Merge pull request #33 from cedwards/master

May 2019 update: HardenedBSD, tzdata, NS

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

README.md

@@ -6,22 +6,29 @@ easily create and manage FreeBSD jail.
 
 Installation
 ------------
-Bastille is not (yet) in the official ports tree, but I have built and verified
-binary packages.
-
-To install using one of the BETA binary packages, copy the URL for the latest
-release here (TXZ file): https://github.com/bastillebsd/bastille/releases
-
-Then, install via `pkg`. 
-Example:
-
-```shell
-pkg add https://github.com/BastilleBSD/bastille/releases/download/0.3.20181130/bastille-0.3.20181130_2.txz
-```
-
-BETA binary packages are signed. These can be verified with this pubkey:
+Bastille is available in the official ports tree.
 
 ```
+pkg install bastille
+```
+
+Development builds are available on the `pkg.bastillebsd.org` package server.
+To subscribe to this repo, use the following two configuration additions.
+
+Note: The BastilleBSD pkg server will usually be ahead of FreeBSD latest.
+
+```
+## /usr/local/etc/pkg/repos/BastilleBSD.conf
+BastilleBSD: {
+  url: "https://pkg.bastillebsd.org/pkg/${ABI}",
+  signature_type: "pubkey",
+  pubkey: "/usr/local/etc/ssl/poudriere.pub",
+  enabled: yes
+}
+```
+
+```
+## /usr/local/etc/ssl/poudriere.pub
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn
 pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl
@@ -68,10 +75,7 @@ Use "bastille command -h|--help" for more information about a command.
 
 ## 0.3-beta
 This document outlines the basic usage of the Bastille jail management
-framework. This release, obviously, is beta quality. I make no guarantees of
-quality, and if it screws up your system... Sorry, bro. 
-
-With all that said, here's how to use this tool in its current beta state...
+framework. This release is still considered beta.
 
 
 ## Network Requirements
@@ -101,7 +105,7 @@ set block-policy drop
 scrub in on $ext_if all fragment reassemble
 
 set skip on lo
-nat on $ext_if from !($ext_if) -> ($ext_if:0)
+nat on $ext_if from lo1:network to any -> ($ext_if)
 
 ## rdr example
 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
@@ -149,9 +153,9 @@ This step only needs to be done once in order to prepare the host.
 
 bastille bootstrap
 ------------------
-The first step is to "bootstrap" a release. Current supported release is
-11.2-RELEASE, but you can bootstrap anything in the ftp.FreeBSD.org RELEASES
-directory. 
+The first step is to "bootstrap" a release. Current supported releases are
+11.2-RELEASE and 12.0-RELEASE, but you can bootstrap anything in the
+ftp.FreeBSD.org RELEASES directory.
 
 Note: your mileage may vary with unsupported releases and releases newer than
 the host system likely will NOT work at all.
@@ -160,17 +164,17 @@ To `bootstrap` a release, run the bootstrap sub-command with the
 release version as the argument.
 
 ```shell
-ishmael ~ # bastille bootstrap 11.2-RELEASE
 ishmael ~ # bastille bootstrap 12.0-RELEASE
+ishmael ~ # bastille bootstrap 11.2-RELEASE
 ```
 
 This command will ensure the required directory structures are in place and
 download the requested release. For each requested release, `bootstrap` will
-download the base.txz and lib32.txz. These are both verified (sha256 via
-MANIFEST file) before they are extracted for use.
+download the base.txz. These are verified (sha256 via MANIFEST file) before
+they are extracted for use.
 
 Downloaded artifacts are stored in the `cache` directory. "bootstrapped"
-releases are stored in `releases/version`.
+releases are stored in `releases/$RELEASE`.
 
 The bootstrap subcommand is generally only used once to prepare the system. The
 only other use case for the bootstrap command is when a new FreeBSD version is
@@ -183,7 +187,7 @@ command.
 bastille create
 ---------------
 Bastille create uses any available bootstrapped release to create a lightweight
-jailized system. To create a jail simply provide a name, release and
+jailed system. To create a jail simply provide a name, release and
 a private (rfc1918) IP address.
 
 - name
@@ -191,15 +195,14 @@ a private (rfc1918) IP address.
 - ip
 
 ```shell
-ishmael ~ # bastille create folsom 11.2-RELEASE 10.8.62.1
+ishmael ~ # bastille create folsom 12.0-RELEASE 10.8.62.1
 
-RELEASE: 11.2-RELEASE.
+RELEASE: 12.0-RELEASE.
 NAME: folsom.
 IP: 10.8.62.1.
-
 ```
 
-This command will create a 11.2-RELEASE jail assigning the 10.8.62.1 ip address
+This command will create a 12.0-RELEASE jail assigning the 10.8.62.1 ip address
 to the new system.
 
 I recommend using private (rfc1918) ip address ranges for your jails.
@@ -373,11 +376,11 @@ ishmael ~ # bastille pkg ALL upgrade
 Targeting all jails.
 
 [bastion]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [bastion] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [bastion] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (1 candidates): 100%
 Processing candidates (1 candidates): 100%
@@ -385,11 +388,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 
 [unbound0]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [unbound0] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [unbound0] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (0 candidates): 100%
 Processing candidates (0 candidates): 100%
@@ -397,11 +400,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 
 [unbound1]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [unbound1] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [unbound1] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (0 candidates): 100%
 Processing candidates (0 candidates): 100%
@@ -409,11 +412,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 
 [squid]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [squid] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [squid] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (0 candidates): 100%
 Processing candidates (0 candidates): 100%
@@ -421,11 +424,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 
 [nginx]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [nginx] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [nginx] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (1 candidates): 100%
 Processing candidates (1 candidates): 100%
@@ -477,7 +480,7 @@ Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the jail automatically.
 
 Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
-Planned template hooks include: `FSTAB`, `PF`
+Planned template hooks include: `FSTAB`, `PF`, `LOG`
 
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
 the template hooks. Simply create a new directory named after the template. eg;
@@ -498,12 +501,18 @@ echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG
 Template hooks are executed in specific order and require specific syntax to
 work as expected. This table outlines those requirements:
 
-| HOOK    | format           | example                              |
-|---------|------------------|--------------------------------------|
-| PRE/CMD | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh  |
-| CONFIG  | path             | etc root usr                         |
-| PKG     | port/pkg name(s) | vim-console zsh git-lite tree htop   |
-| SYSRC   | sysrc command(s) | nginx_enable=YES                     |
+| SUPPORTED | format           | example                                                        |
+|-----------|------------------|----------------------------------------------------------------|
+| PRE/CMD   | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh                            |
+| CONFIG    | path             | etc root usr                                                   |
+| PKG       | port/pkg name(s) | vim-console zsh git-lite tree htop                             |
+| SYSRC     | sysrc command(s) | nginx_enable=YES                                               |
+
+| PLANNED | format           | example                                                        |
+|---------|------------------|----------------------------------------------------------------|
+| PF      | pf rdr entry     | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
+| LOG     | path             | /var/log/nginx/access.log                                      |
+| FSTAB   | fstab syntax     | /path/on/host /path/in/jail nullfs ro 0 0                      |
 
 Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
 
@@ -531,6 +540,7 @@ The above example "etc usr" will include anything under "etc" and "usr" inside
 the template. You do not need to list individual files. Just include the
 top-level directory name.
 
+
 Applying Templates
 ------------------
 
@@ -623,6 +633,7 @@ At this point you are logged in to the jail and have full shell access.
 The system is yours to use and/or abuse as you like. Any changes made inside
 the jail are limited to the jail. 
 
+
 bastille cp
 -----------
 Note: this sub-command may need a little work. 

docs/conf.py

@@ -8,7 +8,7 @@ else:
 # -- Project information -----------------------------------------------------
 
 project = 'Bastille'
-copyright = '2018, Christer Edwards'
+copyright = '2018-2019, Christer Edwards'
 author = 'Christer Edwards'
 
 # The short X.Y version

usr/local/bin/bastille

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 ## version
-BASTILLE_VERSION="0.3.20190102"
+BASTILLE_VERSION="0.3.20190204"
 
 usage() {
     cat << EOF
@@ -88,16 +88,16 @@ esac
 # Filter out all non-commands
 case "${CMD}" in
 cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
-	;;
+    ;;
 update|upgrade)
-	;;
+    ;;
 console|bootstrap|htop|top)
     ;;
 bootstrap|update|upgrade)
-	;;
+    ;;
 *)
-	usage
-	;;
+usage
+    ;;
 esac
 
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"

usr/local/etc/bastille/bastille.conf

@@ -9,3 +9,9 @@ bastille_logsdir=${bastille_prefix}/logs
 bastille_releasesdir=${bastille_prefix}/releases
 bastille_templatesdir=${bastille_prefix}/templates
 bastille_sharedir=/usr/local/share/bastille
+bastille_bootstrap_archives="base"
+bastille_tzdata="America/Denver"
+bastille_nameserver1="1.1.1.1"
+bastille_nameserver2="1.0.0.1"
+bastille_nameserver3=""
+bastille_nameserver_options="options edns0 rotate"

usr/local/share/bastille/bootstrap.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -58,28 +58,39 @@ bootstrap_release() {
         mkdir -p "${bastille_cachedir}/${RELEASE}"
     fi
 
-    ### create $bastille_base/release/$release directory
-    ### fetch $release/base.txz -o $bastille_base/cache/$release/base.txz
-    ### fetch $release/lib32.txz -o $bastille_base/cache/$release/lib32.txz
-    ### extract $release/base.txz to $bastille_base/release/$release
-    ### extract $release/lib32.txz to $bastille_base/release/$release
-    if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+    ## if release exists, quit
+    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
+        exit 1
+    fi
+
+    ## if existing ${CACHEDIR}/${RELEASE}/base.txz; extract
+    if [ -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
         mkdir -p "${bastille_releasesdir}/${RELEASE}"
-        sh ${bastille_sharedir}/freebsd_dist_fetch.sh -r ${RELEASE} base lib32
-
-        echo
-        echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} base.txz.${COLOR_RESET}"
-        /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/base.txz"
-
-        echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} lib32.txz.${COLOR_RESET}"
-        /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/lib32.txz"
+        for _archive in ${bastille_bootstrap_archives}; do
+            echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+            /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
+        done
+
+        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+        echo
+    fi
+
+    ## if no existing ${CACHEDIR}/${RELEASE} download and extract
+    if [ ! -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        mkdir -p "${bastille_releasesdir}/${RELEASE}"
+	fetch ${UPSTREAM_URL}/base.txz -o ${bastille_cachedir}/${RELEASE}/base.txz
+
+        echo
+        for _archive in ${bastille_bootstrap_archives}; do
+            echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+            /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
+        done
 
         echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
         echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
         echo
-    else
-        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
-        exit 1
     fi
 }
 
@@ -162,24 +173,29 @@ bootstrap_template() {
 
 #Usage: bastille bootstrap [release|template].${COLOR_RESET}"
 
+HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
+HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
+
 # Filter sane release names
 case "${1}" in
-10.1-RELEASE|10.2-RELEASE|10.3-RELEASE|10.4-RELEASE)
-    RELEASE="${1}"
-    bootstrap_release
-    echo -e "${COLOR_RED}WARNING: FreeBSD 10.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
-11.0-RELEASE|11.1-RELEASE)
-    RELEASE="${1}"
-    bootstrap_release
-    echo -e "${COLOR_RED}WARNING: FreeBSD 11.0-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
 11.2-RELEASE)
     RELEASE="${1}"
+    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"
     bootstrap_release
     ;;
 12.0-RELEASE)
     RELEASE="${1}"
+    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/"
+    bootstrap_release
+    ;;
+11-stable-LAST)
+    RELEASE="${1}"
+    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
+    bootstrap_release
+    ;;
+12-stable-LAST)
+    RELEASE="${1}"
+    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
     bootstrap_release
     ;;
 http?://github.com/*/*)

usr/local/share/bastille/cmd.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/console.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/cp.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/create.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -65,7 +65,7 @@ create_jail() {
     bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab"  ## file
     bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf"  ## file
     bastille_jail_log="${bastille_logsdir}/${NAME}_console.log"  ## file
-    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf.local" ## file
+    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
     bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
 
     if [ ! -d "${bastille_jail_base}" ]; then
@@ -124,22 +124,30 @@ create_jail() {
     cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
     if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi
 
-    ## rc.conf.local
+    ## rc.conf
     ##  + syslogd_flags="-ss"
     ##  + sendmail_none="NONE"
     ##  + cron_flags="-J 60" ## cedwards 20181118
-    ## resolv.conf
     if [ ! -f "${bastille_jail_rc_conf}" ]; then
-        echo -e "syslogd_flags=\"-ss\"\nsendmail_enable=\"NONE\"" > ${bastille_jail_rc_conf}
-	echo -e "cron_flags=\"-J 60\"" >> ${bastille_jail_rc_conf}
+        touch "${bastille_jail_rc_conf}"
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60'
+        echo
     fi
 
+    ## resolv.conf
+    ##  + default nameservers configurable; 1 required, 3 optional ## cedwards 20190522
+    ##  + nameserver options supported
     if [ ! -f "${bastille_jail_resolv_conf}" ]; then
-        echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1\noptions edns0 rotate" > ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver1}" ] && echo -e "nameserver ${bastille_nameserver1}" >> ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver2}" ] && echo -e "nameserver ${bastille_nameserver2}" >> ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver3}" ] && echo -e "nameserver ${bastille_nameserver3}" >> ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver_options}" ] && echo -e "${bastille_nameserver_options}" >> ${bastille_jail_resolv_conf}
     fi
 
-    ## TZ: UTC
-    ln -s /usr/share/zoneinfo/Etc/UTC etc/localtime
+    ## TZ: configurable (default: etc/UTC)
+    ln -s /usr/share/zoneinfo/${bastille_tzdata} etc/localtime
 }
 
 # Handle special-case commands first.
@@ -159,50 +167,17 @@ IP="$3"
 
 ## verify release
 case "${RELEASE}" in
-10.1-RELEASE)
-    RELEASE="10.1-RELEASE"
-	;;
-10.2-RELEASE)
-    RELEASE="10.2-RELEASE"
-	;;
-10.3-RELEASE)
-    RELEASE="10.3-RELEASE"
-	;;
-10.4-RELEASE)
-    RELEASE="10.4-RELEASE"
-    ;;
-11.0-RELEASE)
-    RELEASE="11.0-RELEASE"
-    ;;
-11.1-RELEASE)
-    RELEASE="11.1-RELEASE"
-    ;;
 11.2-RELEASE)
     RELEASE="11.2-RELEASE"
     ;;
 12.0-RELEASE)
     RELEASE="12.0-RELEASE"
     ;;
-12.0-BETA1)
-    RELEASE="12.0-BETA1"
+11-stable-LAST)
+    RELEASE="11-stable-LAST"
     ;;
-12.0-BETA2)
-    RELEASE="12.0-BETA2"
-    ;;
-12.0-BETA3)
-    RELEASE="12.0-BETA3"
-    ;;
-12.0-BETA4)
-    RELEASE="12.0-BETA4"
-    ;;
-12.0-RC1)
-    RELEASE="12.0-RC1"
-    ;;
-12.0-RC2)
-    RELEASE="12.0-RC2"
-    ;;
-12.0-RC3)
-    RELEASE="12.0-RC3"
+12-stable-LAST)
+    RELEASE="12-stable-LAST"
     ;;
 *)
     echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"

usr/local/share/bastille/destroy.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -55,8 +55,9 @@ destroy_jail() {
         echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
         chflags -R noschg ${bastille_jail_base}
         rm -rf ${bastille_jail_base}
-        echo -e "${COLOR_GREEN}Note: jail console logs not destroyed.${COLOR_RESET}"
-	echo -e "${COLOR_GREEN}${bastille_jail_log}${COLOR_RESET}"
+        mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
+        echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
         echo
     fi
 }

usr/local/share/bastille/htop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/list.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/pkg.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/restart.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/service.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/start.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/stop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -57,6 +57,5 @@ fi
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
-    pfctl -f /etc/pf.conf
     echo
 done

usr/local/share/bastille/sysrc.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/template.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/top.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/update.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -49,6 +49,11 @@ fi
 
 RELEASE=$1
 
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE}
 else

usr/local/share/bastille/upgrade.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -50,6 +50,12 @@ fi
 RELEASE=$1
 NEWRELEASE=$2
 
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade
 else

usr/local/share/bastille/verify.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -49,6 +49,11 @@ fi
 
 RELEASE=$1
 
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
 else