From c9ebc886fd771c482c805722a6caf14b8288f6b2 Mon Sep 17 00:00:00 2001
From: Christer Edwards
Date: Wed, 22 May 2019 21:50:29 -0600
Subject: [PATCH] May 2019 update: HardenedBSD, tzdata, NS
- closes #32: support HardenedBSD
- adds support for defined nameservers in new jails (up to three)
- adds support for defined nameserver options (eg; options edns0 rotate)
- adds support for defined tzdata in new jails (eg; America/Denver, etc/UTC)
- adds support for dynamic hw.machine/hw.machine_arch downloads
- new jails now output default rc.conf settings (sysrc) at creation
- no longer use freebsd_dist_fetch.sh; replaced with simpler fetch
---
 usr/local/bin/bastille | 10 ++---
 usr/local/etc/bastille/bastille.conf | 7 ++-
 usr/local/share/bastille/bootstrap.sh | 44 +++++++++++++-----
 usr/local/share/bastille/create.sh | 65 +++++++++------------------
 usr/local/share/bastille/update.sh | 5 +++
 usr/local/share/bastille/upgrade.sh | 6 +++
 usr/local/share/bastille/verify.sh | 5 +++
 7 files changed, 80 insertions(+), 62 deletions(-)
diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille
index d73f4c6a..da945e6b 100755
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -88,16 +88,16 @@ esac
 # Filter out all non-commands
 case "${CMD}" in
 cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
- ;;
+ ;;
 update|upgrade)
- ;;
+ ;;
 console|bootstrap|htop|top)
 ;;
 bootstrap|update|upgrade)
- ;;
+ ;;
 *)
- usage
- ;;
+usage
+ ;;
 esac
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
diff --git a/usr/local/etc/bastille/bastille.conf b/usr/local/etc/bastille/bastille.conf
index d5981a62..d512f00c 100644
--- a/usr/local/etc/bastille/bastille.conf
+++ b/usr/local/etc/bastille/bastille.conf
@@ -9,4 +9,9 @@ bastille_logsdir=${bastille_prefix}/logs
 bastille_releasesdir=${bastille_prefix}/releases
 bastille_templatesdir=${bastille_prefix}/templates
 bastille_sharedir=/usr/local/share/bastille
-bastille_bootstrap_archives=base
+bastille_bootstrap_archives="base"
+bastille_tzdata="America/Denver"
+bastille_nameserver1="1.1.1.1"
+bastille_nameserver2="1.0.0.1"
+bastille_nameserver3=""
+bastille_nameserver_options="options edns0 rotate"
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh
index 58fcf813..e4fb7a44 100644
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
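Review bot: The shipped default `bastille_tzdata="America/Denver"` contradicts the `## TZ: configurable (default: etc/UTC)` comment that the create.sh hunk of this same commit adds, and neither spelling matches the zoneinfo path the old code linked (`/usr/share/zoneinfo/Etc/UTC`, capital E, which matters on a case-sensitive filesystem); pick one default and spell it `Etc/UTC`. None of the new keys is described, and since this file is sourced by the shell (the `${bastille_prefix}` expansions above show that) a comment per key is the natural place: `## tzdata: path under /usr/share/zoneinfo linked as /etc/localtime in new jails`, `## nameserver1 is required; nameserver2/3 are written only when non-empty`, `## nameserver_options: emitted verbatim as one resolv.conf line`. Documenting that nameserver_options is copied verbatim also tells operators that anything they put there lands unescaped in every new jail's resolv.conf.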
@@ -58,9 +58,29 @@ bootstrap_release() {
 mkdir -p "${bastille_cachedir}/${RELEASE}"
 fi
- if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+ ## if release exists, quit
+ if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+ echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
+ exit 1
+ fi
+
+ ## if existing ${CACHEDIR}/${RELEASE}/base.txz; extract
+ if [ -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+ mkdir -p "${bastille_releasesdir}/${RELEASE}"
+ for _archive in ${bastille_bootstrap_archives}; do
+ echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+ /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
+ done
+
+ echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+ echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+ echo
+ fi
+
+ ## if no existing ${CACHEDIR}/${RELEASE} download and extract
+ if [ ! -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
 mkdir -p "${bastille_releasesdir}/${RELEASE}"
- sh ${bastille_sharedir}/freebsd_dist_fetch.sh -r ${RELEASE} ${bastille_bootstrap_archives}
+ fetch ${UPSTREAM_URL}/base.txz -o ${bastille_cachedir}/${RELEASE}/base.txz
 echo
 for _archive in ${bastille_bootstrap_archives}; do
@@ -71,9 +91,6 @@ bootstrap_release() {
 echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
 echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
 echo
- else
- echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
- exit 1
 fi
 }
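Review bot: A failed or interrupted `fetch` leaves the bootstrap unrecoverable: `mkdir -p "${bastille_releasesdir}/${RELEASE}"` runs before the download in the last branch, so on the next run the new `-d` check at the top of the hunk prints "Bootstrap appears complete" and exits, and a truncated base.txz left in the cache would otherwise be handed to tar by the middle branch. Check fetch's exit status and remove both artifacts on failure, as below. The replacement also drops whatever verification freebsd_dist_fetch.sh performed: base.txz is now extracted with no checksum or signature check, over the plain-http FreeBSD URLs set in the case block further down, so the transport is the only thing standing between a tampered mirror response and the jail's base system; comparing the archive against the MANIFEST published alongside it before extraction would close that gap. bootstrap_release starts before this hunk and continues past it; the second hunk of this file is the matching removal of the old else branch.
```sh
 mkdir -p "${bastille_releasesdir}/${RELEASE}"
 if ! fetch "${UPSTREAM_URL}/base.txz" -o "${bastille_cachedir}/${RELEASE}/base.txz"; then
     echo -e "${COLOR_RED}Failed to fetch ${UPSTREAM_URL}/base.txz.${COLOR_RESET}"
     ## leave no partial archive or empty release dir behind, so a re-run can retry
     rm -f "${bastille_cachedir}/${RELEASE}/base.txz"
     rmdir "${bastille_releasesdir}/${RELEASE}"
     exit 1
 fi
 echo
 # … unchanged: extract loop over ${bastille_bootstrap_archives} …
```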
@@ -156,24 +173,29 @@ bootstrap_template() {
 #Usage: bastille bootstrap [release|template].${COLOR_RESET}"
+HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
+HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
+
 # Filter sane release names
 case "${1}" in
-10.1-RELEASE|10.2-RELEASE|10.3-RELEASE|10.4-RELEASE)
+11.2-RELEASE)
 RELEASE="${1}"
+ UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"
 bootstrap_release
- echo -e "${COLOR_RED}WARNING: FreeBSD 10.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 ;;
-11.0-RELEASE|11.1-RELEASE)
+12.0-RELEASE)
 RELEASE="${1}"
+ UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/"
 bootstrap_release
- echo -e "${COLOR_RED}WARNING: FreeBSD 11.0-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 ;;
-11.2-RELEASE)
+11-stable-LAST)
 RELEASE="${1}"
+ UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
 bootstrap_release
 ;;
-12.0-RELEASE)
+12-stable-LAST)
 RELEASE="${1}"
+ UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
 bootstrap_release
 ;;
 http?://github.com/*/*)
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index fc6f371a..30387551 100644
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
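Review bot: The two FreeBSD `UPSTREAM_URL` values use plain `http://` while the HardenedBSD ones use `https://`; since nothing downstream verifies base.txz, the transport is the only integrity guarantee the download has, so the ftp.freebsd.org URLs should be https too where the mirror offers it. The `sysctl | awk` pipelines can be `HW_MACHINE=$(sysctl -n hw.machine)` and `HW_MACHINE_ARCH=$(sysctl -n hw.machine_arch)`, since `-n` prints the bare value. Style: the four URLs differ only in the release directory, so building `UPSTREAM_URL` from a per-vendor base plus `${RELEASE}` (with the `hardenedbsd-` prefix for the two stable-LAST arms) would leave one URL per vendor instead of four copies to keep in sync. The case statement continues outside the hunk.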
@@ -65,7 +65,7 @@ create_jail() {
 bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab" ## file
 bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf" ## file
 bastille_jail_log="${bastille_logsdir}/${NAME}_console.log" ## file
- bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf.local" ## file
+ bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
 bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
 if [ ! -d "${bastille_jail_base}" ]; then
@@ -124,22 +124,30 @@ create_jail() {
 cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
 if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi
- ## rc.conf.local
+ ## rc.conf
 ## + syslogd_flags="-ss"
 ## + sendmail_none="NONE"
 ## + cron_flags="-J 60" ## cedwards 20181118
- ## resolv.conf
 if [ ! -f "${bastille_jail_rc_conf}" ]; then
- echo -e "syslogd_flags=\"-ss\"\nsendmail_enable=\"NONE\"" > ${bastille_jail_rc_conf}
- echo -e "cron_flags=\"-J 60\"" >> ${bastille_jail_rc_conf}
+ touch "${bastille_jail_rc_conf}"
+ /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss
+ /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE
+ /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60'
+ echo
 fi
+ ## resolv.conf
+ ## + default nameservers configurable; 1 required, 3 optional ## cedwards 20190522
+ ## + nameserver options supported
 if [ ! -f "${bastille_jail_resolv_conf}" ]; then
- echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1\noptions edns0 rotate" > ${bastille_jail_resolv_conf}
+ [ ! -z "${bastille_nameserver1}" ] && echo -e "nameserver ${bastille_nameserver1}" >> ${bastille_jail_resolv_conf}
+ [ ! -z "${bastille_nameserver2}" ] && echo -e "nameserver ${bastille_nameserver2}" >> ${bastille_jail_resolv_conf}
+ [ ! -z "${bastille_nameserver3}" ] && echo -e "nameserver ${bastille_nameserver3}" >> ${bastille_jail_resolv_conf}
+ [ ! -z "${bastille_nameserver_options}" ] && echo -e "${bastille_nameserver_options}" >> ${bastille_jail_resolv_conf}
 fi
- ## TZ: UTC
- ln -s /usr/share/zoneinfo/Etc/UTC etc/localtime
+ ## TZ: configurable (default: etc/UTC)
+ ln -s /usr/share/zoneinfo/${bastille_tzdata} etc/localtime
 }
 # Handle special-case commands first.
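Review bot: `ln -s /usr/share/zoneinfo/${bastille_tzdata} etc/localtime` links whatever the config contains without checking it: an empty `bastille_tzdata` points /etc/localtime at the zoneinfo directory itself and a typo yields a dangling link, and neither is reported at jail creation. Check that the zone file exists before linking (ideally before the copy steps earlier in create_jail, so a bad value does not leave a half-built jail); the link is resolved against the jail's own zoneinfo tree at runtime, which is presumably the copy under `${bastille_jail_path}` — confirm. The resolv.conf writes use `echo -e` on config values, which interprets backslash sequences, and an unquoted redirect target; `printf 'nameserver %s\n' "${bastille_nameserver1}" >> "${bastille_jail_resolv_conf}"` (and likewise for the other three) avoids both. create_jail starts before this hunk.
```sh
 ## TZ: configurable via bastille_tzdata (a path under /usr/share/zoneinfo)
 if [ -z "${bastille_tzdata}" ] || [ ! -f "/usr/share/zoneinfo/${bastille_tzdata}" ]; then
     echo -e "${COLOR_RED}Unknown tzdata: '${bastille_tzdata}'.${COLOR_RESET}"
     exit 1
 fi
 ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
```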
@@ -159,50 +167,17 @@ IP="$3"
 ## verify release
 case "${RELEASE}" in
-10.1-RELEASE)
- RELEASE="10.1-RELEASE"
- ;;
-10.2-RELEASE)
- RELEASE="10.2-RELEASE"
- ;;
-10.3-RELEASE)
- RELEASE="10.3-RELEASE"
- ;;
-10.4-RELEASE)
- RELEASE="10.4-RELEASE"
- ;;
-11.0-RELEASE)
- RELEASE="11.0-RELEASE"
- ;;
-11.1-RELEASE)
- RELEASE="11.1-RELEASE"
- ;;
 11.2-RELEASE)
 RELEASE="11.2-RELEASE"
 ;;
 12.0-RELEASE)
 RELEASE="12.0-RELEASE"
 ;;
-12.0-BETA1)
- RELEASE="12.0-BETA1"
- ;;
-12.0-BETA2)
- RELEASE="12.0-BETA2"
- ;;
-12.0-BETA3)
- RELEASE="12.0-BETA3"
- ;;
-12.0-BETA4)
- RELEASE="12.0-BETA4"
- ;;
-12.0-RC1)
- RELEASE="12.0-RC1"
- ;;
-12.0-RC2)
- RELEASE="12.0-RC2"
+11-stable-LAST)
+ RELEASE="11-stable-LAST"
 ;;
-12.0-RC3)
- RELEASE="12.0-RC3"
+12-stable-LAST)
+ RELEASE="12-stable-LAST"
 ;;
 *)
 echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh
index 2f9bef5b..d15e7689 100644
--- a/usr/local/share/bastille/update.sh
+++ b/usr/local/share/bastille/update.sh
@@ -49,6 +49,11 @@ fi
 RELEASE=$1
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+ echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+ exit 1
+fi
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
 freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE}
 else
diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh
index 39e125e7..4833261e 100644
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -50,6 +50,12 @@ fi
 RELEASE=$1
 NEWRELEASE=$2
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+ echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+ exit 1
+fi
+
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
 freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade
 else
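Review bot: The HardenedBSD guard `if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then` is pasted identically into update.sh and upgrade.sh here and into verify.sh in the next hunk; a single helper sourced by all three would keep the detection in one place when HardenedBSD support lands. The test itself can be `if freebsd-version | grep -qi HBSD; then`, which drops the subshell and the `! -z` double negative. It also only looks at the host's userland string, not at the target in `${bastille_releasesdir}/${RELEASE}`: a FreeBSD host holding an `11-stable-LAST` release (now accepted by create.sh) would still run freebsd-update against that HardenedBSD tree, which is presumably not intended, so the check should consider `${RELEASE}` as well. The create.sh hunk at the top of this line is the matching release-list change and needs nothing further.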
diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh
index 7abadb80..7a276887 100644
--- a/usr/local/share/bastille/verify.sh
+++ b/usr/local/share/bastille/verify.sh
@@ -49,6 +49,11 @@ fi
 RELEASE=$1
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+ echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+ exit 1
+fi
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
 freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
 else