Add doc: how to config GRUB2 password protection

This commit is contained in:
samson 2018-11-23 22:16:16 +08:00
parent 70e6f42e56
commit 9ab41dceea
10 changed files with 67 additions and 243 deletions


@ -0,0 +1,67 @@
# How to config grub2 password protection
## Generate hashed password for GRUB
This example use the following char as the password: "MangGuO93,*jqvt", a combination like this is a requirement to satisfy the robustness of the password.
```
# grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F5CFD948DC06B644E05531FBF9773C086B228A87033642B32D41DBE141B10D2FD0604C8ABCDD2D2D76C834297969EADC64687EB32662CB59BCA0898AD69D7FE6.C698997624F217CDCE83446E80632FF9F7AFB1A0A6AE0B5752A81392F1BAA9A44C37AF5B29D7CEE13B9DE7D1207D5FB4A173A49D1518B1492BB6D9FE45444656
```
It will generate a long password encrypted like this: grub.pbkdf2.sha512.10000........ Copy the complete generated code.
## Setting Up Password Protection
### Modify /etc/grub.d/10_linux
In /etc/grub.d/10_linux, find the following line:
```
printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
```
Add --users '':
```
printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"
```
### Modify/etc/grub.d/30_os-prober
To alter the /etc/grub.d/30_os-prober to add password protection to all entries:
```
# sed 's/--class os /--class os --users /' -i /etc/grub.d/30_os-prober
```
### Add password protection to /etc/grub.d/40_header
```
set superusers="username"
password_pbkdf2 username password
```
Obviously you should replace the words "username" with your desired user name, and the word password for the encrypted password generated in the previous step.
The format for an encrypted password entry in /etc/grub.d/40_header would look similar to the following (shortened in the example):
```
set superusers="John"
password_pbkdf2 John grub.pbkdf2.sha512.10000.F5CFD948DC06B644E05531FBF9773C086B228A87033642B32D41DBE141B10D2FD0604C8ABCDD2D2D76C834297969EADC64687EB32662CB59BCA0898AD69D7FE6.C698997624F217CDCE83446E80632FF9F7AFB1A0A6AE0B5752A81392F1BAA9A44C37AF5B29D7CEE13B9DE7D1207D5FB4A173A49D1518B1492BB6D9FE45444656
```
Save the file and exit.
## Generate a grub2 config file
```
# update-grub2
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.9.0-8-amd64
Found initrd image: /boot/initrd.img-4.9.0-8-amd64
done
```
That's all, your grub2 is protected.
## Troubleshooting
If add password protection to /etc/grub.d/00_header, maybe you get an error when exec update-grub2, like this following:
```
# update-grub2
/etc/grub.d/00_header :274 /etc/grub.d/00_header password_pbkdf2 not found
```
Remember that the correct file to edit is 40_custom simply because other files such as grub.cfg or even 00_header are updated automatically by the system in certain circumstances, and it would make you lose those changes.
## Reference
[https://help.ubuntu.com/community/Grub2/Passwords](https://help.ubuntu.com/community/Grub2/Passwords)
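Review bot: the file named in the "Add password protection to /etc/grub.d/40_header" heading and in the sentence "The format for an encrypted password entry in /etc/grub.d/40_header" contradicts the Troubleshooting section, which says "the correct file to edit is 40_custom"; make the heading and that sentence say /etc/grub.d/40_custom so a reader does not create a 40_header file that no script reads, and then hit the 00_header error the troubleshooting text describes. Three smaller points in the same hunk. First, the `--users ''` edit to 10_linux is given without saying what it is meant to achieve (who may boot the entry, who may edit it or open the command line), and the sed for 30_os-prober inserts a bare `--users ` with no user list at all, which is not the same edit; state the intended behaviour once and make the two edits consistent. Second, the tool output itself says "PBKDF2 hash of your password", so "long password encrypted" and "encrypted password" should read "hashed", and "a combination like this is a requirement to satisfy the robustness of the password" says nothing concrete; either state the actual length and character-class rule intended or drop the sentence. Third, the example publishes the plaintext "MangGuO93,*jqvt" next to its full hash; say explicitly that it is a throwaway example that must not be reused, since the hash in grub.cfg is the only thing standing between a console user and the GRUB command line.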


@ -1,243 +0,0 @@
# Nodejs + redis + mysql demo
## environment
* OS: Debian
* Nodejs: 10.13.0
* MySQL: 10.1.26-MariaDB-0+deb9u1
* Redis: 5.0.1
* Kernel: linux-image-4.12.0-grsec-evil191
### Install packages
#### Install mysql
```
apt install mysql-server
```
#### Configurate database
Create helloworld database
```
mysql -uroot
MariaDB [(none)]> CREATE DATABASE helloworld;
```
Grant proper access to the helloworld database:
```
MariaDB [(none)]> GRANT ALL PRIVILEGES ON helloworld.* TO 'helloworld'@'localhost' \
IDENTIFIED BY 'HELLOWORLD_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON helloworld.* TO 'helloworld'@'%' \
IDENTIFIED BY 'HELLOWORLD_DBPASS';
```
Replace HEllOWORLD_DBPASS with a suitable password.
#### Install Redis
edit `/etc/apt/source.list` and add `stretch-backports` source
```
deb http://mirrors.163.com/debian/ stretch-backports main
deb-src http://mirrors.163.com/debian/ stretch-backports main
```
and update
```
apt update
```
install the package
```
apt -t stretch-backports install redis-server
```
#### Configurate Redis
modify `/etc/redis/redis.conf`, changce supervised no to
```
supervised systemd
```
Configuring a Redis Password
modify /etc/redis/redis.conf you can find the
```
# requirepass foobared
```
uncommnet it and change foobared to a suitable password
for example, you can gener:
```
openssl rand 60 | openssl base64 -A
jkO663LT4SLU522cIBaMrWshaEEP+67oRGIdDV3AEpIaS7IQ9yYWP78nmruBFM2cPdxSudvrrmlZeKil
```
systemctl restart redis
#### Install Nodejs
```
#as root
apt install curl -y
curl -sL https://deb.nodesource.com/setup_10.x | bash -
apt-get install -y nodejs
```
#### Install pax-bites
```
cat <<EOF > debian_auto_deploy.sh
#!/bin/bash
WORKDIR=/tmp/debian-grsec-configs
mkdir -p $WORKDIR
cd $WORKDIR
echo "###########################################################################"
echo -e "[+] \e[93mInstalling paxctl-ng/elfix...\e[0m"
echo "----------------------------------------------"
apt-get install -y vim libc6-dev libelf-dev libattr1-dev build-essential git
wget https://dev.gentoo.org/%7Eblueness/elfix/elfix-0.9.2.tar.gz && tar zxvf elfix-0.9.2.tar.gz
cd elfix-0.9.2
./configure --enable-ptpax --enable-xtpax --disable-tests
make && make install
cd $WORKDIR
echo "###########################################################################"
echo -e "[+] \e[93mDeploying configs....\e[0m"
echo "----------------------------------------------"
echo 'DPkg::Post-Invoke {"/bin/bash /usr/sbin/pax-bites.sh -e /etc/pax_flags_debian.config"; };' >77pax-bites
cp 77pax-bites /etc/apt/apt.conf.d/
wget https://github.com/hardenedlinux/hardenedlinux_profiles/raw/master/debian/pax_flags_debian.config
cp pax_flags_debian.config /etc/
echo "###########################################################################"
echo -e "[+] \e[93mDeploying pax-bites...\e[0m"
echo "----------------------------------------------"
git clone https://github.com/hardenedlinux/pax-bites.git
cp pax-bites/pax-bites.sh /usr/sbin/
pax-bites.sh -e /etc/pax_flags_debian.config
EOF
```
run command:
```
bash debian_auto_deploy.sh
```
after install paxctl and pax-bites
we should modify `/etc/pax_flags_debian.config`
add following content:
```
# Nodejs
/usr/bin/node;m
```
`-m` means `disable MPROTECT`
for more details you can check it from `paxctl-ng`
perform change
```
pax-bites.sh -e /etc/pax_flags_debian.config
```
### Add new user for helloworld service
adduser helloworld
### Usage
Using helloworld to install the dependencies.
unzip the helloworld.zip
```
//Installation all dependencies:
# su helloworld
$ unzip helloworld.zip
$ cd helloworld
$ npm install
```
### modify the config file locate in `config/config.js`
you can setup the mysql and redis
```
BASE_DIR = __dirname;
module.exports = {
port: 3000,
//mysql
mysql: {
host: 'localhost',
user: 'helloworld',
password: 'HELLOWORLD_DBPASS',
connectionLimit: 10,
charset: 'utf8mb4',
},
database: 'helloworld',
//redis
redis: {
tokenName: 'helloworld',
host: '127.0.0.1',
port: 6379,
password: 'jkO663LT4SLU522cIBaMrWshaEEP+67oRGIdDV3AEpIaS7IQ9yYWP78nmruBFM2cPdxSudvrrmlZeKil',
},
}
```
//Installation PM2:
```
# npm install pm2 -g
```
```
$ su helloworld
$ export NODE_ENV=production && pm2 start ./app.js --name helloworld
$ pm2 startup systemd
[PM2] Init System found: systemd
[PM2] To setup the Startup Script, copy/paste the following command:
sudo env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld
```
change to root user and execute
```
# env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld
```
and switch back to `helloworld` user
```
$ pm2 save
```
now start the service
```
# systemctl start pm2-helloworld
```
Open up http://{your server ip}:3000,then you can see the helloworld page.
Reference:
https://nodejs.org/en/
https://www.mysql.com/
http://pm2.keymetrics.io/
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-node-js-application-for-production-on-debian-9
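Review bot: this hunk deletes the entire "Nodejs + redis + mysql demo" document (243 lines), but the commit message only says "Add doc: how to config GRUB2 password protection"; either mention the removal in the message or split the deletion into its own commit so the history explains why the demo went away. Note also that the removed text carries a literal generated Redis password (the `openssl rand 60 | openssl base64 -A` output, repeated verbatim in the `redis.password` field of config/config.js) alongside the `HELLOWORLD_DBPASS` placeholder; deleting the file does not remove that value from the repository history, so if it was ever set on a real host it should be rotated rather than relied on as removed.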