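#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
#
# Host-setup helpers: discover physical network interfaces, pick the capture
# interface, remove unwanted default accounts, seed the ifupdown configuration
# and tighten a few file permissions.  This file only defines functions and
# the IFACES table (no top-level actions), so it is safe to source.

# interface name -> link speed (as reported by sysfs), filled by PopulateInterfaces
declare -A IFACES

#######################################
# Read all non-virtual network interfaces and their speeds into IFACES.
# Globals:   IFACES (written)
# Arguments: none
# Outputs:   nothing
# Returns:   0
#######################################
function PopulateInterfaces() {
  local iface_name iface_link iface_speed
  # find prints "<name> <symlink target>\0" per entry; the target of a virtual
  # device contains "virtual" (e.g. .../devices/virtual/net/lo), which is what
  # the filter below keys on.
  while IFS='' read -r -d ' ' iface_name && IFS='' read -r -d '' iface_link; do
    [[ "$iface_link" == *"virtual"* ]] && continue
    # the speed node is not readable for every interface; record 0 in that case
    iface_speed=$(cat -- "/sys/class/net/${iface_name}/speed" 2>/dev/null)
    # plain assignment, not "+=": calling this function twice must not
    # concatenate the digits of the old and new speed values
    IFACES[$iface_name]=${iface_speed:-0}
  done < <(find /sys/class/net/ -mindepth 1 -maxdepth 1 -type l -printf '%P %l\0' 2>/dev/null)
}

#######################################
# The capture interface is the one with the highest "speed" in IFACES.
# Globals:   IFACES (read)
# Arguments: none
# Outputs:   the chosen interface name on stdout (empty if IFACES is empty)
# Returns:   status of the final cut in the pipeline
#######################################
function DetermineCaptureInterface() {
  local iface_name
  for iface_name in "${!IFACES[@]}"; do
    printf '%s %s\n' "$iface_name" "${IFACES[$iface_name]}"
  done | sort -rn -k2 | head -n 1 | cut -d' ' -f1
}

#######################################
# Create a service account's directory with mode 0700 and the given owner,
# optionally moving the account's home there.  Every step is best-effort:
# the first failing step ends the function, which always returns 0.
# Arguments: $1 - directory
#            $2 - owner (user:group) for chown
#            $3 - (optional) account whose home is moved to $1 via usermod -m
# Returns:   0
#######################################
function _CreateServiceHome() {
  local dir=$1 owner=$2 account=${3:-}
  mkdir -p -- "$dir" || return 0
  chown "$owner" -- "$dir" || return 0
  chmod 700 -- "$dir" || return 0
  if [[ -n "$account" ]]; then
    usermod -m -d "$dir" "$account" || true
  fi
  return 0
}

#######################################
# Remove default accounts/groups we don't want and create/set directories for
# non-user accounts so the STIG checks do not complain about them.
# Arguments: none
# Returns:   0
#######################################
function CleanDefaultAccounts() {
  local system_user
  for system_user in games gnats irc list lp news www-data; do
    deluser "$system_user" 2>/dev/null || true
  done

  # these are only created when missing
  [[ -d /var/lib/nobody ]] || _CreateServiceHome /var/lib/nobody nobody:nogroup nobody
  [[ -d /var/lib/_apt ]] || _CreateServiceHome /var/lib/_apt _apt:nogroup _apt
  [[ -d /run/systemd/resolve ]] || _CreateServiceHome /run/systemd/resolve systemd-resolve:systemd-resolve
  [[ -d /var/lib/usbmux ]] || _CreateServiceHome /var/lib/usbmux usbmux:plugdev
  [[ -d /var/lib/ntp ]] || _CreateServiceHome /var/lib/ntp ntp:ntp
  # the coredump directory's ownership/mode is re-applied on every run
  _CreateServiceHome /var/lib/systemd-coredump systemd-coredump:nogroup systemd-coredump

  # account/shadow backups and the cron configuration must not be world-readable
  chmod 600 "/etc/crontab" "/etc/group-" "/etc/gshadow-" "/etc/passwd-" "/etc/shadow-" >/dev/null 2>&1 || true
  chmod 700 "/etc/cron.hourly" "/etc/cron.daily" "/etc/cron.weekly" "/etc/cron.monthly" "/etc/cron.d" >/dev/null 2>&1 || true
}

#######################################
# Make systemd wait at most one minute during boot for the network interfaces
# to come up, by setting TimeoutStartSec=1min in networking.service.
# Shared by InitializeSensorNetworking and InitializeAggregatorNetworking.
# Arguments: none
# Returns:   0 when the unit file was modified (a restart is needed),
#            non-zero when it is missing or already set
#######################################
function _EnsureNetworkingStartTimeout() {
  local unit=/etc/systemd/system/network-online.target.wants/networking.service
  # nothing to edit (and no spurious restart) when the unit file is absent
  [[ -f "$unit" ]] || return 1
  grep --quiet '^TimeoutStartSec=1min' "$unit" && return 1
  # NOTE(review): GNU sed -i without --follow-symlinks replaces a symlink with a
  # regular copy; if this .wants entry is a symlink into /lib/systemd, confirm
  # that editing the copy (rather than a drop-in override) is what is intended.
  sed -i 's/^\(TimeoutStartSec\)=.*/\1=1min/' "$unit"
}

#######################################
# Write the ifupdown configuration for the sensor's capture interfaces if it
# has not been done yet, and restart networking when anything changed.
# /etc/network/interfaces.d/sensor can be further configured by the system
# admin via configure-interfaces.py.
# Globals:   IFACES (read), NEED_NETWORKING_RESTART (written; set to 0 when a
#            restart is needed, left unset otherwise)
# Arguments: none
# Returns:   0, or the status of "systemctl restart networking"
#######################################
function InitializeSensorNetworking() {
  unset NEED_NETWORKING_RESTART
  local sensor_cfg=/etc/network/interfaces.d/sensor
  local iface_name

  if [[ ! -f "$sensor_cfg" ]]; then
    printf '\n# sensor interfaces should be configured in "/etc/network/interfaces.d/sensor"\n' >> /etc/network/interfaces
    # capture interfaces are brought up without an address ("inet manual");
    # "$IFACE" is left literal for ifupdown to expand.  Redirecting per
    # interface keeps the file absent when IFACES is empty, so a later run
    # still performs the configuration.
    for iface_name in "${!IFACES[@]}"; do
      printf 'auto %s\nallow-hotplug %s\niface %s inet manual\n pre-up ip link set dev $IFACE up\n post-down ip link set dev $IFACE down\n\n' \
        "$iface_name" "$iface_name" "$iface_name" >> "$sensor_cfg"
    done
    NEED_NETWORKING_RESTART=0
  fi

  if _EnsureNetworkingStartTimeout; then
    NEED_NETWORKING_RESTART=0
  fi

  if [[ -n "${NEED_NETWORKING_RESTART:-}" ]]; then
    systemctl restart networking
  fi
}

#######################################
# On the aggregator wicd manages networking, so strip physical interfaces
# from /etc/network/interfaces (leaving only the interfaces.d include and
# the loopback stanza) and restart networking when anything changed.
# Globals:   NEED_NETWORKING_RESTART (written; set to 0 when a restart is
#            needed, left unset otherwise)
# Arguments: none
# Returns:   0, or the status of "systemctl restart networking"
#######################################
function InitializeAggregatorNetworking() {
  unset NEED_NETWORKING_RESTART
  local iface_cfg=/etc/network/interfaces
  local line_count=0

  # the minimal file written below is 4 lines; anything longer still has
  # interface stanzas in it.  A missing file counts as 0 lines.
  [[ -f "$iface_cfg" ]] && line_count=$(wc -l < "$iface_cfg")
  if (( line_count > 4 )); then
    printf 'source /etc/network/interfaces.d/*\n\nauto lo\niface lo inet loopback\n' > "$iface_cfg"
    NEED_NETWORKING_RESTART=0
  fi

  if _EnsureNetworkingStartTimeout; then
    NEED_NETWORKING_RESTART=0
  fi

  if [[ -n "${NEED_NETWORKING_RESTART:-}" ]]; then
    systemctl restart networking
  fi
}

#######################################
# Fix some permissions so that things belong to the right person: strip
# "other" access from the user's home tree, strip group write/execute from
# its dotfiles, and allow the user to use cron and at.
# Arguments: $1 - user name (nothing is done when empty)
# Returns:   0 when no user is given, else the status of the final chmod
#######################################
function FixPermissions() {
  [[ -n "${1:-}" ]] || return 0
  local user_to_fix=$1
  local home_dir="/home/${user_to_fix}"
  local allow_file

  if [[ -d "$home_dir" ]]; then
    find "$home_dir" \( -type d -o -type f \) -exec chmod o-rwx '{}' +
    find "$home_dir" -type f -name '.*' -exec chmod g-wx '{}' +
  fi

  # -x -F: match the whole line literally, so "bob" is not considered present
  # just because "bobby" is listed (and the name is not treated as a regex)
  for allow_file in /etc/cron.allow /etc/at.allow; do
    if [[ ! -f "$allow_file" ]] || ! grep -qxF -- "$user_to_fix" "$allow_file"; then
      printf '%s\n' "$user_to_fix" >> "$allow_file"
    fi
  done
  chmod 644 /etc/cron.allow /etc/at.allow
}

#######################################
# Block some call-homes by pointing known telemetry/portal-detection hosts
# at 127.0.0.1 in /etc/hosts.  Skipped when /etc/hosts already mentions
# "google", which is taken to mean the entries were added earlier.
# Arguments: none
# Returns:   0
#######################################
function BadTelemetry() {
  local hosts_file=/etc/hosts
  local blocked_hosts=(
    _googlecast._tcp.local
    accounts.google.com
    clients.l.google.com
    fonts.googleapis.com
    safebrowsing-cache.google.com
    safebrowsing.clients.google.com
    update.googleapis.com
    www.google-analytics.com
    www.gstatic.com
    connectivitycheck.gstatic.com
    incoming.telemetry.mozilla.org
    detectportal.firefox.com
    prod.detectportal.prod.cloudops.mozgcp.net
    detectportal.prod.mozaws.net
  )
  if ! grep -q google "$hosts_file"; then
    {
      printf '\n'
      printf '127.0.0.1 %s\n' "${blocked_hosts[@]}"
    } >> "$hosts_file"
  fi
}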