Compare commits

..

27 Commits

Author SHA1 Message Date
pedro b255dddff7 Makefile: easy way to regenerate pxe setup 2024-11-12 01:21:11 +01:00
pedro fb7e768229 pxe: dnsmasq restart, do not cause big error 2024-11-12 01:20:54 +01:00
pedro 768851090a settings.ini.example: legacy, use capital boolean 2024-11-12 01:16:25 +01:00
pedro 4cb3e34b6b legacy: use public_url, url is not very useful
also refactor vars so it is easier to read
2024-11-12 01:15:34 +01:00
pedro b4d86fcc12 pxe: restart dnsmasq after applying config
useful on first init of service
2024-11-11 14:50:33 +01:00
pedro a857db5de1 pxe: improve init bugfix 2024-11-11 14:05:22 +01:00
pedro 192861b47e pxe: improve first init 2024-11-11 14:04:17 +01:00
pedro f7c3e138f1 pxe: add the missing env 2024-11-11 13:58:37 +01:00
pedro 13f38dacb8 deploy-workbench: add qrencode deb dependency 2024-11-11 13:17:37 +01:00
pedro cf81579819 workbench-script: in legacy, lshw is a json object 2024-11-11 02:30:30 +01:00
pedro 2d0048433b workbench-script.py: server error is provided 2024-11-11 02:24:06 +01:00
pedro 3fb1cd19dc settings.ini.example: better localhost by default
then avoid sending data by default to the internet, that's weird
2024-11-09 19:42:44 +01:00
pedro d9e85dca36 settings.ini.example: better example/ref 2024-11-09 19:41:26 +01:00
pedro 12209c84fa workbench-script: bugfix when url is used 2024-11-08 20:14:08 +01:00
pedro 55eec35d58 relevant improvement in locales
- locales fixed
- keyboard works
- better prepared for other LANGs
2024-11-08 20:13:37 +01:00
pedro 5889e81f04 Merge pull request 'issue 100 new url in qr for evidence instead of device' (#5) from issue_100 into main
Reviewed-on: #5
2024-11-08 17:28:15 +00:00
pedro c1867d1ce3 add es translations to new logs 2024-11-08 18:27:44 +01:00
pedro 8ac0da99fe wb.py: improved error msgs when sending to URL 2024-11-08 18:27:44 +01:00
Cayo Puigdefabregas 71e06b13a4 fix process for show qr 2024-11-08 18:27:44 +01:00
Cayo Puigdefabregas 82f93a9446 fix legacy case 2024-11-08 18:27:44 +01:00
Cayo Puigdefabregas b1136e3dd8 issue 100 new url in qr for evidence instead of device 2024-11-08 18:27:44 +01:00
pedro af780b1247 Makefile: even easier generate translations 2024-11-08 18:27:24 +01:00
pedro da7b78eae3 pxe: .env generated once from example file 2024-11-08 18:20:47 +01:00
pedro e8b1d62290 change strategy on example files (added -v to cps)
- if it does not exist, copy once from example
- added -v flag to cps that did not have it
2024-11-06 19:31:44 +01:00
pedro 3e5e151bef make nfs mount verbose
related to #4
2024-11-05 04:49:09 +01:00
Cayo Puigdefabregas 81a3c5240b fix workbench-script name 2024-10-24 09:07:59 +02:00
pedro 09b7f085ef deploy-workbench: note on debug line 2024-10-18 10:48:02 +02:00
8 changed files with 297 additions and 209 deletions

View File

@ -44,20 +44,14 @@ boot_iso_uefi_secureboot:
-drive file=deploy/iso/workbench_debug.iso,cache=none,if=virtio,format=raw,index=0,media=disk \ -drive file=deploy/iso/workbench_debug.iso,cache=none,if=virtio,format=raw,index=0,media=disk \
-boot menu=on -boot menu=on
test_usody_sanitize: # when you change something, you need to refresh it this way
# TODO adapt settings accordingly for this test regenerate_pxe_install:
# ERASE=y ./deploy-workbench.sh ./deploy-workbench.sh
# create 3 disks for testing pxe/install-pxe.sh
qemu-img create -f raw test_sanitize_disk1.img 1G
qemu-img create -f raw test_sanitize_disk2.img 1G
qemu-img create -f raw test_sanitize_disk3.img 1G
sudo qemu-system-x86_64 \
-enable-kvm -m 2G -vga qxl -netdev user,id=wan -device virtio-net,netdev=wan,id=nic1 \
-drive format=raw,file=iso/workbench_debug.iso,cache=none,if=virtio \
-drive format=raw,file=test_sanitize_disk1.img,cache=none,if=virtio \
-drive format=raw,file=test_sanitize_disk2.img,cache=none,if=virtio \
-drive format=raw,file=test_sanitize_disk3.img,cache=none,if=virtio
es_gen:
$(MAKE) es_gen_po
$(MAKE) es_gen_mo
es_gen_po: es_gen_po:
cp locale/es/LC_MESSAGES/messages.po locale/es/LC_MESSAGES/messages.pot.bak cp locale/es/LC_MESSAGES/messages.po locale/es/LC_MESSAGES/messages.pot.bak

View File

@ -199,12 +199,12 @@ create_persistence_partition() {
mkdir -p "${tmp_rw_mount}" mkdir -p "${tmp_rw_mount}"
${SUDO} mount "$(pwd)/${rw_img_path}" "${tmp_rw_mount}" ${SUDO} mount "$(pwd)/${rw_img_path}" "${tmp_rw_mount}"
${SUDO} mkdir -p "${tmp_rw_mount}" ${SUDO} mkdir -p "${tmp_rw_mount}"
if [ -f "settings.ini" ]; then if [ ! -f "settings.ini" ]; then
${SUDO} cp -v settings.ini "${tmp_rw_mount}/settings.ini" ${SUDO} cp -v settings.ini.example settings.ini
else echo "WARNING: settings.ini was not there, settings.ini.example was copied, this only happens once"
echo "ERROR: settings.ini does not exist yet, cannot read config from there. You can take inspiration with file settings.ini.example"
exit 1
fi fi
${SUDO} cp -v settings.ini "${tmp_rw_mount}/settings.ini"
${SUDO} umount "${tmp_rw_mount}" ${SUDO} umount "${tmp_rw_mount}"
uuid="$(blkid "${rw_img_path}" | awk '{ print $3; }')" uuid="$(blkid "${rw_img_path}" | awk '{ print $3; }')"
@ -253,6 +253,27 @@ END2
END END
)" )"
# thanks https://wiki.debian.org/Keyboard
chroot_kbd_conf_str="$(cat<<END
chroot_kbd_conf() {
###################
# configure keyboard
cat > /etc/default/keyboard <<END2
# KEYBOARD CONFIGURATION FILE
# generated by deploy-workbench.sh
# Consult the keyboard(5) manual page.
XKBMODEL="pc105"
XKBLAYOUT="\${CUSTOM_LANG}"
BACKSPACE="guess"
END2
}
END
)"
prepare_app() { prepare_app() {
# prepare app during prepare_chroot_env # prepare app during prepare_chroot_env
workbench_dir="${ISO_PATH}/chroot/opt/workbench" workbench_dir="${ISO_PATH}/chroot/opt/workbench"
@ -264,8 +285,6 @@ prepare_app() {
# startup script execution # startup script execution
cat > "${ISO_PATH}/chroot/root/.profile" <<END cat > "${ISO_PATH}/chroot/root/.profile" <<END
# pipx path for usody-sanitize
PATH="${PATH}:/root/.local/bin"
if [ -f /tmp/workbench_lock ]; then if [ -f /tmp/workbench_lock ]; then
return 0 return 0
else else
@ -282,13 +301,15 @@ if [ "\${nfs_host}" ]; then
mount --bind /run/live/medium /mnt mount --bind /run/live/medium /mnt
# debian live nfs path is readonly, do a trick # debian live nfs path is readonly, do a trick
# to make snapshots subdir readwrite # to make snapshots subdir readwrite
mount \${nfs_host}:/snapshots /run/live/medium/snapshots mount -v \${nfs_host}:/snapshots /run/live/medium/snapshots
# reload mounts on systemd # reload mounts on systemd
systemctl daemon-reload systemctl daemon-reload
fi fi
# clearly specify the right working directory, used in the python script as os.getcwd() # clearly specify the right working directory, used in the python script as os.getcwd()
cd /mnt cd /mnt
pipenv run python /opt/workbench/workbench-script.py --config /mnt/settings.ini #pipenv run python /opt/workbench/workbench-script.py --config /mnt/settings.ini
# works meanwhile this project is vanilla python
python /opt/workbench/workbench-script.py --config /mnt/settings.ini
stty echo stty echo
set +x set +x
@ -304,18 +325,16 @@ echo 'Install requirements'
# Install debian requirements # Install debian requirements
apt-get install -y --no-install-recommends \ apt-get install -y --no-install-recommends \
sudo locales \ sudo locales keyboard-configuration console-setup qrencode \
python-is-python3 python3 python3-dev python3-pip pipenv \ python-is-python3 python3 python3-dev python3-pip pipenv \
dmidecode smartmontools hwinfo pciutils lshw nfs-common pipx < /dev/null dmidecode smartmontools hwinfo pciutils lshw nfs-common < /dev/null
pipx install usody-sanitize
# Install lshw B02.19 utility using backports (DEPRECATED in Debian 12) # Install lshw B02.19 utility using backports (DEPRECATED in Debian 12)
#apt install -y -t ${VERSION_CODENAME}-backports lshw < /dev/null #apt install -y -t ${VERSION_CODENAME}-backports lshw < /dev/null
echo 'Install usody-sanitize requirements' echo 'Install sanitize requirements'
# Install usody-sanitize debian requirements # Install sanitize debian requirements
apt-get install -y --no-install-recommends \ apt-get install -y --no-install-recommends \
hdparm nvme-cli < /dev/null hdparm nvme-cli < /dev/null
@ -364,8 +383,15 @@ ${install_app_str}
# thanks src https://serverfault.com/questions/362903/how-do-you-set-a-locale-non-interactively-on-debian-ubuntu # thanks src https://serverfault.com/questions/362903/how-do-you-set-a-locale-non-interactively-on-debian-ubuntu
export LANG=${LANG} export LANG=${LANG}
export LC_ALL=${LANG} export LC_ALL=${LANG}
echo "${MYLOCALE}" > /etc/locale.gen
# Generate the locale
locale-gen
# feeds /etc/default/locale for the shell env var
update-locale LANG=${LANG} LC_ALL=${LANG}
# this is a high level command that does locale-gen and update-locale altogether # this is a high level command that does locale-gen and update-locale altogether
dpkg-reconfigure --frontend=noninteractive locales # but it is too interactive
#dpkg-reconfigure --frontend=noninteractive locales
# DEBUG
locale -a locale -a
# Autologin root user # Autologin root user
@ -390,6 +416,9 @@ apt-get install -y --no-install-recommends \
< /dev/null < /dev/null
${chroot_netdns_conf_str} ${chroot_netdns_conf_str}
CUSTOM_LANG=${CUSTOM_LANG}
${chroot_kbd_conf_str}
chroot_kbd_conf
# Set up root user # Set up root user
# this is the root password # this is the root password
@ -409,7 +438,19 @@ CHROOT
} }
prepare_chroot_env() { prepare_chroot_env() {
LANG="${CUSTOM_LANG:-es_ES.UTF-8}" CUSTOM_LANG="${CUSTOM_LANG:-es}"
case "${CUSTOM_LANG}" in
es)
export LANG="es_ES.UTF-8"
export MYLOCALE="${LANG} UTF-8"
;;
en)
export LANG="en_US.UTF-8"
;;
*)
echo "ERROR: CUSTOM_LANG not supported. Available: es"
exit 1
esac
# version of debian the bootstrap is going to build # version of debian the bootstrap is going to build
# if no VERSION_CODENAME is specified we assume that the bootstrap is going to # if no VERSION_CODENAME is specified we assume that the bootstrap is going to
# be build with the same version of debian being executed because some files # be build with the same version of debian being executed because some files
@ -433,6 +474,7 @@ prepare_chroot_env() {
prepare_app prepare_app
} }
# thanks https://willhaley.com/blog/custom-debian-live-environment/ # thanks https://willhaley.com/blog/custom-debian-live-environment/
install_requirements() { install_requirements() {
# Install requirements # Install requirements

View File

@ -1,112 +0,0 @@
## borrado minimalista
Un enfoque inicial que teníamos para el borrado de disco son las siguientes funciones, esto lo hemos descartado para usar una herramienta más avanzada en el borrado [usody-sanitize](https://github.com/usody/sanitize/)
```python
## Xavier Functions ##
def erase_basic(disk):
"""
Basic Erasure
https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=917935
Settings for basic data erasure using shred Linux command.
A software-based fast non-100%-secured way of erasing data storage.
Performs 1 pass overwriting one round using all zeros.
Compliant with NIST SP-800-8y8.
In settings appear:
WB_ERASE = EraseBasic
WB_ERASE_STEPS = 1
WB_ERASE_LEADING_ZEROS = False
"""
cmd = f'shred -vn 1 /dev/{disk}'
return [exec_cmd_erase(cmd)]
def erase_baseline(disk):
"""
Baseline Secure Erasure
Settings for advanced data erasure using badblocks Linux software.
A secured-way of erasing data storages, erase hidden areas,
checking the erase sector by sector.
Performs 1 pass overwriting each sector with zeros and a final verification.
Compliant with HMG Infosec Standard 5 Baseline.
In settings appear:
WB_ERASE = EraseSectors
WB_ERASE_STEPS = 1
WB_ERASE_LEADING_ZEROS = True
WB_ERASE_1_METHOD = EraseBasic
WB_ERASE_1_STEP_TYPE = 0
WB_ERASE_2_METHOD = EraseSectors
WB_ERASE_2_STEP_TYPE = 1
"""
result = []
cmd = f'shred -zvn 0 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
cmd = f'badblocks -st random -w /dev/{disk}'
result.append(exec_cmd_erase(cmd))
return result
def erase_enhanced(disk):
"""
Enhanced Secure Erasure
Settings for advanced data erasure using badblocks Linux software.
A secured-way of erasing data storages, erase hidden areas,
checking the erase sector by sector.
Performs 3 passes overwriting every sector with zeros and ones,
and final verification. Compliant with HMG Infosec Standard 5 Enhanced.
In settings appear:
WB_ERASE = EraseSectors
WB_ERASE_LEADING_ZEROS = True
WB_ERASE_1_METHOD = EraseBasic
WB_ERASE_1_STEP_TYPE = 1
WB_ERASE_2_METHOD = EraseBasic
WB_ERASE_2_STEP_TYPE = 0
WB_ERASE_3_METHOD = EraseSectors
WB_ERASE_3_STEP_TYPE = 1
"""
result = []
cmd = f'shred -vn 1 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
cmd = f'shred -zvn 0 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
## creo que realmente seria asi (3 pases y una extra poniendo a ceros):
# shred -zvn 3 /def/{disk}
# tampoco estoy seguro que el badblocks haga un proceso de verificacion.
cmd = f'badblocks -st random -w /dev/{disk}'
result.append(exec_cmd_erase(cmd))
return result
## End Xavier Functions ##
## Erase Functions ##
def ata_secure_erase_null(disk):
cmd_baseline = f'hdparm --user-master u --security-erase NULL /dev/{disk}'
return [exec_cmd_erase(cmd_baseline)]
def ata_secure_erase_enhanced(disk):
cmd_enhanced = f'hdparm --user-master u --security-erase-enhanced /dev/{disk}'
return [exec_cmd_erase(cmd_enhanced)]
def nvme_secure_erase(disk):
cmd_encrypted = f'nvme format /dev/{disk} --ses=1'
return [exec_cmd_erase(cmd_encrypted)]
## End Erase Functions ##
```

Binary file not shown.

View File

@ -8,7 +8,7 @@ msgid ""
msgstr "" msgstr ""
"Project-Id-Version: PACKAGE VERSION\n" "Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-10-15 21:15+0200\n" "POT-Creation-Date: 2024-11-08 18:25+0100\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n" "Language-Team: LANGUAGE <LL@li.org>\n"
@ -17,19 +17,19 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n" "Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n" "Content-Transfer-Encoding: 8bit\n"
#: workbench-script.py:48 workbench-script.py:53 #: workbench-script.py:49 workbench-script.py:54
msgid "Running command `%s`" msgid "Running command `%s`"
msgstr "Ejecutando comando `%s`" msgstr "Ejecutando comando `%s`"
#: workbench-script.py:284 #: workbench-script.py:279
msgid "Created snapshots directory at '%s'" msgid "Created snapshots directory at '%s'"
msgstr "Creado directorio de snapshots en '%s'" msgstr "Creado directorio de snapshots en '%s'"
#: workbench-script.py:287 #: workbench-script.py:282
msgid "Snapshot written in path '%s'" msgid "Snapshot written in path '%s'"
msgstr "Snapshot escrito en ruta '%s'" msgstr "Snapshot escrito en ruta '%s'"
#: workbench-script.py:290 #: workbench-script.py:285
msgid "" msgid ""
"Attempting to save file in actual path. Reason: Failed to write in snapshots " "Attempting to save file in actual path. Reason: Failed to write in snapshots "
"directory:\n" "directory:\n"
@ -39,11 +39,11 @@ msgstr ""
"escribir en el directorio de snapshots:\n" "escribir en el directorio de snapshots:\n"
" %s." " %s."
#: workbench-script.py:297 #: workbench-script.py:292
msgid "Snapshot written in fallback path '%s'" msgid "Snapshot written in fallback path '%s'"
msgstr "Snapshot escrito en ruta alternativa '%s'" msgstr "Snapshot escrito en ruta alternativa '%s'"
#: workbench-script.py:299 #: workbench-script.py:294
msgid "" msgid ""
"Could not save snapshot locally. Reason: Failed to write in fallback path:\n" "Could not save snapshot locally. Reason: Failed to write in fallback path:\n"
" %s" " %s"
@ -52,49 +52,53 @@ msgstr ""
"alternativa:\n" "alternativa:\n"
" %s" " %s"
#: workbench-script.py:316 #: workbench-script.py:317
msgid "Snapshot successfully sent to '%s'" msgid "Snapshot successfully sent to '%s'"
msgstr "Snapshot enviado con éxito a '%s'" msgstr "Snapshot enviado con éxito a '%s'"
#: workbench-script.py:331 #: workbench-script.py:335
msgid "Snapshot %s could not be sent to URL '%s'"
msgstr "Snapshot %s no se pudo enviar a la URL '%s'"
#: workbench-script.py:338
msgid "" msgid ""
"Snapshot not remotely sent to URL '%s'. Do you have internet? Is your server " "Snapshot %s not remotely sent to URL '%s'. Do you have internet? Is your "
"up & running? Is the url token authorized?\n" "server up & running? Is the url token authorized?\n"
" %s" " %s"
msgstr "" msgstr ""
"Snapshot no enviado remotamente a la URL '%s'. Tienes internet? Está el " "Snapshot %s no enviado remotamente a la URL '%s'. Tienes internet? Está el "
"servidor en marcha? Está autorizado el url token?\n" "servidor en marcha? Está autorizado el url token?\n"
" %s" " %s"
#: workbench-script.py:342 #: workbench-script.py:350
msgid "Found config file in path: %s." msgid "Found config file in path: %s."
msgstr "Encontrado fichero de configuración en ruta: %s." msgstr "Encontrado fichero de configuración en ruta: %s."
#: workbench-script.py:353 #: workbench-script.py:361
msgid "Config file '%s' not found. Using default values." msgid "Config file '%s' not found. Using default values."
msgstr "" msgstr ""
"Fichero de configuración '%s' no encontrado. Utilizando valores por defecto." "Fichero de configuración '%s' no encontrado. Utilizando valores por defecto."
#: workbench-script.py:373 #: workbench-script.py:379
msgid "workbench-script.py [-h] [--config CONFIG]" msgid "workbench-script.py [-h] [--config CONFIG]"
msgstr "" msgstr ""
#: workbench-script.py:374 #: workbench-script.py:380
msgid "Optional config loader for workbench." msgid "Optional config loader for workbench."
msgstr "Cargador opcional de configuración para workbench" msgstr "Cargador opcional de configuración para workbench"
#: workbench-script.py:377 #: workbench-script.py:383
msgid "" msgid ""
"path to the config file. Defaults to 'settings.ini' in the current directory." "path to the config file. Defaults to 'settings.ini' in the current directory."
msgstr "" msgstr ""
"ruta al fichero de configuración. Por defecto es 'settings.ini' en el " "ruta al fichero de configuración. Por defecto es 'settings.ini' en el "
"directorio actual" "directorio actual"
#: workbench-script.py:410 #: workbench-script.py:416
msgid "START" msgid "START"
msgstr "INICIO" msgstr "INICIO"
#: workbench-script.py:423 #: workbench-script.py:430
msgid "" msgid ""
"This script must be run as root. Collected data will be incomplete or " "This script must be run as root. Collected data will be incomplete or "
"unusable" "unusable"
@ -102,6 +106,6 @@ msgstr ""
"Es conveniente que este script sea ejecutado como administrador (root). Los " "Es conveniente que este script sea ejecutado como administrador (root). Los "
"datos recopilados serán incompletos o no usables." "datos recopilados serán incompletos o no usables."
#: workbench-script.py:441 #: workbench-script.py:448
msgid "END" msgid "END"
msgstr "FIN" msgstr "FIN"

View File

@ -37,7 +37,7 @@ backup_file() {
if [ -f "${target}" ]; then if [ -f "${target}" ]; then
if ! grep -q 'we should do a backup' "${target}"; then if ! grep -q 'we should do a backup' "${target}"; then
${SUDO} cp -a "${target}" "${target}-bak_${ts}" ${SUDO} cp -v -a "${target}" "${target}-bak_${ts}"
fi fi
fi fi
} }
@ -69,14 +69,14 @@ END
# reload nfs exports # reload nfs exports
${SUDO} exportfs -vra ${SUDO} exportfs -vra
if [ ! -f ./settings.ini ]; then
cp -v ./settings.ini.example ./settings.ini
echo "WARNING: settings.ini was not there, settings.ini.example was copied, this only happens once"
fi
if [ ! -f "${nfs_path}/settings.ini" ]; then if [ ! -f "${nfs_path}/settings.ini" ]; then
if [ -f "settings.ini" ]; then ${SUDO} cp -v settings.ini "${nfs_path}/settings.ini"
${SUDO} cp settings.ini "${nfs_path}/settings.ini" echo "WARNING: ${nfs_path}/settings.ini was not there, ./settings.ini was copied, this only happens once"
else
echo "ERROR: $(pwd)/settings.ini does not exist yet, cannot read config from there. You can take inspiration with file $(pwd)/settings.ini.example"
exit 1
fi
fi fi
} }
@ -93,6 +93,7 @@ pxe-service=x86PC,"Network Boot",pxelinux
enable-tftp enable-tftp
tftp-root=${tftp_path} tftp-root=${tftp_path}
END END
sudo systemctl restart dnsmasq || true
} }
install_netboot() { install_netboot() {
@ -110,8 +111,12 @@ install_netboot() {
${SUDO} cp -fv "${PXE_DIR}/../iso/staging/live/vmlinuz" "${tftp_path}/" ${SUDO} cp -fv "${PXE_DIR}/../iso/staging/live/vmlinuz" "${tftp_path}/"
${SUDO} cp -fv "${PXE_DIR}/../iso/staging/live/initrd" "${tftp_path}/" ${SUDO} cp -fv "${PXE_DIR}/../iso/staging/live/initrd" "${tftp_path}/"
${SUDO} cp /usr/lib/syslinux/memdisk "${tftp_path}/" ${SUDO} cp -v /usr/lib/syslinux/memdisk "${tftp_path}/"
${SUDO} cp /usr/lib/syslinux/modules/bios/* "${tftp_path}/" ${SUDO} cp -v /usr/lib/syslinux/modules/bios/* "${tftp_path}/"
if [ ! -f ./pxe-menu.cfg ]; then
${SUDO} cp -v ./pxe-menu.cfg.example pxe-menu.cfg
echo "WARNING: pxe-menu.cfg was not there, pxe-menu.cfg.example was copied, this only happens once"
fi
envsubst < ./pxe-menu.cfg | ${SUDO} tee "${tftp_path}/pxelinux.cfg/default" envsubst < ./pxe-menu.cfg | ${SUDO} tee "${tftp_path}/pxelinux.cfg/default"
fi fi
@ -128,11 +133,11 @@ init_config() {
PXE_DIR="$(pwd)" PXE_DIR="$(pwd)"
if [ -f ./.env ]; then if [ ! -f ./.env ]; then
. ./.env cp -v ./.env.example ./.env
else echo "WARNING: .env was not there, .env.example was copied, this only happens once"
echo "PXE: WARNING: $(pwd)/.env does not exist yet, cannot read config from there. You can take inspiration with file $(pwd)/.env.example"
fi fi
. ./.env
VERSION_CODENAME="${VERSION_CODENAME:-bookworm}" VERSION_CODENAME="${VERSION_CODENAME:-bookworm}"
tftp_path="${tftp_path:-/srv/pxe-tftp}" tftp_path="${tftp_path:-/srv/pxe-tftp}"
# vars used in envsubst require to be exported: # vars used in envsubst require to be exported:

View File

@ -1,7 +1,10 @@
[settings] [settings]
url = http://localhost:8000/api/snapshot/ url = http://localhost:8000/api/v1/snapshot/
token = '1234' #url = https://demo.ereuse.org/api/v1/snapshot/
# sample token that works with default deployment such as the previous two urls
token = 5018dd65-9abd-4a62-8896-80f34ac66150
# path = /path/to/save # path = /path/to/save
# device = your_device_name # device = your_device_name
# # erase = basic # # erase = basic
# legacy = true # legacy = True

View File

@ -6,6 +6,7 @@ import uuid
import hashlib import hashlib
import argparse import argparse
import configparser import configparser
import urllib.parse
import urllib.request import urllib.request
import gettext import gettext
@ -16,6 +17,7 @@ from datetime import datetime
## Legacy Functions ## ## Legacy Functions ##
def convert_to_legacy_snapshot(snapshot): def convert_to_legacy_snapshot(snapshot):
snapshot["sid"] = str(uuid.uuid4()).split("-")[0] snapshot["sid"] = str(uuid.uuid4()).split("-")[0]
snapshot["software"] = "workbench-script" snapshot["software"] = "workbench-script"
@ -24,10 +26,10 @@ def convert_to_legacy_snapshot(snapshot):
snapshot["settings_version"] = "No Settings Version (NaN)" snapshot["settings_version"] = "No Settings Version (NaN)"
snapshot["timestamp"] = snapshot["timestamp"].replace(" ", "T") snapshot["timestamp"] = snapshot["timestamp"].replace(" ", "T")
snapshot["data"]["smart"] = snapshot["data"]["disks"] snapshot["data"]["smart"] = snapshot["data"]["disks"]
snapshot["data"]["lshw"] = json.loads(snapshot["data"]["lshw"])
snapshot["data"].pop("disks") snapshot["data"].pop("disks")
snapshot.pop("code")
snapshot.pop("erase") snapshot.pop("erase")
## End Legacy Functions ## ## End Legacy Functions ##
@ -54,11 +56,6 @@ def exec_cmd_erase(cmd):
return '' return ''
# return os.popen(cmd).read() # return os.popen(cmd).read()
def gen_code():
uid = str(uuid.uuid4()).encode('utf-8')
return hashlib.shake_256(uid).hexdigest(3)
## End Utility functions ## ## End Utility functions ##
@ -66,14 +63,119 @@ SNAPSHOT_BASE = {
'timestamp': str(datetime.now()), 'timestamp': str(datetime.now()),
'type': 'Snapshot', 'type': 'Snapshot',
'uuid': str(uuid.uuid4()), 'uuid': str(uuid.uuid4()),
'code': gen_code(),
'software': "workbench-script", 'software': "workbench-script",
'version': "0.0.1", 'version': "0.0.1",
'data': {}, 'data': {},
'erase': [] 'erase': []
} }
## Command Functions ## ## Command Functions ##
## Erase Functions ##
## Xavier Functions ##
def erase_basic(disk):
"""
Basic Erasure
https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=917935
Settings for basic data erasure using shred Linux command.
A software-based fast non-100%-secured way of erasing data storage.
Performs 1 pass overwriting one round using all zeros.
Compliant with NIST SP-800-8y8.
In settings appear:
WB_ERASE = EraseBasic
WB_ERASE_STEPS = 1
WB_ERASE_LEADING_ZEROS = False
"""
cmd = f'shred -vn 1 /dev/{disk}'
return [exec_cmd_erase(cmd)]
def erase_baseline(disk):
"""
Baseline Secure Erasure
Settings for advanced data erasure using badblocks Linux software.
A secured-way of erasing data storages, erase hidden areas,
checking the erase sector by sector.
Performs 1 pass overwriting each sector with zeros and a final verification.
Compliant with HMG Infosec Standard 5 Baseline.
In settings appear:
WB_ERASE = EraseSectors
WB_ERASE_STEPS = 1
WB_ERASE_LEADING_ZEROS = True
WB_ERASE_1_METHOD = EraseBasic
WB_ERASE_1_STEP_TYPE = 0
WB_ERASE_2_METHOD = EraseSectors
WB_ERASE_2_STEP_TYPE = 1
"""
result = []
cmd = f'shred -zvn 0 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
cmd = f'badblocks -st random -w /dev/{disk}'
result.append(exec_cmd_erase(cmd))
return result
def erase_enhanced(disk):
"""
Enhanced Secure Erasure
Settings for advanced data erasure using badblocks Linux software.
A secured-way of erasing data storages, erase hidden areas,
checking the erase sector by sector.
Performs 3 passes overwriting every sector with zeros and ones,
and final verification. Compliant with HMG Infosec Standard 5 Enhanced.
In settings appear:
WB_ERASE = EraseSectors
WB_ERASE_LEADING_ZEROS = True
WB_ERASE_1_METHOD = EraseBasic
WB_ERASE_1_STEP_TYPE = 1
WB_ERASE_2_METHOD = EraseBasic
WB_ERASE_2_STEP_TYPE = 0
WB_ERASE_3_METHOD = EraseSectors
WB_ERASE_3_STEP_TYPE = 1
"""
result = []
cmd = f'shred -vn 1 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
cmd = f'shred -zvn 0 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
## creo que realmente seria asi (3 pases y una extra poniendo a ceros):
# shred -zvn 3 /def/{disk}
# tampoco estoy seguro que el badblocks haga un proceso de verificacion.
cmd = f'badblocks -st random -w /dev/{disk}'
result.append(exec_cmd_erase(cmd))
return result
## End Xavier Functions ##
def ata_secure_erase_null(disk):
cmd_baseline = f'hdparm --user-master u --security-erase NULL /dev/{disk}'
return [exec_cmd_erase(cmd_baseline)]
def ata_secure_erase_enhanced(disk):
cmd_enhanced = f'hdparm --user-master u --security-erase-enhanced /dev/{disk}'
return [exec_cmd_erase(cmd_enhanced)]
def nvme_secure_erase(disk):
cmd_encrypted = f'nvme format /dev/{disk} --ses=1'
return [exec_cmd_erase(cmd_encrypted)]
## End Erase Functions ##
@logs @logs
def get_disks(): def get_disks():
@ -82,13 +184,39 @@ def get_disks():
) )
return disks.get('blockdevices', []) return disks.get('blockdevices', [])
@logs @logs
def gen_erase(type_erase, user_disk=None): def gen_erase(all_disks, type_erase, user_disk=None):
if user_disk: erase = []
return exec_cmd(f"sanitize -d {user_disk} -m {type_erase}") for disk in all_disks:
return exec_cmd(f"sanitize -a -m {type_erase}") if user_disk and disk['name'] not in user_disk:
# return exec_cmd(f"sanitize -a -m {type_erase} --confirm") continue
if disk['type'] != 'disk':
continue
if 'boot' in disk['mountpoints']:
continue
if not disk['rota']:
# if soport nvme erase
erase.append(nvme_secure_erase(disk['name']))
elif disk['tran'] in ['ata', 'sata']:
# if soport ata erase
if type_erase == 'basic':
erase.append(ata_secure_erase_null(disk['name']))
elif type_erase == 'baseline':
erase.append(ata_secure_erase_null(disk['name']))
elif type_erase == 'enhanced':
erase.append(ata_secure_erase_enhanced(disk['name']))
else:
# For old disks
if type_erase == 'basic':
erase.append(erase_basic(disk['name']))
elif type_erase == 'baseline':
erase.append(erase_baseline(disk['name']))
elif type_erase == 'enhanced':
erase.append(erase_enhanced(disk['name']))
return erase
@logs @logs
@ -168,7 +296,13 @@ def save_snapshot_in_disk(snapshot, path):
# TODO sanitize url, if url is like this, it fails # TODO sanitize url, if url is like this, it fails
# url = 'http://127.0.0.1:8000/api/snapshot/' # url = 'http://127.0.0.1:8000/api/snapshot/'
def send_snapshot_to_devicehub(snapshot, token, url): def send_snapshot_to_devicehub(snapshot, token, url, legacy):
url_components = urllib.parse.urlparse(url)
ev_path = "evidence/{}".format(snapshot["uuid"])
components = (url_components.scheme, url_components.netloc, ev_path, '', '', '')
ev_url = urllib.parse.urlunparse(components)
# apt install qrencode
headers = { headers = {
"Authorization": f"Bearer {token}", "Authorization": f"Bearer {token}",
"Content-Type": "application/json" "Content-Type": "application/json"
@ -182,21 +316,35 @@ def send_snapshot_to_devicehub(snapshot, token, url):
if 200 <= status_code < 300: if 200 <= status_code < 300:
logger.info(_("Snapshot successfully sent to '%s'"), url) logger.info(_("Snapshot successfully sent to '%s'"), url)
if legacy:
try: try:
response = json.loads(response_text) response = json.loads(response_text)
if response.get('url'): public_url = response.get('public_url')
# apt install qrencode dhid = response.get('dhid')
qr = "echo {} | qrencode -t ANSI".format(response['url']) if public_url:
# apt install qrencode
qr = "echo {} | qrencode -t ANSI".format(public_url)
print(exec_cmd(qr))
print("url: {}".format(public_url))
if dhid:
print("dhid: {}".format(dhid))
except Exception:
logger.error(response_text)
else:
qr = "echo {} | qrencode -t ANSI".format(ev_url)
print(exec_cmd(qr)) print(exec_cmd(qr))
print("url: {}".format(response['url'])) print(f"url: {ev_url}")
if response.get("dhid"): else:
print("dhid: {}".format(response['dhid'])) logger.error(_("Snapshot %s could not be sent to URL '%s'"), snapshot["uuid"], url)
except Exception: # TODO review all the try-except thing here; maybe the try inside legacy does not make sense anymore
logger.error(response_text) except urllib.error.HTTPError as e:
error_details = e.read().decode('utf-8') # Get the error response body
logger.error(_("Snapshot %s not remotely sent to URL '%s'. Server responded with error:\n %s"),
snapshot["uuid"], url, error_details)
except Exception as e: except Exception as e:
logger.error(_("Snapshot not remotely sent to URL '%s'. Do you have internet? Is your server up & running? Is the url token authorized?\n %s"), url, e) logger.error(_("Snapshot %s not remotely sent to URL '%s'. Do you have internet? Is your server up & running? Is the url token authorized?\n %s"), snapshot["uuid"], url, e)
def load_config(config_file="settings.ini"): def load_config(config_file="settings.ini"):
""" """
@ -282,6 +430,7 @@ def main():
config_file = args.config config_file = args.config
config = load_config(config_file) config = load_config(config_file)
legacy = config.get("legacy")
# TODO show warning if non root, means data is not complete # TODO show warning if non root, means data is not complete
# if annotate as potentially invalid snapshot (pending the new API to be done) # if annotate as potentially invalid snapshot (pending the new API to be done)
@ -291,15 +440,18 @@ def main():
all_disks = get_disks() all_disks = get_disks()
snapshot = gen_snapshot(all_disks) snapshot = gen_snapshot(all_disks)
if config.get("legacy"): if config['erase'] and config['device'] and not config.get("legacy"):
snapshot['erase'] = gen_erase(all_disks, config['erase'], user_disk=config['device'])
elif config['erase'] and not config.get("legacy"):
snapshot['erase'] = gen_erase(all_disks, config['erase'])
if legacy:
convert_to_legacy_snapshot(snapshot) convert_to_legacy_snapshot(snapshot)
else:
snapshot['erase'] = gen_erase(config['erase'], user_disk=config['device'])
save_snapshot_in_disk(snapshot, config['path']) save_snapshot_in_disk(snapshot, config['path'])
if config['url']: if config['url']:
send_snapshot_to_devicehub(snapshot, config['token'], config['url']) send_snapshot_to_devicehub(snapshot, config['token'], config['url'], legacy)
logger.info(_("END")) logger.info(_("END"))