From eb4aab01f9183575bc439b8e63191826ba19afe7 Mon Sep 17 00:00:00 2001
From: Christer Edwards
Date: Wed, 28 Nov 2018 21:02:42 -0700
Subject: [PATCH] 0.3.20181128 go go gadget git clone templates

---
 docs/chapters/targeting.rst | 66 +++++++++++
 usr/local/bin/bastille | 2 +-
 usr/local/etc/rc.d/bastille | 35 ++++--
 usr/local/share/bastille/bootstrap.sh | 163 +++++++++++++++++---------
 4 files changed, 198 insertions(+), 68 deletions(-)

diff --git a/docs/chapters/targeting.rst b/docs/chapters/targeting.rst
index 256d2b02..b9e08897 100644
--- a/docs/chapters/targeting.rst
+++ b/docs/chapters/targeting.rst
@@ -1,3 +1,69 @@ ========= Targeting ========= + +Bastille uses a `command-target-args` syntax, meaning that each command +requires a target. Targets are usually jails, but can also be releases. + +Targeting a jail is done by providing the exact jail name. + +Targeting a release is done by providing the release name. (Note: do note +include the `-pX` point-release version.) + +Bastille includes a pre-defined keyword ALL to target all running jails. + +In the future I would like to support more options, including globbing, lists +and regular-expressions. + +Examples: Jails +=============== + +.. code-block:: shell + + ishmael ~ # bastille ... + + ++-----------+--------+------------------+-------------------------------------------------------------+ +| command | target | args | description | ++===========+========+==================+=============================================================+ +| cmd | ALL | 'sockstat -4' | execute `sockstat -4` in ALL jails (listening ip4 sockets) | ++-----------+--------+-----+------------+-------------------------------------------------------------+ +| console | mariadb02 | --- | console (shell) access to mariadb02 | ++----+------+----+---------+------------+--------------+----------------------------------------------+ +| pkg | web01 | 'install nginx' | install nginx package in web01 jail | ++-----------+--------+------------------+-------------------------------------------------------------+ +| pkg | ALL | upgrade | upgrade packages in ALL jails | ++-----------+--------+------------------+-------------------------------------------------------------+ +| pkg | ALL | audit | (CVE) audit packages in ALL jails | ++-----------+--------+------------------+-------------------------------------------------------------+ +| sysrc | web01 | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 jail | ++-----------+--------+------------------+-------------------------------------------------------------+ +| template | ALL | base 
| apply `base` template to ALL jails | ++-----------+--------+------------------+-------------------------------------------------------------+ +| start | web02 | --- | start web02 jail | ++-----------+--------+-----+------------+-------------------------------------------------------------+ +| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to jail-path in bastion03 | ++----+------+----+---+------------------+--------------+----------------------------------------------+ +| create | folsom | 12.0-RELEASE 10.10.10.10 | create v12.0 jail named `folsom` with IP | ++-----------+--------+------------------+--------------+----------------------------------------------+ + + +Examples: Releases +================== + +.. code-block:: shell + + ishmael ~ # bastille ... + + ++-----------+--------------+--------------+-------------------------------------------------------------+ +| command | target | args | description | ++===========+==============+==============+=============================================================+ +| bootstrap | 12.0-RELEASE | --- | bootstrap 12.0-RELEASE release | ++-----------+--------------+--------------+-------------------------------------------------------------+ +| update | 11.2-RELEASE | --- | update 11.2-RELEASE release | ++-----------+--------------+--------------+-------------------------------------------------------------+ +| upgrade | 11.1-RELEASE | 11.2-RELEASE | update 11.2-RELEASE release | ++-----------+--------------+--------------+-------------------------------------------------------------+ +| verify | 11.2-RELEASE | --- | update 11.2-RELEASE release | ++-----------+--------------+--------------+-------------------------------------------------------------+ diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index ea8eff6e..4f355bc7 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille 
@@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf ## version -BASTILLE_VERSION="0.3.20181124" +BASTILLE_VERSION="0.3.20181128" usage() { cat << EOF diff --git a/usr/local/etc/rc.d/bastille b/usr/local/etc/rc.d/bastille index 7777036f..3466c036 100755 --- a/usr/local/etc/rc.d/bastille +++ b/usr/local/etc/rc.d/bastille @@ -1,6 +1,6 @@ #!/bin/sh -# $FreeBSD: $ +# Bastille jail startup script # # PROVIDE: bastille # REQUIRE: LOGIN @@ -10,7 +10,7 @@ # # bastille_enable (bool): Set to NO by default. # Set it to YES to enable bastille. -# bastille_list (string): Set to "" by default. +# bastille_list (string): Set to "ALL" by default. # Space separated list of jails to start. # @@ -19,27 +19,42 @@ name=bastille rcvar=${name}_enable -command="/usr/local/bin/${name}" - -start_cmd="${name}_start" -stop_cmd="${name}_stop" +load_rc_config ${name} : ${bastille_enable:=NO} : ${bastille_list:="ALL"} +start_command="/usr/local/bin/bastille start" +stop_command="/usr/local/bin/bastille stop" + bastille_start() { + if [ ! -n "${bastille_list}" ]; then + echo "${bastille_list} is undefined" + return 1 + fi + + local _jail + for _jail in ${bastille_list}; do - ${command} start ${_jail} + echo "Starting Bastille Jail: ${_jail}" + ${start_command} ${_jail} done } bastille_stop() { + if [ ! -n "${bastille_list}" ]; then + echo "${bastille_list} is undefined" + return 1 + fi + + local _jail + for _jail in ${bastille_list}; do - ${command} stop ${_jail} + echo "Stopping Bastille Jail: ${_jail}" + ${stop_command} ${_jail} done } -load_rc_config ${name} -run_rc_command "$@" +run_rc_command "$1" diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index c007a3ff..afdcbf08 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
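Review bot: The new empty-list guards in bastille_start and bastille_stop (`if [ ! -n "${bastille_list}" ]`) can never fire, because `: ${bastille_list:="ALL"}` a few lines above assigns ALL whenever the variable is unset or empty, and if they ever did fire the message would expand the empty value and print ` is undefined`. Either drop the guard or make it say what it means: `if [ -z "${bastille_list}" ]; then echo "bastille_list is undefined" >&2; return 1; fi`. Both loops also expand `${bastille_list}` and `${_jail}` unquoted, which is what makes the space-separated list work but also means a jail name containing whitespace or glob characters cannot be expressed; worth a sentence on the `bastille_list` description in the header hunk. Moving `load_rc_config ${name}` above the `: ${bastille_enable:=NO}` defaults is the right order for an rc.d script, since the defaults are otherwise applied before rc.conf is read.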
@@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - echo -e "${COLOR_RED}Usage: bastille bootstrap release.${COLOR_RESET}" + echo -e "${COLOR_RED}Usage: bastille bootstrap [release|template].${COLOR_RESET}" exit 1 } @@ -43,9 +43,7 @@ help|-h|--help) ;; esac -RELEASE=$1 - -bootstrap() { +bootstrap_release() { ## ensure required directories are in place if [ ! -d ${bastille_jailsdir} ]; then mkdir -p ${bastille_jailsdir} 
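Review bot: Removing the top-level `RELEASE=$1` while renaming `bootstrap` to `bootstrap_release` leaves the function body, which continues past the end of this hunk, without the variable it presumably read; if any line in it still expands `${RELEASE}`, that now evaluates to an empty string, and any path built from it silently collapses to its parent directory. Since the dispatching `case` in the later hunk now switches on `"${1}"`, the cheapest fix is to keep the assignment inside the function, `bootstrap_release() {` followed by `RELEASE="${1}"`, and call it as `bootstrap_release "${1}"`; alternatively keep the top-level `RELEASE=$1` until every reader is migrated. I can only see the first lines of the body here, so please confirm against the rest of the file.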
@@ -85,66 +83,117 @@ bootstrap() {
     fi
 }
 
+bootstrap_template() {
+    ## define basic variables
+    _url=${BASTILLE_TEMPLATE_URL}
+    _user=${BASTILLE_TEMPLATE_USER}
+    _repo=${BASTILLE_TEMPLATE_REPO}
+    _template=${bastille_templatesdir}/${_user}/${_repo}
+
+    ## verify essential directories are in place
+    if [ ! -d ${bastille_jailsdir} ]; then
+        mkdir -p ${bastille_jailsdir}
+    fi
+    if [ ! -d ${bastille_logsdir} ]; then
+        mkdir -p ${bastille_logsdir}
+    fi
+    if [ ! -d ${bastille_templatesdir} ]; then
+        mkdir -p ${bastille_templatesdir}
+    fi
+    if [ ! -d ${_template} ]; then
+        mkdir -p ${_template}
+    fi
+
+    ## support for non-git
+    if [ ! -x /usr/local/bin/git ]; then
+        echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
+        echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
+    fi
+
+    ## support for git
+    if [ -x /usr/local/bin/git ]; then
+        if [ ! -d "${_template}/.git" ]; then
+            /usr/local/bin/git clone "${_url}" "${_template}" ||\
+                echo -e "${COLOR_RED}Clone unsuccessful.${COLOR_RESET}"
+            echo
+        elif [ -d "${_template}/.git" ]; then
+            cd ${_template} &&
+            /usr/local/bin/git pull ||\
+                echo -e "${COLOR_RED}Template update unsuccessful.${COLOR_RESET}"
+            echo
+        fi
+    fi
+
+    ## template validation
+    _hook_validate=0
+    for _hook in PRE FSTAB PF PKG SYSRC CMD; do
+        if [ -s ${_template}/${_hook} ]; then
+            _hook_validate=$((_hook_validate+1))
+            echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
+            echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+            cat "${_template}/${_hook}"
+            echo
+        fi
+    done
+    if [ -s ${_template}/CONFIG ]; then
+        _hook_validate=$((_hook_validate+1))
+        echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
+        while read _dir; do
+            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
+            tree -a ${_template}/${_dir}
+        done < ${_template}/CONFIG
+        echo
+    fi
+
+    ## remove bad templates
+    if [ ${_hook_validate} -lt 1 ]; then
+        echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
+        rm -rf ${_template}
+        exit 1
+    fi
+
+    ## if validated; ready to use
+    if [ ${_hook_validate} -gt 0 ]; then
+        echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
+        echo
+    fi
+}
+
+#Usage: bastille bootstrap [release|template].${COLOR_RESET}"
+
 # Filter sane release names
-case "${RELEASE}" in
-10.1-RELEASE)
-    bootstrap
+case "${1}" in
+10.1-RELEASE|10.2-RELEASE|10.3-RELEASE|10.4-RELEASE)
+    bootstrap_release
     echo -e "${COLOR_RED}WARNING: FreeBSD 10.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
-10.2-RELEASE)
-    bootstrap
-    echo -e "${COLOR_RED}WARNING: FreeBSD 10.2-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
-10.3-RELEASE)
-    bootstrap
-    echo -e "${COLOR_RED}WARNING: FreeBSD 10.3-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
-10.4-RELEASE)
-    bootstrap
-    echo -e "${COLOR_RED}WARNING: FreeBSD 10.4-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
-11.0-RELEASE)
-    bootstrap
+    ;;
+11.0-RELEASE|11.1-RELEASE)
+    bootstrap_release
     echo -e "${COLOR_RED}WARNING: FreeBSD 11.0-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
-11.1-RELEASE)
-    bootstrap
-    echo -e "${COLOR_RED}WARNING: FreeBSD 11.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
+    ;;
 11.2-RELEASE)
-    bootstrap
-    ;;
+    bootstrap_release
+    ;;
 12.0-RELEASE)
-    bootstrap
-    ;;
-12.0-BETA1)
-    bootstrap
+    bootstrap_release
+    ;;
+12.0-BETA1|12.0-BETA2|12.0-BETA3|12.0-BETA4)
+    bootstrap_release
     echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
-    ;;
-12.0-BETA2)
-    bootstrap
-    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
-    ;;
-12.0-BETA3)
-    bootstrap
-    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
-    ;;
-12.0-BETA4)
-    bootstrap
-    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
-    ;;
-12.0-RC1)
-    bootstrap
+    ;;
+12.0-RC1|12.0-RC2|12.0-RC3)
+    bootstrap_release
     echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
-    ;;
-12.0-RC2)
-    bootstrap
-    echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
-    ;;
-12.0-RC3)
-    bootstrap
-    echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
-    ;;
+    ;;
+http?://github.com/*/*)
+    BASTILLE_TEMPLATE_URL=${1}
+    BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
+    BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
+    echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
+    echo
+    bootstrap_template
+    ;;
 *)
     usage
     ;;
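Review bot: In the new `http?://github.com/*/*` arm, `BASTILLE_TEMPLATE_USER` and `BASTILLE_TEMPLATE_REPO` are simply the 4th and 5th slash-separated fields of `$1` and flow unvalidated into `_template=${bastille_templatesdir}/${_user}/${_repo}`, which bootstrap_template passes unquoted to `mkdir -p` and, when no hook is detected, to `rm -rf ${_template}`; a URL whose fourth or fifth field is empty or `..` makes that deletion target `${bastille_templatesdir}` itself or a directory above it, and an unset `bastille_templatesdir` moves the whole tree to `/`. Restrict both fields to a safe name pattern before calling bootstrap_template and write the removal as `rm -rf -- "${bastille_templatesdir:?}/${_user:?}/${_repo:?}"` so an empty component aborts instead of expanding, as sketched below. Two smaller things in the same hunk: the merged EOL arms still print the hard-coded `10.1-RELEASE` and `11.0-RELEASE` text for 10.2–10.4 and 11.1, so those messages should use `${1}`, and the stray `#Usage: bastille bootstrap [release|template].${COLOR_RESET}"` line above `# Filter sane release names` looks like a leftover paste. Note also that `http?://` matches a five-character scheme such as `https` but not plain `http://`, which falls through to `usage`; either document that or spell out `http://github.com/*/*|https://github.com/*/*`. The `case` statement's closing `esac` lies beyond the end of the hunk.

```shell
http?://github.com/*/*)
    BASTILLE_TEMPLATE_URL=${1}
    BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
    BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
    ## refuse owner/repo fields that are empty, dot-prefixed, or carry path characters
    for _part in "${BASTILLE_TEMPLATE_USER}" "${BASTILLE_TEMPLATE_REPO}"; do
        case "${_part}" in
            ''|.*|*[!A-Za-z0-9._-]*) usage ;;
        esac
    done
    # … unchanged: Template banner echo and bootstrap_template call …
    ;;
```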