv6.conf.default.router_solicitations = 0 +net.ipv6.conf.default.accept_ra_rtr_pref = 0 +net.ipv6.conf.default.accept_ra_pinfo = 0 +net.ipv6.conf.default.accept_ra_defrtr = 0 +net.ipv6.conf.default.autoconf = 0 +net.ipv6.conf.default.dad_transmits = 0 +net.ipv6.conf.default.max_addresses = 0 # Avoid a smurf attack, ping scanning net.ipv4.icmp_echo_ignore_broadcasts = 1 @@ -140,4 +142,3 @@ net.ipv4.tcp_keepalive_time = 1800 net.ipv4.tcp_synack_retries = 3 # End of file - diff --git a/core/index.html b/core/index.html index 639ffda..5a914fd 100644 --- a/core/index.html +++ b/core/index.html @@ -1,164 +1,173 @@ - - Core OS + + Core OS - Documentation Index - -

Core OS

- -

Core OS covers installation and configuration of - basic functionality of Crux 3.5 Gnu\Linux operating system. - This documentation try's to follow Crux HandBook installation - method diverges, for example, by only installing and - documenting gpt and grub2.

- -

Read Crux HandBook, - you can ask for help on freenode #crux. Check scripts - folder the install process is automated and ports - for extra ports used during the installation.

- -

1. Install Crux 3.5 Gnu/Linux

- - - -

2. System Administration

- - - - Documentation Index - -

- This is part of the Tribu System Documentation. - Copyright (C) 2020 - Tribu Team. - See the file Gnu Free Documentation License - for copying conditions.

+ Documentation Index + +

Core OS

+ +

Core OS covers installation and configuration of + basic functionality of Crux 3.5 Gnu\Linux operating system. + This documentation try's to follow Crux HandBook installation + method diverges, for example, by only installing and + documenting gpt and grub2.

+ +

Read Crux HandBook, + you can ask for help on freenode #crux. Check scripts + folder the install process is automated and ports + for extra ports used during the installation.

+ +

1. Install Crux 3.5 Gnu/Linux

+ + + +

2. System Administration

+ + + + Documentation Index + +

+ This is part of the Tribu System Documentation. + Copyright (C) 2020 + Tribu Team. + See the file Gnu Free Documentation License + for copying conditions.
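Review bot: the added paragraphs under "Core OS" carry over wording errors that this reformat could have fixed: `Crux 3.5 Gnu\Linux` uses a backslash where the heading below writes `Gnu/Linux`; `This documentation try's to follow Crux HandBook installation method diverges` should read `This documentation tries to follow the Crux Handbook installation method but diverges`; and `Check scripts folder the install process is automated` is missing a verb, e.g. `Check the scripts folder, where the install process is automated, and ports for the extra ports used during the installation`.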

-- cgit 1.4.1-2-gfad0
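Review bot: the `+=` assignments in the new core/conf/dracut.conf (`dracutmodules+="dash kernel-modules ..."`, `add_dracutmodules+="caps debug crypt lvm"`, `omit_dracutmodules+="systemd ..."`) have no leading or trailing space inside the quotes; dracut.conf(5) writes these as `+=" module module "` because appended values from several .conf files are concatenated, and without the spaces the last module of one file runs into the first module of the next. Separately, `debug` is added to every generated image via `add_dracutmodules+=`; it adds debugging tools to the initramfs, so either document why it is wanted alongside `ro_mnt="yes"` and `hostonly="no"`, or keep it to a local override under /etc/dracut.conf.d/, which is what the file's own header comment recommends.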
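Review bot: the added `/boot` entry mounts the partition `ro`, and nothing in the documentation hunks says that kernel and bootloader updates need `mount -o remount,rw /boot` first and a remount back to read-only afterwards; a short note where the install procedure writes to /boot would spare readers a failed write. The line also carries a concrete `UUID=3b408790-...` in a file shipped as a configuration sample; the neighbouring entries do the same, but a reminder to replace them with the reader's own `blkid` output belongs next to them.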
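Review bot: after the reshuffle, the heading `## compile using distcc without ccache` is left with a single, now doubly commented line `##export PATH="/usr/lib/distcc/:$PATH"` under it, while the `DISTCC_HOSTS` line that belonged with it moved below `# distcc settings`, and `#export PUMP_BUILD=yes` is dropped without a replacement. Either keep the two option groups together under one heading or remove the orphaned heading, so the commented template still reads as a coherent set that can be switched on by uncommenting.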
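Review bot: the comment `# the following line enables the user maintained contrib collection` now sits above `# prtdir /usr/ports/6c37-dropin` and `# prtdir /usr/ports/6c37` instead of above `prtdir /usr/ports/contrib`, which moved into the active list near the top, so the comment no longer describes the line that follows it. It is also worth saying in the file that `prtdir /usr/ports/ports` is deliberately placed before opt, xorg and contrib: the header states the first match wins, so any port name duplicated in that collection shadows the same-named port in every later collection.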
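Review bot: `makecommand sudo -H -u pkgmk -g pkgmk fakeroot pkgmk` adds a `-g pkgmk` group switch without a comment saying why; sudoers only permits `-g` when the requested group is one of the target user's groups or the rule carries a runas group such as `(pkgmk : pkgmk)`, so check the sudoers entry in the same change and keep it scoped to the `fakeroot pkgmk` command rather than ALL. If pkgmk is already the primary group of the pkgmk user, the flag changes nothing and the plain `-u pkgmk` form is simpler.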
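Review bot: the aliases `c1.ank`, `c2.ank` and `c9.ank` now run `ssh c1`, `ssh c2` and `ssh c9`, so they depend on matching `Host c1` (and so on) stanzas in ~/.ssh/config or on those short names resolving; since this is the /etc/skel template every new account receives, add a comment naming that dependency or ship the ssh_config stanzas in skel as well, so the aliases do not point at nothing on a fresh account.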
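Review bot: `/usr/bin/ssh-add ~/.ssh/KEY_NAME;` in the skel `.profile` will fail on every new account until the placeholder is edited, because `KEY_NAME` is literal; guard it with `[ -f ~/.ssh/KEY_NAME ] && /usr/bin/ssh-add ~/.ssh/KEY_NAME`, or read the name from a variable set at the top of the file, and drop the stray trailing `;`. The comment reads better as `# path of the default key to load into the agent`.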
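Review bot: `net.core.bpf_jit_harden = 2` only has an effect while the BPF JIT is enabled, and the line just above it, `# net.core.bpf_jit_enable = 0`, is commented out, so whether hardening applies depends on the kernel's build-time default rather than on this file; set `net.core.bpf_jit_enable` explicitly next to it. The comment `# harden all code` also undersells the value: 0 disables constant blinding, 1 applies it to programs loaded by unprivileged users, 2 applies it to all users including root, at some JIT performance cost.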
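Review bot: the seven `net.ipv6.conf.default.*` lines are uncommented while the context directly above them keeps `net.ipv6.conf.default.disable_ipv6 = 1` and `net.ipv6.conf.lo.disable_ipv6 = 1`, so on this configuration they are inert. They are a reasonable fallback if IPv6 is re-enabled later, but then they cover only interfaces created after boot (`default`), not existing ones (`all`), and `accept_ra = 0`, the setting that actually stops router advertisements from being processed, is missing from the list. Also fix the `# Tuen IPv6` typo to `# Tune IPv6`.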