#!/bin/bash
#
# Initial script for the Live operating system ("56-security").
# It is run by the linux-live script before init is started.
# The current directory must always be the root (/) of the tree being
# configured; every system path below is relative to it, except the
# initrd directories.
#
# Each hardening step is an exec_* function driven by variables that come
# from the sourced ${SYSCONF}/security file (OPENSSL_GOST,
# ACCESS_DENIED_VTX11, ACCESS_ALLOWED_LOGIN, ACCESS_DENIED_LOGIN,
# ACCESS_ALLOWED_SUID, ACCESS_ALLOWED_SGID, POLKIT). Those files are
# *sourced*, i.e. executed as shell by this script, so their ownership and
# permissions are part of the trust boundary: whoever can write them
# controls the boot-time hardening.
#
# NOTE(review): the text of this file was flattened when the page was
# extracted; line breaks have been restored where the syntax makes them
# certain. The tail of exec_polkit (its here-document) and what appears to
# be the dispatcher loop after it (`... && ${FUNCTION} done else true fi`)
# did not survive and are kept verbatim — see the note in exec_polkit.

# Master switch; nothing below runs unless it is exactly "yes".
ENABLED=yes
[ "$ENABLED" != "yes" ] && exit 0

# Presumably consumed by debug_mode from the shared helpers.
DEBUGMODE=no
SELF_NAME="56-security"
# PATH deliberately starts with "." and "/" because, per the header, this
# runs with cwd = the target root and uses relative paths.
# NOTE(review): a "." entry is only safe while cwd is that root-owned tree;
# running this from a user-writable directory would turn every relative
# lookup into a binary-planting vector.
PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin

# ROOTFS stays unset when /usr/lib/ublinux exists on the host, and becomes
# "." otherwise (all paths then resolve relative to cwd).
unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
# Shared helpers and OS configuration (debug_mode and, presumably, SYSCONF
# come from them).
# NOTE(review): a missing *or broken* helper file (errors are hidden by
# 2>/dev/null) makes the script exit 0 silently, i.e. no hardening is
# applied and nothing reports it.
SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
debug_mode "$0" "$@"
# Re-root the configuration directory under ROOTFS.
SYSCONF="${ROOTFS}/${SYSCONF}"
# Site configuration; the "security" file supplies the knobs used below.
SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null

exec_openssl_gost(){
    ## OpenSSL GOST engine setup.
    ## OPENSSL_GOST=y|yes|enable  -> make openssl.cnf load the GOST config by
    ##   inserting "openssl_conf = openssl_gost" before the first real
    ##   directive/section and appending gost.cnf (blank lines dropped), once.
    ## OPENSSL_GOST=n|no|disable  -> remove both again.
    ## Any other value leaves openssl.cnf untouched.
    ## NOTE(review): both paths expand to <root>/etc//etc/ssl/..., i.e. a
    ## doubled "/etc" prefix. Unless the live tree really has /etc/etc/ssl,
    ## this is a typo for "${ROOTFS}/etc/ssl/openssl.cnf" and the function
    ## never touches the real config — confirm against the target tree.
    FILE_OPENSSL_CONF="${ROOTFS}/etc//etc/ssl/openssl.cnf"
    FILE_OPENSSL_GOST_CONF="${ROOTFS}/etc//etc/ssl/gost.cnf"
    # gost.cnf without blank lines; its first/last lines serve as markers
    # for "already appended" and for the deletion range in the disable branch.
    # NOTE(review): if gost.cnf is missing, sed fails and this is empty, so
    # the grep below matches every line and the disable branch runs sed with
    # an empty address; guard with `[[ -f ${FILE_OPENSSL_GOST_CONF} ]] || return 0`.
    TXT_OPENSSL_GOST_CONF="$(sed -r '/^\s*$/d' "${FILE_OPENSSL_GOST_CONF}")"
    TXT_ENABLE_GOST_CONF="openssl_conf = openssl_gost"
    if [[ ${OPENSSL_GOST,,} == @(y|yes|enable) ]]; then
        # Enable GOST
        # GNU sed: "0,/re/" addresses only the first line starting with a
        # letter, digit or "[" and prepends the openssl_conf line to it.
        grep -q "${TXT_ENABLE_GOST_CONF}" "${FILE_OPENSSL_CONF}" || sed "0,/^[a-zA-Z0-9\[]/s//${TXT_ENABLE_GOST_CONF}\n&/" -i "${FILE_OPENSSL_CONF}"
        # NOTE(review): the first line of gost.cnf is used as a grep *regex*.
        # If it is a section header such as "[openssl_gost]" it is a bracket
        # expression that matches almost any line, so the append is skipped
        # and GOST is silently not enabled. Match it as a fixed string:
        #   grep -qF -- "${TXT_OPENSSL_GOST_CONF%%$'\n'*}" "${FILE_OPENSSL_CONF}"
        grep -q "${TXT_OPENSSL_GOST_CONF%%$'\n'*}" "${FILE_OPENSSL_CONF}" || cat ${FILE_OPENSSL_GOST_CONF} >> "${FILE_OPENSSL_CONF}"
    elif [[ ${OPENSSL_GOST,,} == @(n|no|disable) ]]; then
        ## Disable GOST
        sed "/${TXT_ENABLE_GOST_CONF}/d" -i "${FILE_OPENSSL_CONF}"
        # NOTE(review): the first and last gost.cnf lines are interpolated
        # unescaped as sed range addresses, so any regex metacharacter in
        # them ("[", "]", ".", "*", "/") changes what gets deleted — possibly
        # the rest of openssl.cnf. Escape them first, e.g.
        #   FIRST=$(printf '%s' "${TXT_OPENSSL_GOST_CONF%%$'\n'*}" | sed 's/[][\.*^$/]/\\&/g')
        # (same for the last line) and use the escaped values in the address.
        sed "/${TXT_OPENSSL_GOST_CONF%%$'\n'*}/,/${TXT_OPENSSL_GOST_CONF##*$'\n'}/d" -i "${FILE_OPENSSL_CONF}"
    fi
}

exec_access_denied_vtx11(){
    ## Deny access to the text virtual terminals while X11 is in use.
    ## ACCESS_DENIED_VTX11=y|yes|enable -> write drop-in configs that
    ##   - tell Xorg not to allow VT switching (DontVTSwitch),
    ##   - on systemd trees stop logind from spawning or reserving VTs
    ##     (NAutoVTs=0, ReserveVT=0),
    ##   - if LightDM is installed, make it require a graphical logind session.
    ## ACCESS_DENIED_VTX11=n|no|disable -> remove those drop-ins again.
    ## NOTE(review): this only closes the Ctrl+Alt+Fn / getty path; other
    ## console paths (e.g. serial consoles, kernel SysRq) are not covered.
    FILE_XORGDONTVTSWITCH_CONF="${ROOTFS}/etc/X11/xorg.conf.d/ublinux-disable-vt.conf"
    FILE_SYSTEMDLOGIND_CONF="${ROOTFS}/etc/systemd/logind.conf.d/ublinux-disable-vt.conf"
    FILE_LIGHTDM_CONF="${ROOTFS}/etc/lightdm/lightdm.conf.d/ublinux-disable-vt.conf"
    if [[ ${ACCESS_DENIED_VTX11,,} == @(y|yes|enable) ]]; then
        mkdir -p ${FILE_XORGDONTVTSWITCH_CONF%/*}
        # The sed strips any here-document indentation before writing.
        cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_XORGDONTVTSWITCH_CONF}"
Section "ServerFlags"
Option "DontVTSwitch" "true"
EndSection
EOF
        # The logind drop-in is written only when init resolves to systemd.
        # NOTE(review): with ROOTFS="." an absolute symlink target is resolved
        # against the host, not the tree being configured.
        if readlink -fq ${ROOTFS}/usr/bin/init | grep -q "lib/systemd/systemd$"; then
            mkdir -p ${FILE_SYSTEMDLOGIND_CONF%/*}
            cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_SYSTEMDLOGIND_CONF}"
[Login]
NAutoVTs=0
ReserveVT=0
EOF
        fi
        if [[ -d ${ROOTFS}/etc/lightdm ]]; then
            mkdir -p ${FILE_LIGHTDM_CONF%/*}
            cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_LIGHTDM_CONF}"
[LightDM]
logind-check-graphical=true
EOF
        fi
    elif [[ ${ACCESS_DENIED_VTX11,,} == @(n|no|disable) ]]; then
        rm -f "${FILE_SYSTEMDLOGIND_CONF}" "${FILE_XORGDONTVTSWITCH_CONF}" "${FILE_LIGHTDM_CONF}"
    fi
}

exec_access_allowed_login(){
    ## Login access control: pam_access "permit" rules.
    ## ACCESS_ALLOWED_LOGIN is a comma-separated list; each item becomes one
    ## "+:<item>" line, so an item must carry the rest of a pam_access rule,
    ## i.e. "users_or_groups:origins" (e.g. "root:LOCAL").
    ## The file is always removed first, so an empty variable clears the rules.
    ## NOTE(review): pam_access stops at the first matching rule and permits
    ## when nothing matches, so an allow list on its own restricts nobody —
    ## it only has effect together with a catch-all deny such as
    ## ACCESS_DENIED_LOGIN="ALL:ALL" (written to 02-*, which sorts after this
    ## file). It also assumes pam_access.so is in the PAM stack of the login
    ## services and reads /etc/security/access.d/*.conf — confirm for the target.
    FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/01-ublinux-allowed.conf"
    rm -f "${FILE_ACCESS_CONF}"
    if [[ -n ${ACCESS_ALLOWED_LOGIN} ]]; then
        [[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
        # NOTE(review): `read` without -r mangles backslashes, and an empty
        # item ("a,,b" or a trailing comma) produces a bare "+:" line that
        # pam_access rejects (it requires three fields); prefer
        #   while IFS= read -r RULE; do [[ -n ${RULE} ]] || continue; ...
        tr , $'\n' <<< ${ACCESS_ALLOWED_LOGIN} | while read RULE; do
            echo "+:${RULE}" >> "${FILE_ACCESS_CONF}"
        done
    fi
}

exec_access_denied_login(){
    ## Login access control: pam_access "deny" rules.
    ## Same format as exec_access_allowed_login, but each item becomes a
    ## "-:<item>" line in 02-ublinux-denied.conf; "ALL:ALL" here turns the
    ## 01-* allow list into a real whitelist.
    ## NOTE(review): a deny rule here cannot override something the 01-*
    ## file already permitted, because pam_access takes the first match.
    FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/02-ublinux-denied.conf"
    rm -f "${FILE_ACCESS_CONF}"
    if [[ -n ${ACCESS_DENIED_LOGIN} ]]; then
        [[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
        # NOTE(review): same `read -r` / empty-item caveats as the allow list.
        tr , $'\n' <<< ${ACCESS_DENIED_LOGIN} | while read RULE; do
            echo "-:${RULE}" >> "${FILE_ACCESS_CONF}"
        done
    fi
}

exec_access_allowed_suid(){
    ## Strip the SUID bit from every regular file under each key of the
    ## ACCESS_ALLOWED_SUID associative array (key = directory to scan,
    ## value = comma-separated file names to keep), e.g.
    ##   ACCESS_ALLOWED_SUID[/usr/bin]=sudo,passwd
    ## so the SUID bit no longer grants privileges to anything not listed.
    ## NOTE(review): -name matches the basename anywhere below the path, so a
    ## SUID binary called "sudo" in any subdirectory is kept too. Items are
    ## expanded unquoted (a "*" in them is globbed by the shell), and an empty
    ## value — when the -n check still passes because another key is set —
    ## yields "! -name" without an argument, which makes find fail and leaves
    ## every SUID bit in that tree in place. For per-file precision use
    ## "! -path <full path>" and quote the items.
    if [[ -n ${ACCESS_ALLOWED_SUID[@]} ]]; then
        for PATH_WORK_SUID in "${!ACCESS_ALLOWED_SUID[@]}"; do
            # One allowed name per line.
            EXCLUDE_SUID=$(tr , $'\n' <<< ${ACCESS_ALLOWED_SUID[${PATH_WORK_SUID}]})
            # -perm /u=s selects setuid files; each exclusion becomes
            # "! -name <item>"; chmod is batched with -exec ... +.
            find ${PATH_WORK_SUID} -type f -perm /u=s $(printf "! -name %s " ${EXCLUDE_SUID}) -exec chmod u-s {} +
        done
    fi
}

exec_access_allowed_sgid(){
    ## SGID counterpart of exec_access_allowed_suid: strip the SGID bit from
    ## every regular file under each key of ACCESS_ALLOWED_SGID except the
    ## basenames listed in its value.
    ## NOTE(review): same basename-only matching, unquoted-glob and
    ## empty-value caveats as exec_access_allowed_suid.
    if [[ -n ${ACCESS_ALLOWED_SGID[@]} ]]; then
        for PATH_WORK_SGID in "${!ACCESS_ALLOWED_SGID[@]}"; do
            EXCLUDE_SGID=$(tr , $'\n' <<< ${ACCESS_ALLOWED_SGID[${PATH_WORK_SGID}]})
            # -perm /g=s selects setgid files.
            find ${PATH_WORK_SGID} -type f -perm /g=s $(printf "! -name %s " ${EXCLUDE_SGID}) -exec chmod g-s {} +
        done
    fi
}

exec_access_allowed_interpreter(){
    ## Restrict running programming-language interpreters interactively.
    ## Not implemented yet: placeholder that always succeeds.
    true
}

exec_mount_attr(){
    ## Original note (translated): "disable user nosuid nodev noexec on
    ## mounted targets". Not implemented yet: placeholder that always succeeds.
    true
}

exec_mount_quota(){
    ## Use disk quotas on file systems.
    ## Not implemented yet: placeholder that always succeeds.
    true
}

exec_cgroup_quota(){
    ## Resource quotas via cgroup2, either through systemd or cgroup directly.
    ## Not implemented yet: placeholder that always succeeds.
    true
}

exec_polkit(){
    ## polkit rule setup.
    ## POLKIT is an associative array keyed by action id; the value is
    ## "<result>[:<group>[,<group>...]]", e.g.
    ##   POLKIT[org.freedesktop.login1.reboot]=YES:wheel,admin
    ## Every previous ublinux-*.rules file is removed first, then one rules
    ## file per action-id prefix is (re)generated by appending to it.
    ## NOTE(review): the here-document that actually writes the rule was lost
    ## when this page was extracted; what survived is the fragment at the end
    ## of this function. Restore the body from the upstream file before
    ## relying on this script.
    rm -f "${ROOTFS}"/etc/polkit-1/rules.d/ublinux-*
    if [[ -n ${POLKIT[@]} ]]; then
        for RULES in "${!POLKIT[@]}"; do
            RULES_GROUP=
            # File name: the first three dot-separated labels of the action id
            # when it has at least four (org.freedesktop.login1.reboot ->
            # ublinux-org.freedesktop.login1.rules); shorter ids are used as-is.
            # NOTE(review): "[A-z]" is not "[A-Za-z]" — it also matches
            # [ \ ] ^ _ ` — and the unescaped "." matches any character; use
            # "[A-Za-z0-9]*\.[A-Za-z0-9]*\.[A-Za-z0-9]*" if that is the intent.
            RULES_FILE="${ROOTFS}/etc/polkit-1/rules.d/ublinux-$(sed 's/\([A-z0-9]*.[A-z0-9]*.[A-z0-9]*\)\..*/\1/' <<< ${RULES}).rules"
            # Part before the first ":" — presumably the polkit.Result to return.
            RULES_RESULT=$(cut -d: -f1 <<< ${POLKIT[${RULES}]})
            # Optional groups after the ":" become a chain of
            # "&& subject.isInGroup(...)": the subject must be in ALL of them.
            # NOTE(review): group names (and RULES_RESULT) are pasted into
            # JavaScript without escaping; a stray quote in the security config
            # would corrupt the rules file.
            for GROUP in $(grep ":" <<< ${POLKIT[${RULES}]} | cut -d: -f2 | tr ',' '\n'); do
                RULES_GROUP+="&& subject.isInGroup(\"${GROUP}\") "
            done
            # NOTE(review): extraction artifact kept verbatim — presumably the
            # original was `cat >> ${RULES_FILE} <<EOF ... EOF`, the closing
            # done/fi/}, and the loop that runs each exec_* function. Do not
            # execute this line as-is.
            cat >> ${RULES_FILE} </dev/null && ${FUNCTION} done else true fi