added Malcolm

2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions


@@ -0,0 +1,37 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
export LC_ALL=C.UTF-8
export LANG=C.UTF-8
curl -o /tmp/firefox.tar.bz2 -L "https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US"
if [ $(file -b --mime-type /tmp/firefox.tar.bz2) = 'application/x-bzip2' ]; then
mkdir -p /opt
rm -rvf /opt/firefox
tar -xvf /tmp/firefox.tar.bz2 -C /opt/
rm -vf /tmp/firefox.tar.bz2
if [[ -f /opt/firefox/firefox ]]; then
rm -vf /usr/local/bin/firefox
ln -vrs /opt/firefox/firefox /usr/local/bin/firefox
dpkg -s firefox-esr >/dev/null 2>&1 && apt-get -y --purge remove firefox-esr || true
cat << 'EOF' > /usr/share/applications/firefox.desktop
[Desktop Entry]
Name=Firefox
Comment=Web Browser
GenericName=Web Browser
X-GNOME-FullName=Firefox Web Browser
Exec=/opt/firefox/firefox %u
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=/opt/firefox/browser/chrome/icons/default/default128.png
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml+xml;application/xml;application/vnd.mozilla.xul+xml;application/rss+xml;application/rdf+xml;image/gif;image/jpeg;image/png;x-scheme-handler/http;x-scheme-handler/https;
StartupWMClass=Firefox
StartupNotify=true
EOF
fi
fi # /tmp/firefox.tar.bz2 check
rm -f /tmp/firefox.tar.bz2
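Review bot: The tarball fetched on L16 is gated only by the MIME check on L17 before being extracted into /opt and linked into /usr/local/bin; curl is run without `-f`, so an HTTP error body is saved and merely fails the type check, and nothing verifies the archive's integrity against a published checksum or signature (the "latest" redirect URL makes that hard, which argues for pinning a version and checking it against that release's SHA256SUMS file). The test on L17 is also unquoted: if `file` prints nothing the expression collapses to `[ = 'application/x-bzip2' ]` and errors out instead of evaluating false. I would write `curl -fsSL -o /tmp/firefox.tar.bz2 "https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US"` and `if [[ "$(file -b --mime-type /tmp/firefox.tar.bz2)" == 'application/x-bzip2' ]]; then`. The docker-compose download on L83 of the beats script has the same missing `-f` and the same absence of any checksum verification, and there the unverified bytes are installed directly as an executable in /usr/local/bin.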


@@ -0,0 +1,8 @@
#!/bin/sh
export LC_ALL=C.UTF-8
export LANG=C.UTF-8
# python 3
pip3 install --no-compile --no-cache-dir --force-reinstall --upgrade \
debinterface==3.4.0
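Review bot: The pin on L54 fixes the version string but not the artifact, so `--force-reinstall --upgrade` installs whatever the index serves for 3.4.0 at build time. For an image build, a requirements file with `debinterface==3.4.0 --hash=sha256:<PLACEHOLDER_SHA256>` installed via `pip3 install --require-hashes -r requirements.txt` makes the dependency reproducible and tamper-evident at no extra cost. If the intent is to stay on a plain command line, a comment naming why the hash is omitted would at least make the trade-off visible.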


@@ -0,0 +1,20 @@
#!/bin/bash
sed -i 's/^exit 0//' /etc/rc.local 2>/dev/null
cat << 'EOF' >> /etc/rc.local
# other agg-specific initialization prior to starting up
/usr/local/bin/agg-init.sh
# hddtemp daemon for querying HDD temperatures
/usr/sbin/hddtemp --daemon --numeric --quiet --unit=C -4 --listen=127.0.0.1 --port=7634 /dev/sd?
systemctl mask ctrl-alt-del.target
exit 0
EOF
sed -i "1i #!/bin/sh" /etc/rc.local
chmod +x /etc/rc.local /usr/local/bin/*.sh /usr/local/bin/configure-*.py
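Review bot: The shebang insertion on L69 is unconditional, so when /etc/rc.local already exists (Debian's traditional file begins with `#!/bin/sh -e`, if I recall correctly) the result has two interpreter lines and the original `-e` becomes a comment, meaning a failing `agg-init.sh` or `hddtemp` on L63/L65 no longer stops the file. Guard it with `grep -q '^#!' /etc/rc.local || sed -i '1i #!/bin/sh' /etc/rc.local`. The `2>/dev/null` on L60 hides a missing-file error that is only recovered because `cat >>` on L61 creates the file; a comment such as `# rc.local may not exist yet; the append below creates it` would make that intentional rather than accidental. The `chmod +x` on L70 also fails outright if either glob matches nothing, which under a stricter build would abort the hook.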


@@ -0,0 +1,54 @@
#!/bin/bash
BEATS_VER="7.10.2"
BEATS_OSS="-oss"
BEATS_DEB_URL_TEMPLATE_REPLACER="XXXXX"
BEATS_DEB_URL_TEMPLATE="https://artifacts.elastic.co/downloads/beats/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEATS_DEB_URL_TEMPLATE_REPLACER$BEATS_OSS-$BEATS_VER-amd64.deb"
DOCKER_COMPOSE_VER="1.29.1"
DOCKER_COMPOSE_URL="https://github.com/docker/compose/releases/download/$DOCKER_COMPOSE_VER/docker-compose-$(uname -s)-$(uname -m)"
# install docker-compose
curl -o /usr/local/bin/docker-compose -sSL "$DOCKER_COMPOSE_URL" && chmod 755 /usr/local/bin/docker-compose
# tweak some dashboards for, then install filebeat/metricbeat/auditbeat/packetbeat
for BEAT in filebeat metricbeat auditbeat packetbeat; do
BEATS_URL="$(echo "$BEATS_DEB_URL_TEMPLATE" | sed "s/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEAT/g")"
BEATS_DEB="$BEAT-$BEATS_VER-amd64.deb"
BEATS_NEW_DEB="$BEAT-dark-$BEATS_VER-amd64.deb"
BEATS_TMP_DIR="$BEAT-deb"
pushd /tmp && \
curl -f -L -o "$BEATS_DEB" "$BEATS_URL" && \
dpkg-deb -x "$BEATS_DEB" "$BEATS_TMP_DIR" && \
dpkg-deb -e "$BEATS_DEB" "$BEATS_TMP_DIR/DEBIAN" && \
sed -i 's@\(\\"darkTheme\\" *: *\)false@\1true@g' "$BEATS_TMP_DIR"/usr/share/$BEAT/kibana/?/dashboard/*.json && \
( [[ "$BEAT" == "metricbeat" ]] && sed -i -e "s@ |\\\\\\\n\[Containers overview\](#/dashboard/CPU-slash-Memory-per-container)@@g" "$BEATS_TMP_DIR"/usr/share/$BEAT/kibana/?/dashboard/* || true ) && \
pushd "$BEATS_TMP_DIR" && ( rm -f DEBIAN/md5sums && find . -type f ! -regex '.*.hg.*' ! -regex '.*?debian-binary.*' ! -regex '.*?DEBIAN.*' -print0 | xargs -l -0 md5sum >> DEBIAN/md5sums ) && popd && \
dpkg-deb -b "$BEATS_TMP_DIR" "$BEATS_NEW_DEB" && \
rm -rf "$BEATS_TMP_DIR" && \
dpkg -i "$BEATS_NEW_DEB" && \
rm -rf "$BEATS_TMP_DIR" "$BEATS_DEB" "$BEATS_NEW_DEB" && \
popd
done
# add symlinks to our custom dashboards
FILES=$(shopt -s nullglob dotglob; echo /usr/share/filebeat/kibana/7/dashboard-custom/*)
if (( ${#FILES} )) ; then
ln -s -r -f /usr/share/filebeat/kibana/7/dashboard-custom/* /usr/share/filebeat/kibana/7/dashboard/
fi
FILES=$(shopt -s nullglob dotglob; echo /usr/share/metricbeat/kibana/7/dashboard-custom/*)
if (( ${#FILES} )) ; then
ln -s -r -f /usr/share/metricbeat/kibana/7/dashboard-custom/* /usr/share/metricbeat/kibana/7/dashboard/
fi
FILES=$(shopt -s nullglob dotglob; echo /usr/share/auditbeat/kibana/7/dashboard-custom/*)
if (( ${#FILES} )) ; then
ln -s -r -f /usr/share/auditbeat/kibana/7/dashboard-custom/* /usr/share/auditbeat/kibana/7/dashboard/
fi
###
# set up capabilities for network-related tools
chown root:netdev /usr/share/auditbeat/bin/auditbeat && \
setcap 'CAP_AUDIT_READ+eip' /usr/share/auditbeat/bin/auditbeat
###
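Review bot: Each BEAT iteration on L90-L101 is one `&&` chain with no failure branch, so a failed download, edit or `dpkg -i` is silently skipped: the loop continues with /tmp still on the directory stack, the symlinks on L104-L115 are created against directories that may not exist, and `chown`/`setcap` on L118-L119 then fail on an absent binary. Append an explicit branch to the chain, `popd || { printf 'failed to build/install %s\n' "$BEAT" >&2; exit 1; }`, or run the hook under `set -e`. The rebuild on L97 replaces Elastic's published package with a locally regenerated one, so the `curl -f` on L91 is the last point at which provenance can be checked; comparing the download against the `.sha512` file Elastic publishes alongside each .deb would be the natural place to do it, and a short comment there explaining why the package is repacked (dark-theme dashboards) would help the next reader.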


@@ -0,0 +1,14 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
# clone STIG-4-Debian, harbian-audit and debian-cis and clean up some stuff we don't need
mkdir -p /opt
git clone --depth 1 --recursive --single-branch https://github.com/hardenedlinux/STIG-4-Debian /opt/STIG-4-Debian
git clone --depth 1 --recursive --single-branch https://github.com/hardenedlinux/harbian-audit /opt/harbian-audit
git clone --depth 1 --recursive --single-branch https://github.com/ovh/debian-cis /opt/debian-cis
sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='/opt/harbian-audit'#" /opt/harbian-audit/debian/default.cfg
sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='/opt/debian-cis'#" /opt/debian-cis/debian/default
# cp /opt/harbian-audit/debian/default.cfg /etc/default/cis-hardening
# cp /opt/debian-cis/debian/default /etc/default/cis-hardening
rm -rf /opt/STIG-4-Debian/.git /opt/harbian-audit/.git /opt/debian-cis/.git
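Review bot: The three clones on L129-L131 take whatever the default branch holds at build time with no tag or commit pinned, and L136 then deletes each .git directory, so the image contains unpinned third-party audit scripts with no record of which revision was baked in. Pin each clone with `--branch <TAG_PLACEHOLDER>` and, before removing .git, record the revision, for example `git -C /opt/debian-cis rev-parse HEAD > /opt/debian-cis/REVISION` (constructed filename). These tools are later run with root privileges, so tying them to a reviewed revision matters more here than for ordinary content.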


@@ -0,0 +1,45 @@
#!/bin/bash
# remove development packages
apt-get -y --purge remove build-essential $(dpkg --get-selections | grep -v deinstall$ | cut -f1 | grep -P -- '-dev(:\w+)?$' | grep -Pv -- '^(dpkg|libgcc)') || true
# remove unwanted packages
apt-get -y --purge remove bluez-firmware \
cracklib-runtime \
deluge \
enchant \
ffmpeg \
gdb \
git \
gnome-accessibility-themes \
gucharmap \
libasound2-plugins \
libcupsfilters1 \
libcupsimage2 \
libx264* \
libx265* \
lxmusic \
mailutils \
mpv \
pavucontrol \
prelink \
pulseaudio \
smplayer \
xdg-user-dirs \
yelp \
youtube-dl || true
apt-get -y autoremove
apt-get clean
# remove any residual configs
dpkg -l | awk '/^rc/ { print $2 }' | xargs -r -l dpkg --purge
# disable automatic/initial running of some services (but don't abort if we fail)
systemctl disable systemd-timesyncd.service || true
systemctl disable ctrl-alt-del.target || true
systemctl disable hddtemp.service || true
systemctl disable apt-daily.service || true
systemctl disable apt-daily.timer || true
systemctl disable apt-daily-upgrade.timer || true
systemctl disable apt-daily-upgrade.service || true
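Review bot: The patterns `libx264*` and `libx265*` on L157-L158 are unquoted, so if the working directory happens to contain a matching file the shell expands the glob before apt-get sees it; quote them as `'libx264*'` and `'libx265*'`. Separately, L177-L180 disable the apt-daily timers and services, which also stops unattended security updates on the resulting system; that may be the intended trade-off for an appliance image, but a one-line comment stating the reason (e.g. `# updates are delivered through image rebuilds, not apt-daily`) would keep a later maintainer from either re-enabling them blindly or assuming patches arrive automatically. The `$(dpkg --get-selections ...)` substitution on L143 is deliberately unquoted for word-splitting and deserves a `# shellcheck disable=SC2046` comment saying so.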


@@ -0,0 +1,173 @@
#!/bin/bash
# configure firewall
sed -i "s/LOGLEVEL=.*/LOGLEVEL=off/" /etc/ufw/ufw.conf
sed -i 's/DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
sed -i "s/#net\/ipv4\/ip_forward=1/net\/ipv4\/ip_forward=1/" /etc/ufw/sysctl.conf
read -r -d '' MASQUERADECFG <<- EOM
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o docker0 -s 172.29.0.0/16 -j MASQUERADE
COMMIT
EOM
awk '1' <(echo "$MASQUERADECFG") /etc/ufw/before.rules > /tmp/before.rules && \
cat /tmp/before.rules > /etc/ufw/before.rules && \
rm -f /tmp/before.rules
/usr/sbin/ufw --force enable
/usr/sbin/ufw default deny incoming
/usr/sbin/ufw default allow outgoing
UFW_ALLOW_RULES=(
https
ntp
ssh
5044
5601/tcp
9200/tcp
)
for i in ${UFW_ALLOW_RULES[@]}; do
ufw allow "$i"
done
# docker (disallow overriding firewall)
mkdir -p /etc/docker/
cat << 'EOF' > /etc/docker/daemon.json
{
"iptables": false,
"default-address-pools":[
{"base":"172.29.0.0/16","size":24}
]
}
EOF
# performance parameters for networking, disk, etc.
cat << 'EOF' >> /etc/sysctl.conf
# don't restrict dmesg to root
kernel.dmesg_restrict=0
# the maximum number of open file handles
fs.file-max=2097152
# increase maximums for inotify watches
fs.inotify.max_user_watches=131072
fs.inotify.max_queued_events=131072
fs.inotify.max_user_instances=512
# the maximum number of memory map areas a process may have
vm.max_map_count=262144
# decrease "swappiness" (swapping out runtime memory vs. dropping pages)
vm.swappiness=1
# the % of system memory fillable with "dirty" pages before flushing
vm.dirty_background_ratio=40
# maximum % of dirty system memory before committing everything
vm.dirty_ratio=80
net.core.netdev_max_backlog=250000
net.core.optmem_max=33554432
net.core.rmem_default=425984
net.core.rmem_max=33554432
net.core.somaxconn=65535
net.core.wmem_default=425984
net.core.wmem_max=33554432
net.ipv4.tcp_rmem=10240 425984 33554432
net.ipv4.tcp_wmem=10240 425984 33554432
net.ipv4.udp_mem=10240 425984 33554432
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.ip_forward=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
EOF
# password requirement hardening
sed -i -e 's/[[:space:]]*nullok[[:alnum:]_]*//g' /etc/pam.d/common-auth
sed -i -r "s/(pam_faildelay.so.*delay)[[:space:]]*=[[:space:]]*[[:digit:]]+/\1=4000000/g" /etc/pam.d/login
sed -i -r "s/([[:space:]]*session[[:space:]]*)[[:alnum:]_]*([[:space:]]*pam_lastlog.so[[:space:]]*)/\1required\2\tshowfailed/g" /etc/pam.d/login
sed -i "s/^[[:space:]]*password[[:space:]]*requisite[[:space:]]*pam_pwquality\.so.*/password requisite pam_pwquality.so retry=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=8 minclass=4 maxrepeat=2 maxclassrepeat=4 minlen=15/g" /etc/pam.d/common-password
# enable cryptsetup support on boot
sed -i "s/#CRYPTSETUP=.*/CRYPTSETUP=y/" /etc/cryptsetup-initramfs/conf-hook
# enable guests to mount vmware/etc. fuse-based mounts with allow_other
sed -i "s/#user_allow_other.*/user_allow_other/" /etc/fuse.conf
# some permissions
find /etc/audit -type d -exec chmod 750 "{}" \;
find /etc/audit -type f -exec chmod 640 "{}" \;
chmod 600 /etc/ssh/sshd_config
# set DIR_MODE to 750 for new users
sed -i "s/^DIR_MODE=.*/DIR_MODE=0750/" /etc/adduser.conf
# new directories default to 750, new files to 640
echo -e "\n\n# new directories default to 700, new files to 600" >> /etc/profile
echo "umask 077" >> /etc/profile
echo "export UMASK=077" >> /etc/profile
# enable cron logging
sed -r -i "s@^#(cron\.\*\s+.*/var/log/cron\.log)@\1@" /etc/rsyslog.conf
# enable rsyslog forwarding to localhost:9514 over UDP (for filebeat syslog input)
echo >> /etc/rsyslog.conf
echo '*.* @127.0.0.1:9514' >> /etc/rsyslog.conf
echo >> /etc/rsyslog.conf
# put sudoers log into its own logfile
awk 'FNR==NR{ if (/^Defaults/) p=NR; next} 1; FNR==p{ print "Defaults\t!syslog\nDefaults\tlogfile=/var/log/sudo.log" }' /etc/sudoers /etc/sudoers > /tmp/newsudoers
mv /tmp/newsudoers /etc/sudoers && chmod 440 /etc/sudoers
cat << 'EOF' > /etc/logrotate.d/sudoers
/var/log/sudo.log
{
weekly
missingok
rotate 4
compress
delaycompress
copytruncate
minsize 100k
}
EOF
# tweak some auditd settings
sed -r -i "s/((disk_full_action|disk_error_action)\s*=\s*).*/\1 SYSLOG/" /etc/audit/auditd.conf
sed -r -i "s/(network_failure_action\s*=\s*).*/\1 syslog/" /etc/audisp/audisp-remote.conf
# disable ntp for now, and disable servers, but it could be turned back on later
systemctl disable ntp || true
sed -i "s/^\(pool \)/# \1/" /etc/ntp.conf
sed -i "s/^\(restrict -6\)/# \1/" /etc/ntp.conf
sed -i "s/^\(restrict ::1\)/# \1/" /etc/ntp.conf
sed -r -i "s/^(NTPD_OPTS=).*/\1'-4 -g'/" /etc/default/ntp
usermod -d /var/lib/ntp ntp
# disable htpdate service, we're going to use cron instead
systemctl disable htpdate || true
sed -i "s/#[[:space:]]*HTP_IFUP=.*/HTP_IFUP=no/" /etc/default/htpdate
sed -i "s/#[[:space:]]*HTP_DAEMON=.*/HTP_DAEMON=no/" /etc/default/htpdate
# remove identifying operating system information from /etc/issue
truncate -s 0 /etc/motd
sed -i "s/Debian/Hedgehog/g" /etc/issue
sed -i "s/Debian/Hedgehog/g" /etc/issue.net
# set up /etc/os-release information (override values in /etc/os-release with custom values)
if [[ -f /etc/skel/Malcolm/.os-info ]]; then
awk '
BEGIN {FS = OFS = "="}
{v1[$1] = $2}
END {for (key in v1) {print key, v1[key]}}
' /etc/os-release /etc/skel/Malcolm/.os-info | sort | sponge /etc/os-release
fi