tools-hardened/desktop: initial commit of hardened amd64 desktop

This is a revamping of the TinHat build, see

    http://opensource.dyc.edu/tinhat

Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
Devan Franchini 2014-04-06 08:12:19 -04:00 committed by Anthony G. Basile
parent 1c585a9f2b
commit b80e4e5ff8
93 changed files with 21658 additions and 0 deletions




@ -0,0 +1,71 @@
- First make the key file. To make things easy, I've given you a script. Just run
./mkkey.sh
to generate key.gpg This file contains 65 random keys in an ascii armored gpg
file. (See the reference below for details.)
If this is slow, do some work. (It depends on /dev/random which blocks on system entropy.)
Put it somewhere. A USB stick is good. You can't put it on the filesystem since
it lives only in RAM. Once you reboot, poof! and no more access to your data.
You have been warned!
You have been warned!
You have been warned!
- Fill your drive with random data. Replace sda with your device.
head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 | losetup -p 0 -e AES256 /dev/loop3 /dev/sda
dd if=/dev/zero of=/dev/loop3 bs=4k conv=notrunc 2>/dev/null
losetup -d /dev/loop3
- Add the following line to /etc/fstab
/dev/sda /mnt/mpoint ext3 defaults,noauto,loop=/dev/loop3,encryption=AES256,gpgkey=/path/to/key.gpg 0 0
Change /mnt/mpoint to whatever mount point you like. Change /path/to to
wherever your key lives.
NOTE: We are using the entire drive as one partition.
- Lay down a filesystem on your encrypted partition:
losetup -F /dev/loop3
mke2fs -j /dev/loop3
losetup -d /dev/loop3
- Mount the partition:
mount /mnt/mpoint
You may now use that filesystem as usual.
- Umount the parition:
umount /mnt/mpoint
- Every so often, you should do an fsck on the filesystem. Make sure its
unmount, and then:
losetup -F /dev/loop3
fsck -f -y /dev/loop3
losetup -d /dev/loop3
--------------------------------------------------------------------------------
REFERENCE: This howto derived from section 7.2 of
http://loop-aes.sourceforge.net/loop-AES.README
See that howto for more information on the loop-aes patch.


@ -0,0 +1,4 @@
#!/bin/bash
eval 'gpg-agent --daemon --use-standard-socket'
head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 | gpg --symmetric -a > key.gpg
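Review bot: key.gpg on the last line is created under the caller's default umask and, with no `set -o pipefail`, a failure anywhere in the pipeline (gpg aborted at the passphrase prompt, uuencode missing) still leaves an empty or truncated key.gpg behind with a zero exit status; add `umask 077` and `set -o pipefail` at the top and check gpg's status, e.g. `... | gpg --symmetric -a > key.gpg || { rm -f key.gpg; exit 1; }`. The `eval` on the second line only wraps a literal string, so a plain `gpg-agent --daemon --use-standard-socket` does the same. The `head -n 66 | tail -n 65` count is what the loop-AES howto in this commit relies on (65 keys), so a header comment stating that the count must stay at 65 would help the next editor.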


@ -0,0 +1,6 @@
#!/bin/bash
rm -rf /usr/share/doc/*
rm -rf /usr/share/gnome/help/*
rm -rf /usr/share/gtk-doc/*
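Review bot: The three `rm -rf` lines use absolute paths, so the script only makes sense when run inside the image root (or a chroot of it) and will delete the build host's own documentation if run anywhere else; a header comment stating that and the purpose (presumably shrinking the squashfs image) would make the intent clear, e.g. `# Run only inside the image root: strips documentation trees to shrink the squashfs image.`.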


@ -0,0 +1,58 @@
#!/bin/bash
rm -rf /root/.ssh
rm -f /root/.bash_history /root/.lesshst /root/.recently-used.xbel /root/.recently-used.xbel /root/.viminfo
rm -f /etc/ssh/ssh_host_*
rm -f /etc/udev/rules.d/70-persistent-cd.rules /etc/udev/rules.d/70-persistent-net.rules
rm -f /var/lib/dhcpcd-eth*
rm -f /var/lib/dhcpcd/*
>/var/log/everything/current
rm -f /var/log/everything/log*
>/var/log/critical/current
rm -f /var/log/critical/log*
>/var/log/cron/current
rm -f /var/log/cron/log*
>/var/log/mail/current
rm -f /var/log/mail/log*
>/var/log/pm-powersave.log
rm -f /var/log/pm-powersave/log*
>/var/log/pwdfail/current
rm -f /var/log/pwdfail/log*
>/var/log/tallylog
>/var/log/sshd/current
rm -f /var/log/sshd/log*
>/var/log/kernel/current
rm -f /var/log/kernel/log*
>/var/log/gdm/:0.log
rm -f /var/log/gdm/:0.log.*
>/var/log/Xorg.0.log
rm -f /var/log/Xorg.0.log.old
>/var/log/dmesg
>/var/log/emerge.log
>/var/log/emerge-fetch.log
>/var/log/faillog
>/var/log/genkernel.log
>/var/log/lastlog
>/var/log/wtmp
>/var/log/portage/elog/summary.log
>/var/log/ConsoleKit/history
find /var/log/ -size +1c -type f
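Review bot: The script scrubs only root's files (`/root/.ssh`, `/root/.bash_history`, `/root/.viminfo` on the second and third lines), but the image is later built from the whole root filesystem, so any other account whose home directory lives on that filesystem (the Save README in this commit copies from `~thuser/Save`) would ship its shell history and similar dotfiles untouched; either extend the cleanup to those homes or document that they must be cleaned by hand. `/root/.recently-used.xbel` appears twice on the third line; one copy can go. The final `find /var/log/ -size +1c -type f` is a useful audit of what the truncations missed, but its output is easy to overlook — a comment such as `# anything printed here still contains log data` would flag it.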


@ -0,0 +1,10 @@
<HTML>
<HEAD>
<TITLE>Welcome to Tin Hat Linux</TITLE>
<META HTTP-EQUIV="refresh" content="10;URL=http://opensource.dyc.edu/tinhat">
</HEAD>
<BODY>
Redirecting to <A HREF="http://opensource.dyc.edu/tinhat">http://opensource.dyc.edu/tinhat</A> in 10 seconds ...
</BODY>
</HTML>


@ -0,0 +1,45 @@
#!/bin/sh
/bin/mount -t proc proc /proc
/bin/mount -t sysfs sysfs /sys
/bin/mount -o remount,rw /
/bin/mknod /dev/null c 1 3
/bin/mknod /dev/tty c 5 0
echo
echo "Waiting for slow devices ... "
echo
sleep 10
mdev -s
FOUND=''
for CDROM in hda hdb hdc hdd sr0 sr1 sr2 sr3 sda1 sdb1 sdc1 sdd1 sde1 sdf1 sdg1
do
if [ "x$FOUND" == "x" ]
then
/bin/mount /dev/${CDROM} /mnt/cdrom
[ -f /mnt/cdrom/tinroot ] && FOUND=$CDROM || /bin/umount /dev/${CDROM}
fi
done
if [ "x$FOUND" == "x" ]
then
echo "Boot device not found, very confusing"
echo "Dropping to shell"
exec /bin/sh
fi
/bin/mount -o loop -t squashfs /mnt/cdrom/tinroot /mnt/squashfs
/bin/mount -o size=3400m,nr_inodes=1m,mode=755 -t tmpfs none /mnt/tmpfs
/bin/cp -a /mnt/squashfs/* /mnt/tmpfs/
/bin/umount /mnt/squashfs
/bin/umount /mnt/cdrom
/bin/umount /sys
/bin/umount /proc
exec /sbin/switch_root /mnt/tmpfs /sbin/init
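Review bot: The `for CDROM in ...` loop takes the first device from a fixed list that holds a file named tinroot, and that squashfs is mounted and handed to switch_root with no integrity check, so the system boots whatever image is on the first matching medium; since make.sh builds this initramfs from configs/init in the same run that builds tinroot, a digest of tinroot can be baked in at build time and compared before the `mount -o loop -t squashfs` line, refusing to continue on mismatch (busybox has a sha256sum applet if it is built in). This only helps where the kernel and initramfs themselves are trusted — it does not defend against a medium that replaces all three — so the comment should say so. The `[ "x$FOUND" == "x" ]` tests use `==` under `#!/bin/sh`, which busybox ash accepts but POSIX does not; `=` is portable. The `size=3400m` tmpfs here differs from the `size=4000m` in the fstab added by this commit, so presumably one of the two values is stale.
```shell
# … unchanged: mounts, mdev -s and the boot-device search loop …
# Digest of tinroot recorded by make.sh when it builds this initramfs.
EXPECTED_SHA256='<placeholder: sha256 of tinroot, filled in at build time>'
ACTUAL_SHA256=$(sha256sum /mnt/cdrom/tinroot | cut -d ' ' -f 1)
if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]
then
  echo "tinroot integrity check failed, refusing to boot"
  exec /bin/sh
fi
/bin/mount -o loop -t squashfs /mnt/cdrom/tinroot /mnt/squashfs
# … unchanged: tmpfs copy and switch_root …
```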



@ -0,0 +1,4 @@
timeout 10
title TinHat
kernel /boot/tinhat
initrd /boot/tinhat.igz


@ -0,0 +1,6 @@
default TinHat
timeout 1
label TinHat
kernel tinhat
append initrd=tinhat.igz


@ -0,0 +1,32 @@
1. To save your running Tin Hat system, first prepare a working directory:
sudo su -
cd ~
cp -a ~thuser/Save .
cd Save
chmod 755 *.sh
2. If you want to clean out logs, ssh keys, udev persistent rules (eg. for a
prestine release), then
./clean.sh
3. If you want information about your release, then
./info.sh
4. To make the ISO, do
./make.sh
5. After having made the ISO, you can optionally transfer the image to a pen drive
using
./iso2usb.sh


@ -0,0 +1,11 @@
#!/bin/bash
[ $(uname -m) == "x86_64" ] && ARCH=amd64
[ $(uname -m) == "i686" ] && ARCH=i686
cat /etc/make.conf > make-conf.${ARCH}.txt
emerge --info > emerge-info.${ARCH}.txt
epm -qa | sort > epm-qa.${ARCH}.txt
emerge -vep world > emerge-world.${ARCH}.txt
zcat /proc/config.gz > kernel-config.${ARCH}.txt
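Review bot: When `uname -m` is neither x86_64 nor i686, ARCH on the two `[ $(uname -m) == ... ]` lines stays unset and every output file is named `make-conf..txt` and so on; the same pair of tests appears in make.sh's nameit() later in this commit. A `case` with a default covers both: `case $(uname -m) in x86_64) ARCH=amd64 ;; i686) ARCH=i686 ;; *) ARCH=$(uname -m) ;; esac`. Note also that `cat /etc/make.conf` and `emerge --info` copy the build host's configuration verbatim, so anything sensitive in make.conf (mirror or proxy URLs carrying credentials, for example) would land in the published info files — worth a comment, or a review of those files before release.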


@ -0,0 +1,96 @@
#!/bin/bash
WORKING=$(pwd)
welcome ()
{
echo
echo "================================================================================"
echo "= This script will transfer the contents of a bootable iso to a usb stick. ="
echo "= ="
echo "= WARNING: IT WILL DESTROY THE CONTENTS OF THE USB STICK!!! ="
echo "= ="
echo "================================================================================"
echo
}
check ()
{
echo
echo "Enter the device name of the USB drive, eg sda "
echo "Don't worry, I'll show you the device's partition table before we wipe it "
echo
echo -n "Device: "
read DEVICE
echo
parted /dev/${DEVICE} print
echo -n "Are you sure? (Type uppercase yes): "
read ANSWER
if [[ $ANSWER != "YES" ]] ; then
echo
echo "ABORT! ABORT! ABORT!"
echo
exit
fi
}
partition ()
{
dd if=/dev/zero of=/dev/${DEVICE} bs=1 count=1024 >/dev/null 2>&1
dd if=/usr/lib/syslinux/mbr.bin of=/dev/${DEVICE} >/dev/null 2>&1
parted -s /dev/${DEVICE} mklabel msdos mkpartfs primary fat32 0 100% >/dev/null 2>&1
parted -s /dev/${DEVICE} set 1 boot >/dev/null 2>&1
}
copyiso()
{
echo
echo "Enter the name of the iso image relative to ${WORKING} "
echo
echo -n "Name: "
read IMAGE
if [[ ! -f ${WORKING}/${IMAGE} ]] ; then
echo
echo "Cannot find iso image, exiting."
echo
exit
fi
cd ${WORKING}
mkdir -p iso usb
mount -o loop ${IMAGE} iso
mount /dev/${DEVICE}1 usb
cp iso/tinroot usb
cp iso/boot/tinhat usb
cp iso/boot/tinhat.igz usb
cp configs/syslinux.cfg usb
umount iso && rmdir iso
umount usb && rmdir usb
}
finishup()
{
syslinux /dev/${DEVICE}1
}
welcome
check
partition
copyiso
finishup
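Review bot: check() reads DEVICE without `-r` and never validates it, and partition() then zeroes `/dev/${DEVICE}` with every error sent to /dev/null, so an empty or mistyped name is caught only by the operator reading the parted output; add `[[ -n "$DEVICE" && -b "/dev/${DEVICE}" ]] || { echo "not a block device: /dev/${DEVICE}"; exit 1; }` before the `parted /dev/${DEVICE} print` line. The `>/dev/null 2>&1` on the four partition() commands also hides a failed `mkpartfs` (no longer present in parted 3.x), after which `mount /dev/${DEVICE}1 usb` fails for no visible reason; drop the redirections or append `|| exit 1` to each. The bare `exit` in check() and copyiso() should be `exit 1` so a caller can tell an abort from success, and `${DEVICE}1` assumes sdX-style naming (mmcblk/nvme devices insert a `p` before the partition number).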


@ -0,0 +1,134 @@
#!/bin/bash
WORKING=$(pwd)
SKIP=$(echo $WORKING | sed -e 's/^\///')
welcome()
{
echo
echo "================================================================================"
echo "= Building iso image from template ... ="
echo "= Hit Control-C at any continuation prompt to stop at that point ="
echo "================================================================================"
echo
}
cleanup()
{
echo
echo "================================================================================"
echo "= Cleaning up any remaining tmp files from previous builds ="
echo "= Removing ramdisk.iso tinhat.igz init/ iso/ ="
echo "================================================================================"
echo -n "Continue? "
read ANSWER
cd ${WORKING}
rm -f ramdisk.iso
rm -f tinhat.igz
rm -rf init
rm -rf iso
}
mkinitramfs()
{
echo
echo "================================================================================"
echo "= Building initramfs image which will be named tinhat.igz ="
echo "================================================================================"
echo -n "Continue? "
read ANSWER
cd ${WORKING}
mkdir init
cd init
mkdir -p bin dev etc mnt/cdrom mnt/squashfs mnt/tmpfs proc sbin sys tmp usr/bin usr/sbin var
cp ../configs/busybox bin
cp ../configs/init .
chmod 755 bin/busybox
chmod 755 init
chroot . /bin/busybox --install -s
find . | cpio -H newc -o | gzip -9 > ../tinhat.igz
cd ${WORKING}
rm -rf init
}
mkiso()
{
echo
echo "================================================================================"
echo "= Building the iso image which will be named ramdisk.iso ="
echo "================================================================================"
echo -n "Continue? "
read ANSWER
cd ${WORKING}
mkdir -p iso/boot/grub
mv tinhat.igz iso/boot
cp -L /boot/kernel iso/boot/tinhat
cp /lib/grub/i386-pc/stage2_eltorito iso/boot/grub
cp configs/menu.lst iso/boot/grub/menu.lst
mkdir -p root
mount -o ro --bind / root
mksquashfs root iso/tinroot -e usr/portage $SKIP usr/src var/cache/edb
umount root
rmdir root
cp configs/ABOUT.html iso/ABOUT.html
mkisofs -R -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 4 -boot-info-table -o ramdisk.iso iso
rm -rf iso
cd ${WORKING}
}
nameit()
{
echo
echo "================================================================================"
echo "= Renaming the iso image as th-ARCH-DATE.iso ="
echo "================================================================================"
echo -n "Continue? "
read ANSWER
echo
echo -n "Enter the RC suffix, empty for none: "
read RC
[ $(uname -m) == "x86_64" ] && ARCH="amd64"
[ $(uname -m) == "i686" ] && ARCH="i686"
DATE=$(date +%Y%m%d)
[ -z $RC ] && NAME="th-${ARCH}-${DATE}.iso" || NAME="th-${ARCH}-${DATE}-${RC}.iso"
[ -f ramdisk.iso ] && mv ramdisk.iso $NAME || echo "Can't name ramdisk.iso, I didn't find it."
}
welcome
cleanup
mkinitramfs
mkiso
nameit
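Review bot: nameit() renames the image but nothing records its digest, so a downloader of th-ARCH-DATE.iso has nothing to verify against; after the `mv ramdisk.iso $NAME` line, `sha256sum "$NAME" > "$NAME.sha256"` (ideally with a detached signature of that file) closes the gap. `[ -z $RC ]` should be `[ -z "$RC" ]` — an RC suffix containing whitespace turns the test into a syntax error — and `mv ramdisk.iso $NAME` should quote `$NAME` for the same reason. mkiso() snapshots the whole root filesystem through the bind mount, excluding only usr/portage, the working directory, usr/src and var/cache/edb, so /etc/shadow and any home directory on that filesystem go into tinroot; that is by design for a live image, but a comment at the `mksquashfs` line saying so would stop someone building a release from a system carrying real credentials.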


@ -0,0 +1,25 @@
This directory contains utilities which are relavant to
Tin Hat's design goals. . As of the current release,
there is only one, but more will be added.
1. checksec.sh - Checks binaries or running processes for
the following security enhancements:
RELRO - Default Read Only Marking.
STACK CANARY (aka SSP) - Stack Smashing Protector
NX - No eXecute
PIE - Position Independent Executables
ASLR - Address Space Layout Randomization
For a better explanation of these see
http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml
http://en.wikipedia.org/wiki/NX_bit
http://en.wikipedia.org/wiki/ASLR
This script was written by Tobias Klein. Thank you!
See his informative blog at
http://www.trapkit.de


@ -0,0 +1,883 @@
#!/bin/bash
#
# The BSD License (http://www.opensource.org/licenses/bsd-license.php)
# specifies the terms and conditions of use for checksec.sh:
#
# Copyright (c) 2009-2011, Tobias Klein.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
# * Neither the name of Tobias Klein nor the name of trapkit.de may be
# used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
# OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
# DAMAGE.
#
# Name : checksec.sh
# Version : 1.5
# Author : Tobias Klein
# Date : November 2011
# Download: http://www.trapkit.de/tools/checksec.html
# Changes : http://www.trapkit.de/tools/checksec_changes.txt
#
# Description:
#
# Modern Linux distributions offer some mitigation techniques to make it
# harder to exploit software vulnerabilities reliably. Mitigations such
# as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout
# Randomization (ASLR) and Position Independent Executables (PIE) have
# made reliably exploiting any vulnerabilities that do exist far more
# challenging. The checksec.sh script is designed to test what *standard*
# Linux OS and PaX (http://pax.grsecurity.net/) security features are being
# used.
#
# As of version 1.3 the script also lists the status of various Linux kernel
# protection mechanisms.
#
# Credits:
#
# Thanks to Brad Spengler (grsecurity.net) for the PaX support.
# Thanks to Jon Oberheide (jon.oberheide.org) for the kernel support.
# Thanks to Ollie Whitehouse (Research In Motion) for rpath/runpath support.
#
# Others that contributed to checksec.sh (in no particular order):
#
# Simon Ruderich, Denis Scherbakov, Stefan Kuttler, Radoslaw Madej,
# Anthony G. Basile, Martin Vaeth and Brian Davis.
#
# global vars
have_readelf=1
verbose=false
# FORTIFY_SOURCE vars
FS_end=_chk
FS_cnt_total=0
FS_cnt_checked=0
FS_cnt_unchecked=0
FS_chk_func_libc=0
FS_functions=0
FS_libc=0
# version information
version() {
echo "checksec v1.5, Tobias Klein, www.trapkit.de, November 2011"
echo
}
# help
help() {
echo "Usage: checksec [OPTION]"
echo
echo "Options:"
echo
echo " --file <executable-file>"
echo " --dir <directory> [-v]"
echo " --proc <process name>"
echo " --proc-all"
echo " --proc-libs <process ID>"
echo " --kernel"
echo " --fortify-file <executable-file>"
echo " --fortify-proc <process ID>"
echo " --version"
echo " --help"
echo
echo "For more information, see:"
echo " http://www.trapkit.de/tools/checksec.html"
echo
}
# check if command exists
command_exists () {
type $1 > /dev/null 2>&1;
}
# check if directory exists
dir_exists () {
if [ -d $1 ] ; then
return 0
else
return 1
fi
}
# check user privileges
root_privs () {
if [ $(/usr/bin/id -u) -eq 0 ] ; then
return 0
else
return 1
fi
}
# check if input is numeric
isNumeric () {
echo "$@" | grep -q -v "[^0-9]"
}
# check if input is a string
isString () {
echo "$@" | grep -q -v "[^A-Za-z]"
}
# check file(s)
filecheck() {
# check for RELRO support
if readelf -l $1 2>/dev/null | grep -q 'GNU_RELRO'; then
if readelf -d $1 2>/dev/null | grep -q 'BIND_NOW'; then
echo -n -e '\033[32mFull RELRO \033[m '
else
echo -n -e '\033[33mPartial RELRO\033[m '
fi
else
echo -n -e '\033[31mNo RELRO \033[m '
fi
# check for stack canary support
if readelf -s $1 2>/dev/null | grep -q '__stack_chk_fail'; then
echo -n -e '\033[32mCanary found \033[m '
else
echo -n -e '\033[31mNo canary found\033[m '
fi
# check for NX support
if readelf -W -l $1 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
echo -n -e '\033[31mNX disabled\033[m '
else
echo -n -e '\033[32mNX enabled \033[m '
fi
# check for PIE support
if readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then
echo -n -e '\033[31mNo PIE \033[m '
elif readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
if readelf -d $1 2>/dev/null | grep -q '(DEBUG)'; then
echo -n -e '\033[32mPIE enabled \033[m '
else
echo -n -e '\033[33mDSO \033[m '
fi
else
echo -n -e '\033[33mNot an ELF file\033[m '
fi
# check for rpath / run path
if readelf -d $1 2>/dev/null | grep -q 'rpath'; then
echo -n -e '\033[31mRPATH \033[m '
else
echo -n -e '\033[32mNo RPATH \033[m '
fi
if readelf -d $1 2>/dev/null | grep -q 'runpath'; then
echo -n -e '\033[31mRUNPATH \033[m '
else
echo -n -e '\033[32mNo RUNPATH \033[m '
fi
}
# check process(es)
proccheck() {
# check for RELRO support
if readelf -l $1/exe 2>/dev/null | grep -q 'Program Headers'; then
if readelf -l $1/exe 2>/dev/null | grep -q 'GNU_RELRO'; then
if readelf -d $1/exe 2>/dev/null | grep -q 'BIND_NOW'; then
echo -n -e '\033[32mFull RELRO \033[m '
else
echo -n -e '\033[33mPartial RELRO \033[m '
fi
else
echo -n -e '\033[31mNo RELRO \033[m '
fi
else
echo -n -e '\033[31mPermission denied (please run as root)\033[m\n'
exit 1
fi
# check for stack canary support
if readelf -s $1/exe 2>/dev/null | grep -q 'Symbol table'; then
if readelf -s $1/exe 2>/dev/null | grep -q '__stack_chk_fail'; then
echo -n -e '\033[32mCanary found \033[m '
else
echo -n -e '\033[31mNo canary found \033[m '
fi
else
if [ "$1" != "1" ] ; then
echo -n -e '\033[33mPermission denied \033[m '
else
echo -n -e '\033[33mNo symbol table found\033[m '
fi
fi
# first check for PaX support
if cat $1/status 2> /dev/null | grep -q 'PaX:'; then
pageexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b6) )
segmexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b10) )
mprotect=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b8) )
randmmap=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b9) )
if [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "R" ]] ; then
echo -n -e '\033[32mPaX enabled\033[m '
elif [[ "$pageexec" = "p" && "$segmexec" = "s" && "$randmmap" = "R" ]] ; then
echo -n -e '\033[33mPaX ASLR only\033[m '
elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "R" ]] ; then
echo -n -e '\033[33mPaX mprot off \033[m'
elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "r" ]] ; then
echo -n -e '\033[33mPaX ASLR off\033[m '
elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "r" ]] ; then
echo -n -e '\033[33mPaX NX only\033[m '
else
echo -n -e '\033[31mPaX disabled\033[m '
fi
# fallback check for NX support
elif readelf -W -l $1/exe 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
echo -n -e '\033[31mNX disabled\033[m '
else
echo -n -e '\033[32mNX enabled \033[m '
fi
# check for PIE support
if readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then
echo -n -e '\033[31mNo PIE \033[m '
elif readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
if readelf -d $1/exe 2>/dev/null | grep -q '(DEBUG)'; then
echo -n -e '\033[32mPIE enabled \033[m '
else
echo -n -e '\033[33mDynamic Shared Object\033[m '
fi
else
echo -n -e '\033[33mNot an ELF file \033[m '
fi
}
# check mapped libraries
libcheck() {
libs=( $(awk '{ print $6 }' /proc/$1/maps | grep '/' | sort -u | xargs file | grep ELF | awk '{ print $1 }' | sed 's/:/ /') )
printf "\n* Loaded libraries (file information, # of mapped files: ${#libs[@]}):\n\n"
for element in $(seq 0 $((${#libs[@]} - 1)))
do
echo " ${libs[$element]}:"
echo -n " "
filecheck ${libs[$element]}
printf "\n\n"
done
}
# check for system-wide ASLR support
aslrcheck() {
# PaX ASLR support
if !(cat /proc/1/status 2> /dev/null | grep -q 'Name:') ; then
echo -n -e ':\033[33m insufficient privileges for PaX ASLR checks\033[m\n'
echo -n -e ' Fallback to standard Linux ASLR check'
fi
if cat /proc/1/status 2> /dev/null | grep -q 'PaX:'; then
printf ": "
if cat /proc/1/status 2> /dev/null | grep 'PaX:' | grep -q 'R'; then
echo -n -e '\033[32mPaX ASLR enabled\033[m\n\n'
else
echo -n -e '\033[31mPaX ASLR disabled\033[m\n\n'
fi
else
# standard Linux 'kernel.randomize_va_space' ASLR support
# (see the kernel file 'Documentation/sysctl/kernel.txt' for a detailed description)
printf " (kernel.randomize_va_space): "
if /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 1'; then
echo -n -e '\033[33mOn (Setting: 1)\033[m\n\n'
printf " Description - Make the addresses of mmap base, stack and VDSO page randomized.\n"
printf " This, among other things, implies that shared libraries will be loaded to \n"
printf " random addresses. Also for PIE-linked binaries, the location of code start\n"
printf " is randomized. Heap addresses are *not* randomized.\n\n"
elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 2'; then
echo -n -e '\033[32mOn (Setting: 2)\033[m\n\n'
printf " Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.\n"
printf " This, among other things, implies that shared libraries will be loaded to random \n"
printf " addresses. Also for PIE-linked binaries, the location of code start is randomized.\n\n"
elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 0'; then
echo -n -e '\033[31mOff (Setting: 0)\033[m\n'
else
echo -n -e '\033[31mNot supported\033[m\n'
fi
printf " See the kernel file 'Documentation/sysctl/kernel.txt' for more details.\n\n"
fi
}
# check cpu nx flag
nxcheck() {
if grep -q nx /proc/cpuinfo; then
echo -n -e '\033[32mYes\033[m\n\n'
else
echo -n -e '\033[31mNo\033[m\n\n'
fi
}
# check for kernel protection mechanisms
kernelcheck() {
printf " Description - List the status of kernel protection mechanisms. Rather than\n"
printf " inspect kernel mechanisms that may aid in the prevention of exploitation of\n"
printf " userspace processes, this option lists the status of kernel configuration\n"
printf " options that harden the kernel itself against attack.\n\n"
printf " Kernel config: "
if [ -f /proc/config.gz ] ; then
kconfig="zcat /proc/config.gz"
printf "\033[32m/proc/config.gz\033[m\n\n"
elif [ -f /boot/config-`uname -r` ] ; then
kconfig="cat /boot/config-`uname -r`"
printf "\033[33m/boot/config-`uname -r`\033[m\n\n"
printf " Warning: The config on disk may not represent running kernel config!\n\n";
elif [ -f "${KBUILD_OUTPUT:-/usr/src/linux}"/.config ] ; then
kconfig="cat ${KBUILD_OUTPUT:-/usr/src/linux}/.config"
printf "\033[33m%s\033[m\n\n" "${KBUILD_OUTPUT:-/usr/src/linux}/.config"
printf " Warning: The config on disk may not represent running kernel config!\n\n";
else
printf "\033[31mNOT FOUND\033[m\n\n"
exit 0
fi
printf " GCC stack protector support: "
if $kconfig | grep -qi 'CONFIG_CC_STACKPROTECTOR=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
printf " Strict user copy checks: "
if $kconfig | grep -qi 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
printf " Enforce read-only kernel data: "
if $kconfig | grep -qi 'CONFIG_DEBUG_RODATA=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
printf " Restrict /dev/mem access: "
if $kconfig | grep -qi 'CONFIG_STRICT_DEVMEM=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
printf " Restrict /dev/kmem access: "
if $kconfig | grep -qi 'CONFIG_DEVKMEM=y'; then
printf "\033[31mDisabled\033[m\n"
else
printf "\033[32mEnabled\033[m\n"
fi
printf "\n"
printf "* grsecurity / PaX: "
if $kconfig | grep -qi 'CONFIG_GRKERNSEC=y'; then
if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIGH=y'; then
printf "\033[32mHigh GRKERNSEC\033[m\n\n"
elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_MEDIUM=y'; then
printf "\033[33mMedium GRKERNSEC\033[m\n\n"
elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_LOW=y'; then
printf "\033[31mLow GRKERNSEC\033[m\n\n"
else
printf "\033[33mCustom GRKERNSEC\033[m\n\n"
fi
printf " Non-executable kernel pages: "
if $kconfig | grep -qi 'CONFIG_PAX_KERNEXEC=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
printf " Prevent userspace pointer deref: "
if $kconfig | grep -qi 'CONFIG_PAX_MEMORY_UDEREF=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
printf " Prevent kobject refcount overflow: "
if $kconfig | grep -qi 'CONFIG_PAX_REFCOUNT=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
printf " Bounds check heap object copies: "
if $kconfig | grep -qi 'CONFIG_PAX_USERCOPY=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
printf " Disable writing to kmem/mem/port: "
if $kconfig | grep -qi 'CONFIG_GRKERNSEC_KMEM=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
printf " Disable privileged I/O: "
if $kconfig | grep -qi 'CONFIG_GRKERNSEC_IO=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
printf " Harden module auto-loading: "
if $kconfig | grep -qi 'CONFIG_GRKERNSEC_MODHARDEN=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
printf " Hide kernel symbols: "
if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIDESYM=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
else
printf "\033[31mNo GRKERNSEC\033[m\n\n"
printf " The grsecurity / PaX patchset is available here:\n"
printf " http://grsecurity.net/\n"
fi
printf "\n"
printf "* Kernel Heap Hardening: "
if $kconfig | grep -qi 'CONFIG_KERNHEAP=y'; then
if $kconfig | grep -qi 'CONFIG_KERNHEAP_FULLPOISON=y'; then
printf "\033[32mFull KERNHEAP\033[m\n\n"
else
printf "\033[33mPartial KERNHEAP\033[m\n\n"
fi
else
printf "\033[31mNo KERNHEAP\033[m\n\n"
printf " The KERNHEAP hardening patchset is available here:\n"
printf " https://www.subreption.com/kernheap/\n\n"
fi
}
# --- FORTIFY_SOURCE subfunctions (start) ---
# is FORTIFY_SOURCE supported by libc?
FS_libc_check() {
printf "* FORTIFY_SOURCE support available (libc) : "
if [ "${#FS_chk_func_libc[@]}" != "0" ] ; then
printf "\033[32mYes\033[m\n"
else
printf "\033[31mNo\033[m\n"
exit 1
fi
}
# was the binary compiled with FORTIFY_SOURCE?
FS_binary_check() {
printf "* Binary compiled with FORTIFY_SOURCE support: "
for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1)))
do
if [[ ${FS_functions[$FS_elem_functions]} =~ _chk ]] ; then
printf "\033[32mYes\033[m\n"
return
fi
done
printf "\033[31mNo\033[m\n"
exit 1
}
FS_comparison() {
echo
printf " ------ EXECUTABLE-FILE ------- . -------- LIBC --------\n"
printf " FORTIFY-able library functions | Checked function names\n"
printf " -------------------------------------------------------\n"
for FS_elem_libc in $(seq 0 $((${#FS_chk_func_libc[@]} - 1)))
do
for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1)))
do
FS_tmp_func=${FS_functions[$FS_elem_functions]}
FS_tmp_libc=${FS_chk_func_libc[$FS_elem_libc]}
if [[ $FS_tmp_func =~ ^$FS_tmp_libc$ ]] ; then
printf " \033[31m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end
let FS_cnt_total++
let FS_cnt_unchecked++
elif [[ $FS_tmp_func =~ ^$FS_tmp_libc(_chk) ]] ; then
printf " \033[32m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end
let FS_cnt_total++
let FS_cnt_checked++
fi
done
done
}
FS_summary() {
echo
printf "SUMMARY:\n\n"
printf "* Number of checked functions in libc : ${#FS_chk_func_libc[@]}\n"
printf "* Total number of library functions in the executable: ${#FS_functions[@]}\n"
printf "* Number of FORTIFY-able functions in the executable : %s\n" $FS_cnt_total
printf "* Number of checked functions in the executable : \033[32m%s\033[m\n" $FS_cnt_checked
printf "* Number of unchecked functions in the executable : \033[31m%s\033[m\n" $FS_cnt_unchecked
echo
}
# --- FORTIFY_SOURCE subfunctions (end) ---
if !(command_exists readelf) ; then
printf "\033[31mWarning: 'readelf' not found! It's required for most checks.\033[m\n\n"
have_readelf=0
fi
# parse command-line arguments
case "$1" in
--version)
version
exit 0
;;
--help)
help
exit 0
;;
--dir)
if [ "$3" = "-v" ] ; then
verbose=true
fi
if [ $have_readelf -eq 0 ] ; then
exit 1
fi
if [ -z "$2" ] ; then
printf "\033[31mError: Please provide a valid directory.\033[m\n\n"
exit 1
fi
# remove trailing slashes
tempdir=`echo $2 | sed -e "s/\/*$//"`
if [ ! -d $tempdir ] ; then
printf "\033[31mError: The directory '$tempdir' does not exist.\033[m\n\n"
exit 1
fi
cd $tempdir
printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n"
for N in [A-Za-z]*; do
if [ "$N" != "[A-Za-z]*" ]; then
# read permissions?
if [ ! -r $N ]; then
printf "\033[31mError: No read permissions for '$tempdir/$N' (run as root).\033[m\n"
else
# ELF executable?
out=`file $N`
if [[ ! $out =~ ELF ]] ; then
if [ "$verbose" = "true" ] ; then
printf "\033[34m*** Not an ELF file: $tempdir/"
file $N
printf "\033[m"
fi
else
filecheck $N
if [ `find $tempdir/$N \( -perm -004000 -o -perm -002000 \) -type f -print` ]; then
printf "\033[37;41m%s%s\033[m" $2 $N
else
printf "%s%s" $tempdir/ $N
fi
echo
fi
fi
fi
done
exit 0
;;
--file)
if [ $have_readelf -eq 0 ] ; then
exit 1
fi
if [ -z "$2" ] ; then
printf "\033[31mError: Please provide a valid file.\033[m\n\n"
exit 1
fi
# does the file exist?
if [ ! -e $2 ] ; then
printf "\033[31mError: The file '$2' does not exist.\033[m\n\n"
exit 1
fi
# read permissions?
if [ ! -r $2 ] ; then
printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n"
exit 1
fi
# ELF executable?
out=`file $2`
if [[ ! $out =~ ELF ]] ; then
printf "\033[31mError: Not an ELF file: "
file $2
printf "\033[m\n"
exit 1
fi
printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n"
filecheck $2
if [ `find $2 \( -perm -004000 -o -perm -002000 \) -type f -print` ] ; then
printf "\033[37;41m%s%s\033[m" $2 $N
else
printf "%s" $2
fi
echo
exit 0
;;
--proc-all)
if [ $have_readelf -eq 0 ] ; then
exit 1
fi
cd /proc
printf "* System-wide ASLR"
aslrcheck
printf "* Does the CPU support NX: "
nxcheck
printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
for N in [1-9]*; do
if [ $N != $$ ] && readlink -q $N/exe > /dev/null; then
printf "%16s" `head -1 $N/status | cut -b 7-`
printf "%7d " $N
proccheck $N
echo
fi
done
if [ ! -e /usr/bin/id ] ; then
printf "\n\033[33mNote: If you are running 'checksec.sh' as an unprivileged user, you\n"
printf " will not see all processes. Please run the script as root.\033[m\n\n"
else
if !(root_privs) ; then
printf "\n\033[33mNote: You are running 'checksec.sh' as an unprivileged user.\n"
printf " Too see all processes, please run the script as root.\033[m\n\n"
fi
fi
exit 0
;;
--proc)
if [ $have_readelf -eq 0 ] ; then
exit 1
fi
if [ -z "$2" ] ; then
printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
exit 1
fi
if !(isString "$2") ; then
printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
exit 1
fi
cd /proc
printf "* System-wide ASLR"
aslrcheck
printf "* Does the CPU support NX: "
nxcheck
printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
for N in `ps -Ao pid,comm | grep $2 | cut -b1-6`; do
if [ -d $N ] ; then
printf "%16s" `head -1 $N/status | cut -b 7-`
printf "%7d " $N
# read permissions?
if [ ! -r $N/exe ] ; then
if !(root_privs) ; then
printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
exit 1
fi
if [ ! `readlink $N/exe` ] ; then
printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
exit 1
fi
exit 1
fi
proccheck $N
echo
fi
done
exit 0
;;
--proc-libs)
if [ $have_readelf -eq 0 ] ; then
exit 1
fi
if [ -z "$2" ] ; then
printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
exit 1
fi
if !(isNumeric "$2") ; then
printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
exit 1
fi
cd /proc
printf "* System-wide ASLR"
aslrcheck
printf "* Does the CPU support NX: "
nxcheck
printf "* Process information:\n\n"
printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
N=$2
if [ -d $N ] ; then
printf "%16s" `head -1 $N/status | cut -b 7-`
printf "%7d " $N
# read permissions?
if [ ! -r $N/exe ] ; then
if !(root_privs) ; then
printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
exit 1
fi
if [ ! `readlink $N/exe` ] ; then
printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
exit 1
fi
exit 1
fi
proccheck $N
echo
libcheck $N
fi
exit 0
;;
--kernel)
cd /proc
printf "* Kernel protection information:\n\n"
kernelcheck
exit 0
;;
--fortify-file)
if [ $have_readelf -eq 0 ] ; then
exit 1
fi
if [ -z "$2" ] ; then
printf "\033[31mError: Please provide a valid file.\033[m\n\n"
exit 1
fi
# does the file exist?
if [ ! -e $2 ] ; then
printf "\033[31mError: The file '$2' does not exist.\033[m\n\n"
exit 1
fi
# read permissions?
if [ ! -r $2 ] ; then
printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n"
exit 1
fi
# ELF executable?
out=`file $2`
if [[ ! $out =~ ELF ]] ; then
printf "\033[31mError: Not an ELF file: "
file $2
printf "\033[m\n"
exit 1
fi
if [ -e /lib/libc.so.6 ] ; then
FS_libc=/lib/libc.so.6
elif [ -e /lib64/libc.so.6 ] ; then
FS_libc=/lib64/libc.so.6
elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then
FS_libc=/lib/i386-linux-gnu/libc.so.6
elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then
FS_libc=/lib/x86_64-linux-gnu/libc.so.6
else
printf "\033[31mError: libc not found.\033[m\n\n"
exit 1
fi
FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') )
FS_functions=( $(readelf -s $2 | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') )
FS_libc_check
FS_binary_check
FS_comparison
FS_summary
exit 0
;;
--fortify-proc)
if [ $have_readelf -eq 0 ] ; then
exit 1
fi
if [ -z "$2" ] ; then
printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
exit 1
fi
if !(isNumeric "$2") ; then
printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
exit 1
fi
cd /proc
N=$2
if [ -d $N ] ; then
# read permissions?
if [ ! -r $N/exe ] ; then
if !(root_privs) ; then
printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
exit 1
fi
if [ ! `readlink $N/exe` ] ; then
printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
exit 1
fi
exit 1
fi
if [ -e /lib/libc.so.6 ] ; then
FS_libc=/lib/libc.so.6
elif [ -e /lib64/libc.so.6 ] ; then
FS_libc=/lib64/libc.so.6
elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then
FS_libc=/lib/i386-linux-gnu/libc.so.6
elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then
FS_libc=/lib/x86_64-linux-gnu/libc.so.6
else
printf "\033[31mError: libc not found.\033[m\n\n"
exit 1
fi
printf "* Process name (PID) : %s (%d)\n" `head -1 $N/status | cut -b 7-` $N
FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') )
FS_functions=( $(readelf -s $2/exe | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') )
FS_libc_check
FS_binary_check
FS_comparison
FS_summary
fi
exit 0
;;
*)
if [ "$#" != "0" ] ; then
printf "\033[31mError: Unknown option '$1'.\033[m\n\n"
fi
help
exit 1
;;
esac


@ -0,0 +1,5 @@
#! /bin/bash
gsettings set org.gnome.settings-daemon.plugins.cursor active false
gsettings set org.gnome.desktop.background picture-uri "file:///usr/share/backgrounds/background.jpg"


@ -0,0 +1,43 @@
app-admin/metalog
app-admin/sudo
app-admin/sysstat
app-arch/file-roller
app-arch/sharutils
app-arch/unrar
app-cdr/cdrtools
app-editors/leafpad
app-editors/nano
app-editors/vim
app-office/abiword
app-office/gnumeric
app-portage/gentoolkit
app-text/tree
mail-client/mailx
mail-client/sylpheed
mail-mta/postfix
media-video/vlc
media-gfx/ristretto
media-sound/alsa-utils
net-irc/hexchat
net-misc/dhcpcd
net-misc/openssh
sys-apps/gradm
sys-apps/iproute2
sys-boot/grub
sys-boot/syslinux
sys-fs/btrfs-progs
sys-fs/cryptsetup
sys-fs/dosfstools
sys-fs/mtools
sys-fs/squashfs-tools
sys-fs/eudev
sys-kernel/linux-firmware
sys-power/cpufrequtils
sys-process/at
sys-process/fcron
www-client/firefox
x11-base/xorg-server
x11-misc/slim
x11-terms/xfce4-terminal
x11-wm/fluxbox
xfce-base/thunar


@ -0,0 +1,2 @@
tmpfs / tmpfs size=4000m,nr_inodes=1m 0 1
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0
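Review bot: The root tmpfs line carries a fsck pass number of 1, which schedules a filesystem check on a memory-backed filesystem that has no fsck; the field should be 0 as it is on the shm line: `tmpfs / tmpfs size=4000m,nr_inodes=1m 0 0`. The /dev/shm entry is mounted nodev,nosuid,noexec, but nothing in this file restricts the rest of the RAM root, so if /tmp and /var/tmp live on the root tmpfs (not shown on this page) they stay executable and device-capable; a separate tmpfs entry for those paths with the same three flags would close that gap. A header comment stating that the 4000m cap is the whole live root would help whoever tunes it later.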


@ -0,0 +1,32 @@
app-admin/metalog
app-admin/sudo
app-admin/sysstat
app-arch/sharutils
app-cdr/cdrtools
app-editors/nano
app-editors/vim
app-office/abiword
app-office/gnumeric
app-portage/gentoolkit
app-text/tree
gnome-base/gnome
mail-client/mailx
mail-mta/postfix
media-sound/alsa-utils
net-misc/dhcpcd
net-misc/openssh
sys-apps/gradm
sys-apps/iproute2
sys-boot/grub
sys-boot/syslinux
sys-fs/btrfs-progs
sys-fs/cryptsetup
sys-fs/dosfstools
sys-fs/mtools
sys-fs/squashfs-tools
sys-kernel/linux-firmware
sys-power/cpufrequtils
sys-process/at
sys-process/fcron
www-client/firefox
x11-base/xorg-server


@ -0,0 +1 @@
3.13.5-hardened.config


@ -0,0 +1,4 @@
# Configuration file for eselect
# This file has been automatically generated.
LANG="en_US.utf8"
LC_COLLATE="C"


@ -0,0 +1,31 @@
# /etc/locale.gen: list all of the locales you want to have on your system
#
# The format of each line:
# <locale> <charmap>
#
# Where <locale> is a locale located in /usr/share/i18n/locales/ and
# where <charmap> is a charmap located in /usr/share/i18n/charmaps/.
#
# All blank lines and lines starting with # are ignored.
#
# For the default list of supported combinations, see the file:
# /usr/share/i18n/SUPPORTED
#
# Whenever glibc is emerged, the locales listed here will be automatically
# rebuilt for you. After updating this file, you can simply run `locale-gen`
# yourself instead of re-emerging glibc.
#en_US ISO-8859-1
en_US.UTF-8 UTF-8
#ja_JP.EUC-JP EUC-JP
ja_JP.UTF-8 UTF-8
#ja_JP EUC-JP
#en_HK ISO-8859-1
#en_PH ISO-8859-1
#de_DE ISO-8859-1
#de_DE@euro ISO-8859-15
#es_MX ISO-8859-1
fa_IR UTF-8
#fr_FR ISO-8859-1
#fr_FR@euro ISO-8859-15
#it_IT ISO-8859-1


@ -0,0 +1,24 @@
CFLAGS="-O2 -pipe"
CXXFLAGS="${CFLAGS}"
CHOST="x86_64-pc-linux-gnu"
#MAKEOPTS="-j9"
#
USE="mmx sse sse2 ipv6 loop-aes static-libs"
#USE="${USE} bindist suid"
USE="${USE} suid mudflap -bindist"
USE="${USE} X -xorg kdrive gnome gnome-shell cairo dbus dconf device-mapper fam gd gtk gtk3 gdu gudev hwdb udisks icu -systemd -openrc libnotify xa"
USE="${USE} ads -client avahi autoipd eds ldap mbox mdnsresponder-compat policykit -consolekit samba sqlite winbind"
USE="${USE} cdr cdda dvdr"
USE="${USE} cups extras ppds"
USE="${USE} exif gif jpeg jpeg2k mng apng png raw svg tiff wmf"
USE="${USE} a52 alsa dvb dvd esd ffmpeg flac gstreamer lame mad mpeg ogg theora vorbis xv aac mp3 speex twolame pulseaudio"
USE="${USE} python perl vala"
#
INPUT_DEVICES="evdev keyboard mouse acecad aiptek elographics fpit joystick penmount synaptics vmmouse void wacom"
VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident v4l vesa via vmware apm ark ast chips cirrus epson fglrx i128 rendition s3 s3virge siliconmotion sisusb tga tseng"
# Set PORTDIR for backward compatibility with various tools:
# gentoo-bashcomp - bug #478444
# euse - bug #474574
# euses and ufed - bug #478318
PORTDIR="/usr/portage"


@ -0,0 +1,24 @@
CFLAGS="-O2 -pipe"
CXXFLAGS="${CFLAGS}"
CHOST="x86_64-pc-linux-gnu"
#MAKEOPTS="-j9"
#
USE="mmx sse sse2 ipv6 loop-aes static-libs"
#USE="${USE} bindist suid"
USE="${USE} suid mudflap bindist"
USE="${USE} X xorg kdrive gnome gnome-shell cairo dbus dconf device-mapper fam gd gtk gtk3 gdu gudev hwdb udisks icu systemd -openrc libnotify xa"
USE="${USE} ads -client avahi autoipd eds ldap mbox mdnsresponder-compat policykit -consolekit samba sqlite winbind"
USE="${USE} cdr cdda dvdr"
USE="${USE} cups extras ppds"
USE="${USE} exif gif jpeg jpeg2k mng apng png raw svg tiff wmf"
USE="${USE} a52 alsa dvb dvd esd ffmpeg flac gstreamer lame mad mpeg ogg theora vorbis xv aac mp3 speex twolame pulseaudio"
USE="${USE} python perl vala"
#
INPUT_DEVICES="evdev keyboard mouse acecad aiptek elographics fpit joystick penmount synaptics vmmouse void wacom"
VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident v4l vesa via vmware apm ark ast chips cirrus epson fglrx i128 rendition s3 s3virge siliconmotion sisusb tga tseng"
# Set PORTDIR for backward compatibility with various tools:
# gentoo-bashcomp - bug #478444
# euse - bug #474574
# euses and ufed - bug #478318
PORTDIR="/usr/portage"


@ -0,0 +1,24 @@
CFLAGS="-O2 -pipe"
CXXFLAGS="${CFLAGS}"
CHOST="x86_64-pc-linux-gnu"
#MAKEOPTS="-j9"
#
USE="mmx sse sse2 ipv6 loop-aes static-libs"
#USE="${USE} bindist suid"
USE="${USE} suid mudflap bindist"
USE="${USE} X -xorg kdrive -gnome cairo dbus dconf device-mapper fam gd gtk gtk3 gdu gudev hwdb udisks icu openrc libnotify xa thunar"
USE="${USE} ads -client avahi autoipd eds ldap mbox mdnsresponder-compat policykit consolekit samba sqlite winbind"
USE="${USE} cdr cdda dvdr"
USE="${USE} cups extras ppds"
USE="${USE} exif gif jpeg jpeg2k mng apng png raw svg tiff wmf"
USE="${USE} a52 alsa dvb dvd esd ffmpeg flac gstreamer lame mad mpeg ogg theora vorbis xv aac mp3 speex twolame pulseaudio"
USE="${USE} python perl vala"
#
INPUT_DEVICES="evdev keyboard mouse acecad aiptek elographics fpit joystick penmount synaptics vmmouse void wacom"
VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident v4l vesa via vmware apm ark ast chips cirrus epson fglrx i128 rendition s3 s3virge siliconmotion sisusb tga tseng"
# Set PORTDIR for backward compatibility with various tools:
# gentoo-bashcomp - bug #478444
# euse - bug #474574
# euses and ufed - bug #478318
PORTDIR="/usr/portage"


@ -0,0 +1,24 @@
CFLAGS="-O2 -pipe"
CXXFLAGS="${CFLAGS}"
CHOST="x86_64-pc-linux-gnu"
#MAKEOPTS="-j9"
#
USE="mmx sse sse2 ipv6 loop-aes static-libs"
#USE="${USE} bindist suid"
USE="${USE} suid mudflap bindist"
USE="${USE} X xorg kdrive -gnome cairo dbus dconf device-mapper fam gd gtk gtk3 gdu gudev hwdb udisks icu openrc libnotify xa thunar"
USE="${USE} ads -client avahi autoipd eds ldap mbox mdnsresponder-compat policykit consolekit samba sqlite winbind"
USE="${USE} cdr cdda dvdr"
USE="${USE} cups extras ppds"
USE="${USE} exif gif jpeg jpeg2k mng apng png raw svg tiff wmf"
USE="${USE} a52 alsa dvb dvd esd ffmpeg flac gstreamer lame mad mpeg ogg theora vorbis xv aac mp3 speex twolame pulseaudio"
USE="${USE} python perl vala"
#
INPUT_DEVICES="evdev keyboard mouse acecad aiptek elographics fpit joystick penmount synaptics vmmouse void wacom"
VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident v4l vesa via vmware apm ark ast chips cirrus epson fglrx i128 rendition s3 s3virge siliconmotion sisusb tga tseng"
# Set PORTDIR for backward compatibility with various tools:
# gentoo-bashcomp - bug #478444
# euse - bug #474574
# euses and ufed - bug #478318
PORTDIR="/usr/portage"


@ -0,0 +1 @@
sys-kernel/hardened-sources ~amd64


@ -0,0 +1,10 @@
x11-libs/libdrm libkms
virtual/udev -static-libs
sys-fs/lvm2 -static-libs
sys-fs/cryptsetup -static-libs
media-sound/cdparanoia -static-libs
net-misc/openssh -bindist
dev-libs/openssl -bindist
x11-base/xorg-server xorg
sys-libs/zlib minizip
x11-libs/cairo opengl


@ -0,0 +1,3 @@
sys-kernel/hardened-sources ~amd64
xfce-extra/xfce4-composite-editor ~amd64
xfce-extra/xfce-theme-manager ~amd64


@ -0,0 +1,8 @@
x11-libs/libdrm libkms
virtual/udev -static-libs
sys-fs/lvm2 -static-libs
sys-fs/cryptsetup -static-libs
media-sound/cdparanoia -static-libs
x11-base/xorg-server xorg
sys-libs/zlib minizip
x11-libs/cairo opengl


@ -0,0 +1 @@
x11-drivers/ati-drivers -modules


@ -0,0 +1,7 @@
[DEFAULT]
main-repo = gentoo
[gentoo]
location = /usr/portage
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
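Review bot: `sync-uri = rsync://rsync.gentoo.org/gentoo-portage` pulls the ebuild tree over plain rsync and nothing in this file asks portage to verify what arrives, so the build trusts whichever mirror the round-robin hands out. If the portage version in use supports it, adding `sync-rsync-verify-metamanifest = yes` under `[gentoo]` makes the sync check the tree against the Gentoo release key; otherwise the verification has to happen out of band before the image is built. At minimum a comment such as `# tree is fetched unverified over rsync; verify before building` would make the trust assumption visible.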


@ -0,0 +1,5 @@
# Add your own name server here.
# This is only for the build. It
# will be removed in the final image.
nameserver 209.18.47.61
nameserver 209.18.47.62
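Review bot: The comment tells the builder to add their own name server, yet the file ships two concrete third-party resolvers (`nameserver 209.18.47.61` and `.62`), so anyone who takes the defaults routes every distfile and rsync lookup for the build through that provider without having chosen it. Either leave the two nameserver lines commented out as a template, or extend the comment to say whose resolvers these are and why they are the default. The comment also promises the file is removed from the final image; that removal is not on this page, so naming the build step that does it would let a reader confirm it.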


@ -0,0 +1,92 @@
[begin] (Fluxbox 1.3.2)
[encoding] {UTF-8}
[exec] (xfce4-terminal) {xfce4-terminal}
</var/tmp/portage/x11-wm/fluxbox-1.3.2/temp/home/.fluxbox/icons/utilities-terminal.xpm>
[submenu] (Terminals)
[exec] (xfce4-terminal) {xfce4-terminal}
</var/tmp/portage/x11-wm/fluxbox-1.3.2/temp/home/.fluxbox/icons/utilities-terminal.xpm>
[end]
[submenu] (Net)
[submenu] (Browsers)
[exec] (firefox) {firefox}
</var/tmp/portage/x11-wm/fluxbox-1.3.2/temp/home/.fluxbox/icons/firefox.xpm>
[end]
[submenu] (Mail)
[exec] (sylpheed) {sylpheed}
</var/tmp/portage/x11-wm/fluxbox-1.3.2/temp/home/.fluxbox/icons/sylpheed.xpm>
[end]
[submenu] (IRC client)
[exec] (hexchat) {hexchat}
[end]
[end]
[submenu] (Editors)
[exec] (leafpad) {leafpad}
</var/tmp/portage/x11-wm/fluxbox-1.3.2/temp/home/.fluxbox/icons/accessories-text-editor.xpm>
[exec] (nano) {xfce4-terminal -e nano}
[exec] (vim) {xfce4-terminal -e vim}
[exec] (vi) {xfce4-terminal -e vi}
</var/tmp/portage/x11-wm/fluxbox-1.3.2/temp/home/.fluxbox/icons/vinagre.xpm>
[end]
[submenu] (File utils)
[exec] (thunar) {thunar}
</var/tmp/portage/x11-wm/fluxbox-1.3.2/temp/home/.fluxbox/icons/system-file-manager.xpm>
[end]
[submenu] (Multimedia)
[submenu] (Audio)
[exec] (alsamixer) {xfce4-terminal -e alsamixer}
[end]
[submenu] (Video)
[exec] (vlc) {vlc}
</usr/share/icons/hicolor/48x48/apps/vlc.xpm>
[end]
[submenu] (Image)
[exec] (ristretto)
[submenu] (X-utils)
[exec] (Reload .Xdefaults) {xrdb -load $HOME/.Xdefaults}
[end]
[end]
[submenu] (Office)
[exec] (galculator) {galculator}
[exec] (abiword) {abiword}
[exec] (gnumeric) {gnumeric}
</var/tmp/portage/x11-wm/fluxbox-1.3.2/temp/home/.fluxbox/icons/abiword_48.xpm>
[end]
[submenu] (System Tools)
[submenu] (Burning)
[exec] (xcdroast) {xcdroast}
</usr/share/icons/hicolor/48x48/apps/xcdroast.xpm>
[end]
[exec] (porthole) {porthole}
</var/tmp/portage/x11-wm/fluxbox-1.3.2/temp/home/.fluxbox/icons/porthole-icon.xpm>
[exec] (top) {xfce4-terminal -e top}
[end]
[submenu] (Fluxbox menu)
[config] (Configure)
[submenu] (Styles)
[include] (/usr/share/fluxbox/menu.d/styles/)
[end]
[workspaces] (Workspace List)
[submenu] (Tools)
[exec] (Window name) {xprop WM_CLASS|cut -d \" -f 2|gxmessage
-file - -center}
[exec] (Screenshot - JPG) {import screenshot.jpg && display
-resize 50% screenshot.jpg}
[exec] (Screenshot - PNG) {import screenshot.png && display
-resize 50% screenshot.png}
[end]
[submenu] (Window Managers)
[restart] (xfce4) {xfwm4}
[restart] (gnome) {gnome-session}
</var/tmp/portage/x11-wm/fluxbox-1.3.2/temp/home/.fluxbox/icons/session-properties.xpm>
[end]
[commanddialog] (Fluxbox Command)
[reconfig] (Reload config)
[restart] (Restart)
[exec] (About) {(fluxbox -v; fluxbox -info | sed 1d) | gxmessage
-file - -center}
[separator]
[exit] (Exit)
[end]
[endencoding]
[end]
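Review bot: The `[submenu] (Image)` block is never closed and its only entry `[exec] (ristretto)` has no command braces, so the entry launches nothing and the `[submenu] (X-utils)` that follows is nested inside Image while the Multimedia submenu's `[end]` count is off by one. The fix is `[exec] (ristretto) {ristretto}` followed by its own `[end]` before `[submenu] (X-utils)`. The icon paths of the form `</var/tmp/portage/x11-wm/fluxbox-1.3.2/temp/home/.fluxbox/icons/...>` point into the ebuild's temporary build directory, which does not exist on the installed image, so those icons will not load and should reference the installed location instead. The two screenshot entries write `screenshot.jpg` and `screenshot.png` relative to whatever directory fluxbox was started from, which is surprising when that is the root; an explicit path under `$HOME` would be clearer.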


@ -0,0 +1,62 @@
app-admin/metalog
app-admin/sudo
app-admin/sysstat
app-arch/file-roller
app-arch/sharutils
app-arch/unrar
app-cdr/cdrtools
app-editors/leafpad
app-editors/nano
app-editors/vim
app-office/abiword
app-office/gnumeric
app-portage/gentoolkit
app-text/tree
mail-client/mailx
mail-client/sylpheed
mail-mta/postfix
media-video/vlc
media-gfx/ristretto
media-sound/alsa-utils
net-irc/hexchat
net-misc/dhcpcd
net-misc/openssh
sci-calculators/galculator
sys-apps/gradm
sys-apps/iproute2
sys-apps/pciutils
sys-boot/grub
sys-boot/syslinux
sys-fs/btrfs-progs
sys-fs/cryptsetup
sys-fs/dosfstools
sys-fs/mtools
sys-fs/squashfs-tools
sys-fs/eudev
sys-kernel/linux-firmware
sys-power/cpufrequtils
sys-process/at
sys-process/cronie
www-client/firefox
x11-base/xorg-server
x11-misc/slim
x11-terms/xfce4-terminal
xfce-base/thunar
xfce-base/xfce4-meta
xfce-extra/thunar-archive-plugin
xfce-extra/tumbler
xfce-extra/xfce-theme-manager
xfce-extra/xfce4-composite-editor
xfce-extra/xfce4-cpufreq-plugin
xfce-extra/xfce4-cpugraph-plugin
xfce-extra/xfce4-datetime-plugin
xfce-extra/xfce4-diskperf-plugin
xfce-extra/xfce4-mixer
xfce-extra/xfce4-notes-plugin
xfce-extra/xfce4-places-plugin
xfce-extra/xfce4-screenshooter
xfce-extra/xfce4-systemload-plugin
xfce-extra/xfce4-taskmanager
xfce-extra/xfce4-weather-plugin
xfce-extra/xfce4-whiskermenu-plugin
xfce-base/xfconf