May 2019 update: HardenedBSD, tzdata, NS

- closes #32: support HardenedBSD - adds support for defined nameservers in new jails (up to three) - adds support for defined nameserver options (eg; options edns0 rotate) - adds support for defined tzdata in new jails (eg; America/Denver, etc/UTC) - adds support for dynamic hw.machine/hw.machine_arch downloads - new jails now output default rc.conf settings (sysrc) at creation - no longer use freebsd_dist_fetch.sh; replaced with simpler fetch
2025-12-11 17:39:52 +01:00 · 2019-05-22 21:50:29 -06:00
parent cccf4ff31f
commit c9ebc886fd
7 changed files with 84 additions and 66 deletions
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -96,7 +96,7 @@ console|bootstrap|htop|top)
 bootstrap|update|upgrade)
    ;;
 *)
-	usage
+usage
    ;;
 esac

--- a/usr/local/etc/bastille/bastille.conf
+++ b/usr/local/etc/bastille/bastille.conf
@@ -9,4 +9,9 @@ bastille_logsdir=${bastille_prefix}/logs
 bastille_releasesdir=${bastille_prefix}/releases
 bastille_templatesdir=${bastille_prefix}/templates
 bastille_sharedir=/usr/local/share/bastille
-bastille_bootstrap_archives=base
+bastille_bootstrap_archives="base"
+bastille_tzdata="America/Denver"
+bastille_nameserver1="1.1.1.1"
+bastille_nameserver2="1.0.0.1"
+bastille_nameserver3=""
+bastille_nameserver_options="options edns0 rotate"
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -58,9 +58,29 @@ bootstrap_release() {
        mkdir -p "${bastille_cachedir}/${RELEASE}"
    fi

-    if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+    ## if release exists, quit
+    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
+        exit 1
+    fi
+
+    ## if existing ${CACHEDIR}/${RELEASE}/base.txz; extract
+    if [ -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
        mkdir -p "${bastille_releasesdir}/${RELEASE}"
-        sh ${bastille_sharedir}/freebsd_dist_fetch.sh -r ${RELEASE} ${bastille_bootstrap_archives}
+        for _archive in ${bastille_bootstrap_archives}; do
+            echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+            /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
+        done
+
+        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+        echo
+    fi
+
+    ## if no existing ${CACHEDIR}/${RELEASE} download and extract
+    if [ ! -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        mkdir -p "${bastille_releasesdir}/${RELEASE}"
+	fetch ${UPSTREAM_URL}/base.txz -o ${bastille_cachedir}/${RELEASE}/base.txz

        echo
        for _archive in ${bastille_bootstrap_archives}; do
@@ -71,9 +91,6 @@ bootstrap_release() {
        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
        echo
-    else
-        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
-        exit 1
    fi
 }

@@ -156,24 +173,29 @@ bootstrap_template() {

 #Usage: bastille bootstrap [release|template].${COLOR_RESET}"

+HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
+HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
+
 # Filter sane release names
 case "${1}" in
-10.1-RELEASE|10.2-RELEASE|10.3-RELEASE|10.4-RELEASE)
-    RELEASE="${1}"
-    bootstrap_release
-    echo -e "${COLOR_RED}WARNING: FreeBSD 10.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
-11.0-RELEASE|11.1-RELEASE)
-    RELEASE="${1}"
-    bootstrap_release
-    echo -e "${COLOR_RED}WARNING: FreeBSD 11.0-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
 11.2-RELEASE)
    RELEASE="${1}"
+    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"
    bootstrap_release
    ;;
 12.0-RELEASE)
    RELEASE="${1}"
+    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/"
+    bootstrap_release
+    ;;
+11-stable-LAST)
+    RELEASE="${1}"
+    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
+    bootstrap_release
+    ;;
+12-stable-LAST)
+    RELEASE="${1}"
+    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
    bootstrap_release
    ;;
 http?://github.com/*/*)
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -65,7 +65,7 @@ create_jail() {
    bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab"  ## file
    bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf"  ## file
    bastille_jail_log="${bastille_logsdir}/${NAME}_console.log"  ## file
-    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf.local" ## file
+    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
    bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file

    if [ ! -d "${bastille_jail_base}" ]; then
@@ -124,22 +124,30 @@ create_jail() {
    cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
    if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi

-    ## rc.conf.local
+    ## rc.conf
    ##  + syslogd_flags="-ss"
    ##  + sendmail_none="NONE"
    ##  + cron_flags="-J 60" ## cedwards 20181118
-    ## resolv.conf
    if [ ! -f "${bastille_jail_rc_conf}" ]; then
-        echo -e "syslogd_flags=\"-ss\"\nsendmail_enable=\"NONE\"" > ${bastille_jail_rc_conf}
-	echo -e "cron_flags=\"-J 60\"" >> ${bastille_jail_rc_conf}
+        touch "${bastille_jail_rc_conf}"
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60'
+        echo
    fi

+    ## resolv.conf
+    ##  + default nameservers configurable; 1 required, 3 optional ## cedwards 20190522
+    ##  + nameserver options supported
    if [ ! -f "${bastille_jail_resolv_conf}" ]; then
-        echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1\noptions edns0 rotate" > ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver1}" ] && echo -e "nameserver ${bastille_nameserver1}" >> ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver2}" ] && echo -e "nameserver ${bastille_nameserver2}" >> ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver3}" ] && echo -e "nameserver ${bastille_nameserver3}" >> ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver_options}" ] && echo -e "${bastille_nameserver_options}" >> ${bastille_jail_resolv_conf}
    fi

-    ## TZ: UTC
-    ln -s /usr/share/zoneinfo/Etc/UTC etc/localtime
+    ## TZ: configurable (default: etc/UTC)
+    ln -s /usr/share/zoneinfo/${bastille_tzdata} etc/localtime
 }

 # Handle special-case commands first.
@@ -159,50 +167,17 @@ IP="$3"

 ## verify release
 case "${RELEASE}" in
-10.1-RELEASE)
-    RELEASE="10.1-RELEASE"
-	;;
-10.2-RELEASE)
-    RELEASE="10.2-RELEASE"
-	;;
-10.3-RELEASE)
-    RELEASE="10.3-RELEASE"
-	;;
-10.4-RELEASE)
-    RELEASE="10.4-RELEASE"
-    ;;
-11.0-RELEASE)
-    RELEASE="11.0-RELEASE"
-    ;;
-11.1-RELEASE)
-    RELEASE="11.1-RELEASE"
-    ;;
 11.2-RELEASE)
    RELEASE="11.2-RELEASE"
    ;;
 12.0-RELEASE)
    RELEASE="12.0-RELEASE"
    ;;
-12.0-BETA1)
-    RELEASE="12.0-BETA1"
+11-stable-LAST)
+    RELEASE="11-stable-LAST"
    ;;
-12.0-BETA2)
-    RELEASE="12.0-BETA2"
-    ;;
-12.0-BETA3)
-    RELEASE="12.0-BETA3"
-    ;;
-12.0-BETA4)
-    RELEASE="12.0-BETA4"
-    ;;
-12.0-RC1)
-    RELEASE="12.0-RC1"
-    ;;
-12.0-RC2)
-    RELEASE="12.0-RC2"
-    ;;
-12.0-RC3)
-    RELEASE="12.0-RC3"
+12-stable-LAST)
+    RELEASE="12-stable-LAST"
    ;;
 *)
    echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
--- a/usr/local/share/bastille/update.sh
+++ b/usr/local/share/bastille/update.sh
@@ -49,6 +49,11 @@ fi

 RELEASE=$1

+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE}
 else
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -50,6 +50,12 @@ fi
 RELEASE=$1
 NEWRELEASE=$2

+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade
 else
--- a/usr/local/share/bastille/verify.sh
+++ b/usr/local/share/bastille/verify.sh
@@ -49,6 +49,11 @@ fi

 RELEASE=$1

+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
 else