getch 0.1.2 → 0.1.9
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/README.md +66 -32
- data/assets/network-stack.conf +63 -0
- data/assets/system.conf +38 -0
- data/bin/getch +12 -4
- data/lib/cmdline.rb +128 -0
- data/lib/getch/command.rb +32 -22
- data/lib/getch/config/gentoo.rb +58 -0
- data/lib/getch/config/void.rb +47 -0
- data/lib/getch/config.rb +45 -0
- data/lib/getch/filesystem/clean.rb +22 -15
- data/lib/getch/filesystem/device.rb +8 -6
- data/lib/getch/filesystem/ext4/config.rb +8 -4
- data/lib/getch/filesystem/ext4/deps.rb +3 -1
- data/lib/getch/filesystem/ext4/device.rb +2 -3
- data/lib/getch/filesystem/ext4/encrypt/config.rb +15 -11
- data/lib/getch/filesystem/ext4/encrypt/deps.rb +5 -10
- data/lib/getch/filesystem/ext4/encrypt/device.rb +5 -3
- data/lib/getch/filesystem/ext4/encrypt/format.rb +4 -2
- data/lib/getch/filesystem/ext4/encrypt/mount.rb +3 -3
- data/lib/getch/filesystem/ext4/encrypt/partition.rb +29 -35
- data/lib/getch/filesystem/ext4/encrypt/void.rb +101 -0
- data/lib/getch/filesystem/ext4/encrypt.rb +3 -0
- data/lib/getch/filesystem/ext4/format.rb +4 -1
- data/lib/getch/filesystem/ext4/mount.rb +3 -0
- data/lib/getch/filesystem/ext4/partition.rb +11 -8
- data/lib/getch/filesystem/ext4/void.rb +44 -0
- data/lib/getch/filesystem/ext4.rb +3 -0
- data/lib/getch/filesystem/lvm/config.rb +10 -29
- data/lib/getch/filesystem/lvm/deps.rb +7 -11
- data/lib/getch/filesystem/lvm/device.rb +5 -3
- data/lib/getch/filesystem/lvm/encrypt/config.rb +17 -17
- data/lib/getch/filesystem/lvm/encrypt/deps.rb +8 -12
- data/lib/getch/filesystem/lvm/encrypt/device.rb +7 -5
- data/lib/getch/filesystem/lvm/encrypt/format.rb +5 -2
- data/lib/getch/filesystem/lvm/encrypt/mount.rb +4 -2
- data/lib/getch/filesystem/lvm/encrypt/partition.rb +17 -13
- data/lib/getch/filesystem/lvm/encrypt/void.rb +101 -0
- data/lib/getch/filesystem/lvm/encrypt.rb +3 -0
- data/lib/getch/filesystem/lvm/format.rb +4 -1
- data/lib/getch/filesystem/lvm/mount.rb +3 -0
- data/lib/getch/filesystem/lvm/partition.rb +10 -7
- data/lib/getch/filesystem/lvm/void.rb +46 -0
- data/lib/getch/filesystem/lvm.rb +3 -0
- data/lib/getch/filesystem/mount.rb +19 -12
- data/lib/getch/filesystem/partition.rb +19 -11
- data/lib/getch/filesystem/zfs/config.rb +10 -24
- data/lib/getch/filesystem/zfs/deps.rb +28 -58
- data/lib/getch/filesystem/zfs/device.rb +9 -1
- data/lib/getch/filesystem/zfs/encrypt/config.rb +12 -28
- data/lib/getch/filesystem/zfs/encrypt/deps.rb +29 -60
- data/lib/getch/filesystem/zfs/encrypt/device.rb +9 -1
- data/lib/getch/filesystem/zfs/encrypt/format.rb +24 -22
- data/lib/getch/filesystem/zfs/encrypt/mount.rb +15 -14
- data/lib/getch/filesystem/zfs/encrypt/partition.rb +24 -18
- data/lib/getch/filesystem/zfs/encrypt/void.rb +97 -0
- data/lib/getch/filesystem/zfs/encrypt.rb +3 -0
- data/lib/getch/filesystem/zfs/format.rb +21 -18
- data/lib/getch/filesystem/zfs/mount.rb +12 -13
- data/lib/getch/filesystem/zfs/partition.rb +20 -15
- data/lib/getch/filesystem/zfs/void.rb +81 -0
- data/lib/getch/filesystem/zfs.rb +3 -0
- data/lib/getch/filesystem.rb +2 -0
- data/lib/getch/gentoo/boot.rb +29 -67
- data/lib/getch/gentoo/bootloader.rb +68 -0
- data/lib/getch/gentoo/chroot.rb +26 -29
- data/lib/getch/gentoo/config.rb +69 -31
- data/lib/getch/gentoo/sources.rb +73 -38
- data/lib/getch/gentoo/stage.rb +12 -13
- data/lib/getch/gentoo/use.rb +39 -0
- data/lib/getch/gentoo/use_flag.rb +89 -0
- data/lib/getch/gentoo.rb +39 -21
- data/lib/getch/guard.rb +71 -0
- data/lib/getch/helpers.rb +180 -48
- data/lib/getch/log.rb +10 -7
- data/lib/getch/options.rb +50 -41
- data/lib/getch/states.rb +10 -3
- data/lib/getch/version.rb +1 -1
- data/lib/getch/void/boot.rb +84 -0
- data/lib/getch/void/chroot.rb +56 -0
- data/lib/getch/void/config.rb +90 -0
- data/lib/getch/void/stage.rb +69 -0
- data/lib/getch/void.rb +65 -0
- data/lib/getch.rb +125 -74
- data.tar.gz.sig +0 -0
- metadata +28 -10
- metadata.gz.sig +0 -0
- data/.gitignore +0 -2
- data/CHANGELOG.md +0 -80
- data/Rakefile +0 -21
- data/bin/setup.sh +0 -90
- data/getch.gemspec +0 -25
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 46439ee6483306d467923074b461ad5df9d9f7a9a32981936952b586e85173f9
|
4
|
+
data.tar.gz: e4232a6832086eafb46e9f29da73b461762c65c6232071cf2854c9ddb7680e2f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8689b833a86f39c1b5a310ed193e588399fed86384012015f04251d39175e3bd6121a7f65540086fc1556f831017a6d56467a3325ec29f78651295adcdd3ed23
|
7
|
+
data.tar.gz: ac28be3804fddb3f995a8b86c438d447216547078855ca103ac4151a038934a9e7369a8a96500165b14ca38fdcac6ece31bbb5a1324e036b553ad76a0f456621
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data/README.md
CHANGED
@@ -1,34 +1,57 @@
|
|
1
1
|
# Getch
|
2
|
-
|
2
|
+
|
3
|
+
<div align="center">
|
4
|
+
<br/>
|
5
|
+
|
6
|
+
[![Gem Version](https://badge.fury.io/rb/getch.svg)](https://badge.fury.io/rb/getch)
|
7
|
+
![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/szorfein/getch/Rubocop/develop)
|
8
|
+
[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
|
9
|
+
![GitHub](https://img.shields.io/github/license/szorfein/ardecy)
|
10
|
+
|
11
|
+
</div>
|
12
|
+
|
13
|
+
A CLI tool to install Gentoo or Void Linux with default:
|
14
|
+
+ DNS over HTTPS (with [Quad9](https://www.quad9.net/)).
|
15
|
+
+ Vim | Nano installed.
|
16
|
+
+ Iptables installed (not configured).
|
17
|
+
+ Sudo installed (not configured).
|
18
|
+
+ [iwd](https://iwd.wiki.kernel.org/) installed if wifi is detected.
|
19
|
+
+ No GUI installed.
|
20
|
+
|
21
|
+
Hardened System:
|
22
|
+
+ sysctl.conf with TCP/IP stack hardening and more [Arch](https://wiki.archlinux.org/title/Sysctl)
|
23
|
+
+ Kernel parameters enforced (dmesg restricted, kexec disabled, etc)
|
24
|
+
+ Kernel source (Gentoo) patched with [bask](https://github.com/szorfein/bask).
|
3
25
|
|
4
26
|
## Description
|
5
|
-
Actually, Getch support only the
|
27
|
+
Actually, Getch support only the `x86_64` architecture and only with the following archives:
|
28
|
+
+ **Gentoo**: `stage3-amd64-systemd` [Gentoo](https://www.gentoo.org/downloads/).
|
29
|
+
+ **Void**: `rootfs glibc` [Void](https://voidlinux.org/download/).
|
6
30
|
|
7
|
-
|
31
|
+
Filesystem supported (with or without encryption)
|
8
32
|
+ Ext4
|
9
|
-
+
|
33
|
+
+ Lvm
|
10
34
|
+ ZFS
|
11
35
|
|
12
|
-
|
36
|
+
Boot Manager:
|
37
|
+
+ **Gentoo**: `BIOS` will use `Grub2` and `systemd-boot` for `UEFI`.
|
38
|
+
+ **Void**: use only Grub2, encryption for the root fs use luks1.
|
13
39
|
|
14
40
|
The ISO images i was able to test and that works:
|
15
41
|
+ [Archlinux](https://www.archlinux.org/download/)
|
16
42
|
+ [Archaeidae](https://github.com/szorfein/archaeidae): Custom Archiso that includes ZFS support.
|
17
43
|
|
44
|
+
## Dependencies
|
45
|
+
Getch is build without external libs, so it only require `ruby >= 2.5`.
|
46
|
+
|
18
47
|
## Install
|
19
48
|
Getch is cryptographically signed, so add my public key (if you haven’t already) as a trusted certificate.
|
20
49
|
With `gem` installed:
|
21
50
|
|
22
51
|
$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/szorfein/getch/master/certs/szorfein.pem)
|
23
|
-
|
24
52
|
$ gem install getch -P HighSecurity
|
25
53
|
|
26
|
-
|
27
|
-
|
28
|
-
# sh <(curl -L https://raw.githubusercontent.com/szorfein/getch/master/bin/setup.sh)
|
29
|
-
# source ~/.zshrc # or ~/.bashrc
|
30
|
-
|
31
|
-
If you want to try the master branch:
|
54
|
+
If you want to try from the source:
|
32
55
|
|
33
56
|
# git clone https://github.com/szorfein/getch
|
34
57
|
# cd getch
|
@@ -46,51 +69,62 @@ For a french user:
|
|
46
69
|
|
47
70
|
# getch --zoneinfo "Europe/Paris" --language fr_FR --keymap fr
|
48
71
|
|
49
|
-
Install Gentoo on LVM
|
72
|
+
Install Gentoo on LVM and use a different root disk `/dev/sdc`
|
50
73
|
|
51
|
-
# getch --format lvm --disk
|
74
|
+
# getch --format lvm --disk sdc
|
52
75
|
|
53
76
|
Encrypt your disk with LVM with a french keymap
|
54
77
|
|
55
78
|
# getch --format lvm --encrypt --keymap fr
|
56
79
|
|
57
|
-
Encrypt with ext4 and create a
|
80
|
+
Encrypt with ext4 and create a new user `ninja`:
|
58
81
|
|
59
82
|
# getch --format ext4 --encrypt --username ninja
|
60
83
|
|
61
|
-
With ZFS:
|
84
|
+
With ZFS, if used with `--encrypt`, it use the native ZFS encryption:
|
62
85
|
|
63
86
|
# getch --format zfs
|
64
87
|
|
88
|
+
With `Void Linux`:
|
89
|
+
|
90
|
+
# getch --os void --encrypt -k fr
|
91
|
+
|
65
92
|
## Troubleshooting
|
66
93
|
|
67
|
-
#### LVM
|
68
|
-
|
94
|
+
#### Old VG for LVM
|
95
|
+
If a old volume group exist, `getch` may fail to partition your disk. You have to clean up your device before proceed with `vgremove` and `pvremove`. An short example how doing this with a volume group named `vg0`:
|
69
96
|
|
70
97
|
# vgdisplay | grep vg0
|
71
98
|
# vgremove -f vg0
|
72
99
|
# pvremove -f /dev/sdb
|
73
100
|
|
74
101
|
#### Encryption enable on BIOS with ext4
|
75
|
-
To decrypt your disk on BIOS system, you have to enter your password
|
102
|
+
To decrypt your disk on BIOS system, you have to enter your password twice. One time for Grub and another time for Genkernel. [post](https://wiki.archlinux.org/index.php/GRUB#Encrypted_/boot).
|
76
103
|
Also with GRUB, only a `us` keymap is working.
|
77
104
|
|
78
|
-
####
|
79
|
-
|
105
|
+
#### ZFS for Void Linux - Enable the boot pool
|
106
|
+
You have some extras step to do after booting to enable the boot pool, you need this pool when you update your system. It's used mainly by Grub and Dracut.
|
107
|
+
By default, your /boot is empty because your boot pool is not imported...
|
108
|
+
|
109
|
+
# zpool import -f -d /dev/disk/by-id -N bpool-150ed
|
110
|
+
# zfs mount bpool-150ed/BOOT/void
|
111
|
+
# ls /boot
|
112
|
+
|
113
|
+
You should see something in the boot (initramfs, vmlinuz).. Recreate the initramfs.
|
114
|
+
|
115
|
+
# xbps-reconfigure -fa
|
80
116
|
|
81
|
-
|
117
|
+
Make the `bpool` available at the boot:
|
82
118
|
|
83
|
-
#
|
84
|
-
-> 150ed969...
|
85
|
-
# zpool import -N -R /mnt rpool-150ed
|
119
|
+
# zfs set canmount=on bpool-150ed/BOOT/void
|
86
120
|
|
87
|
-
And
|
121
|
+
And reboot, the `/boot` partition should be mounted automatically after that.
|
88
122
|
|
89
|
-
|
123
|
+
#### ZFS Encrypted with Void
|
124
|
+
Well, another weird issue, the first time you boot on your encrypted pool, nothing append. Dracut try to mount inexistent device. Just wait for enter in the shell:
|
90
125
|
|
91
|
-
|
126
|
+
# ls /lib/dracut/hooks/initqueue/finished/*
|
127
|
+
# rm /lib/dracut/hooks/initqueue/finished/dev*
|
128
|
+
# exit
|
92
129
|
|
93
|
-
|
94
|
-
If need more support for your hardware (network, sound card, ...), you can submit a [new issue](https://github.com/szorfein/getch/issues/new) and post the output of the following command:
|
95
|
-
+ lspci
|
96
|
-
+ lsmod
|
130
|
+
Dracut should finally start `mount-zfs.sh` and ask for your password. After you first login, follow instructions above for recompile the initramfs and mount the boot pool and your good.
|
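--- a/data/assets/network-stack.conf
+++ b/data/assets/network-stack.conf
@@ -0,0 +1,63 @@
+# https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening
+# https://github.com/trimstray/the-practical-linux-hardening-guide/wiki/Network-stack
+
+# TCP SYN cookie protection
+net.ipv4.tcp_syncookies = 1
+
+# TCP rfc1337
+net.ipv4.tcp_rfc1337 = 1
+
+# Reverse path filtering
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Log martian packets
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.all.log_martians = 1
+
+# Disable ICMP redirects
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Disable IP source routing
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.accept_source_route = 0
+
+# Ignore ICMP echo requests
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignoring broadcasts request
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# An illicit router advertisement message could result in a man-in-the-middle attack.
+net.ipv6.conf.default.accept_ra = 0
+net.ipv6.conf.all.accept_ra = 0
+
+# Ignore bogus ICMP error responses
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# ICMP redirects
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.accept_redirects = 0
+
+# Accepting secure redirects
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+
+# IP forwarding
+net.ipv4.ip_forward = 0
+
+# Sending ICMP redirects
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+
+# Keep sockets in FIN-WAIT-2 state
+net.ipv4.tcp_fin_timeout = 30
+
+# Keepalive packets to keep an connection alive
+net.ipv4.tcp_keepalive_time = 180
+net.ipv4.tcp_keepalive_intvl = 10
+net.ipv4.tcp_keepalive_probes = 3
+
+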
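Review bot: Source routing is switched off only for IPv4 (the two `accept_source_route` lines under "Disable IP source routing"), while every other family-specific knob in this file is set for both v4 and v6; the IPv6 counterpart is missing and should sit next to them: `net.ipv6.conf.default.accept_source_route = 0` / `net.ipv6.conf.all.accept_source_route = 0`. The redirect settings are also split across two headings ("Disable ICMP redirects" carries the v6 lines, "ICMP redirects" the v4 lines), which reads like an accidental duplicate; one heading for all four lines is clearer. `icmp_echo_ignore_all = 1` on both families makes the host unreachable to ping, which is a deliberate trade-off but will surprise whoever debugs connectivity later, so a comment such as `# NOTE: the host will not answer ping; use tcp-based probes to check reachability` is worth adding. Likewise `accept_ra = 0` disables kernel SLAAC; that is fine when systemd-networkd or dhcpcd processes router advertisements in user space, as appears to be the intent elsewhere in this release, but the comment should say that the network manager is expected to take over IPv6 autoconfiguration.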
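--- a/data/assets/system.conf
+++ b/data/assets/system.conf
@@ -0,0 +1,38 @@
+# Disable SysReq
+kernel.sysrq = 0
+
+# No core dump of executable setuid
+fs.suid_dumpable = 0
+
+# Prohibit unreferencing links to files
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# Activate ASLR
+kernel.randomize_va_space = 2
+
+# Prohibit mapping of memory in low addresses (0)
+vm.mmap_min_addr = 65536
+
+# Larger choice space for PID values
+kernel.pid_max = 65536
+
+# Obfuscation of addresses memory kernel
+kernel.kptr_restrict = 1
+
+# Access restriction to the dmesg buffer
+kernel.dmesg_restrict = 1
+
+# Restricts the use of the perf system
+kernel.perf_event_paranoid = 2
+kernel.perf_event_max_sample_rate = 1
+kernel.perf_cpu_time_max_percent = 1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope = 1
+
+# Disable User Namespaces
+user.max_user_namespaces = 0
+
+# Turn off unprivileged eBPF access.
+kernel.unprivileged_bpf_disabled = 1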
data/bin/getch
CHANGED
@@ -2,8 +2,16 @@
|
|
2
2
|
|
3
3
|
require 'getch'
|
4
4
|
|
5
|
-
|
6
|
-
Getch::
|
7
|
-
|
5
|
+
getch = Getch::Main.new(
|
6
|
+
:cli => Getch::Options.new(ARGV)
|
7
|
+
)
|
8
8
|
|
9
|
-
|
9
|
+
getch.resume
|
10
|
+
|
11
|
+
getch.partition
|
12
|
+
getch.format
|
13
|
+
getch.mount
|
14
|
+
|
15
|
+
getch.install
|
16
|
+
|
17
|
+
getch.configure
|
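--- a/data/lib/cmdline.rb
+++ b/data/lib/cmdline.rb
@@ -0,0 +1,128 @@
+module CmdLine
+def echo(path, content, mode = 0700)
+f = File.new path, 'w'
+f.write "#{content}\n"
+f.chmod mode
+f.close
+end
+
+class Kernel
+include CmdLine
+
+# man kernel-install
+# use /etc/kernel/cmdline by default
+def initialize(arg)
+@dir = arg[:workdir]
+@file = "#{@dir}/cmdline"
+@line = ''
+end
+
+def main
+puts ' > Generate cmdline for Kernel...'
+cpu_mitigations
+distrust_cpu
+kernel_hardening
+quiet
+
+puts " >> Writing cmdline to #{@file}..."
+echo @file, "#{@line}\n", 0644
+end
+
+private
+
+def cpu_mitigations
+@line << 'mds=full,nosmt'
+@line << ' l1tf=full,force'
+@line << ' kvm.nx_huge_pages=force'
+end
+
+def distrust_cpu
+@line << ' random.trust_cpu=off'
+end
+
+def kernel_hardening
+@line << ' slab_nomerge'
+@line << ' slub_debug=FZ'
+@line << ' init_on_alloc=1 init_on_free=1'
+@line << ' mce=0'
+@line << ' pti=on'
+@line << ' vsyscall=none'
+@line << ' page_alloc.shuffle=1'
+@line << ' debugfs=off'
+end
+
+def quiet
+@line << ' quiet loglevel=0'
+end
+end
+
+class Grub
+include CmdLine
+
+def initialize(arg)
+@conf = arg[:workdir]
+@default_alias = 'GRUB_CMDLINE_LINUX_DEFAULT'
+@cmd_alias = 'GRUB_CMDLINE_LINUX'
+end
+
+def main
+puts ' > Generate cmdline for Grub...'
+cpu_mitigations
+distrust_cpu
+kernel_hardening
+quiet
+end
+
+private
+
+def cpu_mitigations
+lines = []
+lines << add_linux('mds=full,nosmt')
+lines << add_linux('l1tf=full,force')
+lines << add_linux('kvm.nx_huge_pages=force')
+
+puts " >> Writing to #{@conf}/40_cpu_mitigations.cfg"
+echo "#{@conf}/40_cpu_mitigations.cfg", lines.join("\n"), 0755
+end
+
+def distrust_cpu
+lines = []
+lines << add_linux('random.trust_cpu=off')
+
+puts " >> Writing to #{@conf}/40_distrust_cpu.cfg"
+echo "#{@conf}/40_distrust_cpu.cfg", lines.join("\n"), 0755
+end
+
+def kernel_hardening
+lines = []
+lines << add_linux('slab_nomerge')
+lines << add_linux('slub_debug=FZ')
+lines << add_linux('init_on_alloc=1 init_on_free=1')
+lines << add_linux('mce=0')
+lines << add_linux('pti=on')
+lines << add_linux('vsyscall=none')
+lines << add_linux('page_alloc.shuffle=1')
+lines << add_linux('debugfs=off')
+
+puts " >> Writing to #{@conf}/40_kernel_hardening.cfg"
+echo "#{@conf}/40_kernel_hardening.cfg", lines.join("\n"), 0755
+end
+
+def quiet
+lines = []
+lines << "#{@default_alias}=\"$(echo \"$#{@default_alias}\" | LANG=C str_replace \"quiet\" \"\")\""
+lines << add_linux_default('quiet loglevel=0')
+
+puts " >> Writing to #{@conf}/41_quiet.cfg"
+echo "#{@conf}/41_quiet.cfg", lines.join("\n"), 0755
+end
+
+def add_linux(arg)
+"#{@cmd_alias}=\"$#{@cmd_alias} #{arg}\""
+end
+
+def add_linux_default(arg)
+"#{@default_alias}=\"$#{@default_alias} #{arg}\""
+end
+end
+end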
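Review bot: `CmdLine#echo` opens the file with `File.new` and only reaches `f.close` on the happy path, so a failing `write` or `chmod` leaves the descriptor open until GC; the block form closes it unconditionally: `File.open(path, 'w') { |f| f.write("#{content}\n"); f.chmod(mode) }`. `Kernel#main` then hands `"#{@line}\n"` to `echo`, which appends a second `\n`, so `/etc/kernel/cmdline` ends with a blank line; passing `@line` is enough. Naming the class `Kernel` shadows `::Kernel` for every constant lookup lexically inside `module CmdLine`, which is a surprise waiting for the next method that calls `Kernel.exit` or similar; a name such as `KernelCmdline` avoids it. In `Grub#quiet`, the generated line pipes through `LANG=C str_replace "quiet" ""`, and `str_replace` does not look like a standard shell utility — confirm it is defined wherever these `.cfg` files are sourced, or use `sed 's/quiet//'` there.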
data/lib/getch/command.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'open3'
|
2
4
|
|
3
5
|
module Getch
|
@@ -9,7 +11,7 @@ module Getch
|
|
9
11
|
end
|
10
12
|
|
11
13
|
def run!
|
12
|
-
@log.info
|
14
|
+
@log.info 'Running command: ' + @cmd.gsub(/\"/, '')
|
13
15
|
|
14
16
|
Open3.popen3(@cmd) do |stdin, stdout, stderr, wait_thr|
|
15
17
|
stdin.close_write
|
@@ -18,7 +20,7 @@ module Getch
|
|
18
20
|
# only stderr
|
19
21
|
begin
|
20
22
|
@log.debug stderr.readline until stderr.eof.nil?
|
21
|
-
rescue
|
23
|
+
rescue
|
22
24
|
end
|
23
25
|
|
24
26
|
begin
|
@@ -59,9 +61,9 @@ module Getch
|
|
59
61
|
block.each do |f|
|
60
62
|
begin
|
61
63
|
data = f.read_nonblock(@block_size)
|
62
|
-
puts data if
|
64
|
+
puts data if OPTIONS[:verbose]
|
63
65
|
rescue EOFError
|
64
|
-
puts
|
66
|
+
puts
|
65
67
|
rescue => e
|
66
68
|
puts "Fatal - #{e}"
|
67
69
|
end
|
@@ -79,13 +81,13 @@ module Getch
|
|
79
81
|
|
80
82
|
def run!
|
81
83
|
@log.info "Running emerge: #{@cmd}"
|
82
|
-
system(
|
84
|
+
system('chroot', @gentoo, '/bin/bash', '-c', "source /etc/profile && #{@cmd}")
|
83
85
|
read_exit
|
84
86
|
end
|
85
87
|
|
86
88
|
def pkg!
|
87
89
|
@log.info "Running emerge pkg: #{@cmd}"
|
88
|
-
system(
|
90
|
+
system('chroot', @gentoo, '/bin/bash', '-c', "source /etc/profile && emerge --changed-use #{@cmd}")
|
89
91
|
read_exit
|
90
92
|
end
|
91
93
|
|
@@ -113,10 +115,8 @@ module Getch
|
|
113
115
|
&& env-update \
|
114
116
|
&& cd /usr/src/linux \
|
115
117
|
&& #{@cmd}\""
|
116
|
-
Open3.popen2e(cmd) do |
|
117
|
-
|
118
|
-
puts line
|
119
|
-
end
|
118
|
+
Open3.popen2e(cmd) do |_, stdout_err, wait_thr|
|
119
|
+
stdout_err.each { |l| puts l }
|
120
120
|
|
121
121
|
exit_status = wait_thr.value
|
122
122
|
unless exit_status.success?
|
@@ -129,23 +129,21 @@ module Getch
|
|
129
129
|
|
130
130
|
class Bask
|
131
131
|
def initialize(cmd)
|
132
|
-
@gentoo = MOUNTPOINT
|
133
132
|
@cmd = cmd
|
134
133
|
@log = Getch::Log.new
|
135
|
-
@version =
|
134
|
+
@version = '0.6'
|
135
|
+
@config = "#{MOUNTPOINT}/etc/kernel/config.d"
|
136
|
+
download_bask unless Dir.exist? "#{MOUNTPOINT}/root/bask-#{@version}"
|
136
137
|
end
|
137
138
|
|
138
139
|
def run!
|
139
|
-
download_bask if ! Dir.exist? "#{MOUNTPOINT}/root/bask-#{@version}"
|
140
140
|
@log.info "Running Bask: #{@cmd}"
|
141
|
-
cmd = "chroot #{
|
141
|
+
cmd = "chroot #{MOUNTPOINT} /bin/bash -c \"source /etc/profile \
|
142
142
|
&& env-update \
|
143
143
|
&& cd /root/bask-#{@version} \
|
144
144
|
&& ./bask.sh #{@cmd} -k /usr/src/linux\""
|
145
|
-
Open3.popen2e(cmd) do |
|
146
|
-
|
147
|
-
puts line
|
148
|
-
end
|
145
|
+
Open3.popen2e(cmd) do |_, stdout_err, wait_thr|
|
146
|
+
stdout_err.each { |l| puts l }
|
149
147
|
|
150
148
|
exit_status = wait_thr.value
|
151
149
|
unless exit_status.success?
|
@@ -155,15 +153,27 @@ module Getch
|
|
155
153
|
end
|
156
154
|
end
|
157
155
|
|
158
|
-
|
156
|
+
def cp
|
157
|
+
Helpers.mkdir @config
|
158
|
+
Helpers.cp(
|
159
|
+
"#{MOUNTPOINT}/root/bask-#{@version}/config.d/#{@cmd}",
|
160
|
+
"#{@config}/#{@cmd}"
|
161
|
+
)
|
162
|
+
end
|
163
|
+
|
164
|
+
def add(content)
|
165
|
+
Helpers.add_file "#{@config}/#{@cmd}", content
|
166
|
+
end
|
167
|
+
|
168
|
+
private
|
159
169
|
|
160
170
|
def download_bask
|
161
|
-
@log.info
|
162
|
-
url = "https://github.com/szorfein/bask/archive/
|
171
|
+
@log.info 'Installing Bask...'
|
172
|
+
url = "https://github.com/szorfein/bask/archive/refs/tags/#{@version}.tar.gz"
|
163
173
|
file = "bask-#{@version}.tar.gz"
|
164
174
|
|
165
175
|
Dir.chdir("#{MOUNTPOINT}/root")
|
166
|
-
Helpers
|
176
|
+
Helpers.get_file_online(url, file)
|
167
177
|
Getch::Command.new("tar xzf #{file}").run!
|
168
178
|
end
|
169
179
|
end
|
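Review bot: `Bask#download_bask` fetches the release tarball with `Helpers.get_file_online(url, file)` and immediately runs `tar xzf` on it, with no digest or signature check, and the extracted `./bask.sh` is later executed inside the chroot by `run!`; since `@version` is now pinned to `'0.6'`, comparing the downloaded file against a pinned SHA-256 of that release before extracting closes the gap (`digest` is standard library, `require 'digest'` at the top of the file). Whether `get_file_online` verifies anything itself is not visible here. `Dir.chdir("#{MOUNTPOINT}/root")` on the line before also changes the working directory of the whole process and never restores it; the block form confines it. Both now run from `initialize` (`download_bask unless Dir.exist? ...`), so `Bask.new` performs network I/O — a one-line comment on the constructor saying so would help callers.
```ruby
def download_bask
  # … unchanged: @log.info, url and file assignments …
  Dir.chdir("#{MOUNTPOINT}/root") do
    Helpers.get_file_online(url, file)
    # BASK_SHA256 is a placeholder: pin the SHA-256 of the 0.6 release tarball here.
    actual = Digest::SHA256.file(file).hexdigest
    raise "#{file}: SHA-256 mismatch (got #{actual})" unless actual == BASK_SHA256
    Getch::Command.new("tar xzf #{file}").run!
  end
end
```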
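--- a/data/lib/getch/config/gentoo.rb
+++ b/data/lib/getch/config/gentoo.rb
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Getch
+module Config
+class Gentoo
+def initialize
+@systemd_net_dir = "#{MOUNTPOINT}/etc/systemd"
+end
+
+def ethernet
+conf = "#{@systemd_net_dir}/network/20-ethernet.network"
+datas = [
+'[Match]',
+'Name=en*',
+'Name=eth*',
+'[Network]',
+'DHCP=yes',
+'IPv6PrivacyExtensions=yes',
+'[DHCP]',
+'RouteMetric=512',
+]
+File.write(conf, datas.join("\n"), mode: 'w')
+end
+
+def wifi
+conf = "#{@systemd_net_dir}/network/20-wireless.network"
+datas = [
+'[Match]',
+'Name=wlp*',
+'Name=wlan*',
+'[Network]',
+'DHCP=yes',
+'IPv6PrivacyExtensions=yes',
+'[DHCP]',
+'RouteMetric=1024',
+]
+File.write(conf, datas.join("\n"), mode: 'w')
+end
+
+def dns
+conf = "#{@systemd_net_dir}/resolved.conf.d/dns_over_tls.conf"
+datas = [
+'[Resolve]',
+'DNS=9.9.9.9#dns.quad9.net',
+'DNSOverTLS=yes',
+]
+Helpers.create_dir("#{@systemd_net_dir}/resolved.conf.d")
+File.write(conf, datas.join("\n"), mode: 'w')
+
+Getch::Chroot.new('systemctl enable systemd-networkd').run!
+Getch::Chroot.new('systemctl enable systemd-resolved').run!
+end
+
+def shell
+end
+end
+end
+end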
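Review bot: `ethernet` and `wifi` write into `#{@systemd_net_dir}/network/` without ensuring the directory exists, while `dns` calls `Helpers.create_dir` before writing its drop-in; `/etc/systemd/network` normally ships with systemd, but a `Helpers.create_dir("#{@systemd_net_dir}/network")` in both makes the three writers consistent and removes the assumption. `shell` is an empty method with no comment, so it reads as unfinished next to the Void counterpart that runs `chsh`; a one-liner such as `# No-op on Gentoo: the shell is left as shipped by the stage3.` (adjust to the real reason) would settle that. The README added in this same release advertises "DNS over HTTPS", whereas `dns` configures `DNSOverTLS=yes` through systemd-resolved — the README wording should say DNS over TLS. `@systemd_net_dir` points at `/etc/systemd` as a whole, not a network directory, so `@systemd_dir` would name it more honestly.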
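--- a/data/lib/getch/config/void.rb
+++ b/data/lib/getch/config/void.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Getch
+module Config
+class Void
+include Helpers::Void
+
+def initialize
+@service_dir = '/etc/runit/runsvdir/default/'
+end
+
+# Enable dhcpcd service
+def ethernet
+command "ln -fs /etc/sv/dhcpcd #{@service_dir}"
+end
+
+# with Quad9
+# https://www.dnsknowledge.com/tutorials/how-to-setup-quad9-dns-on-a-linux/
+def dns
+conf = "#{MOUNTPOINT}/etc/resolv.conf"
+content = [
+'nameserver 9.9.9.9',
+'nameserver 2620:fe::fe',
+'options rotate',
+]
+File.write(conf, content.join("\n"), mode: 'w', chmod: 0644)
+end
+
+# https://docs.voidlinux.org/config/network/iwd.html
+def wifi
+conf = "#{MOUNTPOINT}/etc/iwd/main.conf"
+content = [
+'[General]',
+'UseDefaultInterface=true',
+]
+File.write(conf, content.join("\n"), mode: 'a', chmod: 0644)
+# Enabling dbus and iwd
+command "ln -fs /etc/sv/dbus #{@service_dir}"
+command "ln -fs /etc/sv/iwd #{@service_dir}"
+end
+
+def shell
+command 'chsh -s /bin/bash'
+end
+end
+end
+end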
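Review bot: `chmod: 0644` passed to `File.write` in both `dns` and `wifi` is not an option `File.write` documents — the creation-mode keyword is `perm:` — and on the Ruby versions I know an unknown keyword here raises `ArgumentError`, so confirm these methods run at all on the target Ruby and change both calls to `perm: 0644`. `ethernet` enables dhcpcd, which by default rewrites `/etc/resolv.conf` from the DHCP lease, so the Quad9 `nameserver` lines written by `dns` are likely replaced at first boot unless dhcpcd.conf carries `nohook resolv.conf`; if the resolver choice is meant to stick, that setting needs to be written too. `wifi` opens iwd's main.conf with `mode: 'a'`, so every re-run appends another `[General]` section; `mode: 'w'` matches the other writers. The README in this release advertises "DNS over HTTPS (with Quad9)", but for Void this writes plain, unencrypted resolver entries — worth stating in the README's Void section so nobody assumes the transport is protected.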