mirror of
https://github.com/optim-enterprises-bv/secureblue.git
synced 2025-11-03 11:58:26 +00:00
chore: switch to bluebuild's justfile module with validation (#556)
@@ -39,7 +39,7 @@ ujust enroll-secure-boot-key
|
|||||||
## Set hardened kargs
|
## Set hardened kargs
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Learn about the hardening applied by the kargs set by the command below [here](/files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md).
|
> Learn about the hardening applied by the kargs set by the command below [here](KARGS.md).
|
||||||
|
|
||||||
```
|
```
|
||||||
ujust set-kargs-hardening
|
ujust set-kargs-hardening
|
||||||
|
|||||||
@@ -37,7 +37,7 @@ The following are not in scope:
|
|||||||
- Adds per-network MAC randomization
|
- Adds per-network MAC randomization
|
||||||
- Blacklisting numerous unused kernel modules to reduce attack surface <sup>[details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/modprobe.d/blacklist.conf)</sup>
|
- Blacklisting numerous unused kernel modules to reduce attack surface <sup>[details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/modprobe.d/blacklist.conf)</sup>
|
||||||
- Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default
|
- Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default
|
||||||
- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) <sup>[details](https://github.com/secureblue/secureblue/blob/live/files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md)</sup>
|
- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) <sup>[details](KARGS.md)</sup>
|
||||||
- Reduce the sudo timeout to 1 minute
|
- Reduce the sudo timeout to 1 minute
|
||||||
- Require wheel user authentication via polkit for `rpm-ostree install` <sup>[why?](https://github.com/rohanssrao/silverblue-privesc)
|
- Require wheel user authentication via polkit for `rpm-ostree install` <sup>[why?](https://github.com/rohanssrao/silverblue-privesc)
|
||||||
- Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
|
- Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
|
||||||
|
|||||||
@@ -17,8 +17,8 @@ install-brew:
|
|||||||
echo "Capitalization matters when you type \"YES I UNDERSTAND\""
|
echo "Capitalization matters when you type \"YES I UNDERSTAND\""
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Removes homebrew from system
|
# Removes homebrew from system
|
||||||
remove-brew:
|
remove-brew:
|
||||||
echo "Removing homebrew ..."
|
echo "Removing homebrew ..."
|
||||||
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"
|
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"
|
||||||
@@ -160,7 +160,7 @@ override-enable-module mod_name:
|
|||||||
sudo chmod 644 $MOD_FILE
|
sudo chmod 644 $MOD_FILE
|
||||||
echo "Override created to enable $MOD_NAME module. Reboot to take effect."
|
echo "Override created to enable $MOD_NAME module. Reboot to take effect."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# reset the override by `just override-enable-module`, i.e. disable the module again (requires restart)
|
# reset the override by `just override-enable-module`, i.e. disable the module again (requires restart)
|
||||||
override-reset-module mod_name:
|
override-reset-module mod_name:
|
||||||
#!/usr/bin/pkexec /usr/bin/bash
|
#!/usr/bin/pkexec /usr/bin/bash
|
||||||
@@ -173,7 +173,6 @@ override-reset-module mod_name:
|
|||||||
echo "No override found for $MOD_NAME module."
|
echo "No override found for $MOD_NAME module."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Setup USBGuard
|
# Setup USBGuard
|
||||||
setup-usbguard:
|
setup-usbguard:
|
||||||
#!/usr/bin/bash
|
#!/usr/bin/bash
|
||||||
@@ -193,7 +192,6 @@ setup-usbguard:
|
|||||||
rerun-yafti:
|
rerun-yafti:
|
||||||
yafti -f /usr/share/ublue-os/firstboot/yafti.yml
|
yafti -f /usr/share/ublue-os/firstboot/yafti.yml
|
||||||
|
|
||||||
|
|
||||||
# Toggle anticheat support by changing ptrace scope (requires restart)
|
# Toggle anticheat support by changing ptrace scope (requires restart)
|
||||||
toggle-anticheat-support:
|
toggle-anticheat-support:
|
||||||
#!/usr/bin/pkexec /usr/bin/bash
|
#!/usr/bin/pkexec /usr/bin/bash
|
||||||
@@ -495,7 +493,6 @@ audit-secureblue:
|
|||||||
print_status "$USBGUARD_TEST_STRING" "$STATUS_FAILURE"
|
print_status "$USBGUARD_TEST_STRING" "$STATUS_FAILURE"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
CHRONYD_TEST_STRING="Ensuring chronyd is active"
|
CHRONYD_TEST_STRING="Ensuring chronyd is active"
|
||||||
if systemctl is-active --quiet chronyd; then
|
if systemctl is-active --quiet chronyd; then
|
||||||
print_status "$CHRONYD_TEST_STRING" "$STATUS_SUCCESS"
|
print_status "$CHRONYD_TEST_STRING" "$STATUS_SUCCESS"
|
||||||
@@ -620,7 +617,7 @@ audit-secureblue:
|
|||||||
print_status "$remote_string" "$STATUS_SUCCESS"
|
print_status "$remote_string" "$STATUS_SUCCESS"
|
||||||
fi
|
fi
|
||||||
done <<< "$remotes"
|
done <<< "$remotes"
|
||||||
|
|
||||||
declare -A flatpaks
|
declare -A flatpaks
|
||||||
while read -r ref version; do
|
while read -r ref version; do
|
||||||
flatpaks+=(["${ref}"]="${ref}//${version}")
|
flatpaks+=(["${ref}"]="${ref}//${version}")
|
||||||
@@ -671,4 +668,3 @@ audit-secureblue:
|
|||||||
done
|
done
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
# Tell build process to exit if there are any errors.
|
|
||||||
set -oue pipefail
|
|
||||||
|
|
||||||
brewimport='import "/usr/share/ublue-os/just/50-brew.just"'
|
|
||||||
|
|
||||||
if ! grep -qF "$brewimport" /usr/share/ublue-os/justfile; then
|
|
||||||
echo "$brewimport" >> /usr/share/ublue-os/justfile
|
|
||||||
fi
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
# Tell this script to exit if there are any errors.
|
|
||||||
# You should have this in every custom script, to ensure that your completed
|
|
||||||
# builds actually ran successfully without any errors!
|
|
||||||
set -oue pipefail
|
|
||||||
|
|
||||||
# add our just config
|
|
||||||
echo 'import "/usr/share/ublue-os/just/70-secureblue.just"' >> /usr/share/ublue-os/justfile
|
|
||||||
@@ -1,4 +1,6 @@
|
|||||||
modules:
|
modules:
|
||||||
|
- type: justfiles
|
||||||
|
validate: true
|
||||||
- type: script
|
- type: script
|
||||||
scripts:
|
scripts:
|
||||||
- createautostartdir.sh
|
- createautostartdir.sh
|
||||||
|
|||||||
@@ -7,6 +7,4 @@ scripts:
|
|||||||
- createmissingdirectories.sh
|
- createmissingdirectories.sh
|
||||||
- removesuid.sh
|
- removesuid.sh
|
||||||
- disablegeoclue.sh
|
- disablegeoclue.sh
|
||||||
- addjustconfig.sh
|
|
||||||
- addbrewjustimport.sh
|
|
||||||
- hardencontainerpolicy.sh
|
- hardencontainerpolicy.sh
|
||||||
|
|||||||
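Review bot: The new `- type: justfiles` entry (first recipe.yml hunk, `@@ -1,4 +1,6 @@`) has no comment recording that it replaces the two scripts deleted in the second hunk (`addjustconfig.sh`, `addbrewjustimport.sh`), which appended `import` lines for `/usr/share/ublue-os/just/70-secureblue.just` and `50-brew.just` to `/usr/share/ublue-os/justfile`; a maintainer reading the recipe has to dig through history to learn where those two justfiles are now wired in. Suggest a comment above the module entry such as `# justfiles module replaces the addjustconfig/addbrewjustimport scripts that appended import lines to /usr/share/ublue-os/justfile; validate: true makes the build fail on justfile errors instead of shipping a broken ujust` — the exact validation behaviour is inferred from the option name and should be confirmed against the module's docs. The module is configured with defaults only; if it accepts an explicit list of justfile paths, naming the two files would keep the imported set visible and reviewable rather than implicit. The `modules:` list continues past the end of both hunks.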