parent
073bc3f7e9
commit
231c62b581
4 changed files with 63 additions and 2 deletions
|
@ -23,6 +23,7 @@ set_default_options()
|
|||
opt[regen-hostkeys]=0
|
||||
opt[logrotate]=1
|
||||
opt[overwrite-logrotate]=1
|
||||
|
||||
# special case:
|
||||
# If $autodetect_startup_system is 1, we'll autodetect whether we will install the
|
||||
# systemd units (preferred) or the init.d files.
|
||||
|
@ -33,6 +34,16 @@ set_default_options()
|
|||
opt[init]=0
|
||||
opt[systemd-units]=0
|
||||
# /special
|
||||
|
||||
# special case 2:
|
||||
# If $autodetect_selinux is 1, we'll autodetect whether we're running on a system
|
||||
# supporting SELinux, and if yes, we'll proceed in deploying the module to make it
|
||||
# possible to use TOTP MFA on those systems.
|
||||
# Any specification of --[no-]install-selinux-module will inhibit this behavior
|
||||
autodetect_selinux=1
|
||||
opt[install-selinux-module]=0
|
||||
# /special case 2
|
||||
|
||||
opt[profile]=1
|
||||
opt[cron]=1
|
||||
opt[overwrite-cron]=1
|
||||
|
@ -66,6 +77,7 @@ while [ -n "$1" ]; do
|
|||
opt[logrotate]=0
|
||||
opt[overwrite-logrotate]=0
|
||||
autodetect_startup_system=0
|
||||
autodetect_selinux=0
|
||||
opt[profile]=0
|
||||
opt[cron]=0
|
||||
opt[overwrite-cron]=0
|
||||
|
@ -77,6 +89,7 @@ while [ -n "$1" ]; do
|
|||
opt[logrotate]=1
|
||||
opt[overwrite-logrotate]=0
|
||||
autodetect_startup_system=1
|
||||
autodetect_selinux=1
|
||||
opt[profile]=0
|
||||
opt[cron]=1
|
||||
opt[overwrite-cron]=1
|
||||
|
@ -89,7 +102,8 @@ while [ -n "$1" ]; do
|
|||
for allowedopt in modify-banner modify-sshd-config modify-ssh-config modify-motd modify-umask \
|
||||
modify-pam-lastlog remove-weak-moduli regen-hostkeys overwrite-logrotate overwrite-cron \
|
||||
overwrite-syslog-ng logrotate cron syslog-ng migration-grant-aclkeeper-to-gatekeepers \
|
||||
init systemd-units profile modify-pam-sshd wait check-ttyrec install-fake-ttyrec
|
||||
init systemd-units profile modify-pam-sshd wait check-ttyrec install-fake-ttyrec \
|
||||
install-selinux-module
|
||||
do
|
||||
if [ "$1" = "--no-$allowedopt" ]; then
|
||||
opt[$allowedopt]=0
|
||||
|
@ -102,6 +116,10 @@ while [ -n "$1" ]; do
|
|||
# see "special case" comment above for more information
|
||||
autodetect_startup_system=0
|
||||
fi
|
||||
if [ "$1" = "install-selinux-module" ]; then
|
||||
# see "special case 2" comment above for more information
|
||||
autodetect_selinux=0
|
||||
fi
|
||||
done
|
||||
if [ "$foundoption" != 1 ]; then
|
||||
echo "$0: Unrecognized option '$1'"
|
||||
|
@ -1174,6 +1192,34 @@ if [ "${opt[systemd-units]}" = 1 ]; then
|
|||
action_done
|
||||
fi
|
||||
|
||||
if [ "$autodetect_selinux" = 1 ]; then
|
||||
action_doing "Autodetecting SELinux..."
|
||||
if command -v setenforce >/dev/null; then
|
||||
action_done "found"
|
||||
opt[install-selinux-module]=1
|
||||
else
|
||||
action_done "not found"
|
||||
opt[install-selinux-module]=0
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "${opt[install-selinux-module]}" = 1 ]; then
|
||||
action_doing "Installing SELinux module"
|
||||
if ! command -v semodule >/dev/null; then
|
||||
action_error "Missing \`semodule' tool, please install it (it's usually found in the 'policycoreutils' package)"
|
||||
else
|
||||
if semodule -l | grep -q the-bastion; then
|
||||
action_na "module is already installed"
|
||||
else
|
||||
if semodule -i "$basedir/etc/selinux/the-bastion.pp"; then
|
||||
action_done "module installed"
|
||||
else
|
||||
action_error "semodule returned an error"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "${opt[profile]}" = 1 ]; then
|
||||
action_doing "Copy profile.d files if applicable"
|
||||
if [ -d $ETC_DIR/profile.d ]; then
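Review bot: The explicit-option check added in the option-parsing hunk, `if [ "$1" = "install-selinux-module" ]; then`, compares the raw argument against the bare option name, while the same loop matches `$1` against `--no-$allowedopt` (so `$1` still carries its `--` prefix), which means neither `--install-selinux-module` nor `--no-install-selinux-module` ever reaches `autodetect_selinux=0` and the autodetection later overrides the user's explicit choice, contrary to the "special case 2" comment. As far as the hunk shows, the line should be `if [ "$1" = "--install-selinux-module" ] || [ "$1" = "--no-install-selinux-module" ]; then` (the enclosing `while`/`for` loop starts outside the hunk, so a `$foundoption`-based variant may fit the surrounding code better). In the installation hunk, `semodule -l | grep -q the-bastion` is an unanchored substring match, so any other module whose name contains that string would count as "already installed" and the bastion module would silently never be loaded; an anchored pattern such as `grep -q '^the-bastion\b'` is safer. Also worth a comment next to `command -v setenforce`: it only shows the SELinux userspace tools are present, not that SELinux is enabled, so `semodule -i` may still fail on a system where the policy is disabled, in which case the `action_error` branch is reached rather than a clean skip.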
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
"defaultLogin": "",
|
||||
#
|
||||
# adminAccounts (list of accounts names), deprecated alias: adminLogins
|
||||
# DESC: The list of accounts that are Admins of the bastion. Admins can't be deleted or have their ingress keys reset by non-admins. They also gain access to special dangerous/sensitive --osh commands. Note that an admin is also always considered as a Super Owner, which means they can override allchecks of group administrative commands. Don't forget to add them to the osh-admin group too, or they won't really be considered as admins (additional security measure). Tule of thumb: only add here people that have root@localhost access to the bastion
|
||||
# DESC: The list of accounts that are Admins of the bastion. Admins can't be deleted or have their ingress keys reset by non-admins. They also gain access to special dangerous/sensitive --osh commands. Note that an admin is also always considered as a Super Owner, which means they can override allchecks of group administrative commands. Don't forget to add them to the osh-admin group too, or they won't really be considered as admins (additional security measure). Rule of thumb: only add here people that have root@localhost access to the bastion
|
||||
# DEFAULT: []
|
||||
"adminAccounts": [],
|
||||
#
|
||||
|
|
BIN
etc/selinux/the-bastion.pp
Normal file
BIN
etc/selinux/the-bastion.pp
Normal file
Binary file not shown.
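--- /dev/null
+++ b/etc/selinux/the-bastion.te
@@ -0,0 +1,15 @@
+module the-bastion 1.0;
+
+require {
+type var_t;
+type sshd_t;
+type user_home_t;
+type user_home_dir_t;
+class file { create getattr rename setattr unlink open read write };
+}
+
+# needed for user TOTP (~/.totp and ~/.totp~XXXXXX temporary file)
+allow sshd_t user_home_dir_t:file { create getattr rename setattr unlink open read write };
+allow sshd_t user_home_t:file unlink;
+# needed for root TOTP (/var/otp/root and /var/otp/root~XXXXXX temporary file)
+allow sshd_t var_t:file { create getattr rename setattr unlink open read write };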
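Review bot: The last rule, `allow sshd_t var_t:file { create getattr rename setattr unlink open read write };`, grants sshd_t create/write/unlink on every file labelled with the generic var_t type, not only the /var/otp files named in the comment, and the user_home_dir_t rule likewise allows file creation and deletion in every home directory rather than only ~/.totp. A tighter policy would declare a dedicated type for the OTP directory in this module (constructed name, e.g. `bastion_otp_t`), ship a matching file-context entry so /var/otp is labelled with it, and scope the allow rule to that type; the same applies to the home-directory rule if the TOTP file location is fixed. If the broad rules are deliberate because the labels are fixed by the distribution's sshd policy, a comment stating that trade-off (e.g. `# var_t is used because /var/otp carries the default label; narrow once a dedicated fcontext is shipped`) would help the next reviewer. Since the compiled etc/selinux/the-bastion.pp is committed alongside and cannot be diffed, documenting the build command used to produce it from this .te (checkmodule/semodule_package) would let reviewers confirm the binary matches the source.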