Skip to content

Commit

Permalink
Merge pull request #43 from cedwards/master
Browse files Browse the repository at this point in the history 
Bastille Day Update
  • Loading branch information
@cedwards
cedwards authored Jul 15, 2019
2 parents 4dd6a91 + e857093 commit 5540b22
Show file tree
Hide file tree
Showing 8 changed files with 284 additions and 60 deletions.
69 changes: 58 additions & 11 deletions usr/local/bin/bastille
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#!/bin/sh
#
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
Expand Down Expand Up @@ -28,16 +28,53 @@
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

## root check first.
bastille_root_check() {
if [ $(id -u) -ne 0 ]; then
## so we can make it colorful
. /usr/local/share/bastille/colors.pre.sh

## permission denied
echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2
echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2
exit 1
fi
}

bastille_root_check

## we only load the config if root_check passes
. /usr/local/etc/bastille/bastille.conf
. /usr/local/share/bastille/colors.pre.sh


## bastille_prefix should be 0750
## this restricts file system access to privileged users
bastille_perms_check() {
if [ -d "${bastille_prefix}" ]; then
BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}")
if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then
echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2
echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2
echo
exit 1
fi
fi
}

bastille_perms_check


## we only load the config if root_check passes
. /usr/local/etc/bastille/bastille.conf

## version
BASTILLE_VERSION="0.4.20190623"
BASTILLE_VERSION="0.4.20190714"

usage() {
cat << EOF
Bastille is a jail automation framework that allows you to quickly and easily
create and manage FreeBSD jails.
Bastille is a jail automation framework that allows you to quickly create and
manage FreeBSD jails.
Usage:
bastille command [ALL|glob] [args]
Expand All @@ -54,13 +91,16 @@ Available Commands:
list List containers (running and stopped).
pkg Manipulate binary packages within targeted container(s). See pkg(8).
restart Restart a running container.
service Manage services within targeted jail(s).
start Start a stopped container.
stop Stop a running container.
sysrc Safely edit rc files within targeted container(s).
template Apply file templates to targeted jail(s).
top Display and update information about the top(1) cpu processes.
update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) zfs attributes on targeted jail(s).
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
Expand All @@ -87,20 +127,27 @@ esac

# Filter out all non-commands
case "${CMD}" in
bootstrap|cmd|console|cp|create|destroy|htop|list|pkg|restart|service)
cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
;;
start|stop|sysrc|template|top|update|upgrade|verify|zfs)
update|upgrade)
;;
service|console|bootstrap|htop|top)
;;
bootstrap|update|upgrade|zfs)
;;
*)
usage
;;
esac

SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
if [ -f "${SCRIPTPATH}" ]; then
: ${UMASK:=022}
umask ${UMASK}

: ${UMASK:=022}
umask ${UMASK}

: ${SH:=sh}
: ${SH:=sh}

exec ${SH} "${SCRIPTPATH}" "$@"
exec ${SH} "${SCRIPTPATH}" "$@"
else
echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
fi
112 changes: 108 additions & 4 deletions usr/local/share/bastille/bootstrap.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,98 @@ help|-h|--help)
;;
esac

bootstrap_network_interfaces() {

## test for both options empty
if [ -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
echo -e "${COLOR_RED}Please set preferred loopback or external interface.${COLOR_RESET}"
echo -e "${COLOR_RED}See bastille.conf.${COLOR_RESET}"
exit 1
fi

## test for required variables -- external
if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then

## test for existing interface
ifconfig ${bastille_jail_external} 2>&1 >/dev/null
if [ $? = 0 ]; then

## create ifconfig alias
ifconfig ${bastille_jail_external} inet ${bastille_jail_addr} alias && \
echo -e "${COLOR_GREEN}IP alias added to ${bastille_jail_external} successfully.${COLOR_RESET}"
echo

## attempt to ping gateway
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
if [ $? = 0 ]; then
echo
echo -e "${COLOR_GREEN}External networking appears functional.${COLOR_RESET}"
echo
else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
fi
fi
fi

## test for required variables -- loopback
if [ -z ${bastille_jail_external} ] && [ ! -z ${bastille_jail_loopback} ] && \
[ ! -z ${bastille_jail_addr} ]; then

echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
## test for existing interface
ifconfig ${bastille_jail_interface} >&2 >/dev/null

## if above return code is 1; create interface
if [ $? = 1 ]; then
sysrc ifconfig_${bastille_jail_loopback}_name | grep ${bastille_jail_interface} >&2 >/dev/null
if [ $? = 1 ]; then
echo
echo -e "${COLOR_GREEN}Defining secure loopback interface.${COLOR_RESET}"
sysrc cloned_interfaces+="${bastille_jail_loopback}" &&
sysrc ifconfig_${bastille_jail_loopback}_name="${bastille_jail_interface}"
sysrc ifconfig_${bastille_jail_interface}_aliases+="inet ${bastille_jail_addr}/32"

## create and name interface; assign address
echo
echo -e "${COLOR_GREEN}Creating secure loopback interface.${COLOR_RESET}"
ifconfig ${bastille_jail_loopback} create name ${bastille_jail_interface}
ifconfig ${bastille_jail_interface} up
ifconfig ${bastille_jail_interface} inet ${bastille_jail_addr}/32

## reload firewall
pfctl -f /etc/pf.conf

## look for nat rule for bastille_jail_addr
echo -e "${COLOR_GREEN}Detecting NAT from bastille0 interface...${COLOR_RESET}"
pfctl -s nat | grep nat | grep ${bastille_jail_addr}
if [ $? = 0 ]; then
## test connectivity; ping from bastille_jail_addr
echo
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
if [ $? = 0 ]; then
echo
echo -e "${COLOR_GREEN}Private networking appears functional.${COLOR_RESET}"
echo
else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
echo -e
fi
else
echo -e "${COLOR_RED}Unable to detect firewall 'nat' rule.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
fi
else
echo -e "${COLOR_RED}Interface ${bastille_jail_loopback} already configured; bailing out.${COLOR_RESET}"
fi
else
echo -e "${COLOR_RED}Interface ${bastille_jail_interface} already active; bailing out.${COLOR_RESET}"
fi
fi
}

bootstrap_directories() {
## ensure required directories are in place

Expand All @@ -54,6 +146,7 @@ bootstrap_directories() {
fi
else
mkdir -p "${bastille_prefix}"
chmod 0750 "${bastille_prefix}"
fi
fi

Expand All @@ -62,7 +155,7 @@ bootstrap_directories() {
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
mkdir -p ${bastille_cachedir}/${RELEASE}
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
fi
else
mkdir -p "${bastille_cachedir}/${RELEASE}"
Expand Down Expand Up @@ -107,7 +200,7 @@ bootstrap_directories() {
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
mkdir -p "${bastille_releasesdir}/${RELEASE}"
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
fi
else
mkdir -p "${bastille_releasesdir}/${RELEASE}"
Expand Down Expand Up @@ -187,14 +280,22 @@ bootstrap_template() {
done

# template overlay
if [ -s ${_template}/CONFIG ]; then
if [ -s ${_template}/OVERLAY ]; then
_hook_validate=$((_hook_validate+1))
echo -e "${COLOR_GREEN}Detected OVERLAY hook.${COLOR_RESET}"
while read _dir; do
echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
tree -a ${_template}/${_dir}
done < ${_template}/OVERLAY
echo
fi
if [ -s ${_template}/CONFIG ]; then
echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
while read _dir; do
echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
tree -a ${_template}/${_dir}
done < ${_template}/CONFIG
echo
fi

## remove bad templates
Expand Down Expand Up @@ -250,6 +351,9 @@ http?://github.com/*/*|http?://gitlab.com/*/*)
bootstrap_directories
bootstrap_template
;;
network)
bootstrap_network_interfaces
;;
*)
usage
;;
Expand Down
13 changes: 12 additions & 1 deletion usr/local/share/bastille/create.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,13 @@ create_jail() {
fi

if [ ! -f "${bastille_jail_conf}" ]; then
echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \
if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
local bastille_jail_conf_interface=${bastille_jail_external}
fi
if [ ! -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
local bastille_jail_conf_interface=${bastille_jail_interface}
fi
echo -e "interface = ${bastille_jail_conf_interface};\nhost.hostname = ${NAME};\nexec.consolelog = \
${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
Expand Down Expand Up @@ -167,6 +173,11 @@ if [ $# -gt 3 ] || [ $# -lt 3 ]; then
usage
fi

if [ $(echo $3 | grep '@' ) ]; then
BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}')
BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}')
fi

NAME="$1"
RELEASE="$2"
IP="$3"
Expand Down
8 changes: 4 additions & 4 deletions usr/local/share/bastille/list.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,16 +47,16 @@ if [ $# -gt 0 ]; then
usage
;;
release|releases)
ls "${bastille_releasesdir}" | sed "s/\n//g"
find "${bastille_releasesdir}" -type d -maxdepth 1
;;
template|templates)
ls "${bastille_templatesdir}" | sed "s/\n//g"
find "${bastille_templatesdir}" -type d -maxdepth 2
;;
jail|jails)
ls "${bastille_jailsdir}" | sed "s/\n//g"
ls "${bastille_jailsdir}" | sed "s/\n//g"
;;
log|logs)
ls "${bastille_logsdir}" | sed "s/\n//g"
find "${bastille_logsdir}" -type f -maxdepth 1
;;
*)
usage
Expand Down
4 changes: 3 additions & 1 deletion usr/local/share/bastille/start.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,9 @@ for _jail in ${JAILS}; do
elif [ ! $(jls name | grep ${_jail}) ]; then
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
pfctl -f /etc/pf.conf
if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -f /etc/pf.conf
fi
fi
echo
done
4 changes: 3 additions & 1 deletion usr/local/share/bastille/stop.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,8 @@ fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
pfctl -f /etc/pf.conf
if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -f /etc/pf.conf
fi
echo
done
Loading

0 comments on commit 5540b22

Please sign in to comment.