You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
171 lines
6.6 KiB
171 lines
6.6 KiB
#!/bin/bash
|
|
#
|
|
# Initial script for Live operating system
|
|
# This script are launching before starting init from linux-live script.
|
|
# Current dir allways must be set to root (/)
|
|
# All system path must be relative, except initrd dirs
|
|
|
|
ENABLED=yes
|
|
[ "$ENABLED" != "yes" ] && exit 0
|
|
DEBUGMODE=no
|
|
|
|
SELF_NAME="56-security"
|
|
PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
|
|
|
|
unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
|
|
SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
|
|
SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
|
|
debug_mode "$0" "$@"
|
|
|
|
SYSCONF="${ROOTFS}/${SYSCONF}"
|
|
SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
|
|
SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
|
|
|
|
exec_openssl_gost(){
|
|
## Настройка OpenSSL ГОСТ
|
|
FILE_OPENSSL_CONF="${ROOTFS}/etc//etc/ssl/openssl.cnf"
|
|
FILE_OPENSSL_GOST_CONF="${ROOTFS}/etc//etc/ssl/gost.cnf"
|
|
TXT_OPENSSL_GOST_CONF="$(sed -r '/^\s*$/d' "${FILE_OPENSSL_GOST_CONF}")"
|
|
TXT_ENABLE_GOST_CONF="openssl_conf = openssl_gost"
|
|
|
|
if [[ ${OPENSSL_GOST,,} == @(y|yes|enable) ]]; then
|
|
# Enable GOST
|
|
grep -q "${TXT_ENABLE_GOST_CONF}" "${FILE_OPENSSL_CONF}" || sed "0,/^[a-zA-Z0-9\[]/s//${TXT_ENABLE_GOST_CONF}\n&/" -i "${FILE_OPENSSL_CONF}"
|
|
grep -q "${TXT_OPENSSL_GOST_CONF%%$'\n'*}" "${FILE_OPENSSL_CONF}" || cat ${FILE_OPENSSL_GOST_CONF} >> "${FILE_OPENSSL_CONF}"
|
|
elif [[ ${OPENSSL_GOST,,} == @(n|no|disable) ]]; then
|
|
## Disable GOST
|
|
sed "/${TXT_ENABLE_GOST_CONF}/d" -i "${FILE_OPENSSL_CONF}"
|
|
sed "/${TXT_OPENSSL_GOST_CONF%%$'\n'*}/,/${TXT_OPENSSL_GOST_CONF##*$'\n'}/d" -i "${FILE_OPENSSL_CONF}"
|
|
fi
|
|
}
|
|
exec_access_denied_vtx11(){
|
|
FILE_XORGDONTVTSWITCH_CONF="${ROOTFS}/etc/X11/xorg.conf.d/ublinux-disable-vt.conf"
|
|
FILE_SYSTEMDLOGIND_CONF="${ROOTFS}/etc/systemd/logind.conf.d/ublinux-disable-vt.conf"
|
|
FILE_LIGHTDM_CONF="${ROOTFS}/etc/lightdm/lightdm.conf.d/ublinux-disable-vt.conf"
|
|
if [[ ${ACCESS_DENIED_VTX11,,} == @(y|yes|enable) ]]; then
|
|
mkdir -p ${FILE_XORGDONTVTSWITCH_CONF%/*}
|
|
cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_XORGDONTVTSWITCH_CONF}"
|
|
Section "ServerFlags"
|
|
Option "DontVTSwitch" "true"
|
|
EndSection
|
|
EOF
|
|
if readlink -fq ${ROOTFS}/usr/bin/init | grep -q "lib/systemd/systemd$"; then
|
|
mkdir -p ${FILE_SYSTEMDLOGIND_CONF%/*}
|
|
cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_SYSTEMDLOGIND_CONF}"
|
|
[Login]
|
|
NAutoVTs=0
|
|
ReserveVT=0
|
|
EOF
|
|
fi
|
|
if [[ -d ${ROOTFS}/etc/lightdm ]]; then
|
|
mkdir -p ${FILE_LIGHTDM_CONF%/*}
|
|
cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_LIGHTDM_CONF}"
|
|
[LightDM]
|
|
logind-check-graphical=true
|
|
EOF
|
|
fi
|
|
elif [[ ${ACCESS_DENIED_VTX11,,} == @(n|no|disable) ]]; then
|
|
rm -f "${FILE_SYSTEMDLOGIND_CONF}" "${FILE_XORGDONTVTSWITCH_CONF}" "${FILE_LIGHTDM_CONF}"
|
|
fi
|
|
}
|
|
exec_access_allowed_login(){
|
|
## Управление доступом в систему, правила разрешения
|
|
FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/01-ublinux-allowed.conf"
|
|
rm -f "${FILE_ACCESS_CONF}"
|
|
if [[ -n ${ACCESS_ALLOWED_LOGIN} ]]; then
|
|
[[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
|
|
tr , $'\n' <<< ${ACCESS_ALLOWED_LOGIN} | while read RULE; do
|
|
echo "+:${RULE}" >> "${FILE_ACCESS_CONF}"
|
|
done
|
|
fi
|
|
}
|
|
exec_access_denied_login(){
|
|
## Управление доступом в систему, правила блокировки
|
|
FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/02-ublinux-denied.conf"
|
|
rm -f "${FILE_ACCESS_CONF}"
|
|
if [[ -n ${ACCESS_DENIED_LOGIN} ]]; then
|
|
[[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
|
|
tr , $'\n' <<< ${ACCESS_DENIED_LOGIN} | while read RULE; do
|
|
echo "-:${RULE}" >> "${FILE_ACCESS_CONF}"
|
|
done
|
|
fi
|
|
}
|
|
exec_access_allowed_suid(){
|
|
## Отключить влияние SUID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SUID
|
|
if [[ -n ${ACCESS_ALLOWED_SUID[@]} ]]; then
|
|
for PATH_WORK_SUID in "${!ACCESS_ALLOWED_SUID[@]}"; do
|
|
EXCLUDE_SUID=$(tr , $'\n' <<< ${ACCESS_ALLOWED_SUID[${PATH_WORK_SUID}]})
|
|
find ${PATH_WORK_SUID} -type f -perm /u=s $(printf "! -name %s " ${EXCLUDE_SUID}) -exec chmod u-s {} +
|
|
done
|
|
fi
|
|
}
|
|
exec_access_allowed_sgid(){
|
|
## Отключить влияние SGID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SGID
|
|
if [[ -n ${ACCESS_ALLOWED_SGID[@]} ]]; then
|
|
for PATH_WORK_SGID in "${!ACCESS_ALLOWED_SGID[@]}"; do
|
|
EXCLUDE_SGID=$(tr , $'\n' <<< ${ACCESS_ALLOWED_SGID[${PATH_WORK_SGID}]})
|
|
find ${PATH_WORK_SGID} -type f -perm /g=s $(printf "! -name %s " ${EXCLUDE_SGID}) -exec chmod g-s {} +
|
|
done
|
|
fi
|
|
}
|
|
exec_access_allowed_interpreter(){
|
|
## Ограничить запуск интерпретаторов языков программирования в интерактивном режиме
|
|
true
|
|
}
|
|
exec_mount_attr(){
|
|
## Отключить пользовательские nosuid nodev noexec на смонтированные цели
|
|
true
|
|
}
|
|
exec_mount_quota(){
|
|
## Использовать дисковые квоты на файловые системы
|
|
true
|
|
}
|
|
exec_cgroup_quota(){
|
|
## Квоты на ресурсы, через cgroup2. Механизм systemd или напрямую cgroup
|
|
true
|
|
}
|
|
exec_polkit(){
|
|
## Настрока polkit правил
|
|
rm -f "${ROOTFS}"/etc/polkit-1/rules.d/ublinux-*
|
|
if [[ -n ${POLKIT[@]} ]]; then
|
|
for RULES in "${!POLKIT[@]}"; do
|
|
RULES_GROUP=
|
|
RULES_FILE="${ROOTFS}/etc/polkit-1/rules.d/ublinux-$(sed 's/\([A-z0-9]*.[A-z0-9]*.[A-z0-9]*\)\..*/\1/' <<< ${RULES}).rules"
|
|
RULES_RESULT=$(cut -d: -f1 <<< ${POLKIT[${RULES}]})
|
|
for GROUP in $(grep ":" <<< ${POLKIT[${RULES}]} | cut -d: -f2 | tr ',' '\n'); do
|
|
RULES_GROUP+="&& subject.isInGroup(\"${GROUP}\") "
|
|
done
|
|
cat >> ${RULES_FILE} <<EOF
|
|
polkit.addRule(function(action, subject) {
|
|
if (action.id.indexOf("${RULES}") == 0
|
|
&& subject.active == true
|
|
&& subject.local == true
|
|
${RULES_GROUP}
|
|
)
|
|
{
|
|
return polkit.Result.${RULES_RESULT^^};
|
|
}
|
|
});
|
|
|
|
EOF
|
|
done
|
|
#touch ${ROOTFS}/etc/polkit-1/rules.d
|
|
fi
|
|
}
|
|
|
|
################
|
|
##### MAIN #####
|
|
################
|
|
|
|
if [[ ${0##*/} == ${SELF_NAME} && -z $@ ]]; then
|
|
while read -r FUNCTION; do
|
|
$"${FUNCTION##* }"
|
|
done < <(declare -F | grep "declare -f exec_")
|
|
elif [[ ${0##*/} == ${SELF_NAME} ]]; then
|
|
for FUNCTION in $@; do
|
|
declare -f ${FUNCTION} &>/dev/null && ${FUNCTION}
|
|
done
|
|
else
|
|
true
|
|
fi
|