Stéphane Lesimple
a6a25fd53b
feat: add type8 and type9 password hashes
...
This requires the-bastion-mkhash-helper v1.1.0+
2023-09-19 17:12:48 +02:00
Stéphane Lesimple
5dc50b3e57
feat: add stealth_stderr/stdout ttyrec support, enable it for scp (#413)
2023-09-19 15:27:00 +02:00
Philipp Walter
e616f24d89
enh: setup-gpg.sh: create additional backup signing config with --generate
2023-08-22 14:32:30 +02:00
Stéphane Lesimple
902508f7d1
fix: update undocumented rename-group.sh script
2023-05-31 17:34:34 +02:00
Stéphane Lesimple
c6a6f806d2
feat: add uid/gid collisions checking script & amend doc
2023-04-17 17:53:14 +02:00
Stéphane Lesimple
708efd90ca
chore: add RockyLinux 9 support
2023-04-07 10:44:05 +02:00
Stéphane Lesimple
6f13149093
chore: bump OpenSUSE Leap tests from 15.3 to 15.4
2023-04-07 10:44:05 +02:00
Stéphane Lesimple
49dc104dd7
chore: push sandbox and tester images from Deb10 to Deb11
...
Also remove old config files from previously dropped OS versions
2023-04-07 10:44:05 +02:00
Stéphane Lesimple
76f25f287e
enh: setup-encryption.sh: don't require install to be called before us
2023-03-03 10:32:10 +01:00
Stéphane Lesimple
ebebed7be0
fix: remove spurious set +e/-e after commit bdea34c
2022-07-29 11:34:56 +02:00
Stéphane Lesimple
72cefa6417
fix: performance issues introduced by effab4a
...
Commit that introduced the performance degradation is effab4a
(fix: workaround for undocumented caching in getpw/getgr funcs)
Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level,
which restores performance pre-effab4a and even enhances it in some cases,
for example on a 2000-accounts and 2000-groups bastion, we are:
- 11% faster on --osh help
- 35% faster on --osh selfListAccesses (reduces syscalls by 87%)
2022-07-12 10:07:16 +02:00
Stéphane Lesimple
bdea34ccad
enh: install: better error detection
2022-07-11 12:06:42 +02:00
Stéphane Lesimple
73b6a625f5
feat: add support and tests for Ubuntu 22.04 LTS
2022-07-04 11:06:34 +02:00
Stéphane Lesimple
46a01a546a
feat: groupModify: add --idle-lock-timeout and --idle-kill-timeout for group-specific timeouts
2022-07-01 15:33:44 +02:00
Stéphane Lesimple
e040afb074
chore: new perltidy rules
2022-07-01 10:21:19 +02:00
Stéphane Lesimple
884b4bbaf0
fix: install: ensure that the healthcheck user can always connect from 127.0.0.1
...
Regardless of the bastion config about the ingressKeysFrom configuration
2022-06-29 11:33:41 +02:00
Stéphane Lesimple
bbdf5a36b8
feat: add NRPE probes
2022-02-09 14:31:33 +01:00
Stéphane Lesimple
a178aa7906
enh: cron scripts: factorize common code and standardize logging
2022-02-09 14:31:33 +01:00
Stéphane Lesimple
86c7bf39e6
remove compress-old-logs script, as osh-encrypt-rsync will do the job instead
2022-02-09 14:31:33 +01:00
Stéphane Lesimple
e5cfa26853
fix: install: avoid cases of sigpipe on tr
2022-02-01 10:53:01 +01:00
Stéphane Lesimple
7bb0843de1
feat: add osh-remove-empty-folders.sh
2022-01-19 11:23:44 +01:00
Stéphane Lesimple
7f28cce490
chore: install: remove obsolete upgrading sections
...
These portions of code were only useful to upgrade bastions from
versions older than v3.00.00, which was the first public release.
There has been no remaining pre-v3.x version in production internally
since some time now, so there is no use keeping that code.
2021-12-29 13:19:53 +01:00
Stéphane Lesimple
37842c29d3
chore: packages-check.sh: remove obsolete -t and -v options
2021-12-29 13:19:53 +01:00
Stéphane Lesimple
da5cb3c232
chore: packages-check.sh: implement installed pkg detection in rhel/suse, use proper pkg names
2021-12-29 13:19:53 +01:00
Stéphane Lesimple
6694518ab5
chore: remove obsolete check-ssh-hardening.pl
2021-12-29 13:19:53 +01:00
Stéphane Lesimple
000ed4e8af
feat: move scripts to GnuPG 2.x and add tests
2021-12-29 11:20:43 +01:00
Stéphane Lesimple
e847a19857
enh: ttyrec & yubico installs: hardcode URLs for when API is down
2021-12-22 18:00:21 +01:00
Stéphane Lesimple
a68ccb3f8c
feat: add new OSes and deprecate old ones
...
add:
- Debian 11
- RockyLinux 8
remove:
- OpenSUSE Leap 15.2
- Old minor versions of CentOS 7.x
- Old minor versions of CentOS 8.x
2021-12-21 12:00:04 +01:00
Stéphane Lesimple
d51c4c8be0
fix: tests: full tests on FreeBSD
2021-12-20 12:54:32 +01:00
Christophe Crochet
d85298f229
new account option: --pubkey-auth-optional, to allow ingress login with or without pubkey when pam is required
2021-10-15 11:22:00 +02:00
madx
ea8ed97a34
new account option: mfa-any, to allow ingress login with pubkey alone or pam alone instead of requiring both
2021-10-15 11:22:00 +02:00
Stéphane Lesimple
0dc448943a
doc: add osh-sync-watcher.sh config reference
2021-09-02 10:06:47 +02:00
Stéphane Lesimple
9b2aa996b3
enh: better use of account creation metadata
...
Store account creation information in a JSON.
Display this information in `accountInfo` for auditors.
2021-07-23 09:50:18 +02:00
Stéphane Lesimple
6b4418e864
chore: fixrights: ensure tests/functional/proxy/remote-daemon is +x
2021-07-16 11:05:04 +02:00
Stéphane Lesimple
2f1e3fbfa8
support: del deb8/ubuntu1404/opensuse150/opensuse151, add opensuse153
...
Remove support for EOL OSes:
- Debian 8
- Ubuntu 14.04
- OpenSUSE 15.0
- OpenSUSE 15.1
Add support for:
- OpenSUSE 15.3
2021-06-25 16:02:38 +02:00
Stéphane Lesimple
8d2aaf8d8f
fix: setup-first-admin-account.sh: support to add several admins
...
Fixes #202
2021-06-21 14:36:08 +02:00
Stéphane Lesimple
b364706f37
feat: httpproxy: add functional tests
2021-06-03 16:16:29 +02:00
Stéphane Lesimple
d6291f3ad4
feat: httpproxy: add and use execute_simple() for more performance
...
Also handle errors better in hand_http_request()
2021-06-03 16:16:29 +02:00
Stéphane Lesimple
60ad30ce5b
fix: install: adjust a sed to be FreeBSD 13 compliant
2021-05-21 14:13:22 +02:00
Stéphane Lesimple
f4c59ca96b
enh: setup-gpg.sh: clarify the use of ^D with --import
...
Closes #179
2021-05-19 18:56:32 +02:00
Stéphane Lesimple
e865964dd2
enh: setup-encryption.sh: check that luks-config.sh exists
...
As seen in #181
2021-05-19 18:56:17 +02:00
Jérémy Lecour
3e0202d914
Fix typo in unlock-home.sh
...
Typo : Mouting → Mounting
2021-05-19 15:30:32 +02:00
Stéphane Lesimple
90d6dc2e3c
fix: superowners need to have +x on group homes
2021-04-09 09:46:14 +02:00
Stéphane Lesimple
003052530e
feat: preparatory work to support Debian 11 "Bullseye"
...
We still need to replace pam_tally2 by pam_faillock
Debian 11 is NOT yet supported, and won't be before it's released as stable.
2021-03-24 17:41:29 +01:00
Stéphane Lesimple
3b4ea53cce
fix: fixrights.sh: 'chmod --' not supported under FreeBSD
2021-03-24 10:47:11 +01:00
Stéphane Lesimple
1b04b800b8
fix: packages-check.sh: centos: ensure cache is up to date before trying to install packages
2021-03-24 10:47:11 +01:00
Stéphane Lesimple
5920b09aed
chore: mkdir -p doesn't fail if dir already exists
2021-03-24 10:47:11 +01:00
Stéphane Lesimple
7dabfc7135
fix: install-yubico-piv-checker: ppc64le installation was broken
2021-03-17 15:14:13 +01:00
Stéphane Lesimple
b444dc027f
chore: tests: support multiple unit-tests
2021-03-01 09:30:43 +01:00
Stéphane Lesimple
70feff2c2d
enh: install: use in-place overwrite for sudoers files
...
This fixes a race condition in sudo where it would log a lot of
error messages to syslog if used while we're running the install
script: files around sudoers.d/ are then moved around, and it'll
yell for each file it previously listed if the file no longer
exists when it tries to stat() it. It also deprecates the --no-wait
flag of the install script, as now the sudoers.d/ directory will
always have integrity at all times.
Signed-off-by: Stéphane Lesimple <stephane.lesimple+bastion@ovhcloud.com>
2021-02-14 22:25:50 +01:00