From 0bc20d26c0bfffaf3bd7bfad22c1950ba53e74b7 Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken@fedoraproject.org>
Date: Thu, 25 Oct 2007 11:41:05 -0400
Subject: Rebase against minimal livecd configuration, and use a tricked-out
 openbox by default

---
 livecd-fedora-security.ks | 462 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 462 insertions(+)
 create mode 100644 livecd-fedora-security.ks

(limited to 'livecd-fedora-security.ks')

diff --git a/livecd-fedora-security.ks b/livecd-fedora-security.ks
new file mode 100644
index 0000000..0b5aa29
--- /dev/null
+++ b/livecd-fedora-security.ks
@@ -0,0 +1,462 @@
+lang en_US.UTF-8
+keyboard us
+timezone US/Eastern
+auth --useshadow --enablemd5
+selinux --enforcing
+firewall --enabled
+xconfig --startxonboot
+part / --size 1792
+services --enabled=NetworkManager --disabled=network,sshd,cups,snortd,sendmail,avahi-daemon,bluetooth,firstboot,isdn,netfs,nfslock,rpcbind,rpcgssd
+repo --name=development --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=i386
+
+%packages
+@core
+@base-x
+@base
+@core
+@admin-tools
+@dial-up
+@hardware-support
+@graphical-internet
+kernel
+memtest86+
+bash
+passwd
+policycoreutils
+chkconfig
+authconfig
+rootfiles
+
+# save some space
+-specspo
+-esc
+-samba-client
+-a2ps
+-mpage
+-redhat-lsb
+-sox
+-hplip
+-hpijs
+# smartcards won't really work on the livecd.  
+-coolkey
+-ccid
+# duplicate functionality
+-pinfo
+-vorbis-tools
+-wget
+# lose the compat stuff
+-compat*
+
+# scanning takes quite a bit of space :/
+-xsane
+-xsane-gimp
+-sane-backends
+
+# dictionaries are big
+-aspell-*
+-man-pages-*
+-scim-tables-*
+-wqy-bitmap-fonts
+-dejavu-fonts-experimental
+-dejavu-fonts
+
+# more fun with space saving 
+-scim-lang-chinese
+scim-chewing
+scim-pinyin
+
+# save some space
+-gnome-user-docs
+-gimp-help
+-evolution-help
+-autofs
+-vino
+
+# lots of people want to have this
+gparted
+
+# livecd bits to set up the livecd and be able to install
+anaconda
+isomd5sum
+
+# security tools
+aide
+aircrack-ng
+airsnort
+chkrootkit
+clamav
+dd_rescue
+hexedit
+hping3
+john
+kismet
+lsof
+nessus-client
+nessus-gui
+nessus-server
+nc
+nc6
+ngrep
+nmap
+p0f
+pscan
+scanssh
+snort
+socat
+splint
+tcpdump
+testdisk
+tiger
+tripwire
+wireshark-gnome
+xprobe2
+tcpxtract
+ettercap
+nbtscan
+halberd
+hunt
+firewalk
+foremost
+iptraf
+tor
+
+# Other useful stuff
+screen
+openbox
+obconf
+obmenu
+desktop-backgrounds-basic
+feh
+vim-enhanced
+gnome-terminal
+gnome-menus
+
+# make sure debuginfo doesn't end up on the live image
+-*debuginfo
+
+%end
+
+%post
+# FIXME: it'd be better to get this installed from a package
+cat > /etc/rc.d/init.d/fedora-live << EOF
+#!/bin/bash
+#
+# live: Init script for live image
+#
+# chkconfig: 345 00 99
+# description: Init script for live image.
+
+. /etc/init.d/functions
+
+if ! strstr "\`cat /proc/cmdline\`" liveimg || [ "\$1" != "start" ] || [ -e /.liveimg-configured ] ; then
+    exit 0
+fi
+
+exists() {
+    which \$1 >/dev/null 2>&1 || return
+    \$*
+}
+
+touch /.liveimg-configured
+
+# mount live image
+if [ -b /dev/live ]; then
+   mkdir -p /mnt/live
+   mount -o ro /dev/live /mnt/live
+fi
+
+# enable swaps unless requested otherwise
+swaps=\`blkid -t TYPE=swap -o device\`
+if ! strstr "\`cat /proc/cmdline\`" noswap -a [ -n "\$swaps" ] ; then
+  for s in \$swaps ; do
+    action "Enabling swap partition \$s" swapon \$s
+  done
+fi
+
+# configure X, allowing user to override xdriver
+for o in \`cat /proc/cmdline\` ; do
+    case \$o in
+    xdriver=*)
+        xdriver="--set-driver=\${o#xdriver=}"
+        ;;
+    esac
+done
+
+exists system-config-display --noui --reconfig --set-depth=24 \$xdriver
+
+# add fedora user with no passwd
+useradd -c "Fedora Live" fedora
+passwd -d fedora > /dev/null
+
+echo 'export PATH=$PATH:/sbin:/usr/sbin' >> /home/fedora/.bashrc
+
+##
+## openbox configuration
+##
+echo "openbox-session" > /home/fedora/.xsession
+chmod a+x /home/fedora/.xsession
+chown fedora:fedora /home/fedora/.xsession
+
+mkdir -p /home/fedora/.config/openbox
+cat >> /home/fedora/.config/openbox/autostart.sh << OBDONE
+
+# Run the system-wide support stuff
+. /etc/xdg/openbox/autostart.sh
+
+# Set default Fedora background
+feh --bg-scale /usr/share/backgrounds/images/default.png
+
+OBDONE
+
+# rc.xml
+cp /etc/xdg/openbox/rc.xml /home/fedora/.config/openbox
+sed -i -e 's/Clearlooks/Onyx/' /home/fedora/.config/openbox/rc.xml
+
+# fedora pipe menu
+cat >> /home/fedora/.config/openbox/obgnome.py << OBGNOME
+#!/usr/bin/python -tt
+import gmenu
+def walk_menu(entry):
+    if entry.get_type() == gmenu.TYPE_DIRECTORY:
+        print '<menu id="%s" label="%s">' % (entry.menu_id, entry.get_name())
+        map(walk_menu, entry.get_contents())
+        print '</menu>'
+    elif entry.get_type() == gmenu.TYPE_ENTRY and not entry.is_excluded:
+        print """
+            <item label="%s">
+              <action name="Execute">
+                <command>%s</command>
+              </action>
+            </item>
+        """ % (entry.get_name(), entry.get_exec())
+
+print "<openbox_pipe_menu>"
+walk_menu(walk_menu, gmenu.lookup_tree('applications.menu').root.get_contents())
+print "</openbox_pipe_menu>"
+OBGNOME
+chown fedora:fedora /home/fedora/.config/openbox/obgnome.py
+chmod a+x /home/fedora/.config/openbox/obgnome.py
+
+# menu.xml
+cat >> /home/fedora/.config/openbox/menu.xml << OBDONE
+<?xml version="1.0" encoding="UTF-8"?>
+
+<openbox_menu xmlns="http://openbox.org/3.4/menu">
+
+<menu id="recon-menu" label="Reconnaissance">
+  <item label="hping3">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'hping3; bash'"</command></action>
+  </item>
+  <item label="nc6">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'nc6; bash'"</command></action>
+  </item>
+  <item label="nc">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'nc; bash'"</command></action>
+  </item>
+  <item label="ngrep">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'ngrep; bash'"</command></action>
+  </item>
+  <item label="nessus">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'nessus; bash'"</command></action>
+  </item>
+  <item label="nmap">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'nmap; bash'"</command></action>
+  </item>
+  <item label="p0f">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'p0f; bash'"</command></action>
+  </item>
+  <item label="scanssh">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'scanssh; bash'"</command></action>
+  </item>
+  <item label="socat">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'socat; bash'"</command></action>
+  </item>
+  <item label="tcpdump">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'tcpdump; bash'"</command></action>
+  </item>
+  <item label="tiger">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'tiger; bash'"</command></action>
+  </item>
+  <item label="wireshark">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'wireshark; bash'"</command></action>
+  </item>
+  <item label="xprobe2">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'xprobe2; bash'"</command></action>
+  </item>
+  <item label="nbtscan">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'nbtscan; bash'"</command></action>
+  </item>
+  <item label="tcpxtract">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'tcpxtract; bash'"</command></action>
+  </item>
+  <item label="firewalk">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'firewalk; bash'"</command></action>
+  </item>
+  <item label="hunt">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'hunt; bash'"</command></action>
+  </item>
+  <item label="halberd">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'halberd; bash'"</command></action>
+  </item>
+</menu>
+
+<menu id="forensics-menu" label="Forensics">
+  <item label="chkrootkit">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'chkrootkit; bash'"</command></action>
+  </item>
+  <item label="clamav">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'clamav; bash'"</command></action>
+  </item>
+  <item label="dd_rescue">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'dd_rescue; bash'"</command></action>
+  </item>
+  <item label="gparted">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'gparted; bash'"</command></action>
+  </item>
+  <item label="hexedit">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'hexedit; bash'"</command></action>
+  </item>
+  <item label="prelude">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'prelude; bash'"</command></action>
+  </item>
+  <item label="testdisk">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'testdisk; bash'"</command></action>
+  </item>
+  <item label="foremost">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'foremost; bash'"</command></action>
+  </item>
+</menu>
+
+<menu id="wireless-menu" label="Wireless">
+  <item label="aircrack-ng">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'aircrack-ng; bash'"</command></action>
+  </item>
+  <item label="airsnort">
+    <action name="Execute"><command>airsnort</command></action>
+  </item>
+  <item label="kismet">
+    <action name="Execute"><command>kismet</command></action>
+  </item>
+</menu>
+
+<menu id="code-menu" label="Code Analysis">
+  <item label="pscan">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'pscan; bash'"</command></action>
+  </item>
+  <item label="splint">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'splint; bash'"</command></action>
+  </item>
+</menu>
+
+<menu id="id-menu" label="Intrusion Detection">
+  <item label="aide">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'aide; bash'"</command></action>
+  </item>
+  <item label="snort">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'snort; bash'"</command></action>
+  </item>
+  <item label="tripwire">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'tripwire; bash'"</command></action>
+  </item>
+</menu>
+
+<menu id="password-menu" label="Password Tools">
+  <item label="john">
+    <action name="Execute"><command>gnome-terminal -e "sh -c 'john; bash'"</command></action>
+  </item>
+</menu>
+
+<menu id="root-menu" label="Fedora Security Spin">
+  <separator label="Fedora Security Spin" />
+  <menu id="recon-menu" />
+  <menu id="forensics-menu" />
+  <menu id="wireless-menu" />
+  <menu id="id-menu" />
+  <menu id="code-menu" />
+  <menu id="password-menu" />
+  <separator />
+  <item label="Terminal">
+    <action name="Execute">
+      <command>gnome-terminal</command>
+    </action>
+  </item>
+  <item label="Firefox">
+    <action name="Execute">
+      <command>firefox</command>
+    </action>
+  </item>
+  <separator />
+  <menu id="fedora" label="Fedora" execute="/home/fedora/.config/openbox/obgnome.py" />
+  <separator />
+  <menu id="client-list-menu" />
+  <separator />
+  <item label="ObConf">
+    <action name="Execute">
+      <startupnotify><enabled>yes</enabled><icon>openbox</icon></startupnotify>
+      <command>obconf</command>
+    </action>
+  </item>
+  <item label="Reconfigure">
+    <action name="Reconfigure" />
+  </item>
+  <separator />
+  <item label="Exit">
+    <action name="Exit" />
+  </item>
+</menu>
+
+</openbox_menu>
+
+OBDONE
+##
+
+# turn off firstboot for livecd boots
+echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot
+
+# don't start yum-updatesd for livecd boots
+chkconfig --level 345 yum-updatesd off 2>/dev/null
+
+# don't start cron/at as they tend to spawn things which are
+# disk intensive that are painful on a live image
+chkconfig --level 345 crond off 2>/dev/null
+chkconfig --level 345 atd off 2>/dev/null
+chkconfig --level 345 anacron off 2>/dev/null
+chkconfig --level 345 readahead_early off 2>/dev/null
+chkconfig --level 345 readahead_later off 2>/dev/null
+
+# Stopgap fix for RH #217966; should be fixed in HAL instead
+touch /media/.hal-mtab
+
+# workaround clock syncing on shutdown that we don't want (#297421)
+sed -i -e 's/hwclock/no-such-hwclock/g' /etc/rc.d/init.d/halt
+
+# disable screensaver locking
+gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults -s -t bool /apps/gnome-screensaver/lock_enabled false >/dev/null
+# set up timed auto-login for after 60 seconds
+sed -i -e 's/\[daemon\]/[daemon]\nTimedLoginEnable=true\nTimedLogin=fedora\nTimedLoginDelay=60/' /etc/gdm/custom.conf
+if [ -e /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png ] ; then
+    cp /usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png /home/fedora/.face
+    chown fedora:fedora /home/fedora/.face
+    # TODO: would be nice to get e-d-s to pick this one up too... but how?
+fi
+
+EOF
+
+# workaround avahi segfault (#279301)
+touch /etc/resolv.conf
+/sbin/restorecon /etc/resolv.conf
+
+chmod 755 /etc/rc.d/init.d/fedora-live
+/sbin/restorecon /etc/rc.d/init.d/fedora-live
+/sbin/chkconfig --add fedora-live
+
+# save a little bit of space at least...
+rm -f /boot/initrd*
+
+%end
+
+
+%post --nochroot
+cp $INSTALL_ROOT/usr/share/doc/*-release-*/GPL $LIVE_ROOT/GPL
+cp $INSTALL_ROOT/usr/share/doc/HTML/readme-live-image/en_US/readme-live-image-en_US.txt $LIVE_ROOT/README
+%end
-- 
cgit