diff options
author | Yves-Alexis Perez <corsac@debian.org> | 2013-02-07 13:27:27 +0100 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2013-02-07 13:27:27 +0100 |
commit | 7585facf05d927eb6df3929ce09ed5e60d905437 (patch) | |
tree | e4d14b4dc180db20356b6b01ce0112f3a2d7897e /testing/hosts/default | |
parent | c1343b3278cdf99533b7902744d15969f9d6fdc1 (diff) | |
download | vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.tar.gz vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.zip |
Imported Upstream version 5.0.2
Diffstat (limited to 'testing/hosts/default')
-rw-r--r-- | testing/hosts/default/etc/default/slapd | 45 | ||||
-rw-r--r-- | testing/hosts/default/etc/fstab | 1 | ||||
-rw-r--r-- | testing/hosts/default/etc/ip6tables.flush | 15 | ||||
-rw-r--r-- | testing/hosts/default/etc/ip6tables.rules | 39 | ||||
-rw-r--r-- | testing/hosts/default/etc/iptables.drop | 12 | ||||
-rw-r--r-- | testing/hosts/default/etc/iptables.flush | 21 | ||||
-rw-r--r-- | testing/hosts/default/etc/iptables.rules | 28 | ||||
-rw-r--r-- | testing/hosts/default/etc/profile.d/coredumps.sh | 5 | ||||
-rw-r--r-- | testing/hosts/default/etc/rsyslog.conf | 125 | ||||
-rw-r--r-- | testing/hosts/default/etc/security/limits.conf | 58 | ||||
-rw-r--r-- | testing/hosts/default/etc/ssh/sshd_config | 13 | ||||
-rw-r--r-- | testing/hosts/default/etc/sysctl.conf | 62 | ||||
-rw-r--r-- | testing/hosts/default/root/.ssh/config | 3 | ||||
-rwxr-xr-x | testing/hosts/default/usr/local/bin/expect-connection | 27 |
14 files changed, 454 insertions, 0 deletions
diff --git a/testing/hosts/default/etc/default/slapd b/testing/hosts/default/etc/default/slapd new file mode 100644 index 000000000..a4a0a6e2a --- /dev/null +++ b/testing/hosts/default/etc/default/slapd @@ -0,0 +1,45 @@ +# Default location of the slapd.conf file or slapd.d cn=config directory. If +# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to +# /etc/ldap/slapd.conf). +SLAPD_CONF=/etc/ldap/slapd.conf + +# System account to run the slapd server under. If empty the server +# will run as root. +SLAPD_USER="openldap" + +# System group to run the slapd server under. If empty the server will +# run in the primary group of its user. +SLAPD_GROUP="openldap" + +# Path to the pid file of the slapd server. If not set the init.d script +# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by +# default) +SLAPD_PIDFILE= + +# slapd normally serves ldap only on all TCP-ports 389. slapd can also +# service requests on TCP-port 636 (ldaps) and requests via unix +# sockets. +# Example usage: +# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" +SLAPD_SERVICES="ldap:///" + +# If SLAPD_NO_START is set, the init script will not start or restart +# slapd (but stop will still work). Uncomment this if you are +# starting slapd via some other means or if you don't want slapd normally +# started at boot. +#SLAPD_NO_START=1 + +# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists, +# the init script will not start or restart slapd (but stop will still +# work). Use this for temporarily disabling startup of slapd (when doing +# maintenance, for example, or through a configuration management system) +# when you don't want to edit a configuration file. +SLAPD_SENTINEL_FILE=/etc/ldap/noslapd + +# For Kerberos authentication (via SASL), slapd by default uses the system +# keytab file (/etc/krb5.keytab). To use a different keytab file, +# uncomment this line and change the path. +#export KRB5_KTNAME=/etc/krb5.keytab + +# Additional options to pass to slapd +SLAPD_OPTIONS="" diff --git a/testing/hosts/default/etc/fstab b/testing/hosts/default/etc/fstab new file mode 100644 index 000000000..12747232e --- /dev/null +++ b/testing/hosts/default/etc/fstab @@ -0,0 +1 @@ +/hostshare /root/shared 9p trans=virtio,version=9p2000.L 0 0 diff --git a/testing/hosts/default/etc/ip6tables.flush b/testing/hosts/default/etc/ip6tables.flush new file mode 100644 index 000000000..c3f5a9254 --- /dev/null +++ b/testing/hosts/default/etc/ip6tables.flush @@ -0,0 +1,15 @@ +*filter + +-F + +-P INPUT ACCEPT +-P OUTPUT ACCEPT +-P FORWARD ACCEPT + +COMMIT + +*mangle + +-F + +COMMIT diff --git a/testing/hosts/default/etc/ip6tables.rules b/testing/hosts/default/etc/ip6tables.rules new file mode 100644 index 000000000..6a2c6af8e --- /dev/null +++ b/testing/hosts/default/etc/ip6tables.rules @@ -0,0 +1,39 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow last UDP fragment +-A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# allow crl and certficate fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s fec0::15 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d fec0::15 -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/hosts/default/etc/iptables.drop b/testing/hosts/default/etc/iptables.drop new file mode 100644 index 000000000..445c45669 --- /dev/null +++ b/testing/hosts/default/etc/iptables.drop @@ -0,0 +1,12 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +COMMIT diff --git a/testing/hosts/default/etc/iptables.flush b/testing/hosts/default/etc/iptables.flush new file mode 100644 index 000000000..b3ab63c51 --- /dev/null +++ b/testing/hosts/default/etc/iptables.flush @@ -0,0 +1,21 @@ +*filter + +-F + +-P INPUT ACCEPT +-P OUTPUT ACCEPT +-P FORWARD ACCEPT + +COMMIT + +*nat + +-F + +COMMIT + +*mangle + +-F + +COMMIT diff --git a/testing/hosts/default/etc/iptables.rules b/testing/hosts/default/etc/iptables.rules new file mode 100644 index 000000000..c3f036cf9 --- /dev/null +++ b/testing/hosts/default/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/hosts/default/etc/profile.d/coredumps.sh b/testing/hosts/default/etc/profile.d/coredumps.sh new file mode 100644 index 000000000..ea44c0ef6 --- /dev/null +++ b/testing/hosts/default/etc/profile.d/coredumps.sh @@ -0,0 +1,5 @@ +#!/bin/sh -e + +ulimit -c unlimited >/dev/null 2>&1 +install -m 1777 -d /var/local/dumps >/dev/null 2>&1 +echo "/var/local/dumps/core.%e.%p" > /proc/sys/kernel/core_pattern diff --git a/testing/hosts/default/etc/rsyslog.conf b/testing/hosts/default/etc/rsyslog.conf new file mode 100644 index 000000000..9f76da36e --- /dev/null +++ b/testing/hosts/default/etc/rsyslog.conf @@ -0,0 +1,125 @@ +# /etc/rsyslog.conf Configuration file for rsyslog. +# +# For more information see +# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html + + +################# +#### MODULES #### +################# + +$ModLoad imuxsock # provides support for local system logging +$ModLoad imklog # provides kernel logging support +#$ModLoad immark # provides --MARK-- message capability + +# Don't drop messages +$SystemLogRateLimitInterval 0 +$RepeatedMsgReduction off + +# provides UDP syslog reception +#$ModLoad imudp +#$UDPServerRun 514 + +# provides TCP syslog reception +#$ModLoad imtcp +#$InputTCPServerRun 514 + + +########################### +#### GLOBAL DIRECTIVES #### +########################### + +# +# Use traditional timestamp format. +# To enable high precision timestamps, comment out the following line. +# +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +# +# Set the default permissions for all log files. +# +$FileOwner root +$FileGroup adm +$FileCreateMode 0640 +$DirCreateMode 0755 +$Umask 0022 + +# +# Where to place spool and state files +# +$WorkDirectory /var/spool/rsyslog + +# +# Include all config files in /etc/rsyslog.d/ +# +$IncludeConfig /etc/rsyslog.d/*.conf + + +############### +#### RULES #### +############### + +# +# First some standard log files. Log by facility. +# +auth,authpriv.* /var/log/auth.log +*.*;auth,authpriv.none -/var/log/syslog +#cron.* /var/log/cron.log +daemon.* /var/log/daemon.log +kern.* -/var/log/kern.log +lpr.* -/var/log/lpr.log +mail.* -/var/log/mail.log +user.* -/var/log/user.log + +# +# Logging for the mail system. Split it up so that +# it is easy to write scripts to parse these files. +# +mail.info -/var/log/mail.info +mail.warn -/var/log/mail.warn +mail.err /var/log/mail.err + +# +# Logging for INN news system. +# +news.crit /var/log/news/news.crit +news.err /var/log/news/news.err +news.notice -/var/log/news/news.notice + +# +# Some "catch-all" log files. +# +*.=debug;\ + auth,authpriv.none;\ + news.none;mail.none -/var/log/debug +*.=info;*.=notice;*.=warn;\ + auth,authpriv.none;\ + cron,daemon.none;\ + mail,news.none -/var/log/messages + +# +# Emergencies are sent to everybody logged in. +# +*.emerg :omusrmsg:* + +# +# I like to have messages displayed on the console, but only on a virtual +# console I usually leave idle. +# +#daemon,mail.*;\ +# news.=crit;news.=err;news.=notice;\ +# *.=debug;*.=info;\ +# *.=notice;*.=warn /dev/tty8 + +# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, +# you must invoke `xconsole' with the `-file' option: +# +# $ xconsole -file /dev/xconsole [...] +# +# NOTE: adjust the list below, or you'll go crazy if you have a reasonably +# busy site.. +# +daemon.*;mail.*;\ + news.err;\ + *.=debug;*.=info;\ + *.=notice;*.=warn |/dev/xconsole diff --git a/testing/hosts/default/etc/security/limits.conf b/testing/hosts/default/etc/security/limits.conf new file mode 100644 index 000000000..2658b3236 --- /dev/null +++ b/testing/hosts/default/etc/security/limits.conf @@ -0,0 +1,58 @@ +# /etc/security/limits.conf +# +#Each line describes a limit for a user in the form: +# +#<domain> <type> <item> <value> +# +#Where: +#<domain> can be: +# - an user name +# - a group name, with @group syntax +# - the wildcard *, for default entry +# - the wildcard %, can be also used with %group syntax, +# for maxlogin limit +# - NOTE: group and wildcard limits are not applied to root. +# To apply a limit to the root user, <domain> must be +# the literal username root. +# +#<type> can have the two values: +# - "soft" for enforcing the soft limits +# - "hard" for enforcing hard limits +# +#<item> can be one of the following: +# - core - limits the core file size (KB) +# - data - max data size (KB) +# - fsize - maximum filesize (KB) +# - memlock - max locked-in-memory address space (KB) +# - nofile - max number of open files +# - rss - max resident set size (KB) +# - stack - max stack size (KB) +# - cpu - max CPU time (MIN) +# - nproc - max number of processes +# - as - address space limit (KB) +# - maxlogins - max number of logins for this user +# - maxsyslogins - max number of logins on the system +# - priority - the priority to run user process with +# - locks - max number of file locks the user can hold +# - sigpending - max number of pending signals +# - msgqueue - max memory used by POSIX message queues (bytes) +# - nice - max nice priority allowed to raise to values: [-20, 19] +# - rtprio - max realtime priority +# - chroot - change root to directory (Debian-specific) +# +#<domain> <type> <item> <value> +# + +#* soft core 0 +#root hard core 100000 +#* hard rss 10000 +#@student hard nproc 20 +#@faculty soft nproc 20 +#@faculty hard nproc 50 +#ftp hard nproc 0 +#ftp - chroot /ftp +#@student - maxlogins 4 + +* soft core unlimited + +# End of file diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config new file mode 100644 index 000000000..07b7e78e5 --- /dev/null +++ b/testing/hosts/default/etc/ssh/sshd_config @@ -0,0 +1,13 @@ +Port 22 +Protocol 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +UsePrivilegeSeparation no +PermitRootLogin yes +StrictModes no +PubkeyAuthentication no +PermitEmptyPasswords yes +PrintMotd no +PrintLastLog no +UsePAM no diff --git a/testing/hosts/default/etc/sysctl.conf b/testing/hosts/default/etc/sysctl.conf new file mode 100644 index 000000000..43010d52e --- /dev/null +++ b/testing/hosts/default/etc/sysctl.conf @@ -0,0 +1,62 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additonal system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. +# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 + +# Enable coredump for suid binaries +fs.suid_dumpable = 1 diff --git a/testing/hosts/default/root/.ssh/config b/testing/hosts/default/root/.ssh/config new file mode 100644 index 000000000..aa102a144 --- /dev/null +++ b/testing/hosts/default/root/.ssh/config @@ -0,0 +1,3 @@ +Host * + StrictHostKeyChecking no + UserKnownHostsFile /dev/null diff --git a/testing/hosts/default/usr/local/bin/expect-connection b/testing/hosts/default/usr/local/bin/expect-connection new file mode 100755 index 000000000..10a709255 --- /dev/null +++ b/testing/hosts/default/usr/local/bin/expect-connection @@ -0,0 +1,27 @@ +#!/bin/bash +# +# Wait until a given IPsec connection becomes available +# +# Params: +# $1 - connection name +# $2 - maximum time to wait in seconds, default is 5 seconds + +if [[ $# -lt 1 || $# -gt 2 ]] +then + echo "invalid arguments" + exit 1 +fi + +secs=$2 +[ ! $secs ] && secs=5 + +let steps=$secs*10 +for i in `seq 1 $steps` +do + ipsec statusall 2>&1 | grep ^[[:space:]]*$1: >/dev/null + [ $? -eq 0 ] && exit 0 + sleep 0.1 +done + +echo "Connection '$1' not available after $secs second(s)" +exit 1 |