From c4448979379d1b27da44a8cfd51184a19ec64444 Mon Sep 17 00:00:00 2001
From: Luke Macken
Date: Thu, 4 Sep 2008 01:17:14 -0400
Subject: Add a freshly rebased kickstart file, with a bunch of new packages
---
fedora-live-base.ks | 315 ++++++++++++++++++++++++++++
fedora-livecd-security.ks | 331 ++++++++++++++++++++++++++++++
livecd-fedora-security.ks | 465 ------------------------------------------
livecd-fedora-security.ks.old | 465 ++++++++++++++++++++++++++++++++++++++++++
4 files changed, 1111 insertions(+), 465 deletions(-)
create mode 100644 fedora-live-base.ks
create mode 100644 fedora-livecd-security.ks
delete mode 100644 livecd-fedora-security.ks
create mode 100644 livecd-fedora-security.ks.old
diff --git a/fedora-live-base.ks b/fedora-live-base.ks
new file mode 100644
index 0000000..6f76bf3
--- /dev/null
+++ b/fedora-live-base.ks
@@ -0,0 +1,315 @@ +# fedora-live-base.ks +# +# Defines the basics for all kickstarts in the fedora-live branch +# Does not include package selection (other then mandatory) +# Does not include localization packages or configuration +# +# Does includes "default" language configuration (kickstarts including +# this template can override these settings) + +lang en_US.UTF-8 +keyboard us +timezone US/Eastern +auth --useshadow --enablemd5 +selinux --enforcing +firewall --disabled +xconfig --startxonboot +part / --size 4096 +services --enabled=NetworkManager --disabled=network,sshd + +# To compose against the current release tree, use the following "repo" (enabled by default) +#repo --name=released --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-9&arch=$basearch +# To include updates, use the following "repo" (enabled by default) +#repo --name=updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f9&arch=$basearch + +# To compose against rawhide, use the following "repo" (disabled by default) +repo --name=rawhide --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=$basearch + +# To compose against local trees, (edit and) use: +#repo --name=f9 --baseurl=http://localrepo/fedora/releases/9/Everything/$basearch/os/ +#repo --name=f9-updates --baseurl=http://localrepo/fedora/updates/9/$basearch/ + +%packages +@base-x +@base +@core +@fonts +@admin-tools +@dial-up +@hardware-support +@printing +kernel +memtest86+ +firstaidkit-plugin-all + +# save some space +-specspo +-esc +-samba-client +-a2ps +-mpage +-redhat-lsb +-sox +-hplip +-hpijs +# smartcards won't really work on the livecd. 
+-coolkey +-ccid +# duplicate functionality +-pinfo +-vorbis-tools +-wget +# lose the compat stuff +-compat* + +# qlogic firmwares +-ql2100-firmware +-ql2200-firmware +-ql23xx-firmware +-ql2400-firmware + +# scanning takes quite a bit of space :/ +-xsane +-xsane-gimp +-sane-backends + +# livecd bits to set up the livecd and be able to install +anaconda +isomd5sum + +# make sure debuginfo doesn't end up on the live image +-*debuginfo +%end + +%post +# FIXME: it'd be better to get this installed from a package +cat > /etc/rc.d/init.d/fedora-live << EOF +#!/bin/bash +# +# live: Init script for live image +# +# chkconfig: 345 00 99 +# description: Init script for live image. + +. /etc/init.d/functions + +if ! strstr "\`cat /proc/cmdline\`" liveimg || [ "\$1" != "start" ] || [ -e /.liveimg-configured ] ; then + exit 0 +fi + +exists() { + which \$1 >/dev/null 2>&1 || return + \$* +} + +touch /.liveimg-configured + +# mount live image +if [ -b \`readlink -f /dev/live\` ]; then + mkdir -p /mnt/live + mount -o ro /dev/live /mnt/live +fi + +# enable swaps unless requested otherwise +swaps=\`blkid -t TYPE=swap -o device\` +if ! strstr "\`cat /proc/cmdline\`" noswap && [ -n "\$swaps" ] ; then + for s in \$swaps ; do + action "Enabling swap partition \$s" swapon \$s + done +fi + +mountPersistentHome() { + # support label/uuid + if [ "\${homedev##LABEL=}" != "\${homedev}" -o "\${homedev##UUID=}" != "\${homedev}" ]; then + homedev=\`/sbin/blkid -o device -t "\$homedev"\` + fi + + # if we're given a file rather than a blockdev, loopback it + if [ ! 
-b "\$homedev" ]; then + loopdev=\`losetup -f\` + if [ "\${homedev##/mnt/live}" != "\${homedev}" ]; then + action "Remounting live store r/w" mount -o remount,rw /mnt/live + fi + losetup \$loopdev \$homedev + homedev=\$loopdev + fi + + # if it's encrypted, we need to unlock it + if [ "\$(/lib/udev/vol_id -t \$homedev)" = "crypto_LUKS" ]; then + echo + echo "Setting up encrypted /home device" + plymouth ask-for-password --command="cryptsetup luksOpen \$homedev EncHome" + homedev=/dev/mapper/EncHome + fi + + # and finally do the mount + mount \$homedev /home + [ -x /sbin/restorecon ] && /sbin/restorecon /home + if [ -d /home/fedora ]; then USERADDARGS="-M" ; fi +} + +findPersistentHome() { + for arg in \`cat /proc/cmdline\` ; do + if [ "\${arg##persistenthome=}" != "\${arg}" ]; then + homedev=\${arg##persistenthome=} + return + fi + done +} + +if strstr "\`cat /proc/cmdline\`" persistenthome= ; then + findPersistentHome +elif [ -e /mnt/live/LiveOS/home.img ]; then + homedev=/mnt/live/LiveOS/home.img +fi + +# if we have a persistent /home, then we want to go ahead and mount it +if ! 
strstr "\`cat /proc/cmdline\`" nopersistenthome && [ -n "\$homedev" ] ; then + action "Mounting persistent /home" mountPersistentHome +fi + +# add fedora user with no passwd +action "Adding fedora user" useradd \$USERADDARGS -c "Fedora Live" fedora +passwd -d fedora > /dev/null + +# turn off firstboot for livecd boots +chkconfig --level 345 firstboot off 2>/dev/null + +# don't start yum-updatesd for livecd boots +chkconfig --level 345 yum-updatesd off 2>/dev/null + +# don't do packagekit checking by default +gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults -s -t string /apps/gnome-packagekit/frequency_get_updates never >/dev/null +gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults -s -t string /apps/gnome-packagekit/frequency_refresh_cache never >/dev/null +gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults -s -t bool /apps/gnome-packagekit/notify_available false >/dev/null + +# apparently, the gconf keys aren't enough +mkdir -p /home/fedora/.config/autostart +echo "X-GNOME-Autostart-enabled=false" >> /home/fedora/.config/autostart/gpk-update-icon.desktop +chown -R fedora:fedora /home/fedora/.config + + + +# don't start cron/at as they tend to spawn things which are +# disk intensive that are painful on a live image +chkconfig --level 345 crond off 2>/dev/null +chkconfig --level 345 atd off 2>/dev/null +chkconfig --level 345 anacron off 2>/dev/null +chkconfig --level 345 readahead_early off 2>/dev/null +chkconfig --level 345 readahead_later off 2>/dev/null + +# make it so that we don't do writing to the overlay for things which +# are just tmpdirs/caches +mount -t tmpfs varcacheyum /var/cache/yum +mount -t tmpfs tmp /tmp +mount -t tmpfs vartmp /var/tmp +[ -x /sbin/restorecon ] && /sbin/restorecon /var/cache/yum /tmp /var/tmp >/dev/null 2>&1 + +# Stopgap fix for RH #217966; should be fixed in HAL instead +touch /media/.hal-mtab + +# workaround clock syncing on shutdown that 
we don't want (#297421) +sed -i -e 's/hwclock/no-such-hwclock/g' /etc/rc.d/init.d/halt + +# and hack so that we eject the cd on shutdown if we're using a CD... +if strstr "\`cat /proc/cmdline\`" CDLABEL= ; then + cat >> /sbin/halt.local << FOE +#!/bin/bash +# we want to eject the cd on halt, but let's also try to avoid +# io errors due to not being able to get files... +cat /sbin/halt > /dev/null +cat /sbin/reboot > /dev/null +/usr/sbin/eject -p -m \$(readlink -f /dev/live) >/dev/null 2>&1 +FOE +chmod +x /sbin/halt.local +fi + +EOF + +# bah, hal starts way too late +cat > /etc/rc.d/init.d/fedora-late-live << EOF +#!/bin/bash +# +# live: Late init script for live image +# +# chkconfig: 345 99 01 +# description: Late init script for live image. + +. /etc/init.d/functions + +if ! strstr "\`cat /proc/cmdline\`" liveimg || [ "\$1" != "start" ] || [ -e /.liveimg-late-configured ] ; then + exit 0 +fi + +exists() { + which \$1 >/dev/null 2>&1 || return + \$* +} + +touch /.liveimg-late-configured + +# read some variables out of /proc/cmdline +for o in \`cat /proc/cmdline\` ; do + case \$o in + ks=*) + ks="\${o#ks=}" + ;; + xdriver=*) + xdriver="--set-driver=\${o#xdriver=}" + ;; + esac +done + + +# if liveinst or textinst is given, start anaconda +if strstr "\`cat /proc/cmdline\`" liveinst ; then + /usr/sbin/liveinst \$ks +fi +if strstr "\`cat /proc/cmdline\`" textinst ; then + /usr/sbin/liveinst --text \$ks +fi + +# configure X, allowing user to override xdriver +if [ -n "\$xdriver" ]; then + exists system-config-display --noui --reconfig --set-depth=24 \$xdriver +fi + +EOF + +# workaround avahi segfault (#279301) +touch /etc/resolv.conf +/sbin/restorecon /etc/resolv.conf + +chmod 755 /etc/rc.d/init.d/fedora-live +/sbin/restorecon /etc/rc.d/init.d/fedora-live +/sbin/chkconfig --add fedora-live + +chmod 755 /etc/rc.d/init.d/fedora-late-live +/sbin/restorecon /etc/rc.d/init.d/fedora-late-live +/sbin/chkconfig --add fedora-late-live + +# work around for poor key import UI in 
PackageKit +rm -f /var/lib/rpm/__db* +rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora + +# go ahead and pre-make the man -k cache (#455968) +/usr/sbin/makewhatis -w + +# save a little bit of space at least... +rm -f /boot/initrd* +# make sure there aren't core files lying around +rm -f /core* + +%end + + +%post --nochroot +cp $INSTALL_ROOT/usr/share/doc/*-release-*/GPL $LIVE_ROOT/GPL +cp $INSTALL_ROOT/usr/share/doc/HTML/readme-live-image/en_US/readme-live-image-en_US.txt $LIVE_ROOT/README + +# only works on x86, x86_64 +if [ "$(uname -i)" = "i386" -o "$(uname -i)" = "x86_64" ]; then + if [ ! -d $LIVE_ROOT/LiveOS ]; then mkdir -p $LIVE_ROOT/LiveOS ; fi + cp /usr/bin/livecd-iso-to-disk $LIVE_ROOT/LiveOS +fi +%end diff --git a/fedora-livecd-security.ks b/fedora-livecd-security.ks new file mode 100644 index 0000000..333e05b --- /dev/null +++ b/fedora-livecd-security.ks 
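Review bot: `homedev` is filled from the `persistenthome=` boot argument in `findPersistentHome` and then expanded unquoted throughout `mountPersistentHome`, so a value containing whitespace or glob characters is word-split before `losetup`, `vol_id` and `mount` see it. Quote the expansions in the generated init script, e.g. `losetup "\$loopdev" "\$homedev"` and `mount "\$homedev" /home`. The same value is also interpolated into the `--command="cryptsetup luksOpen \$homedev EncHome"` string handed to plymouth, which presumably re-parses it, so checking that `homedev` resolves to a block device or regular file before that call would be the safer guard. A short comment above `findPersistentHome` stating that the kernel command line is treated as operator-controlled input would document the assumption.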
@@ -0,0 +1,331 @@ +# Filename: +# fedora-livecd-security.ks +# Description: +# A fully functional live OS based on Fedora for use in security auditing, forensics research, and penetration testing. +# Maintainers: +# Luke Macken +# Acknowledgements: + +%include fedora-live-base.ks + +# --enforcing once rawhide is less broke +selinux --permissive + +firewall --enabled +bootloader --append noswap + +%packages + +# remove trademarks +-fedora-logos +generic-logos + +gparted +aide +aircrack-ng +airsnort +argus +chkrootkit +clamav +dd_rescue +hexedit +hping3 +john +kismet +lsof +nbtscan +nessus-client +nessus-gui +nessus-server +nc +nc6 +ngrep +nmap +nmap-frontend +p0f +pscan +rats +rkhunter +scanmem +scanssh +sectool-gui +snort +socat +splint +tcpdump +testdisk +tiger +tripwire +wireshark-gnome +xprobe2 +tcpxtract +ettercap +ettercap-gtk +nbtscan +halberd +hunt +firewalk +foremost +iptraf +tor +flawfinder +dsniff +pcapdiff + +pads +ntop +honeyd +picviz +#inetiviz not yet available +etherape +prewikka +prelude-notify +prelude-manager +prelude-lml + +# Other necessary components +screen +openbox +obconf +obmenu +desktop-backgrounds-basic +feh +vim-enhanced +gnome-terminal +gnome-menus + +# make sure debuginfo doesn't end up on the live image +-*debuginfo + +%end + +%post + +# remove trademarks +sed -i -e 's/Fedora/Generic/g' /etc/fedora-release + +# useful stuff +echo "alias grep='grep --color'" >> /home/fedora/.bashrc + +# create /etc/sysconfig/desktop (needed for installation) +cat > /etc/sysconfig/desktop <> /etc/rc.d/init.d/fedora-live << EOF + +#if [ -e /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png ] ; then + # use image also for kdm +# mkdir -p /usr/share/apps/kdm/faces +# cp /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png /usr/share/apps/kdm/faces/fedora.face.icon +#fi + +# openbox configuration +echo "openbox-session" > /home/fedora/.xsession +chmod a+x /home/fedora/.xsession +chown fedora:fedora /home/fedora/.xsession + +mkdir -p 
/home/fedora/.config/openbox +cat >> /home/fedora/.config/openbox/autostart.sh << OBDONE + +# Run the system-wide support stuff +. /etc/xdg/openbox/autostart.sh + +OBDONE + +# rc.xml +cp /etc/xdg/openbox/rc.xml /home/fedora/.config/openbox +sed -i -e 's/Clearlooks/Onyx/' /home/fedora/.config/openbox/rc.xml + +# menu.xml +cat >> /home/fedora/.config/openbox/menu.xml << OBDONE + + + + + + + gnome-terminal -e "su -c ettercap-gtk" + + + gnome-terminal -e "sh -c 'hping3; bash'" + + + gnome-terminal -e "sh -c 'nc6 -h; bash'" + + + gnome-terminal -e "sh -c 'nc; bash'" + + + gnome-terminal -e "sh -c 'ngrep -h; bash'" + + + gnome-terminal -e "sh -c 'nessus; bash'" + + + gnome-terminal -e "sh -c 'nmap; bash'" + + + gnome-terminal -e "sh -c 'p0f -h; bash'" + + + gnome-terminal -e "sh -c 'scanssh; bash'" + + + gnome-terminal -e "sh -c 'socat; bash'" + + + gnome-terminal -e "sh -c 'tcpdump -h; bash'" + + + gnome-terminal -e "sh -c 'tiger; bash'" + + + gnome-terminal -e "sh -c 'wireshark; bash'" + + + gnome-terminal -e "sh -c 'xprobe2; bash'" + + + gnome-terminal -e "sh -c 'nbtscan; bash'" + + + gnome-terminal -e "sh -c 'tcpxtract; bash'" + + + gnome-terminal -e "sh -c 'firewalk; bash'" + + + gnome-terminal -e "sh -c 'hunt; bash'" + + + gnome-terminal -e "sh -c 'halberd; bash'" + + + + + + gnome-terminal -e "sh -c 'chkrootkit; bash'" + + + gnome-terminal -e "sh -c 'clamscan; bash'" + + + gnome-terminal -e "sh -c 'dd_rescue; bash'" + + + gnome-terminal -e "sh -c 'gparted; bash'" + + + gnome-terminal -e "sh -c 'hexedit; bash'" + + + gnome-terminal -e "sh -c 'prelude; bash'" + + + gnome-terminal -e "sh -c 'testdisk; bash'" + + + gnome-terminal -e "sh -c 'foremost; bash'" + + + + + + gnome-terminal -e "sh -c 'aircrack-ng; bash'" + + + airsnort + + + kismet + + + dsniff + + + + + + gnome-terminal -e "sh -c 'pscan; bash'" + + + gnome-terminal -e "sh -c 'splint; bash'" + + + gnome-terminal -e "sh -c 'flawfinder; bash'" + + + + + + gnome-terminal -e "sh -c 'aide; bash'" + + + 
gnome-terminal -e "sh -c 'snort; bash'" + + + gnome-terminal -e "sh -c 'tripwire --help; bash'" + + + + + + gnome-terminal -e "sh -c 'john; bash'" + + + + + + + + + + + + + + + gnome-terminal + + + + + firefox + + + + + + + liveinst + + + + + + + + yesopenbox + obconf + + + + + + + + + + + + + +OBDONE + +# workaround to start nm-applet automatically +#cp /etc/xdg/autostart/nm-applet.desktop /usr/share/autostart/ + +%end diff --git a/livecd-fedora-security.ks b/livecd-fedora-security.ks deleted file mode 100644 index a6fa0c5..0000000 --- a/livecd-fedora-security.ks +++ /dev/null 
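Review bot: The `echo "alias grep='grep --color'" >> /home/fedora/.bashrc` line under `# useful stuff` runs directly in `%post` at image-build time, but the `fedora` account and its home directory are only created at boot by the `useradd` call in the `fedora-live` init script from fedora-live-base.ks, so this redirect most likely fails and the alias is never installed. Moving that line into the block appended with `cat >> /etc/rc.d/init.d/fedora-live << EOF` (where the `.xsession` and openbox files are written) would make it run after the user exists. As far as this rendering shows, that appended here-document also has no closing `EOF` before `%end`, so the shell would only end it at end-of-script; add an explicit `EOF` line after the final `OBDONE`. Part of the hunk around `/etc/sysconfig/desktop` is garbled in this view, so both points should be checked against the actual file.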
@@ -1,465 +0,0 @@ -lang en_US.UTF-8 -keyboard us -timezone US/Eastern -auth --useshadow --enablemd5 -selinux --enforcing -firewall --enabled -xconfig --startxonboot -part / --size 1792 -services --enabled=network,NetworkManager --disabled=network,sshd,cups,snortd,sendmail,avahi-daemon,bluetooth,firstboot,isdn,netfs,nfslock,rpcbind,rpcgssd - -repo --name="rawhide" --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=i386 -#repo --name="Fedora 9" --baseurl=http://download.boston.redhat.com/pub/fedora/linux/releases/9/Everything/i386/os/ -#repo --name="Fedora 9 Updates" --baseurl=http://download.boston.redhat.com/pub/fedora/linux/updates/9/i386/ - - -%packages -@core -@base-x -@base -@dial-up -@hardware-support -kernel -memtest86+ -bash -passwd -policycoreutils -chkconfig -authconfig -rootfiles - -# save some space --specspo --esc --samba-client --a2ps --mpage --redhat-lsb --sox --hplip --hpijs -# smartcards won't really work on the livecd. --coolkey --ccid -# duplicate functionality --pinfo --vorbis-tools -# lose the compat stuff --compat* - -# scanning takes quite a bit of space :/ --xsane --xsane-gimp --sane-backends - -# dictionaries are big --aspell-* --man-pages-* --scim-tables-* --wqy-bitmap-fonts --dejavu-fonts-experimental --dejavu-fonts - -# more fun with space saving --scim-lang-chinese -scim-chewing -scim-pinyin - -# save some space --gnome-user-docs --gimp-help --anacron --avahi* --autofs --metacity --sendmail --gnome-desktop --gnome-panel --gnome-pilot --evolution --vino --system-config-network --system-config-language - -firefox - -# lots of people want to have this -gparted - -# livecd bits to set up the livecd and be able to install -anaconda -isomd5sum - -# security tools -aide -aircrack-ng -airsnort -argus -chkrootkit -clamav -dd_rescue -hexedit -hping3 -john -kismet -lsof -nbtscan -nessus-client -nessus-gui -nessus-server -nc -nc6 -ngrep -nmap -nmap-frontend -p0f -pscan -rats -rkhunter -scanmem -scanssh -sectool-gui -snort 
-socat -splint -tcpdump -testdisk -tiger -tripwire -wireshark-gnome -xprobe2 -tcpxtract -ettercap -ettercap-gtk -nbtscan -halberd -hunt -firewalk -foremost -iptraf -tor -flawfinder -dsniff -pcapdiff - -# Other useful stuff -screen -openbox -obconf -obmenu -desktop-backgrounds-basic -feh -vim-enhanced -gnome-terminal -gnome-menus -etherape - -# make sure debuginfo doesn't end up on the live image --*debuginfo - -%end - -%post -# FIXME: it'd be better to get this installed from a package -cat > /etc/rc.d/init.d/fedora-live << EOF -#!/bin/bash -# -# live: Init script for live image -# -# chkconfig: 345 00 99 -# description: Init script for live image. - -. /etc/init.d/functions - -if ! strstr "\`cat /proc/cmdline\`" liveimg || [ "\$1" != "start" ] || [ -e /.liveimg-configured ] ; then - exit 0 -fi - -exists() { - which \$1 >/dev/null 2>&1 || return - \$* -} - -touch /.liveimg-configured - -# mount live image -if [ -b /dev/live ]; then - mkdir -p /mnt/live - mount -o ro /dev/live /mnt/live -fi - -# configure X, allowing user to override xdriver -for o in \`cat /proc/cmdline\` ; do - case \$o in - xdriver=*) - xdriver="--set-driver=\${o#xdriver=}" - ;; - esac -done - -exists system-config-display --noui --reconfig --set-depth=24 \$xdriver - -# add fedora user with no passwd -useradd -c "Fedora Security" fedora -usermod -G wheel fedora -passwd -d fedora > /dev/null - -echo 'export PATH=$PATH:/sbin:/usr/sbin' >> /home/fedora/.bashrc - -# Hilight grep results - man dir_color for more colors -echo "alias grep='grep --color'" >> /home/fedora/.bashrc -echo "export GREP_COLOR='1;31'" >> /home/fedora/.bashrc - -## -## openbox configuration -## -echo "openbox-session" > /home/fedora/.xsession -chmod a+x /home/fedora/.xsession -chown fedora:fedora /home/fedora/.xsession - -mkdir -p /home/fedora/.config/openbox -cat >> /home/fedora/.config/openbox/autostart.sh << OBDONE - -# Run the system-wide support stuff -. 
/etc/xdg/openbox/autostart.sh - -OBDONE - -# rc.xml -cp /etc/xdg/openbox/rc.xml /home/fedora/.config/openbox -sed -i -e 's/Clearlooks/Onyx/' /home/fedora/.config/openbox/rc.xml - -# menu.xml -cat >> /home/fedora/.config/openbox/menu.xml << OBDONE - - - - - - - gnome-terminal -e "su -c ettercap-gtk" - - - gnome-terminal -e "sh -c 'hping3; bash'" - - - gnome-terminal -e "sh -c 'nc6 -h; bash'" - - - gnome-terminal -e "sh -c 'nc; bash'" - - - gnome-terminal -e "sh -c 'ngrep -h; bash'" - - - gnome-terminal -e "sh -c 'nessus; bash'" - - - gnome-terminal -e "sh -c 'nmap; bash'" - - - gnome-terminal -e "sh -c 'p0f -h; bash'" - - - gnome-terminal -e "sh -c 'scanssh; bash'" - - - gnome-terminal -e "sh -c 'socat; bash'" - - - gnome-terminal -e "sh -c 'tcpdump -h; bash'" - - - gnome-terminal -e "sh -c 'tiger; bash'" - - - gnome-terminal -e "sh -c 'wireshark; bash'" - - - gnome-terminal -e "sh -c 'xprobe2; bash'" - - - gnome-terminal -e "sh -c 'nbtscan; bash'" - - - gnome-terminal -e "sh -c 'tcpxtract; bash'" - - - gnome-terminal -e "sh -c 'firewalk; bash'" - - - gnome-terminal -e "sh -c 'hunt; bash'" - - - gnome-terminal -e "sh -c 'halberd; bash'" - - - - - - gnome-terminal -e "sh -c 'chkrootkit; bash'" - - - gnome-terminal -e "sh -c 'clamscan; bash'" - - - gnome-terminal -e "sh -c 'dd_rescue; bash'" - - - gnome-terminal -e "sh -c 'gparted; bash'" - - - gnome-terminal -e "sh -c 'hexedit; bash'" - - - gnome-terminal -e "sh -c 'prelude; bash'" - - - gnome-terminal -e "sh -c 'testdisk; bash'" - - - gnome-terminal -e "sh -c 'foremost; bash'" - - - - - - gnome-terminal -e "sh -c 'aircrack-ng; bash'" - - - airsnort - - - kismet - - - dsniff - - - - - - gnome-terminal -e "sh -c 'pscan; bash'" - - - gnome-terminal -e "sh -c 'splint; bash'" - - - gnome-terminal -e "sh -c 'flawfinder; bash'" - - - - - - gnome-terminal -e "sh -c 'aide; bash'" - - - gnome-terminal -e "sh -c 'snort; bash'" - - - gnome-terminal -e "sh -c 'tripwire --help; bash'" - - - - - - gnome-terminal -e "sh -c 'john; 
bash'" - - - - - - - - - - - - - - - gnome-terminal - - - - - firefox - - - - - - - liveinst - - - - - - - - yesopenbox - obconf - - - - - - - - - - - - - -OBDONE -## - -# turn off firstboot for livecd boots -echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot - -# don't start yum-updatesd for livecd boots -chkconfig --level 345 yum-updatesd off 2>/dev/null - -# don't start cron/at as they tend to spawn things which are -# disk intensive that are painful on a live image -chkconfig --level 345 crond off 2>/dev/null -chkconfig --level 345 atd off 2>/dev/null -chkconfig --level 345 anacron off 2>/dev/null -chkconfig --level 345 readahead_early off 2>/dev/null -chkconfig --level 345 readahead_later off 2>/dev/null -chkconfig --level 345 exim off 2>/dev/null - -# Stopgap fix for RH #217966; should be fixed in HAL instead -touch /media/.hal-mtab - -# workaround clock syncing on shutdown that we don't want (#297421) -sed -i -e 's/hwclock/no-such-hwclock/g' /etc/rc.d/init.d/halt - -# disable screensaver locking -gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults -s -t bool /apps/gnome-screensaver/lock_enabled false >/dev/null -# set up timed auto-login for after 60 seconds -sed -i -e 's/\[daemon\]/[daemon]\nTimedLoginEnable=true\nTimedLogin=fedora\nTimedLoginDelay=60/' /etc/gdm/custom.conf -if [ -e /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png ] ; then - cp /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png /home/fedora/.face - chown fedora:fedora /home/fedora/.face - # TODO: would be nice to get e-d-s to pick this one up too... but how? -fi - -EOF - -chmod 755 /etc/rc.d/init.d/fedora-live -/sbin/restorecon /etc/rc.d/init.d/fedora-live -/sbin/chkconfig --add fedora-live - -# save a little bit of space at least... 
-rm -f /boot/initrd* - -%end - - -%post --nochroot -cp $INSTALL_ROOT/usr/share/doc/*-release-*/GPL $LIVE_ROOT/GPL -cp $INSTALL_ROOT/usr/share/doc/HTML/readme-live-image/en_US/readme-live-image-en_US.txt $LIVE_ROOT/README -%end diff --git a/livecd-fedora-security.ks.old b/livecd-fedora-security.ks.old new file mode 100644 index 0000000..a6fa0c5 --- /dev/null +++ b/livecd-fedora-security.ks.old 
@@ -0,0 +1,465 @@ +lang en_US.UTF-8 +keyboard us +timezone US/Eastern +auth --useshadow --enablemd5 +selinux --enforcing +firewall --enabled +xconfig --startxonboot +part / --size 1792 +services --enabled=network,NetworkManager --disabled=network,sshd,cups,snortd,sendmail,avahi-daemon,bluetooth,firstboot,isdn,netfs,nfslock,rpcbind,rpcgssd + +repo --name="rawhide" --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=i386 +#repo --name="Fedora 9" --baseurl=http://download.boston.redhat.com/pub/fedora/linux/releases/9/Everything/i386/os/ +#repo --name="Fedora 9 Updates" --baseurl=http://download.boston.redhat.com/pub/fedora/linux/updates/9/i386/ + + +%packages +@core +@base-x +@base +@dial-up +@hardware-support +kernel +memtest86+ +bash +passwd +policycoreutils +chkconfig +authconfig +rootfiles + +# save some space +-specspo +-esc +-samba-client +-a2ps +-mpage +-redhat-lsb +-sox +-hplip +-hpijs +# smartcards won't really work on the livecd. +-coolkey +-ccid +# duplicate functionality +-pinfo +-vorbis-tools +# lose the compat stuff +-compat* + +# scanning takes quite a bit of space :/ +-xsane +-xsane-gimp +-sane-backends + +# dictionaries are big +-aspell-* +-man-pages-* +-scim-tables-* +-wqy-bitmap-fonts +-dejavu-fonts-experimental +-dejavu-fonts + +# more fun with space saving +-scim-lang-chinese +scim-chewing +scim-pinyin + +# save some space +-gnome-user-docs +-gimp-help +-anacron +-avahi* +-autofs +-metacity +-sendmail +-gnome-desktop +-gnome-panel +-gnome-pilot +-evolution +-vino +-system-config-network +-system-config-language + +firefox + +# lots of people want to have this +gparted + +# livecd bits to set up the livecd and be able to install +anaconda +isomd5sum + +# security tools +aide +aircrack-ng +airsnort +argus +chkrootkit +clamav +dd_rescue +hexedit +hping3 +john +kismet +lsof +nbtscan +nessus-client +nessus-gui +nessus-server +nc +nc6 +ngrep +nmap +nmap-frontend +p0f +pscan +rats +rkhunter +scanmem +scanssh +sectool-gui +snort 
+socat +splint +tcpdump +testdisk +tiger +tripwire +wireshark-gnome +xprobe2 +tcpxtract +ettercap +ettercap-gtk +nbtscan +halberd +hunt +firewalk +foremost +iptraf +tor +flawfinder +dsniff +pcapdiff + +# Other useful stuff +screen +openbox +obconf +obmenu +desktop-backgrounds-basic +feh +vim-enhanced +gnome-terminal +gnome-menus +etherape + +# make sure debuginfo doesn't end up on the live image +-*debuginfo + +%end + +%post +# FIXME: it'd be better to get this installed from a package +cat > /etc/rc.d/init.d/fedora-live << EOF +#!/bin/bash +# +# live: Init script for live image +# +# chkconfig: 345 00 99 +# description: Init script for live image. + +. /etc/init.d/functions + +if ! strstr "\`cat /proc/cmdline\`" liveimg || [ "\$1" != "start" ] || [ -e /.liveimg-configured ] ; then + exit 0 +fi + +exists() { + which \$1 >/dev/null 2>&1 || return + \$* +} + +touch /.liveimg-configured + +# mount live image +if [ -b /dev/live ]; then + mkdir -p /mnt/live + mount -o ro /dev/live /mnt/live +fi + +# configure X, allowing user to override xdriver +for o in \`cat /proc/cmdline\` ; do + case \$o in + xdriver=*) + xdriver="--set-driver=\${o#xdriver=}" + ;; + esac +done + +exists system-config-display --noui --reconfig --set-depth=24 \$xdriver + +# add fedora user with no passwd +useradd -c "Fedora Security" fedora +usermod -G wheel fedora +passwd -d fedora > /dev/null + +echo 'export PATH=$PATH:/sbin:/usr/sbin' >> /home/fedora/.bashrc + +# Hilight grep results - man dir_color for more colors +echo "alias grep='grep --color'" >> /home/fedora/.bashrc +echo "export GREP_COLOR='1;31'" >> /home/fedora/.bashrc + +## +## openbox configuration +## +echo "openbox-session" > /home/fedora/.xsession +chmod a+x /home/fedora/.xsession +chown fedora:fedora /home/fedora/.xsession + +mkdir -p /home/fedora/.config/openbox +cat >> /home/fedora/.config/openbox/autostart.sh << OBDONE + +# Run the system-wide support stuff +. 
/etc/xdg/openbox/autostart.sh + +OBDONE + +# rc.xml +cp /etc/xdg/openbox/rc.xml /home/fedora/.config/openbox +sed -i -e 's/Clearlooks/Onyx/' /home/fedora/.config/openbox/rc.xml + +# menu.xml +cat >> /home/fedora/.config/openbox/menu.xml << OBDONE + + + + + + + gnome-terminal -e "su -c ettercap-gtk" + + + gnome-terminal -e "sh -c 'hping3; bash'" + + + gnome-terminal -e "sh -c 'nc6 -h; bash'" + + + gnome-terminal -e "sh -c 'nc; bash'" + + + gnome-terminal -e "sh -c 'ngrep -h; bash'" + + + gnome-terminal -e "sh -c 'nessus; bash'" + + + gnome-terminal -e "sh -c 'nmap; bash'" + + + gnome-terminal -e "sh -c 'p0f -h; bash'" + + + gnome-terminal -e "sh -c 'scanssh; bash'" + + + gnome-terminal -e "sh -c 'socat; bash'" + + + gnome-terminal -e "sh -c 'tcpdump -h; bash'" + + + gnome-terminal -e "sh -c 'tiger; bash'" + + + gnome-terminal -e "sh -c 'wireshark; bash'" + + + gnome-terminal -e "sh -c 'xprobe2; bash'" + + + gnome-terminal -e "sh -c 'nbtscan; bash'" + + + gnome-terminal -e "sh -c 'tcpxtract; bash'" + + + gnome-terminal -e "sh -c 'firewalk; bash'" + + + gnome-terminal -e "sh -c 'hunt; bash'" + + + gnome-terminal -e "sh -c 'halberd; bash'" + + + + + + gnome-terminal -e "sh -c 'chkrootkit; bash'" + + + gnome-terminal -e "sh -c 'clamscan; bash'" + + + gnome-terminal -e "sh -c 'dd_rescue; bash'" + + + gnome-terminal -e "sh -c 'gparted; bash'" + + + gnome-terminal -e "sh -c 'hexedit; bash'" + + + gnome-terminal -e "sh -c 'prelude; bash'" + + + gnome-terminal -e "sh -c 'testdisk; bash'" + + + gnome-terminal -e "sh -c 'foremost; bash'" + + + + + + gnome-terminal -e "sh -c 'aircrack-ng; bash'" + + + airsnort + + + kismet + + + dsniff + + + + + + gnome-terminal -e "sh -c 'pscan; bash'" + + + gnome-terminal -e "sh -c 'splint; bash'" + + + gnome-terminal -e "sh -c 'flawfinder; bash'" + + + + + + gnome-terminal -e "sh -c 'aide; bash'" + + + gnome-terminal -e "sh -c 'snort; bash'" + + + gnome-terminal -e "sh -c 'tripwire --help; bash'" + + + + + + gnome-terminal -e "sh -c 'john; 
bash'" + + + + + + + + + + + + + + + gnome-terminal + + + + + firefox + + + + + + + liveinst + + + + + + + + yesopenbox + obconf + + + + + + + + + + + + + +OBDONE +## + +# turn off firstboot for livecd boots +echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot + +# don't start yum-updatesd for livecd boots +chkconfig --level 345 yum-updatesd off 2>/dev/null + +# don't start cron/at as they tend to spawn things which are +# disk intensive that are painful on a live image +chkconfig --level 345 crond off 2>/dev/null +chkconfig --level 345 atd off 2>/dev/null +chkconfig --level 345 anacron off 2>/dev/null +chkconfig --level 345 readahead_early off 2>/dev/null +chkconfig --level 345 readahead_later off 2>/dev/null +chkconfig --level 345 exim off 2>/dev/null + +# Stopgap fix for RH #217966; should be fixed in HAL instead +touch /media/.hal-mtab + +# workaround clock syncing on shutdown that we don't want (#297421) +sed -i -e 's/hwclock/no-such-hwclock/g' /etc/rc.d/init.d/halt + +# disable screensaver locking +gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults -s -t bool /apps/gnome-screensaver/lock_enabled false >/dev/null +# set up timed auto-login for after 60 seconds +sed -i -e 's/\[daemon\]/[daemon]\nTimedLoginEnable=true\nTimedLogin=fedora\nTimedLoginDelay=60/' /etc/gdm/custom.conf +if [ -e /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png ] ; then + cp /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png /home/fedora/.face + chown fedora:fedora /home/fedora/.face + # TODO: would be nice to get e-d-s to pick this one up too... but how? +fi + +EOF + +chmod 755 /etc/rc.d/init.d/fedora-live +/sbin/restorecon /etc/rc.d/init.d/fedora-live +/sbin/chkconfig --add fedora-live + +# save a little bit of space at least... 
+rm -f /boot/initrd* + +%end + + +%post --nochroot +cp $INSTALL_ROOT/usr/share/doc/*-release-*/GPL $LIVE_ROOT/GPL +cp $INSTALL_ROOT/usr/share/doc/HTML/readme-live-image/en_US/readme-live-image-en_US.txt $LIVE_ROOT/README +%end -- cgit