From 0bc20d26c0bfffaf3bd7bfad22c1950ba53e74b7 Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken@fedoraproject.org>
Date: Thu, 25 Oct 2007 11:41:05 -0400
Subject: Rebase against minimal livecd configuration, and use a tricked-out
 openbox by default

---
 fedora-security-livecd.ks     | 165 ---------------
 livecd-fedora-base-desktop.ks | 121 -----------
 livecd-fedora-security.ks     | 462 ++++++++++++++++++++++++++++++++++++++++++
 spin-livecd.sh                |   5 -
 4 files changed, 462 insertions(+), 291 deletions(-)
 delete mode 100644 fedora-security-livecd.ks
 delete mode 100644 livecd-fedora-base-desktop.ks
 create mode 100644 livecd-fedora-security.ks
 delete mode 100755 spin-livecd.sh

diff --git a/fedora-security-livecd.ks b/fedora-security-livecd.ks
deleted file mode 100644
index 2f5eb00..0000000
--- a/fedora-security-livecd.ks
+++ /dev/null
@@ -1,165 +0,0 @@
-%include livecd-fedora-base-desktop.ks
-
-%packages
-@graphical-internet
-@gnome-desktop
-
-@afrikaans-support
-@albanian-support
-@arabic-support
-@armenian-support
-@assamese-support
-@basque-support
-@belarusian-support
-@bengali-support
-@bhutanese-support
-@bosnian-support
-@brazilian-support
-@breton-support
-@british-support
-@bulgarian-support
-@catalan-support
-@chinese-support
-@croatian-support
-@czech-support
-@danish-support
-@dutch-support
-@estonian-support
-@ethiopic-support
-@faeroese-support
-@filipino-support
-@finnish-support
-@french-support
-@gaelic-support
-@galician-support
-@georgian-support
-@german-support
-@greek-support
-@gujarati-support
-@hebrew-support
-@hindi-support
-@hungarian-support
-@icelandic-support
-@indonesian-support
-@inuktitut-support
-@irish-support
-@italian-support
-@japanese-support
-@kannada-support
-@khmer-support
-@korean-support
-@lao-support
-@latvian-support
-@lithuanian-support
-@malay-support
-@malayalam-support
-@maori-support
-@marathi-support
-@northern-sotho-support
-@norwegian-support
-@oriya-support
-@persian-support
-@polish-support
-@portuguese-support
-@punjabi-support
-@romanian-support
-@russian-support
-@samoan-support
-@serbian-support
-@sinhala-support
-@slovak-support
-@slovenian-support
-@somali-support
-@southern-ndebele-support
-@southern-sotho-support
-@spanish-support
-@swati-support
-@swedish-support
-@tagalog-support
-@tamil-support
-@telugu-support
-@thai-support
-@tibetan-support
-@tonga-support
-@tsonga-support
-@tswana-support
-@turkish-support
-@ukrainian-support
-@urdu-support
-@venda-support
-@vietnamese-support
-@welsh-support
-@xhosa-support
-@zulu-support
-
-# dictionaries are big
--aspell-*
--m17n-db-*
--man-pages-*
--scim-tables-*
-
-# save some space
--gnome-user-docs
--vino
--tomboy
--gimp-help
-
-# security tools
-aide
-aircrack-ng
-airsnort
-chkrootkit
-clamav
-dd_rescue
-gpart
-hexedit
-hping3
-john
-kismet
-lsof
-nessus-client
-nessus-gui
-nessus-server
-nc
-nc6
-ngrep
-nmap
-p0f
-pscan
-scanssh
-snort
-socat
-splint
-tcpdump
-testdisk
-tiger
-tripwire
-wireshark-gnome
-xprobe2
-tcpxtract
-ettercap
-nbtscan
-halberd
-hunt
-firewalk
-foremost
-iptraf
-tor
-screen
-%end
-
-%post
-cat >> /etc/rc.d/init.d/fedora-live << EOF
-# disable screensaver locking
-gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults -s -t bool /apps/gnome-screensaver/lock_enabled false >/dev/null
-# set up timed auto-login for after 60 seconds
-sed -i -e 's/\[daemon\]/[daemon]\nTimedLoginEnable=true\nTimedLogin=fedora\nTimedLoginDelay=60/' /etc/gdm/custom.conf
-if [ -e /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png ] ; then
-    cp /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png /home/fedora/.face
-    chown fedora:fedora /home/fedora/.face
-    # TODO: would be nice to get e-d-s to pick this one up too... but how?
-fi
-
-EOF
-
-%end
diff --git a/livecd-fedora-base-desktop.ks b/livecd-fedora-base-desktop.ks
deleted file mode 100644
index 6d2f46a..0000000
--- a/livecd-fedora-base-desktop.ks
+++ /dev/null
@@ -1,121 +0,0 @@
-lang en_US.UTF-8
-keyboard us
-timezone US/Eastern
-auth --useshadow --enablemd5
-selinux --enforcing
-firewall --disabled
-xconfig --startxonboot
-services --enabled=NetworkManager,dhcdbd --disabled=network,sshd
-
-repo --name=development --baseurl=http://download.fedoraproject.org/pub/fedora/linux/development/i386/os
-
-%packages
-@base-x
-@base
-@core
-@admin-tools
-@dial-up
-@hardware-support
-kernel
-memtest86+
-
-# save some space
--specspo
--esc
--samba-client
--a2ps
--redhat-lsb
--sox
--hplip
--hpijs
-# smartcards won't really work on the livecd.  
--coolkey
--ccid
-# duplicate functionality
--pinfo
--vorbis-tools
--wget
-# lose the compat stuff
--compat*
-
-# scanning takes quite a bit of space :/
--xsane
--xsane-gimp
--sane-backends
-
-# lots of people want to have this
-gparted
-
-# livecd bits to set up the livecd and be able to install
-anaconda
-isomd5sum
-
-# make sure debuginfo doesn't end up on the live image
--*debuginfo
-%end
-
-%post
-# FIXME: it'd be better to get this installed from a package
-cat > /etc/rc.d/init.d/fedora-live << EOF
-#!/bin/bash
-#
-# live: Init script for live image
-#
-# chkconfig: 345 00 99
-# description: Init script for live image.
-
-. /etc/init.d/functions
-
-if ! strstr "\`cat /proc/cmdline\`" liveimg || [ "\$1" != "start" ] || [ -e /.liveimg-configured ] ; then
-    exit 0
-fi
-
-exists() {
-    which \$1 >/dev/null 2>&1 || return
-    \$*
-}
-
-touch /.liveimg-configured
-
-# mount live image
-if [ -b /dev/live ]; then
-   mkdir -p /mnt/live
-   mount -o ro /dev/live /mnt/live
-fi
-
-# configure X
-exists system-config-display --noui --reconfig --set-depth=24
-
-# unmute sound card
-exists alsaunmute 0 2> /dev/null
-
-# add fedora user with no passwd
-useradd -c "Fedora Live" fedora
-passwd -d fedora > /dev/null
-
-# turn off firstboot for livecd boots
-echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot
-
-# don't start yum-updatesd for livecd boots
-chkconfig --level 345 yum-updatesd off
-
-# don't start cron/at as they tend to spawn things which are
-# disk intensive that are painful on a live image
-chkconfig --level 345 crond off
-chkconfig --level 345 atd off
-chkconfig --level 345 anacron off
-chkconfig --level 345 readahead_early off
-chkconfig --level 345 readahead_later off
-
-# Stopgap fix for RH #217966; should be fixed in HAL instead
-touch /media/.hal-mtab
-EOF
-
-chmod 755 /etc/rc.d/init.d/fedora-live
-/sbin/restorecon /etc/rc.d/init.d/fedora-live
-/sbin/chkconfig --add fedora-live
-
-# save a little bit of space at least...
-rm -f /boot/initrd*
-
-%end
diff --git a/livecd-fedora-security.ks b/livecd-fedora-security.ks
new file mode 100644
index 0000000..0b5aa29
--- /dev/null
+++ b/livecd-fedora-security.ks
@@ -0,0 +1,462 @@
+lang en_US.UTF-8
+keyboard us
+timezone US/Eastern
+auth --useshadow --enablemd5
+selinux --enforcing
+firewall --enabled
+xconfig --startxonboot
+part / --size 1792
+services --enabled=NetworkManager --disabled=network,sshd,cups,snortd,sendmail,avahi-daemon,bluetooth,firstboot,isdn,netfs,nfslock,rpcbind,rpcgssd
+repo --name=development --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=i386
+
+%packages
+@core
+@base-x
+@base
+@core
+@admin-tools
+@dial-up
+@hardware-support
+@graphical-internet
+kernel
+memtest86+
+bash
+passwd
+policycoreutils
+chkconfig
+authconfig
+rootfiles
+
+# save some space
+-specspo
+-esc
+-samba-client
+-a2ps
+-mpage
+-redhat-lsb
+-sox
+-hplip
+-hpijs
+# smartcards won't really work on the livecd.  
+-coolkey
+-ccid
+# duplicate functionality
+-pinfo
+-vorbis-tools
+-wget
+# lose the compat stuff
+-compat*
+
+# scanning takes quite a bit of space :/
+-xsane
+-xsane-gimp
+-sane-backends
+
+# dictionaries are big
+-aspell-*
+-man-pages-*
+-scim-tables-*
+-wqy-bitmap-fonts
+-dejavu-fonts-experimental
+-dejavu-fonts
+
+# more fun with space saving 
+-scim-lang-chinese
+scim-chewing
+scim-pinyin
+
+# save some space
+-gnome-user-docs
+-gimp-help
+-evolution-help
+-autofs
+-vino
+
+# lots of people want to have this
+gparted
+
+# livecd bits to set up the livecd and be able to install
+anaconda
+isomd5sum
+
+# security tools
+aide
+aircrack-ng
+airsnort
+chkrootkit
+clamav
+dd_rescue
+hexedit
+hping3
+john
+kismet
+lsof
+nessus-client
+nessus-gui
+nessus-server
+nc
+nc6
+ngrep
+nmap
+p0f
+pscan
+scanssh
+snort
+socat
+splint
+tcpdump
+testdisk
+tiger
+tripwire
+wireshark-gnome
+xprobe2
+tcpxtract
+ettercap
+nbtscan
+halberd
+hunt
+firewalk
+foremost
+iptraf
+tor
+
+# Other useful stuff
+screen
+openbox
+obconf
+obmenu
+desktop-backgrounds-basic
+feh
+vim-enhanced
+gnome-terminal
+gnome-menus
+
+# make sure debuginfo doesn't end up on the live image
+-*debuginfo
+
+%end
+
+%post
+# FIXME: it'd be better to get this installed from a package
+cat > /etc/rc.d/init.d/fedora-live << EOF
+#!/bin/bash
+#
+# live: Init script for live image
+#
+# chkconfig: 345 00 99
+# description: Init script for live image.
+
+. /etc/init.d/functions
+
+if ! strstr "\`cat /proc/cmdline\`" liveimg || [ "\$1" != "start" ] || [ -e /.liveimg-configured ] ; then
+    exit 0
+fi
+
+exists() {
+    which \$1 >/dev/null 2>&1 || return
+    \$*
+}
+
+touch /.liveimg-configured
+
+# mount live image
+if [ -b /dev/live ]; then
+   mkdir -p /mnt/live
+   mount -o ro /dev/live /mnt/live
+fi
+
+# enable swaps unless requested otherwise
+swaps=\`blkid -t TYPE=swap -o device\`
+if ! strstr "\`cat /proc/cmdline\`" noswap -a [ -n "\$swaps" ] ; then
+  for s in \$swaps ; do
+    action "Enabling swap partition \$s" swapon \$s
+  done
+fi
+
+# configure X, allowing user to override xdriver
+for o in \`cat /proc/cmdline\` ; do
+    case \$o in
+    xdriver=*)
+        xdriver="--set-driver=\${o#xdriver=}"
+        ;;
+    esac
+done
+
+exists system-config-display --noui --reconfig --set-depth=24 \$xdriver
+
+# add fedora user with no passwd
+useradd -c "Fedora Live" fedora
+passwd -d fedora > /dev/null
+
+echo 'export PATH=$PATH:/sbin:/usr/sbin' >> /home/fedora/.bashrc
+
+##
+## openbox configuration
+##
+echo "openbox-session" > /home/fedora/.xsession
+chmod a+x /home/fedora/.xsession
+chown fedora:fedora /home/fedora/.xsession
+
+mkdir -p /home/fedora/.config/openbox
+cat >> /home/fedora/.config/openbox/autostart.sh << OBDONE
+
+# Run the system-wide support stuff
+. /etc/xdg/openbox/autostart.sh
+
+# Set default Fedora background
+feh --bg-scale /usr/share/backgrounds/images/default.png
+
+OBDONE
+
+# rc.xml
+cp /etc/xdg/openbox/rc.xml /home/fedora/.config/openbox
+sed -i -e 's/Clearlooks/Onyx/' /home/fedora/.config/openbox/rc.xml
+
+# fedora pipe menu
+cat >> /home/fedora/.config/openbox/obgnome.py << OBGNOME
+#!/usr/bin/python -tt
+import gmenu
+def walk_menu(entry):
+    if entry.get_type() == gmenu.TYPE_DIRECTORY:
+        print '<menu id="%s" label="%s">' % (entry.menu_id, entry.get_name())
+        map(walk_menu, entry.get_contents())
+        print '</menu>'
+    elif entry.get_type() == gmenu.TYPE_ENTRY and not entry.is_excluded:
+        print """
+            <item label="%s">
+              <action name="Execute">
+                <command>%s</command>
+              </action>
+            </item>
+        """ % (entry.get_name(), entry.get_exec())
+
+print "<openbox_pipe_menu>"
+walk_menu(walk_menu, gmenu.lookup_tree('applications.menu').root.get_contents())
+print "</openbox_pipe_menu>"
+OBGNOME
+chown fedora:fedora /home/fedora/.config/openbox/obgnome.py
+chmod a+x /home/fedora/.config/openbox/obgnome.py
+
+# menu.xml
+cat >> /home/fedora/.config/openbox/menu.xml << OBDONE
+<?xml version="1.0" encoding="UTF-8"?>
+
+<openbox_menu xmlns="http://openbox.org/3.4/menu">
+
+<menu id="recon-menu" label="Reconnaissance">
+  <item label="hping3">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'hping3; bash'"</command></action>
+  </item>
+  <item label="nc6">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'nc6; bash'"</command></action>
+  </item>
+  <item label="nc">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'nc; bash'"</command></action>
+  </item>
+  <item label="ngrep">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'ngrep; bash'"</command></action>
+  </item>
+  <item label="nessus">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'nessus; bash'"</command></action>
+  </item>
+  <item label="nmap">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'nmap; bash'"</command></action>
+  </item>
+  <item label="p0f">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'p0f; bash'"</command></action>
+  </item>
+  <item label="scanssh">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'scanssh; bash'"</command></action>
+  </item>
+  <item label="socat">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'socat; bash'"</command></action>
+  </item>
+  <item label="tcpdump">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'tcpdump; bash'"</command></action>
+  </item>
+  <item label="tiger">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'tiger; bash'"</command></action>
+  </item>
+  <item label="wireshark">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'wireshark; bash'"</command></action>
+  </item>
+  <item label="xprobe2">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'xprobe2; bash'"</command></action>
+  </item>
+  <item label="nbtscan">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'nbtscan; bash'"</command></action>
+  </item>
+  <item label="tcpxtract">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'tcpxtract; bash'"</command></action>
+  </item>
+  <item label="firewalk">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'firewalk; bash'"</command></action>
+  </item>
+  <item label="hunt">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'hunt; bash'"</command></action>
+  </item>
+  <item label="halberd">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'halberd; bash'"</command></action>
+  </item>
+</menu>
+
+<menu id="forensics-menu" label="Forensics">
+  <item label="chkrootkit">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'chkrootkit; bash'"</command></action>
+  </item>
+  <item label="clamav">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'clamav; bash'"</command></action>
+  </item>
+  <item label="dd_rescue">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'dd_rescue; bash'"</command></action>
+  </item>
+  <item label="gparted">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'gparted; bash'"</command></action>
+  </item>
+  <item label="hexedit">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'hexedit; bash'"</command></action>
+  </item>
+  <item label="prelude">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'prelude; bash'"</command></action>
+  </item>
+  <item label="testdisk">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'testdisk; bash'"</command></action>
+  </item>
+  <item label="foremost">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'foremost; bash'"</command></action>
+  </item>
+</menu>
+
+<menu id="wireless-menu" label="Wireless">
+  <item label="aircrack-ng">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'aircrack-ng; bash'"</command></action>
+  </item>
+  <item label="airsnort">
+    <action name="Execute"><command>airsnort</command></action>
+  </item>
+  <item label="kismet">
+    <action name="Execute"><command>kismet</command></action>
+  </item>
+</menu>
+
+<menu id="code-menu" label="Code Analysis">
+  <item label="pscan">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'pscan; bash'"</command></action>
+  </item>
+  <item label="splint">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'splint; bash'"</command></action>
+  </item>
+</menu>
+
+<menu id="id-menu" label="Intrusion Detection">
+  <item label="aide">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'aide; bash'"</command></action>
+  </item>
+  <item label="snort">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'snort; bash'"</command></action>
+  </item>
+  <item label="tripwire">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'tripwire; bash'"</command></action>
+  </item>
+</menu>
+
+<menu id="password-menu" label="Password Tools">
+  <item label="john">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'john; bash'"</command></action>
+  </item>
+</menu>
+
+<menu id="root-menu" label="Fedora Security Spin">
+  <separator label="Fedora Security Spin" />
+  <menu id="recon-menu" />
+  <menu id="forensics-menu" />
+  <menu id="wireless-menu" />
+  <menu id="id-menu" />
+  <menu id="code-menu" />
+  <menu id="password-menu" />
+  <separator />
+  <item label="Terminal">
+    <action name="Execute">
+      <command>gnome-terminal</command>
+    </action>
+  </item>
+  <item label="Firefox">
+    <action name="Execute">
+      <command>firefox</command>
+    </action>
+  </item>
+  <separator />
+  <menu id="fedora" label="Fedora" execute="/home/fedora/.config/openbox/obgnome.py" />
+  <separator />
+  <menu id="client-list-menu" />
+  <separator />
+  <item label="ObConf">
+    <action name="Execute">
+      <startupnotify><enabled>yes</enabled><icon>openbox</icon></startupnotify>
+      <command>obconf</command>
+    </action>
+  </item>
+  <item label="Reconfigure">
+    <action name="Reconfigure" />
+  </item>
+  <separator />
+  <item label="Exit">
+    <action name="Exit" />
+  </item>
+</menu>
+
+</openbox_menu>
+
+OBDONE
+##
+
+# turn off firstboot for livecd boots
+echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot
+
+# don't start yum-updatesd for livecd boots
+chkconfig --level 345 yum-updatesd off 2>/dev/null
+
+# don't start cron/at as they tend to spawn things which are
+# disk intensive that are painful on a live image
+chkconfig --level 345 crond off 2>/dev/null
+chkconfig --level 345 atd off 2>/dev/null
+chkconfig --level 345 anacron off 2>/dev/null
+chkconfig --level 345 readahead_early off 2>/dev/null
+chkconfig --level 345 readahead_later off 2>/dev/null
+
+# Stopgap fix for RH #217966; should be fixed in HAL instead
+touch /media/.hal-mtab
+
+# workaround clock syncing on shutdown that we don't want (#297421)
+sed -i -e 's/hwclock/no-such-hwclock/g' /etc/rc.d/init.d/halt
+
+# disable screensaver locking
+gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults -s -t bool /apps/gnome-screensaver/lock_enabled false >/dev/null
+# set up timed auto-login for after 60 seconds
+sed -i -e 's/\[daemon\]/[daemon]\nTimedLoginEnable=true\nTimedLogin=fedora\nTimedLoginDelay=60/' /etc/gdm/custom.conf
+if [ -e /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png ] ; then
+    cp /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png /home/fedora/.face
+    chown fedora:fedora /home/fedora/.face
+    # TODO: would be nice to get e-d-s to pick this one up too... but how?
+fi
+
+EOF
+
+# workaround avahi segfault (#279301)
+touch /etc/resolv.conf
+/sbin/restorecon /etc/resolv.conf
+
+chmod 755 /etc/rc.d/init.d/fedora-live
+/sbin/restorecon /etc/rc.d/init.d/fedora-live
+/sbin/chkconfig --add fedora-live
+
+# save a little bit of space at least...
+rm -f /boot/initrd*
+
+%end
+
+
+%post --nochroot
+cp $INSTALL_ROOT/usr/share/doc/*-release-*/GPL $LIVE_ROOT/GPL
+cp $INSTALL_ROOT/usr/share/doc/HTML/readme-live-image/en_US/readme-live-image-en_US.txt $LIVE_ROOT/README
+%end
diff --git a/spin-livecd.sh b/spin-livecd.sh
deleted file mode 100755
index 725e4e0..0000000
--- a/spin-livecd.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-time livecd-creator \
-    --config=fedora-security-livecd.ks \
-    --fslabel=Fedora7-SecurityLiveCD
-- 
cgit