Diffstat (limited to 'data/live-build-config/hooks')
4 files changed, 29 insertions, 18 deletions
diff --git a/data/live-build-config/hooks/live/18-enable-disable_services.chroot b/data/live-build-config/hooks/live/18-enable-disable_services.chroot
index 3b4efe38..04ca7f3e 100755
--- a/data/live-build-config/hooks/live/18-enable-disable_services.chroot
+++ b/data/live-build-config/hooks/live/18-enable-disable_services.chroot
@@ -1,6 +1,7 @@
 #!/bin/sh
 echo I: Disabling services
+systemctl disable syslog.service
 systemctl disable rsyslog.service
 systemctl disable arpwatch.service
 systemctl disable smartd.service
@@ -41,7 +42,6 @@ systemctl disable snmpd.service
 systemctl disable conserver-server.service
 systemctl disable dropbear.service
 systemctl disable fancontrol.service
-systemctl disable fastnetmon.service
 systemctl disable ddclient.service
 systemctl disable ocserv.service
 systemctl disable tuned.service
@@ -71,7 +71,7 @@ systemctl disable zabbix-agent2.service
 systemctl disable suricata.service
 systemctl disable vyconfd.service
 systemctl disable vpp.service
-systemctl disable vyos-commitd.service
+systemctl disable netplug.service
 echo I: Enabling services
 systemctl enable vyos-hostsd.service
@@ -79,6 +79,7 @@ systemctl enable acpid.service
 systemctl enable vyos-router.service
 systemctl enable vyos-configd.service
 systemctl enable vyos-grub-update.service
+systemctl enable vyos-commitd.service
 echo I: Masking services
 systemctl mask systemd-journald-audit.socket
diff --git a/data/live-build-config/hooks/live/40-init-cracklib-db.chroot b/data/live-build-config/hooks/live/40-init-cracklib-db.chroot
new file mode 100755
index 00000000..4d94b08e
--- /dev/null
+++ b/data/live-build-config/hooks/live/40-init-cracklib-db.chroot
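Review bot: The new `systemctl disable syslog.service` line in the first hunk is, as far as I can tell, either a no-op or a failing call: on Debian `syslog.service` is an alias that the rsyslog package installs for `rsyslog.service`, which the very next line already disables, and `systemctl disable` on an alias acts on the aliased unit (or reports that no unit file exists). This hook has no `set -e`, so such a failure is only printed and the build goes on — which looks intentional for a best-effort list, but nothing in the file says so. If the line is there for a different provider of `syslog.service`, a comment naming it would keep the next maintainer from removing it as a duplicate, e.g. `# syslog.service is an alias of rsyslog.service on Debian; kept so the alias symlink is removed too`, and a one-line header comment such as `# Best effort: units that are not installed just fail here and are ignored.` would make the unchecked calls explicit.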
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CRACKLIB_DIR=/var/cache/cracklib
+CRACKLIB_DB=cracklib_dict
+
+if [ ! -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.pwd" ]; then
+ echo "I: Creating the cracklib database ${CRACKLIB_DIR}/${CRACKLIB_DB}"
+ mkdir -p $CRACKLIB_DIR
+
+ /usr/sbin/create-cracklib-dict -o $CRACKLIB_DIR/$CRACKLIB_DB \
+ /usr/share/dict/cracklib-small
+fi
+
diff --git a/data/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot b/data/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot
deleted file mode 100755
index 478b88fb..00000000
--- a/data/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-if ! command -v gpg &> /dev/null; then
- echo "gpg binary could not be found"
- exit 1
-fi
-
-GPG_KEY="/usr/share/vyos/keys/vyos-release.pub.asc"
-
-echo I: Import GPG key
-gpg --import ${GPG_KEY}
-exit $?
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
index 1dc03186..8494a5c8 100755
--- a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -1,7 +1,7 @@
 #!/bin/sh
 SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
-MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
 VMLINUZ=$(readlink /boot/vmlinuz)
 # All Linux Kernel modules need to be cryptographically signed
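Review bot: The guard on the `if` line of the new hook tests only `${CRACKLIB_DB}.pwd`, but `create-cracklib-dict` produces a set of files (`.pwd`, `.pwi`, `.hwm`), so a partial earlier run that left just the `.pwd` behind would make the hook skip the rebuild and ship an unusable dictionary; checking all three is safer: `if [ ! -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.pwd" ] || [ ! -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.pwi" ] || [ ! -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.hwm" ]; then`. The script has no `set -e`, and its exit status is non-zero on a failed build only because `create-cracklib-dict` happens to be the last command executed; an explicit `|| exit 1` on that call would keep that intent alive if a later edit appends something after it. A header comment should say what the dictionary is for and why it is built at image time — presumably so the password-quality check (pam_cracklib/pam_pwquality) has a dictionary on a fresh image, though that consumer is not visible here — and note that `/usr/share/dict/cracklib-small` is the small wordlist, i.e. a weaker dictionary check than a full one. The `$CRACKLIB_DIR`/`$CRACKLIB_DB` expansions on the `mkdir` and `create-cracklib-dict` lines should also be quoted, as the `[ -f … ]` test already does.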
@@ -13,10 +13,19 @@ find /lib/modules -type f -name \*.ko | while read MODULE; do
 fi
 done
-if [ ! -f ${MOK_KEY} ]; then
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
 echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
 else
 echo "I: Signing Linux Kernel for Secure Boot"
- sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+ sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
 sbverify --list /boot/${VMLINUZ}
+ rm -f ${KERNEL_KEY}
 fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+ if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+ echo "Found private key - bailing out"
+ exit 1
+ fi
+done
+
|
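Review bot: The new condition `[ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]` takes the "Secure Boot not possible" branch only when both files are missing, so a key without its certificate (or the reverse) falls through to the `else` branch and `sbsign` runs with a nonexistent file; the operator should be `||`: `if [ ! -f "${KERNEL_KEY}" ] || [ ! -f "${KERNEL_CERT}" ]; then`. The leftover-key sweep added at the end matches only the PKCS#8 header `BEGIN PRIVATE KEY`, so a PKCS#1 `BEGIN RSA PRIVATE KEY`, a `BEGIN EC PRIVATE KEY` or a `BEGIN ENCRYPTED PRIVATE KEY` file left in `mok/` passes the check and ships in the image — matching the common `PRIVATE KEY-----` suffix closes that, and since `grep -rq` already recurses, the `for cert in $(ls …)` loop is unnecessary. Neither `sbsign` nor `sbverify --list` has its exit status checked and the hook has no `set -e`, so a failed signing leaves an unsigned kernel in the image without failing the build; verifying against the certificate with `sbverify --cert "${KERNEL_CERT}" "/boot/${VMLINUZ}" || exit 1` would catch it. The module-signing loop that the hunk's leading `fi`/`done` close starts outside the hunk, so whether the key used there is also removed from the image cannot be judged here. A short comment explaining that the private key is deleted after signing because it must never ship in the image would help the next reader.

```sh
# … unchanged: module-signing loop …
if [ ! -f "${KERNEL_KEY}" ] || [ ! -f "${KERNEL_CERT}" ]; then
    echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
else
    # … unchanged: "Signing Linux Kernel for Secure Boot" message …
    sbsign --key "${KERNEL_KEY}" --cert "${KERNEL_CERT}" "/boot/${VMLINUZ}" --output "/boot/${VMLINUZ}" || exit 1
    sbverify --list "/boot/${VMLINUZ}"
    sbverify --cert "${KERNEL_CERT}" "/boot/${VMLINUZ}" || exit 1
    # The private key must never ship in the image; the sweep below double-checks.
    rm -f "${KERNEL_KEY}"
fi

# Every PEM private-key form (PKCS#8 "BEGIN PRIVATE KEY", PKCS#1 "BEGIN RSA
# PRIVATE KEY", "BEGIN EC PRIVATE KEY", "BEGIN ENCRYPTED PRIVATE KEY") ends its
# header with "PRIVATE KEY-----", so match on that rather than on one header.
if grep -rq "PRIVATE KEY-----" /var/lib/shim-signed/mok/; then
    echo "Found private key - bailing out"
    exit 1
fi
```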