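#!/bin/bash
# @details
# This file sets up and verifies some of the SOM security.
#
# Runs as root: it rewrites /etc/sudoers, /etc/ssh/sshd_config and the
# iptables rules file, re-homes the denali/cloud application files and
# reboots at the end.  There is deliberately no "set -e": the script is
# meant to be rerunnable and several steps legitimately fail on a rerun
# (files already moved, attributes already cleared).  Steps whose failure
# would leave the device in a worse state check their own status.

# globals.sh lives next to this script and provides post_log_dash and
# SETUP_CONF_FILE (used by cleanup()).  Resolve it relative to the script
# rather than the current directory so the script also works when invoked
# from elsewhere.
# shellcheck source=./globals.sh
source "$(dirname "$0")/globals.sh"

# Sudoers policy, written verbatim to /etc/sudoers by updateSudoers().
# NOTE(review): several NOPASSWD rules below end in a bare "*".  In sudoers
# "*" matches any argument string, spaces included, so "tee *" and
# "sed -i *" let the denali account write arbitrary content to any file as
# root (this sudoers file included), and "mount *", "cryptsetup *" and
# "mkfs.ext4 *" act on any device.  Those rules are equivalent to
# unrestricted root; tighten them to the exact paths/arguments the app uses
# when this list is next reviewed.  "/sbin/ip link set *" appears twice; the
# duplicate is harmless.
CONTENT_SUDOERS="
Defaults env_reset
Defaults mail_badpass
Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"
Defaults use_pty

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
# this line has been intentionaly commented out to revoke any access from sudoes
# other than what has been specifically mentioned below.
# %sudo ALL=(ALL:ALL) ALL

# Allow the denali user to execute specific commands as root.
denali ALL=(root) NOPASSWD: /usr/bin/bluetoothctl
denali ALL=(root) NOPASSWD: /usr/bin/tee *
denali ALL=(root) NOPASSWD: /bin/date -s *
denali ALL=(root) NOPASSWD: /sbin/hwclock -w
denali ALL=(root) NOPASSWD: /bin/sed -i *
denali ALL=(root) NOPASSWD: /bin/systemctl stop wpa_supplicant@*
denali ALL=(root) NOPASSWD: /bin/systemctl restart wpa_supplicant@*
denali ALL=(root) NOPASSWD: /bin/rm -f /etc/wpa_supplicant/wpa_supplicant-*
denali ALL=(root) NOPASSWD: /bin/chmod 640 /etc/wpa_supplicant/wpa_supplicant-*
denali ALL=(root) NOPASSWD: /sbin/ip link set *
denali ALL=(root) NOPASSWD: /sbin/ip route show
denali ALL=(root) NOPASSWD: /sbin/ip route del default
denali ALL=(root) NOPASSWD: /sbin/ip route add default via *
denali ALL=(root) NOPASSWD: /sbin/ip link set *
denali ALL=(root) NOPASSWD: /usr/bin/wpa_passphrase *
denali ALL=(root) NOPASSWD: /sbin/ifconfig *
denali ALL=(root) NOPASSWD: /sbin/iwconfig wlan0
denali ALL=(root) NOPASSWD: /usr/bin/killall udhcpc
denali ALL=(root) NOPASSWD: /sbin/udhcpc --timeout=5 --retries=1 -n -i *
denali ALL=(root) NOPASSWD: /usr/sbin/rfkill unblock wifi
denali ALL=(root) NOPASSWD: /usr/sbin/rfkill block wifi
denali ALL=(root) NOPASSWD: /sbin/iwlist *
denali ALL=(root) NOPASSWD: /bin/ping -I *
denali ALL=(root) NOPASSWD: /usr/bin/mount *
denali ALL=(root) NOPASSWD: /usr/bin/umount *
denali ALL=(root) NOPASSWD: /bin/mkdir *
denali ALL=(root) NOPASSWD: /usr/sbin/cryptsetup *
denali ALL=(root) NOPASSWD: /sbin/mkfs.ext4 *
denali ALL=(root) NOPASSWD: /bin/systemctl start sshd.socket
denali ALL=(root) NOPASSWD: /bin/systemctl stop sshd.socket
denali ALL=(root) NOPASSWD: /bin/systemctl disable sshd.socket
denali ALL=(root) NOPASSWD: /bin/systemctl status sshd.socket
"

# iptables-restore ruleset written to the boot-time rules file by
# secureIPTables(): default-deny inbound/forward, allow loopback, SSH and
# established/related traffic, allow all outbound.
CONTENT_IPTABLES="
*filter

# Set default chain policies
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Accept all connections via lo interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Accept SSH connections
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Accept incoming VNC connections
# -A INPUT -p tcp --dport 5900 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# -A OUTPUT -p tcp --sport 5900 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow established inbound connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

COMMIT
"

# sshd_config written by secureSsh().
# The "\$OpenBSD" in the first comment line is escaped: unescaped it was
# expanded by bash as the (empty) variable OpenBSD and the header line came
# out mangled.
# NOTE(review): "PasswordAuthentication no" only disables the "password"
# method; with "ChallengeResponseAuthentication yes" and "UsePAM yes" the
# keyboard-interactive (PAM) method stays enabled, and
# "PermitEmptyPasswords yes" then allows any account with an empty password
# to log in that way.  Unless the app depends on it, set
# PermitEmptyPasswords no (and ChallengeResponseAuthentication no) so that
# key authentication is the only path.
CONTENT_SSHD_CONFIG="
# \$OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

LoginGraceTime 2m
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords yes
ChallengeResponseAuthentication yes
UsePAM yes
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
Subsystem sftp /usr/libexec/sftp-server
"

#######################################
# Allow the denali app to run specific commands as root.
#
# Writes CONTENT_SUDOERS to /etc/sudoers.  The content is staged in a temp
# file and syntax-checked with visudo first (when visudo is available) so a
# malformed file can never lock every account out of sudo; the live file is
# only replaced once the check passes.  Also removes the cloud user from the
# sudo group.
# Globals:   CONTENT_SUDOERS (read)
# Outputs:   diagnostics on stderr
# Returns:   0 on success, 1 if the content could not be staged or was
#            rejected by visudo (the live sudoers is then left untouched)
#######################################
updateSudoers() {
  # ----------------------------------------- Update Sudoers
  post_log_dash " Update Sudoers "
  local fileTarget="/etc/sudoers"
  local staged

  staged=$(mktemp) || {
    printf 'updateSudoers: mktemp failed, %s left untouched\n' "$fileTarget" >&2
    return 1
  }
  printf '%s\n' "$CONTENT_SUDOERS" > "$staged"

  if command -v visudo >/dev/null 2>&1 && ! visudo -c -f "$staged" >/dev/null; then
    printf 'updateSudoers: generated sudoers rejected by visudo, %s left untouched\n' \
      "$fileTarget" >&2
    rm -f -- "$staged"
    return 1
  fi

  # sudo's default build expects /etc/sudoers to be root:root mode 0440 and
  # refuses to run otherwise, so install it with exactly those attributes
  # instead of relying on whatever mode the existing file had.
  install -m 0440 -o root -g root "$staged" "$fileTarget"
  rm -f -- "$staged"

  # Remove the cloud user (which runs CloudSync) from the sudo group entirely.
  # Only attempted when the membership exists so reruns stay quiet.
  if id -nG cloud 2>/dev/null | tr ' ' '\n' | grep -qx sudo; then
    gpasswd -d cloud sudo
  fi
}

# Turn on IPTables Firewall security.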
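#######################################
# Turn on IPTables Firewall security.
#
# Flushes the currently loaded rules and writes CONTENT_IPTABLES to the
# rules file.  "iptables -F" only removes rules: it does not change the
# default chain policies and does not load the new file, so the new policy
# only takes effect when the rules file is applied (this script reboots at
# the end; the boot-time iptables unit is assumed to read
# /etc/iptables/iptables.rules — TODO confirm on the target image).
# Globals:   CONTENT_IPTABLES (read)
# Outputs:   diagnostics on stderr
# Returns:   0 on success, 1 if the file could not be written or does not
#            parse
#######################################
secureIPTables() {
  # ----------------------------------------- Secure Iptables
  post_log_dash " Secure Iptables "
  local fileTarget="/etc/iptables/iptables.rules"

  iptables -F
  mkdir -p -- "${fileTarget%/*}"
  printf '%s\n' "$CONTENT_IPTABLES" > "$fileTarget" || {
    printf 'secureIPTables: cannot write %s\n' "$fileTarget" >&2
    return 1
  }
  # Parse-only check so a broken ruleset is reported now instead of failing
  # silently at boot and leaving the device without a firewall.
  if command -v iptables-restore >/dev/null 2>&1 \
    && ! iptables-restore --test < "$fileTarget"; then
    printf 'secureIPTables: %s failed iptables-restore --test\n' "$fileTarget" >&2
    return 1
  fi
}

#######################################
# Turn on some ssh security.
#
# Writes CONTENT_SSHD_CONFIG to sshd_config, makes it root:denali with group
# read/write, and disables sshd.socket (the sudoers policy grants denali
# start/stop of sshd.socket, presumably so the app enables SSH on demand).
# NOTE(review): group write on sshd_config lets the denali account change
# sshd policy (PermitRootLogin, PasswordAuthentication, ...) and then start
# sshd through its sudo rule.  If the app only reads this file, g+r is
# enough; if it must edit it, prefer a drop-in under sshd_config.d that the
# main file includes, so the hardened settings here cannot be overridden.
# Globals:   CONTENT_SSHD_CONFIG (read)
# Outputs:   diagnostics on stderr
# Returns:   0 on success, 1 if the file could not be written
#######################################
secureSsh() {
  # ----------------------------------------- Secure SSH
  post_log_dash " Secure SSH "
  local fileTarget="/etc/ssh/sshd_config"

  printf '%s\n' "$CONTENT_SSHD_CONFIG" > "$fileTarget" || {
    printf 'secureSsh: cannot write %s\n' "$fileTarget" >&2
    return 1
  }
  # A single regular file, so no -R; "owner:group" is the portable spelling.
  chown root:denali "$fileTarget"
  chmod g+rw "$fileTarget"

  # Syntax check so a typo in the config is caught before the reboot.
  # Best effort: sshd may not be on PATH or host keys may be missing.
  if command -v sshd >/dev/null 2>&1 && ! sshd -t -f "$fileTarget"; then
    printf 'secureSsh: warning: sshd -t rejected %s\n' "$fileTarget" >&2
  fi

  # Disable the ssh service by default; it is enabled when needed.
  systemctl disable sshd.socket
}

#######################################
# Secure the denali application files.
#
# Moves the denali binary and scripts from this (root) account's home into
# /home/denali, then makes denali the owner and removes all access for
# "other".
# Returns:   0 (individual steps may fail on a rerun; that is tolerated)
#######################################
secureDenali() {
  # ----------------------------------------- Secure the denali
  post_log_dash " Secure the denali "
  local home=/home/denali

  # Clear the immutable attribute in case this script is being rerun
  # (setPermissionsCustomerAppFiles sets +i on everything below $home).
  chattr -R -i "$home"/*

  if [ -f ~/denali ]; then
    rm -f -- "$home/denali"
    mv -- ~/denali "$home/"
  fi
  if [ -d ~/scripts ]; then
    rm -rf -- "$home/scripts"
    mv -- ~/scripts "$home/"
  fi

  chown -R denali:denali "$home"
  chmod -R o-rwx "$home"
}

#######################################
# Secure the CloudSync application files.
#
# Moves the cloudsync tree from this (root) account's home into /home/cloud,
# refreshes its config.json from /var/configurations, then makes cloud the
# owner and removes all access for "other".
# Outputs:   a warning on stderr if the source config.json is missing
# Returns:   0 (individual steps may fail on a rerun; that is tolerated)
#######################################
secureCloudSync() {
  # ----------------------------------------- Secure the CloudSync
  post_log_dash " Secure the CloudSync "
  local home=/home/cloud
  local cfg_src=/var/configurations/CloudSync/config/config.json
  local cfg_dst="$home/cloudsync/cloudsync/config/config.json"

  # Clear the immutable attribute in case this script is being rerun.
  chattr -R -i "$home"/*

  if [ -d ~/cloudsync ]; then
    rm -rf -- "$home/cloudsync"
    mv -- ~/cloudsync "$home/"
  fi

  # TODO Improve later: quick fix for the CloudSync registration in UpdateOnly mode.
  # Guarded so a missing source is reported explicitly rather than as a bare
  # cp error on every rerun.
  if [ -f "$cfg_src" ]; then
    cp -- "$cfg_src" "$cfg_dst"
  else
    printf 'secureCloudSync: warning: %s not found, CloudSync config not refreshed\n' \
      "$cfg_src" >&2
  fi

  chown -R cloud:cloud "$home"
  chmod -R o-rwx "$home"
}

#######################################
# Set all permissions for our users that are not root.
#
# Establishes ownership and modes for the denali and cloud data directories,
# marks the home directories immutable, adds denali to the device groups it
# needs and installs the settings checksum file read-only for denali.
# Returns:   0 (individual steps may fail on a rerun; that is tolerated)
#######################################
setPermissionsCustomerAppFiles() {
  # ----------------------------------------- Secure the filesystem
  post_log_dash " Secure the filesystem "

  # Make sure the other users have no access to these directories.
  chmod -R o-rwx /home/cloud /home/denali
  chmod u+rx /home/denali/denali

  # ***** denali
  # Give read-write access to denali by making it the owner.
  mkdir -p /media/sd-card/log /media/sd-card/service
  chown -R denali:denali /media/sd-card/log /media/sd-card/service

  # Give read-only access to cloud by making it the group owner.
  # pending/ is created first so one recursive chown/chmod covers both
  # (the previous version repeated the same chown/chmod for pending/).
  mkdir -p /var/configurations/treatment/pending
  chown -R denali:cloud /var/configurations/treatment
  chmod -R g-w,g+r,o-rwx /var/configurations/treatment

  # Give read-only access to Settings/Systems
  chown -R denali:denali /var/configurations/Settings

  # ***** cloud
  # Give read-only access to denali by making it the group owner.
  chown -R cloud:denali /var/configurations/CloudSync
  # Give only listing permission to the denali user (e.g. denali can only ls,
  # not cat or open files): directories get group read, files lose all group
  # access.  "-exec ... +" batches the chmod calls instead of one per path.
  find /var/configurations/CloudSync -type d -exec chmod g-w,g+r,o-rwx {} +
  find /var/configurations/CloudSync -type f -exec chmod g-rwx,o-rwx {} +

  # Give read-write access to denali by making it the group owner.
  mkdir -p /media/sd-card/cloudsync
  chown -R cloud:denali /media/sd-card/cloudsync
  chmod -R u+rw,g+rw,o-rwx /media/sd-card/cloudsync

  # Set the immutable attribute for all of the files (cleared again by
  # secureDenali/secureCloudSync on a rerun).
  chattr -R +i /home/cloud/* /home/denali/*

  # Add denali to the extra device groups it needs.
  local grp
  for grp in video input tty; do
    usermod -a -G "$grp" denali
  done

  # copy the settings crc
  local FIL_RMD=readme.md
  local FIL_CRC=settings.crc
  local SRC_CRC=/home/root/.config/
  local DST_CRC=/var/configurations/
  cp -- "$SRC_CRC$FIL_RMD" "$DST_CRC$FIL_RMD" # TODO remove from the shasum
  cp -- "$SRC_CRC$FIL_CRC" "$DST_CRC$FIL_CRC"
  chown denali:denali "$DST_CRC$FIL_CRC"
  # Owner read-only, no access for group or other.
  chmod u=r,g-rwx,o-rwx "$DST_CRC$FIL_CRC"
}

#######################################
# Remove the setup files.
#
# Deletes the setup configuration, the installer script copy, this (root)
# account's ~/.ssh (keys and authorized_keys included) and the cloudsync
# scratch area on the SD card.
# Globals:   SETUP_CONF_FILE (read, from globals.sh), HOME (read)
# Returns:   0
#######################################
cleanup() {
  # ----------------------------------------- Remove the setup files
  post_log_dash " Remove the setup files "
  # Skip rather than call rm with an empty argument if globals.sh did not
  # define SETUP_CONF_FILE.
  if [ -n "${SETUP_CONF_FILE:-}" ]; then
    rm -f -- "$SETUP_CONF_FILE"
  fi
  rm -f -- /home/root/setup.sh
  # Guarded so an unset HOME cannot turn this into "rm -rf /.ssh".
  if [ -n "${HOME:-}" ]; then
    rm -frd -- "$HOME/.ssh"
  fi
  rm -frd -- /media/sd-card/cloudsync/*
}

#######################################
# Entry point: run every hardening step in order.  cleanup runs first so
# the setup artefacts are gone before the home directories are locked.
#######################################
main() {
  cleanup
  secureDenali
  secureCloudSync
  setPermissionsCustomerAppFiles
  updateSudoers
  secureIPTables
  secureSsh
}

# Running the main function
main "$@"

# Remove this script by its own path (not by basename in the current
# directory, which only worked when run from the script's directory), flush
# pending writes and reboot so the new sudoers/sshd/iptables policy is live.
rm -f -- "$0"
sync
sync
sync
reboot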