summaryrefslogtreecommitdiff
path: root/testing/hosts/default
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2013-02-07 13:27:27 +0100
committerYves-Alexis Perez <corsac@debian.org>2013-02-07 13:27:27 +0100
commit7585facf05d927eb6df3929ce09ed5e60d905437 (patch)
treee4d14b4dc180db20356b6b01ce0112f3a2d7897e /testing/hosts/default
parentc1343b3278cdf99533b7902744d15969f9d6fdc1 (diff)
downloadvyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.tar.gz
vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.zip
Imported Upstream version 5.0.2
Diffstat (limited to 'testing/hosts/default')
-rw-r--r--testing/hosts/default/etc/default/slapd45
-rw-r--r--testing/hosts/default/etc/fstab1
-rw-r--r--testing/hosts/default/etc/ip6tables.flush15
-rw-r--r--testing/hosts/default/etc/ip6tables.rules39
-rw-r--r--testing/hosts/default/etc/iptables.drop12
-rw-r--r--testing/hosts/default/etc/iptables.flush21
-rw-r--r--testing/hosts/default/etc/iptables.rules28
-rw-r--r--testing/hosts/default/etc/profile.d/coredumps.sh5
-rw-r--r--testing/hosts/default/etc/rsyslog.conf125
-rw-r--r--testing/hosts/default/etc/security/limits.conf58
-rw-r--r--testing/hosts/default/etc/ssh/sshd_config13
-rw-r--r--testing/hosts/default/etc/sysctl.conf62
-rw-r--r--testing/hosts/default/root/.ssh/config3
-rwxr-xr-xtesting/hosts/default/usr/local/bin/expect-connection27
14 files changed, 454 insertions, 0 deletions
diff --git a/testing/hosts/default/etc/default/slapd b/testing/hosts/default/etc/default/slapd
new file mode 100644
index 000000000..a4a0a6e2a
--- /dev/null
+++ b/testing/hosts/default/etc/default/slapd
@@ -0,0 +1,45 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=/etc/ldap/slapd.conf
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
diff --git a/testing/hosts/default/etc/fstab b/testing/hosts/default/etc/fstab
new file mode 100644
index 000000000..12747232e
--- /dev/null
+++ b/testing/hosts/default/etc/fstab
@@ -0,0 +1 @@
+/hostshare /root/shared 9p trans=virtio,version=9p2000.L 0 0
diff --git a/testing/hosts/default/etc/ip6tables.flush b/testing/hosts/default/etc/ip6tables.flush
new file mode 100644
index 000000000..c3f5a9254
--- /dev/null
+++ b/testing/hosts/default/etc/ip6tables.flush
@@ -0,0 +1,15 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/hosts/default/etc/ip6tables.rules b/testing/hosts/default/etc/ip6tables.rules
new file mode 100644
index 000000000..6a2c6af8e
--- /dev/null
+++ b/testing/hosts/default/etc/ip6tables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow last UDP fragment
+-A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# allow crl and certficate fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s fec0::15 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d fec0::15 -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/hosts/default/etc/iptables.drop b/testing/hosts/default/etc/iptables.drop
new file mode 100644
index 000000000..445c45669
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.drop
@@ -0,0 +1,12 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/hosts/default/etc/iptables.flush b/testing/hosts/default/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/hosts/default/etc/iptables.rules b/testing/hosts/default/etc/iptables.rules
new file mode 100644
index 000000000..c3f036cf9
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/hosts/default/etc/profile.d/coredumps.sh b/testing/hosts/default/etc/profile.d/coredumps.sh
new file mode 100644
index 000000000..ea44c0ef6
--- /dev/null
+++ b/testing/hosts/default/etc/profile.d/coredumps.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -e
+
+ulimit -c unlimited >/dev/null 2>&1
+install -m 1777 -d /var/local/dumps >/dev/null 2>&1
+echo "/var/local/dumps/core.%e.%p" > /proc/sys/kernel/core_pattern
diff --git a/testing/hosts/default/etc/rsyslog.conf b/testing/hosts/default/etc/rsyslog.conf
new file mode 100644
index 000000000..9f76da36e
--- /dev/null
+++ b/testing/hosts/default/etc/rsyslog.conf
@@ -0,0 +1,125 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog # provides kernel logging support
+#$ModLoad immark # provides --MARK-- message capability
+
+# Don't drop messages
+$SystemLogRateLimitInterval 0
+$RepeatedMsgReduction off
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* /var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+daemon.*;mail.*;\
+ news.err;\
+ *.=debug;*.=info;\
+ *.=notice;*.=warn |/dev/xconsole
diff --git a/testing/hosts/default/etc/security/limits.conf b/testing/hosts/default/etc/security/limits.conf
new file mode 100644
index 000000000..2658b3236
--- /dev/null
+++ b/testing/hosts/default/etc/security/limits.conf
@@ -0,0 +1,58 @@
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain> <type> <item> <value>
+#
+#Where:
+#<domain> can be:
+# - an user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+# - NOTE: group and wildcard limits are not applied to root.
+# To apply a limit to the root user, <domain> must be
+# the literal username root.
+#
+#<type> can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open files
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
+#
+#<domain> <type> <item> <value>
+#
+
+#* soft core 0
+#root hard core 100000
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#ftp - chroot /ftp
+#@student - maxlogins 4
+
+* soft core unlimited
+
+# End of file
diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
new file mode 100644
index 000000000..07b7e78e5
--- /dev/null
+++ b/testing/hosts/default/etc/ssh/sshd_config
@@ -0,0 +1,13 @@
+Port 22
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+UsePrivilegeSeparation no
+PermitRootLogin yes
+StrictModes no
+PubkeyAuthentication no
+PermitEmptyPasswords yes
+PrintMotd no
+PrintLastLog no
+UsePAM no
diff --git a/testing/hosts/default/etc/sysctl.conf b/testing/hosts/default/etc/sysctl.conf
new file mode 100644
index 000000000..43010d52e
--- /dev/null
+++ b/testing/hosts/default/etc/sysctl.conf
@@ -0,0 +1,62 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additonal system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+
+# Enable coredump for suid binaries
+fs.suid_dumpable = 1
diff --git a/testing/hosts/default/root/.ssh/config b/testing/hosts/default/root/.ssh/config
new file mode 100644
index 000000000..aa102a144
--- /dev/null
+++ b/testing/hosts/default/root/.ssh/config
@@ -0,0 +1,3 @@
+Host *
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
diff --git a/testing/hosts/default/usr/local/bin/expect-connection b/testing/hosts/default/usr/local/bin/expect-connection
new file mode 100755
index 000000000..10a709255
--- /dev/null
+++ b/testing/hosts/default/usr/local/bin/expect-connection
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Wait until a given IPsec connection becomes available
+#
+# Params:
+# $1 - connection name
+# $2 - maximum time to wait in seconds, default is 5 seconds
+
+if [[ $# -lt 1 || $# -gt 2 ]]
+then
+ echo "invalid arguments"
+ exit 1
+fi
+
+secs=$2
+[ ! $secs ] && secs=5
+
+let steps=$secs*10
+for i in `seq 1 $steps`
+do
+ ipsec statusall 2>&1 | grep ^[[:space:]]*$1: >/dev/null
+ [ $? -eq 0 ] && exit 0
+ sleep 0.1
+done
+
+echo "Connection '$1' not available after $secs second(s)"
+exit 1