tools-hardened/desktop: initial commit of hardened amd64 desktop

This is a revamping of the TinHat build, see

    http://opensource.dyc.edu/tinhat

Signed-off-by: Anthony G. Basile <blueness@gentoo.org>

tools-hardened/desktop/files/Save/clean-docs.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+rm -rf /usr/share/doc/*
+rm -rf /usr/share/gnome/help/*
+rm -rf /usr/share/gtk-doc/*
+

tools-hardened/desktop/files/Save/clean.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+
+rm -rf /root/.ssh
+rm -f  /root/.bash_history /root/.lesshst /root/.recently-used.xbel /root/.recently-used.xbel /root/.viminfo
+
+rm -f /etc/ssh/ssh_host_*
+
+rm -f /etc/udev/rules.d/70-persistent-cd.rules  /etc/udev/rules.d/70-persistent-net.rules
+
+rm -f /var/lib/dhcpcd-eth*
+rm -f /var/lib/dhcpcd/*
+
+
+>/var/log/everything/current
+rm -f /var/log/everything/log*
+
+>/var/log/critical/current
+rm -f /var/log/critical/log*
+
+>/var/log/cron/current
+rm -f /var/log/cron/log*
+
+>/var/log/mail/current
+rm -f /var/log/mail/log*
+
+>/var/log/pm-powersave.log
+rm -f /var/log/pm-powersave/log*
+
+>/var/log/pwdfail/current
+rm -f /var/log/pwdfail/log*
+
+>/var/log/tallylog
+
+>/var/log/sshd/current
+rm -f /var/log/sshd/log*
+
+>/var/log/kernel/current
+rm -f /var/log/kernel/log*
+
+>/var/log/gdm/:0.log
+rm -f /var/log/gdm/:0.log.*
+
+>/var/log/Xorg.0.log
+rm -f /var/log/Xorg.0.log.old
+
+>/var/log/dmesg
+>/var/log/emerge.log
+>/var/log/emerge-fetch.log
+>/var/log/faillog
+>/var/log/genkernel.log
+>/var/log/lastlog
+>/var/log/wtmp
+>/var/log/portage/elog/summary.log
+>/var/log/ConsoleKit/history
+
+find /var/log/ -size +1c -type f
+

tools-hardened/desktop/files/Save/configs/ABOUT.html

@@ -0,0 +1,10 @@
+<HTML>
+<HEAD>
+	<TITLE>Welcome to Tin Hat Linux</TITLE>
+	<META HTTP-EQUIV="refresh" content="10;URL=http://opensource.dyc.edu/tinhat">
+</HEAD>
+<BODY>
+Redirecting to <A HREF="http://opensource.dyc.edu/tinhat">http://opensource.dyc.edu/tinhat</A> in 10 seconds ...
+</BODY>
+</HTML>
+

tools-hardened/desktop/files/Save/configs/init

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+/bin/mount -t proc proc /proc
+/bin/mount -t sysfs sysfs /sys
+/bin/mount -o remount,rw /
+
+/bin/mknod /dev/null c 1 3
+/bin/mknod /dev/tty c 5 0
+
+echo
+echo "Waiting for slow devices ... "
+echo
+
+sleep 10
+
+mdev -s
+
+FOUND=''
+for CDROM in hda hdb hdc hdd sr0 sr1 sr2 sr3 sda1 sdb1 sdc1 sdd1 sde1 sdf1 sdg1
+do
+	if [ "x$FOUND" == "x" ]
+	then
+		/bin/mount /dev/${CDROM} /mnt/cdrom
+		[ -f /mnt/cdrom/tinroot ] && FOUND=$CDROM || /bin/umount /dev/${CDROM}
+	fi
+done
+
+if [ "x$FOUND" == "x" ]
+then
+	echo "Boot device not found, very confusing"
+	echo "Dropping to shell"
+	exec /bin/sh
+fi
+
+/bin/mount -o loop -t squashfs /mnt/cdrom/tinroot /mnt/squashfs
+/bin/mount -o size=3400m,nr_inodes=1m,mode=755 -t tmpfs none /mnt/tmpfs
+/bin/cp -a /mnt/squashfs/* /mnt/tmpfs/
+
+/bin/umount /mnt/squashfs
+/bin/umount /mnt/cdrom
+/bin/umount /sys
+/bin/umount /proc
+
+exec /sbin/switch_root /mnt/tmpfs /sbin/init
+

tools-hardened/desktop/files/Save/configs/menu.lst

@@ -0,0 +1,4 @@
+timeout 10
+title TinHat
+        kernel /boot/tinhat
+        initrd /boot/tinhat.igz

tools-hardened/desktop/files/Save/configs/syslinux.cfg

@@ -0,0 +1,6 @@
+default TinHat
+timeout 1
+label TinHat
+ kernel tinhat
+ append initrd=tinhat.igz
+

tools-hardened/desktop/files/Save/howto-save.txt

@@ -0,0 +1,32 @@
+1. To save your running Tin Hat system, first prepare a working directory:
+
+	sudo su -
+	cd ~
+	cp -a ~thuser/Save .
+	cd Save
+	chmod 755 *.sh
+
+
+2. If you want to clean out logs, ssh keys, udev persistent rules (eg. for a
+prestine release), then
+
+	./clean.sh
+
+
+3. If you want information about your release, then
+
+	./info.sh
+
+
+4. To make the ISO, do
+
+	./make.sh
+
+
+5. After having made the ISO, you can optionally transfer the image to a pen drive
+using
+
+	./iso2usb.sh
+
+
+

tools-hardened/desktop/files/Save/info.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+[ $(uname -m) == "x86_64" ] && ARCH=amd64
+[ $(uname -m) == "i686"   ] && ARCH=i686
+
+cat /etc/make.conf > make-conf.${ARCH}.txt
+emerge --info      > emerge-info.${ARCH}.txt
+epm -qa | sort     > epm-qa.${ARCH}.txt
+emerge -vep world  > emerge-world.${ARCH}.txt
+zcat /proc/config.gz > kernel-config.${ARCH}.txt
+

tools-hardened/desktop/files/Save/iso2usb.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+
+WORKING=$(pwd)
+
+welcome ()
+{
+	echo
+	echo "================================================================================"
+	echo "= This script will transfer the contents of a bootable iso to a usb stick.     ="
+	echo "=                                                                              ="
+	echo "=        WARNING: IT WILL DESTROY THE CONTENTS OF THE USB STICK!!!             ="
+	echo "=                                                                              ="
+	echo "================================================================================"
+	echo  
+}
+
+
+check ()
+{
+	echo
+	echo "Enter the device name of the USB drive, eg sda                                 "
+	echo "Don't worry, I'll show you the device's partition table before we wipe it      "
+	echo
+	echo -n "Device: "
+
+	read DEVICE
+
+	echo
+
+	parted /dev/${DEVICE} print 
+
+	echo -n "Are you sure? (Type uppercase yes): "
+
+	read ANSWER
+
+	if [[ $ANSWER != "YES" ]] ; then
+		echo
+		echo "ABORT! ABORT! ABORT!"
+		echo
+		exit
+	fi
+}
+
+
+partition ()
+{
+	dd if=/dev/zero of=/dev/${DEVICE} bs=1 count=1024 >/dev/null 2>&1
+	dd if=/usr/lib/syslinux/mbr.bin of=/dev/${DEVICE} >/dev/null 2>&1
+	parted -s /dev/${DEVICE} mklabel msdos mkpartfs primary fat32 0 100% >/dev/null 2>&1
+	parted -s /dev/${DEVICE} set 1 boot >/dev/null 2>&1
+}
+
+
+copyiso()
+{
+	echo
+	echo "Enter the name of the iso image relative to ${WORKING} "
+	echo
+	echo -n "Name: "
+
+	read IMAGE
+
+	if [[ ! -f ${WORKING}/${IMAGE} ]] ; then
+		echo
+		echo "Cannot find iso image, exiting."
+		echo
+		exit
+	fi
+
+	cd ${WORKING}
+	mkdir -p iso usb
+	mount -o loop ${IMAGE} iso
+	mount /dev/${DEVICE}1 usb
+
+	cp iso/tinroot usb
+	cp iso/boot/tinhat usb
+	cp iso/boot/tinhat.igz usb
+	cp configs/syslinux.cfg usb
+
+	umount iso && rmdir iso
+	umount usb && rmdir usb
+}
+
+
+finishup()
+{
+	syslinux /dev/${DEVICE}1
+}
+
+
+welcome
+check
+partition
+copyiso
+finishup
+

tools-hardened/desktop/files/Save/make.sh

@@ -0,0 +1,134 @@
+#!/bin/bash
+
+WORKING=$(pwd)
+SKIP=$(echo $WORKING | sed -e 's/^\///')
+
+welcome()
+{
+	echo
+	echo "================================================================================"
+	echo "= Building iso image from template ...                                         ="
+	echo "= Hit Control-C at any continuation prompt to stop at that point               ="
+	echo "================================================================================"
+	echo  
+}
+
+
+cleanup()
+{
+	echo
+	echo "================================================================================"
+	echo "= Cleaning up any remaining tmp files from previous builds                     ="
+	echo "= Removing ramdisk.iso tinhat.igz init/ iso/                                   ="
+	echo "================================================================================"
+	echo -n "Continue? " 
+	read ANSWER
+
+	cd ${WORKING}
+	rm -f ramdisk.iso
+	rm -f tinhat.igz
+	rm -rf init
+	rm -rf iso
+}
+
+
+mkinitramfs()
+{
+	echo
+	echo "================================================================================"
+	echo "= Building initramfs image which will be named tinhat.igz                      ="
+	echo "================================================================================"
+	echo -n "Continue? " 
+	read ANSWER
+
+	cd ${WORKING}
+
+	mkdir init
+	cd init
+
+	mkdir -p bin dev etc mnt/cdrom mnt/squashfs mnt/tmpfs proc sbin sys tmp usr/bin usr/sbin var
+
+	cp ../configs/busybox bin
+	cp ../configs/init .
+	chmod 755 bin/busybox
+	chmod 755 init 
+
+	chroot . /bin/busybox --install -s
+
+	find . | cpio -H newc -o | gzip -9 > ../tinhat.igz
+
+	cd ${WORKING}
+
+	rm -rf init
+}
+
+
+mkiso()
+{
+	echo
+	echo "================================================================================"
+	echo "= Building the iso image which will be named ramdisk.iso                       ="
+	echo "================================================================================"
+	echo -n "Continue? " 
+	read ANSWER
+
+	cd ${WORKING}
+
+	mkdir -p iso/boot/grub
+
+	mv tinhat.igz iso/boot
+
+	cp -L /boot/kernel iso/boot/tinhat
+
+	cp /lib/grub/i386-pc/stage2_eltorito iso/boot/grub
+
+	cp configs/menu.lst  iso/boot/grub/menu.lst
+
+
+	mkdir -p root
+	mount -o ro --bind / root
+	mksquashfs root iso/tinroot -e usr/portage $SKIP usr/src var/cache/edb
+	umount root
+	rmdir root
+
+
+	cp configs/ABOUT.html  iso/ABOUT.html
+
+	mkisofs -R -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 4 -boot-info-table -o ramdisk.iso iso
+
+	rm -rf iso
+
+	cd ${WORKING}
+}
+
+
+nameit()
+{
+	echo
+	echo "================================================================================"
+	echo "= Renaming the iso image as th-ARCH-DATE.iso                                   ="
+	echo "================================================================================"
+	echo -n "Continue? " 
+	read ANSWER
+
+	echo
+	echo -n "Enter the RC suffix, empty for none: "
+	read RC
+
+	[ $(uname -m) == "x86_64" ] && ARCH="amd64"
+	[ $(uname -m) == "i686"   ] && ARCH="i686"
+
+	DATE=$(date +%Y%m%d)
+
+	[ -z $RC ] && NAME="th-${ARCH}-${DATE}.iso" ||  NAME="th-${ARCH}-${DATE}-${RC}.iso"
+
+	[ -f ramdisk.iso ] && mv ramdisk.iso $NAME || echo "Can't name ramdisk.iso, I didn't find it."
+}
+
+
+welcome
+cleanup
+mkinitramfs
+mkiso
+nameit
+