-
Notifications
You must be signed in to change notification settings - Fork 2
/
common.conf
101 lines (82 loc) · 3.4 KB
/
common.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#!/bin/sh
set -e
if [ -z "${PRODUCT_DEVICE}" ]; then
echo "Please set PRODUCT_DEVICE."
exit 1
fi
# important build settings
export PRODUCT_VERSION="hbsd-exp-10-16.7"
export PRODUCT_FLAVOUR=${PRODUCT_FLAVOUR:-"OPNSense"}
export PRODUCT_NAME="HardenedBSD"
export PRODUCT_SETTINGS="${PRODUCT_NAME}"
export PRODUCT_TYPE="opnsense-devel"
export VERSION=${PRODUCT_VERSION}
export INTEGRIFORCE="YES"
export INTEGRIFORCE_WHITELIST="YES"
# full name for easy use
export PRODUCT_RELEASE="${PRODUCT_NAME}-${PRODUCT_VERSION}_${PRODUCT_FLAVOUR}"
# code reositories
export TOOLSDIR="/usr/tools"
export PORTSDIR="/usr/ports"
export COREDIR="/usr/core"
export SRCDIR="/usr/src"
export CONFIGDIR="/usr/tools/config/HardenedBSD"
export PLUGINSDIR="/usr/plugins"
export PORTSREFDIR="/usr/ports"
export PKG_PRIVKEY="/home/shawn/keys/repo.key"
export PKG_PUBKEY="/home/shawn/keys/repo.pub"
# misc. foo
export PRODUCT_CONFIG="${TOOLSDIR}/config/${PRODUCT_NAME}"
export CONFIG_PKG="/usr/local/etc/pkg/repos/origin.conf"
export CPUS=$(sysctl kern.smp.cpus | awk '{ print $2 }')
export CONFIG_XML="/usr/local/etc/config.xml"
export ARCH=${ARCH:-$(uname -m)}
export LABEL=${PRODUCT_NAME}
export TARGET_ARCH=${ARCH}
export TARGETARCH=${ARCH}
export MAKEOBJDIRPREFIX="/usr/obj/opnsense"
export BUILD_KERNEL="SMP-HARDENEDBSD"
# define target directories
export PACKAGESDIR="/opnsense/packages/${PRODUCT_VERSION}"
export STAGEDIR="/usr/local/stage"
export IMAGESDIR="/opnsense/builds/${PRODUCT_VERSION}/${PRODUCT_DEVICE}"
export SETSDIR="/opnsense/sets/${PRODUCT_VERSION}"
# target files
export CDROM="${IMAGESDIR}/${PRODUCT_RELEASE}-cdrom-${PRODUCT_DEVICE}-${ARCH}.iso"
export SERIALIMG="${IMAGESDIR}/${PRODUCT_RELEASE}-serial-${PRODUCT_DEVICE}-${ARCH}.img"
export VGAIMG="${IMAGESDIR}/${PRODUCT_RELEASE}-vga-${PRODUCT_DEVICE}-${ARCH}.img"
export NANOIMG="${IMAGESDIR}/${PRODUCT_RELEASE}-nano-${PRODUCT_DEVICE}-${ARCH}.img"
SERIAL_CONFIG="<enableserial>1</enableserial>"
SERIAL_CONFIG="${SERIAL_CONFIG}<serialspeed>115200</serialspeed>"
export SERIAL_CONFIG="${SERIAL_CONFIG}<primaryconsole>serial</primaryconsole>"
# bootstrap target directories
mkdir -p ${STAGEDIR} ${IMAGESDIR} ${SETSDIR} ${PACKAGESDIR}
filesystem_populate_hook() {
if [ "${INTEGRIFORCE}" = "YES" ]; then
idirs="-d /rescue -d /bin -d /sbin -d /usr/bin"
idirs="${idirs} -d /usr/sbin -d /usr/local/bin -d /usr/local/sbin"
idirs="${idirs} -d /usr/local/libexec"
idirs="${idirs} -d /usr/libexec"
idirs="${idirs} -d /usr/local/etc"
idirs="${idirs} -d /usr/local/opnsense"
idirs="${idirs} -d /etc/rc.d"
if [ -f ${STAGEDIR}/usr/local/etc/secadm.integriforce.rules ]; then
rm -f ${STAGEDIR}/usr/local/etc/secadm.integriforce.rules
fi
cp ${TOOLSDIR}/scripts/integriforce.zsh ${STAGEDIR}/usr/local/bin
chmod 755 ${STAGEDIR}/usr/local/bin/integriforce.zsh
echo "[*] Generating Integriforce rules. Hold on to your butts."
chroot ${STAGEDIR} /usr/local/bin/integriforce.zsh ${idirs} \
-f /libexec/ld-elf.so.1 \
-f /etc/rc \
>> ${STAGEDIR}/usr/local/etc/secadm.integriforce.rules
if [ "${INTEGRIFORCE_WHITELIST}" = "YES" ]; then
echo 'whitelist_mode = true' >> \
${STAGEDIR}/usr/local/etc/secadm.integriforce.rules
fi
fi
echo 'hardening.log.log=0' >> ${STAGEDIR}/boot/loader.conf.local
echo 'secadm_load="YES"' >> ${STAGEDIR}/boot/loader.conf.local
echo "-S115200 -D" >> ${STAGEDIR}/boot.config
sed -i '' -e "s:</system>:${SERIAL_CONFIG}</system>:" ${STAGEDIR}${CONFIG_XML}
}