Compare commits

..

5 commits

Author SHA1 Message Date
Cayo Puigdefabregas 629a2a172e change EreuseWorkbench for workbench-script 2024-10-21 11:30:05 +02:00
pedro 9aa156628b prepare a first integration of usody-sanitize
in session with cayo we see this just works for Monday
2024-10-18 18:32:07 +02:00
Cayo Puigdefabregas efe028aea1 deactivate confirm 2024-10-18 13:05:44 +02:00
Cayo Puigdefabregas 731567b8ea use of sanitize in workbench-script 2024-10-18 12:16:00 +02:00
pedro be28ec2a1f move alternate erase functions to docs 2024-10-18 10:54:45 +02:00
10 changed files with 248 additions and 413 deletions

View file

@ -44,14 +44,20 @@ boot_iso_uefi_secureboot:
-drive file=deploy/iso/workbench_debug.iso,cache=none,if=virtio,format=raw,index=0,media=disk \ -drive file=deploy/iso/workbench_debug.iso,cache=none,if=virtio,format=raw,index=0,media=disk \
-boot menu=on -boot menu=on
# when you change something, you need to refresh it this way test_usody_sanitize:
regenerate_pxe_install: # TODO adapt settings accordingly for this test
./deploy-workbench.sh # ERASE=y ./deploy-workbench.sh
pxe/install-pxe.sh # create 3 disks for testing
qemu-img create -f raw test_sanitize_disk1.img 1G
qemu-img create -f raw test_sanitize_disk2.img 1G
qemu-img create -f raw test_sanitize_disk3.img 1G
sudo qemu-system-x86_64 \
-enable-kvm -m 2G -vga qxl -netdev user,id=wan -device virtio-net,netdev=wan,id=nic1 \
-drive format=raw,file=iso/workbench_debug.iso,cache=none,if=virtio \
-drive format=raw,file=test_sanitize_disk1.img,cache=none,if=virtio \
-drive format=raw,file=test_sanitize_disk2.img,cache=none,if=virtio \
-drive format=raw,file=test_sanitize_disk3.img,cache=none,if=virtio
es_gen:
$(MAKE) es_gen_po
$(MAKE) es_gen_mo
es_gen_po: es_gen_po:
cp locale/es/LC_MESSAGES/messages.po locale/es/LC_MESSAGES/messages.pot.bak cp locale/es/LC_MESSAGES/messages.po locale/es/LC_MESSAGES/messages.pot.bak

View file

@ -199,12 +199,12 @@ create_persistence_partition() {
mkdir -p "${tmp_rw_mount}" mkdir -p "${tmp_rw_mount}"
${SUDO} mount "$(pwd)/${rw_img_path}" "${tmp_rw_mount}" ${SUDO} mount "$(pwd)/${rw_img_path}" "${tmp_rw_mount}"
${SUDO} mkdir -p "${tmp_rw_mount}" ${SUDO} mkdir -p "${tmp_rw_mount}"
if [ ! -f "settings.ini" ]; then if [ -f "settings.ini" ]; then
${SUDO} cp -v settings.ini.example settings.ini
echo "WARNING: settings.ini was not there, settings.ini.example was copied, this only happens once"
fi
${SUDO} cp -v settings.ini "${tmp_rw_mount}/settings.ini" ${SUDO} cp -v settings.ini "${tmp_rw_mount}/settings.ini"
else
echo "ERROR: settings.ini does not exist yet, cannot read config from there. You can take inspiration with file settings.ini.example"
exit 1
fi
${SUDO} umount "${tmp_rw_mount}" ${SUDO} umount "${tmp_rw_mount}"
uuid="$(blkid "${rw_img_path}" | awk '{ print $3; }')" uuid="$(blkid "${rw_img_path}" | awk '{ print $3; }')"
@ -253,27 +253,6 @@ END2
END END
)" )"
# thanks https://wiki.debian.org/Keyboard
chroot_kbd_conf_str="$(cat<<END
chroot_kbd_conf() {
###################
# configure keyboard
cat > /etc/default/keyboard <<END2
# KEYBOARD CONFIGURATION FILE
# generated by deploy-workbench.sh
# Consult the keyboard(5) manual page.
XKBMODEL="pc105"
XKBLAYOUT="\${CUSTOM_LANG}"
BACKSPACE="guess"
END2
}
END
)"
prepare_app() { prepare_app() {
# prepare app during prepare_chroot_env # prepare app during prepare_chroot_env
workbench_dir="${ISO_PATH}/chroot/opt/workbench" workbench_dir="${ISO_PATH}/chroot/opt/workbench"
@ -285,6 +264,8 @@ prepare_app() {
# startup script execution # startup script execution
cat > "${ISO_PATH}/chroot/root/.profile" <<END cat > "${ISO_PATH}/chroot/root/.profile" <<END
# pipx path for usody-sanitize
PATH="${PATH}:/root/.local/bin"
if [ -f /tmp/workbench_lock ]; then if [ -f /tmp/workbench_lock ]; then
return 0 return 0
else else
@ -301,15 +282,13 @@ if [ "\${nfs_host}" ]; then
mount --bind /run/live/medium /mnt mount --bind /run/live/medium /mnt
# debian live nfs path is readonly, do a trick # debian live nfs path is readonly, do a trick
# to make snapshots subdir readwrite # to make snapshots subdir readwrite
mount -v \${nfs_host}:/snapshots /run/live/medium/snapshots mount \${nfs_host}:/snapshots /run/live/medium/snapshots
# reload mounts on systemd # reload mounts on systemd
systemctl daemon-reload systemctl daemon-reload
fi fi
# clearly specify the right working directory, used in the python script as os.getcwd() # clearly specify the right working directory, used in the python script as os.getcwd()
cd /mnt cd /mnt
#pipenv run python /opt/workbench/workbench-script.py --config /mnt/settings.ini pipenv run python /opt/workbench/workbench-script.py --config /mnt/settings.ini
# works meanwhile this project is vanilla python
python /opt/workbench/workbench-script.py --config /mnt/settings.ini
stty echo stty echo
set +x set +x
@ -325,16 +304,18 @@ echo 'Install requirements'
# Install debian requirements # Install debian requirements
apt-get install -y --no-install-recommends \ apt-get install -y --no-install-recommends \
sudo locales keyboard-configuration console-setup qrencode \ sudo locales \
python-is-python3 python3 python3-dev python3-pip pipenv \ python-is-python3 python3 python3-dev python3-pip pipenv \
dmidecode smartmontools hwinfo pciutils lshw nfs-common inxi < /dev/null dmidecode smartmontools hwinfo pciutils lshw nfs-common pipx < /dev/null
pipx install usody-sanitize
# Install lshw B02.19 utility using backports (DEPRECATED in Debian 12) # Install lshw B02.19 utility using backports (DEPRECATED in Debian 12)
#apt install -y -t ${VERSION_CODENAME}-backports lshw < /dev/null #apt install -y -t ${VERSION_CODENAME}-backports lshw < /dev/null
echo 'Install sanitize requirements' echo 'Install usody-sanitize requirements'
# Install sanitize debian requirements # Install usody-sanitize debian requirements
apt-get install -y --no-install-recommends \ apt-get install -y --no-install-recommends \
hdparm nvme-cli < /dev/null hdparm nvme-cli < /dev/null
@ -383,15 +364,8 @@ ${install_app_str}
# thanks src https://serverfault.com/questions/362903/how-do-you-set-a-locale-non-interactively-on-debian-ubuntu # thanks src https://serverfault.com/questions/362903/how-do-you-set-a-locale-non-interactively-on-debian-ubuntu
export LANG=${LANG} export LANG=${LANG}
export LC_ALL=${LANG} export LC_ALL=${LANG}
echo "${MYLOCALE}" > /etc/locale.gen
# Generate the locale
locale-gen
# feeds /etc/default/locale for the shell env var
update-locale LANG=${LANG} LC_ALL=${LANG}
# this is a high level command that does locale-gen and update-locale altogether # this is a high level command that does locale-gen and update-locale altogether
# but it is too interactive dpkg-reconfigure --frontend=noninteractive locales
#dpkg-reconfigure --frontend=noninteractive locales
# DEBUG
locale -a locale -a
# Autologin root user # Autologin root user
@ -416,9 +390,6 @@ apt-get install -y --no-install-recommends \
< /dev/null < /dev/null
${chroot_netdns_conf_str} ${chroot_netdns_conf_str}
CUSTOM_LANG=${CUSTOM_LANG}
${chroot_kbd_conf_str}
chroot_kbd_conf
# Set up root user # Set up root user
# this is the root password # this is the root password
@ -438,19 +409,7 @@ CHROOT
} }
prepare_chroot_env() { prepare_chroot_env() {
CUSTOM_LANG="${CUSTOM_LANG:-es}" LANG="${CUSTOM_LANG:-es_ES.UTF-8}"
case "${CUSTOM_LANG}" in
es)
export LANG="es_ES.UTF-8"
export MYLOCALE="${LANG} UTF-8"
;;
en)
export LANG="en_US.UTF-8"
;;
*)
echo "ERROR: CUSTOM_LANG not supported. Available: es"
exit 1
esac
# version of debian the bootstrap is going to build # version of debian the bootstrap is going to build
# if no VERSION_CODENAME is specified we assume that the bootstrap is going to # if no VERSION_CODENAME is specified we assume that the bootstrap is going to
# be build with the same version of debian being executed because some files # be build with the same version of debian being executed because some files
@ -474,7 +433,6 @@ prepare_chroot_env() {
prepare_app prepare_app
} }
# thanks https://willhaley.com/blog/custom-debian-live-environment/ # thanks https://willhaley.com/blog/custom-debian-live-environment/
install_requirements() { install_requirements() {
# Install requirements # Install requirements

112
docs/dev-es.md Normal file
View file

@ -0,0 +1,112 @@
## borrado minimalista
Un enfoque inicial que teníamos para el borrado de disco son las siguientes funciones, esto lo hemos descartado para usar una herramienta más avanzada en el borrado [usody-sanitize](https://github.com/usody/sanitize/)
```python
## Xavier Functions ##
def erase_basic(disk):
"""
Basic Erasure
https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=917935
Settings for basic data erasure using shred Linux command.
A software-based fast non-100%-secured way of erasing data storage.
Performs 1 pass overwriting one round using all zeros.
Compliant with NIST SP-800-8y8.
In settings appear:
WB_ERASE = EraseBasic
WB_ERASE_STEPS = 1
WB_ERASE_LEADING_ZEROS = False
"""
cmd = f'shred -vn 1 /dev/{disk}'
return [exec_cmd_erase(cmd)]
def erase_baseline(disk):
"""
Baseline Secure Erasure
Settings for advanced data erasure using badblocks Linux software.
A secured-way of erasing data storages, erase hidden areas,
checking the erase sector by sector.
Performs 1 pass overwriting each sector with zeros and a final verification.
Compliant with HMG Infosec Standard 5 Baseline.
In settings appear:
WB_ERASE = EraseSectors
WB_ERASE_STEPS = 1
WB_ERASE_LEADING_ZEROS = True
WB_ERASE_1_METHOD = EraseBasic
WB_ERASE_1_STEP_TYPE = 0
WB_ERASE_2_METHOD = EraseSectors
WB_ERASE_2_STEP_TYPE = 1
"""
result = []
cmd = f'shred -zvn 0 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
cmd = f'badblocks -st random -w /dev/{disk}'
result.append(exec_cmd_erase(cmd))
return result
def erase_enhanced(disk):
"""
Enhanced Secure Erasure
Settings for advanced data erasure using badblocks Linux software.
A secured-way of erasing data storages, erase hidden areas,
checking the erase sector by sector.
Performs 3 passes overwriting every sector with zeros and ones,
and final verification. Compliant with HMG Infosec Standard 5 Enhanced.
In settings appear:
WB_ERASE = EraseSectors
WB_ERASE_LEADING_ZEROS = True
WB_ERASE_1_METHOD = EraseBasic
WB_ERASE_1_STEP_TYPE = 1
WB_ERASE_2_METHOD = EraseBasic
WB_ERASE_2_STEP_TYPE = 0
WB_ERASE_3_METHOD = EraseSectors
WB_ERASE_3_STEP_TYPE = 1
"""
result = []
cmd = f'shred -vn 1 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
cmd = f'shred -zvn 0 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
## creo que realmente seria asi (3 pases y una extra poniendo a ceros):
# shred -zvn 3 /def/{disk}
# tampoco estoy seguro que el badblocks haga un proceso de verificacion.
cmd = f'badblocks -st random -w /dev/{disk}'
result.append(exec_cmd_erase(cmd))
return result
## End Xavier Functions ##
## Erase Functions ##
def ata_secure_erase_null(disk):
cmd_baseline = f'hdparm --user-master u --security-erase NULL /dev/{disk}'
return [exec_cmd_erase(cmd_baseline)]
def ata_secure_erase_enhanced(disk):
cmd_enhanced = f'hdparm --user-master u --security-erase-enhanced /dev/{disk}'
return [exec_cmd_erase(cmd_enhanced)]
def nvme_secure_erase(disk):
cmd_encrypted = f'nvme format /dev/{disk} --ses=1'
return [exec_cmd_erase(cmd_encrypted)]
## End Erase Functions ##
```

View file

@ -9,7 +9,7 @@ set -u
set -x set -x
main() { main() {
sudo apt install qrencode smartmontools lshw hwinfo dmidecode inxi sudo apt install smartmontools lshw hwinfo dmidecode
} }
main "${@}" main "${@}"

Binary file not shown.

View file

@ -8,7 +8,7 @@ msgid ""
msgstr "" msgstr ""
"Project-Id-Version: PACKAGE VERSION\n" "Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-08 18:25+0100\n" "POT-Creation-Date: 2024-10-15 21:15+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n" "Language-Team: LANGUAGE <LL@li.org>\n"
@ -17,19 +17,19 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n" "Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n" "Content-Transfer-Encoding: 8bit\n"
#: workbench-script.py:49 workbench-script.py:54 #: workbench-script.py:48 workbench-script.py:53
msgid "Running command `%s`" msgid "Running command `%s`"
msgstr "Ejecutando comando `%s`" msgstr "Ejecutando comando `%s`"
#: workbench-script.py:279 #: workbench-script.py:284
msgid "Created snapshots directory at '%s'" msgid "Created snapshots directory at '%s'"
msgstr "Creado directorio de snapshots en '%s'" msgstr "Creado directorio de snapshots en '%s'"
#: workbench-script.py:282 #: workbench-script.py:287
msgid "Snapshot written in path '%s'" msgid "Snapshot written in path '%s'"
msgstr "Snapshot escrito en ruta '%s'" msgstr "Snapshot escrito en ruta '%s'"
#: workbench-script.py:285 #: workbench-script.py:290
msgid "" msgid ""
"Attempting to save file in actual path. Reason: Failed to write in snapshots " "Attempting to save file in actual path. Reason: Failed to write in snapshots "
"directory:\n" "directory:\n"
@ -39,11 +39,11 @@ msgstr ""
"escribir en el directorio de snapshots:\n" "escribir en el directorio de snapshots:\n"
" %s." " %s."
#: workbench-script.py:292 #: workbench-script.py:297
msgid "Snapshot written in fallback path '%s'" msgid "Snapshot written in fallback path '%s'"
msgstr "Snapshot escrito en ruta alternativa '%s'" msgstr "Snapshot escrito en ruta alternativa '%s'"
#: workbench-script.py:294 #: workbench-script.py:299
msgid "" msgid ""
"Could not save snapshot locally. Reason: Failed to write in fallback path:\n" "Could not save snapshot locally. Reason: Failed to write in fallback path:\n"
" %s" " %s"
@ -52,53 +52,49 @@ msgstr ""
"alternativa:\n" "alternativa:\n"
" %s" " %s"
#: workbench-script.py:317 #: workbench-script.py:316
msgid "Snapshot successfully sent to '%s'" msgid "Snapshot successfully sent to '%s'"
msgstr "Snapshot enviado con éxito a '%s'" msgstr "Snapshot enviado con éxito a '%s'"
#: workbench-script.py:335 #: workbench-script.py:331
msgid "Snapshot %s could not be sent to URL '%s'"
msgstr "Snapshot %s no se pudo enviar a la URL '%s'"
#: workbench-script.py:338
msgid "" msgid ""
"Snapshot %s not remotely sent to URL '%s'. Do you have internet? Is your " "Snapshot not remotely sent to URL '%s'. Do you have internet? Is your server "
"server up & running? Is the url token authorized?\n" "up & running? Is the url token authorized?\n"
" %s" " %s"
msgstr "" msgstr ""
"Snapshot %s no enviado remotamente a la URL '%s'. Tienes internet? Está el " "Snapshot no enviado remotamente a la URL '%s'. Tienes internet? Está el "
"servidor en marcha? Está autorizado el url token?\n" "servidor en marcha? Está autorizado el url token?\n"
" %s" " %s"
#: workbench-script.py:350 #: workbench-script.py:342
msgid "Found config file in path: %s." msgid "Found config file in path: %s."
msgstr "Encontrado fichero de configuración en ruta: %s." msgstr "Encontrado fichero de configuración en ruta: %s."
#: workbench-script.py:361 #: workbench-script.py:353
msgid "Config file '%s' not found. Using default values." msgid "Config file '%s' not found. Using default values."
msgstr "" msgstr ""
"Fichero de configuración '%s' no encontrado. Utilizando valores por defecto." "Fichero de configuración '%s' no encontrado. Utilizando valores por defecto."
#: workbench-script.py:379 #: workbench-script.py:373
msgid "workbench-script.py [-h] [--config CONFIG]" msgid "workbench-script.py [-h] [--config CONFIG]"
msgstr "" msgstr ""
#: workbench-script.py:380 #: workbench-script.py:374
msgid "Optional config loader for workbench." msgid "Optional config loader for workbench."
msgstr "Cargador opcional de configuración para workbench" msgstr "Cargador opcional de configuración para workbench"
#: workbench-script.py:383 #: workbench-script.py:377
msgid "" msgid ""
"path to the config file. Defaults to 'settings.ini' in the current directory." "path to the config file. Defaults to 'settings.ini' in the current directory."
msgstr "" msgstr ""
"ruta al fichero de configuración. Por defecto es 'settings.ini' en el " "ruta al fichero de configuración. Por defecto es 'settings.ini' en el "
"directorio actual" "directorio actual"
#: workbench-script.py:416 #: workbench-script.py:410
msgid "START" msgid "START"
msgstr "INICIO" msgstr "INICIO"
#: workbench-script.py:430 #: workbench-script.py:423
msgid "" msgid ""
"This script must be run as root. Collected data will be incomplete or " "This script must be run as root. Collected data will be incomplete or "
"unusable" "unusable"
@ -106,6 +102,6 @@ msgstr ""
"Es conveniente que este script sea ejecutado como administrador (root). Los " "Es conveniente que este script sea ejecutado como administrador (root). Los "
"datos recopilados serán incompletos o no usables." "datos recopilados serán incompletos o no usables."
#: workbench-script.py:448 #: workbench-script.py:441
msgid "END" msgid "END"
msgstr "FIN" msgstr "FIN"

View file

@ -1,5 +1,4 @@
# assuming server_ip using qemu server_ip=192.168.1.2
server_ip=10.0.2.1 nfs_allowed_lan=192.168.1.0/24
nfs_allowed_lan=10.0.2.0/24
tftp_path='/srv/pxe-tftp' tftp_path='/srv/pxe-tftp'
nfs_path='/srv/pxe-nfs' nfs_path='/srv/pxe-nfs'

View file

@ -37,7 +37,7 @@ backup_file() {
if [ -f "${target}" ]; then if [ -f "${target}" ]; then
if ! grep -q 'we should do a backup' "${target}"; then if ! grep -q 'we should do a backup' "${target}"; then
${SUDO} cp -v -a "${target}" "${target}-bak_${ts}" ${SUDO} cp -a "${target}" "${target}-bak_${ts}"
fi fi
fi fi
} }
@ -69,14 +69,14 @@ END
# reload nfs exports # reload nfs exports
${SUDO} exportfs -vra ${SUDO} exportfs -vra
if [ ! -f ./settings.ini ]; then
cp -v ./settings.ini.example ./settings.ini
echo "WARNING: settings.ini was not there, settings.ini.example was copied, this only happens once"
fi
if [ ! -f "${nfs_path}/settings.ini" ]; then if [ ! -f "${nfs_path}/settings.ini" ]; then
${SUDO} cp -v settings.ini "${nfs_path}/settings.ini" if [ -f "settings.ini" ]; then
echo "WARNING: ${nfs_path}/settings.ini was not there, ./settings.ini was copied, this only happens once" ${SUDO} cp settings.ini "${nfs_path}/settings.ini"
else
echo "ERROR: $(pwd)/settings.ini does not exist yet, cannot read config from there. You can take inspiration with file $(pwd)/settings.ini.example"
exit 1
fi
fi fi
} }
@ -93,7 +93,6 @@ pxe-service=x86PC,"Network Boot",pxelinux
enable-tftp enable-tftp
tftp-root=${tftp_path} tftp-root=${tftp_path}
END END
sudo systemctl restart dnsmasq || true
} }
install_netboot() { install_netboot() {
@ -111,12 +110,8 @@ install_netboot() {
${SUDO} cp -fv "${PXE_DIR}/../iso/staging/live/vmlinuz" "${tftp_path}/" ${SUDO} cp -fv "${PXE_DIR}/../iso/staging/live/vmlinuz" "${tftp_path}/"
${SUDO} cp -fv "${PXE_DIR}/../iso/staging/live/initrd" "${tftp_path}/" ${SUDO} cp -fv "${PXE_DIR}/../iso/staging/live/initrd" "${tftp_path}/"
${SUDO} cp -v /usr/lib/syslinux/memdisk "${tftp_path}/" ${SUDO} cp /usr/lib/syslinux/memdisk "${tftp_path}/"
${SUDO} cp -v /usr/lib/syslinux/modules/bios/* "${tftp_path}/" ${SUDO} cp /usr/lib/syslinux/modules/bios/* "${tftp_path}/"
if [ ! -f ./pxe-menu.cfg ]; then
${SUDO} cp -v ./pxe-menu.cfg.example pxe-menu.cfg
echo "WARNING: pxe-menu.cfg was not there, pxe-menu.cfg.example was copied, this only happens once"
fi
envsubst < ./pxe-menu.cfg | ${SUDO} tee "${tftp_path}/pxelinux.cfg/default" envsubst < ./pxe-menu.cfg | ${SUDO} tee "${tftp_path}/pxelinux.cfg/default"
fi fi
@ -133,11 +128,11 @@ init_config() {
PXE_DIR="$(pwd)" PXE_DIR="$(pwd)"
if [ ! -f ./.env ]; then if [ -f ./.env ]; then
cp -v ./.env.example ./.env
echo "WARNING: .env was not there, .env.example was copied, this only happens once"
fi
. ./.env . ./.env
else
echo "PXE: WARNING: $(pwd)/.env does not exist yet, cannot read config from there. You can take inspiration with file $(pwd)/.env.example"
fi
VERSION_CODENAME="${VERSION_CODENAME:-bookworm}" VERSION_CODENAME="${VERSION_CODENAME:-bookworm}"
tftp_path="${tftp_path:-/srv/pxe-tftp}" tftp_path="${tftp_path:-/srv/pxe-tftp}"
# vars used in envsubst require to be exported: # vars used in envsubst require to be exported:

View file

@ -1,14 +1,7 @@
[settings] [settings]
url = http://localhost:8000/api/v1/snapshot/ url = http://localhost:8000/api/snapshot/
#url = https://demo.ereuse.org/api/v1/snapshot/ token = '1234'
# sample token that works with default deployment such as the previous two urls
token = 5018dd65-9abd-4a62-8896-80f34ac66150
# Idhub
# wb_sign_token = 27de6ad7-cee2-4fe8-84d4-c7eea9c969c8
# url_wallet = http://localhost/webhook/sign/
# path = /path/to/save # path = /path/to/save
# device = your_device_name # device = your_device_name
# # erase = basic # # erase = basic
# legacy = True # legacy = true

View file

@ -6,7 +6,6 @@ import uuid
import hashlib import hashlib
import argparse import argparse
import configparser import configparser
import urllib.parse
import urllib.request import urllib.request
import gettext import gettext
@ -16,17 +15,20 @@ import logging
from datetime import datetime from datetime import datetime
SNAPSHOT_BASE = { ## Legacy Functions ##
'timestamp': str(datetime.now()), def convert_to_legacy_snapshot(snapshot):
'type': 'Snapshot', snapshot["sid"] = str(uuid.uuid4()).split("-")[0]
'uuid': str(uuid.uuid4()), snapshot["software"] = "workbench-script"
'software': "workbench-script", snapshot["version"] = "dev"
'version': "0.0.1", snapshot["schema_api"] = "1.0.0"
'operator_id': "", snapshot["settings_version"] = "No Settings Version (NaN)"
'data': {}, snapshot["timestamp"] = snapshot["timestamp"].replace(" ", "T")
'erase': [] snapshot["data"]["smart"] = snapshot["data"]["disks"]
} snapshot["data"].pop("disks")
snapshot.pop("code")
snapshot.pop("erase")
## End Legacy Functions ##
## Utility Functions ## ## Utility Functions ##
@ -46,151 +48,32 @@ def exec_cmd(cmd):
logger.info(_('Running command `%s`'), cmd) logger.info(_('Running command `%s`'), cmd)
return os.popen(cmd).read() return os.popen(cmd).read()
@logs @logs
def exec_cmd_erase(cmd): def exec_cmd_erase(cmd):
logger.info(_('Running command `%s`'), cmd) logger.info(_('Running command `%s`'), cmd)
return '' return ''
# return os.popen(cmd).read() # return os.popen(cmd).read()
def gen_code():
uid = str(uuid.uuid4()).encode('utf-8')
return hashlib.shake_256(uid).hexdigest(3)
## End Utility functions ## ## End Utility functions ##
## Legacy Functions ## SNAPSHOT_BASE = {
'timestamp': str(datetime.now()),
def convert_to_legacy_snapshot(snapshot): 'type': 'Snapshot',
snapshot["sid"] = str(uuid.uuid4()).split("-")[1] 'uuid': str(uuid.uuid4()),
snapshot["software"] = "workbench-script" 'code': gen_code(),
snapshot["version"] = "dev" 'software': "workbench-script",
snapshot["schema_api"] = "1.0.0" 'version': "0.0.1",
snapshot["settings_version"] = "No Settings Version (NaN)" 'data': {},
snapshot["timestamp"] = snapshot["timestamp"].replace(" ", "T") 'erase': []
snapshot["data"]["smart"] = json.loads(snapshot["data"]["smartctl"]) }
snapshot["data"].pop("smartctl")
snapshot["data"].pop("inxi")
snapshot.pop("operator_id")
snapshot.pop("erase")
lshw = 'sudo lshw -json'
hwinfo = 'sudo hwinfo --reallyall'
lspci = 'sudo lspci -vv'
data = {
'lshw': exec_cmd(lshw) or "{}",
'hwinfo': exec_cmd(hwinfo),
'lspci': exec_cmd(lspci)
}
snapshot['data'].update(data)
## End Legacy Functions ##
## Command Functions ## ## Command Functions ##
## Erase Functions ##
## Xavier Functions ##
def erase_basic(disk):
"""
Basic Erasure
https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=917935
Settings for basic data erasure using shred Linux command.
A software-based fast non-100%-secured way of erasing data storage.
Performs 1 pass overwriting one round using all zeros.
Compliant with NIST SP-800-8y8.
In settings appear:
WB_ERASE = EraseBasic
WB_ERASE_STEPS = 1
WB_ERASE_LEADING_ZEROS = False
"""
cmd = f'shred -vn 1 /dev/{disk}'
return [exec_cmd_erase(cmd)]
def erase_baseline(disk):
"""
Baseline Secure Erasure
Settings for advanced data erasure using badblocks Linux software.
A secured-way of erasing data storages, erase hidden areas,
checking the erase sector by sector.
Performs 1 pass overwriting each sector with zeros and a final verification.
Compliant with HMG Infosec Standard 5 Baseline.
In settings appear:
WB_ERASE = EraseSectors
WB_ERASE_STEPS = 1
WB_ERASE_LEADING_ZEROS = True
WB_ERASE_1_METHOD = EraseBasic
WB_ERASE_1_STEP_TYPE = 0
WB_ERASE_2_METHOD = EraseSectors
WB_ERASE_2_STEP_TYPE = 1
"""
result = []
cmd = f'shred -zvn 0 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
cmd = f'badblocks -st random -w /dev/{disk}'
result.append(exec_cmd_erase(cmd))
return result
def erase_enhanced(disk):
"""
Enhanced Secure Erasure
Settings for advanced data erasure using badblocks Linux software.
A secured-way of erasing data storages, erase hidden areas,
checking the erase sector by sector.
Performs 3 passes overwriting every sector with zeros and ones,
and final verification. Compliant with HMG Infosec Standard 5 Enhanced.
In settings appear:
WB_ERASE = EraseSectors
WB_ERASE_LEADING_ZEROS = True
WB_ERASE_1_METHOD = EraseBasic
WB_ERASE_1_STEP_TYPE = 1
WB_ERASE_2_METHOD = EraseBasic
WB_ERASE_2_STEP_TYPE = 0
WB_ERASE_3_METHOD = EraseSectors
WB_ERASE_3_STEP_TYPE = 1
"""
result = []
cmd = f'shred -vn 1 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
cmd = f'shred -zvn 0 /dev/{disk}'
result.append(exec_cmd_erase(cmd))
## creo que realmente seria asi (3 pases y una extra poniendo a ceros):
# shred -zvn 3 /def/{disk}
# tampoco estoy seguro que el badblocks haga un proceso de verificacion.
cmd = f'badblocks -st random -w /dev/{disk}'
result.append(exec_cmd_erase(cmd))
return result
## End Xavier Functions ##
def ata_secure_erase_null(disk):
cmd_baseline = f'hdparm --user-master u --security-erase NULL /dev/{disk}'
return [exec_cmd_erase(cmd_baseline)]
def ata_secure_erase_enhanced(disk):
cmd_enhanced = f'hdparm --user-master u --security-erase-enhanced /dev/{disk}'
return [exec_cmd_erase(cmd_enhanced)]
def nvme_secure_erase(disk):
cmd_encrypted = f'nvme format /dev/{disk} --ses=1'
return [exec_cmd_erase(cmd_encrypted)]
## End Erase Functions ##
@logs @logs
def get_disks(): def get_disks():
@ -199,39 +82,13 @@ def get_disks():
) )
return disks.get('blockdevices', []) return disks.get('blockdevices', [])
@logs @logs
def gen_erase(all_disks, type_erase, user_disk=None): def gen_erase(type_erase, user_disk=None):
erase = [] if user_disk:
for disk in all_disks: return exec_cmd(f"sanitize -d {user_disk} -m {type_erase}")
if user_disk and disk['name'] not in user_disk: return exec_cmd(f"sanitize -a -m {type_erase}")
continue # return exec_cmd(f"sanitize -a -m {type_erase} --confirm")
if disk['type'] != 'disk':
continue
if 'boot' in disk['mountpoints']:
continue
if not disk['rota']:
# if soport nvme erase
erase.append(nvme_secure_erase(disk['name']))
elif disk['tran'] in ['ata', 'sata']:
# if soport ata erase
if type_erase == 'basic':
erase.append(ata_secure_erase_null(disk['name']))
elif type_erase == 'baseline':
erase.append(ata_secure_erase_null(disk['name']))
elif type_erase == 'enhanced':
erase.append(ata_secure_erase_enhanced(disk['name']))
else:
# For old disks
if type_erase == 'basic':
erase.append(erase_basic(disk['name']))
elif type_erase == 'baseline':
erase.append(erase_baseline(disk['name']))
elif type_erase == 'enhanced':
erase.append(erase_enhanced(disk['name']))
return erase
@logs @logs
@ -252,7 +109,7 @@ def smartctl(all_disks, disk=None):
data = exec_smart(disk['name']) data = exec_smart(disk['name'])
data_list.append(data) data_list.append(data)
return json.dumps(data_list) return data_list
## End Command Functions ## ## End Command Functions ##
@ -260,13 +117,16 @@ def smartctl(all_disks, disk=None):
# TODO permitir selección # TODO permitir selección
# TODO permitir que vaya más rápido # TODO permitir que vaya más rápido
def get_data(all_disks): def get_data(all_disks):
lshw = 'sudo lshw -json'
hwinfo = 'sudo hwinfo --reallyall'
dmidecode = 'sudo dmidecode' dmidecode = 'sudo dmidecode'
inxi = "sudo inxi -afmnGEMABD -x 3 --edid --output json --output-file print" lspci = 'sudo lspci -vv'
data = { data = {
'smartctl': smartctl(all_disks), 'lshw': exec_cmd(lshw) or "{}",
'disks': smartctl(all_disks),
'hwinfo': exec_cmd(hwinfo),
'dmidecode': exec_cmd(dmidecode), 'dmidecode': exec_cmd(dmidecode),
'inxi': exec_cmd(inxi) 'lspci': exec_cmd(lspci)
} }
return data return data
@ -278,20 +138,20 @@ def gen_snapshot(all_disks):
return snapshot return snapshot
def save_snapshot_in_disk(snapshot, path, snap_uuid): def save_snapshot_in_disk(snapshot, path):
snapshot_path = os.path.join(path, 'snapshots') snapshot_path = os.path.join(path, 'snapshots')
filename = "{}/{}_{}.json".format( filename = "{}/{}_{}.json".format(
snapshot_path, snapshot_path,
datetime.now().strftime("%Y%m%d-%H_%M_%S"), datetime.now().strftime("%Y%m%d-%H_%M_%S"),
snap_uuid) snapshot['uuid'])
try: try:
if not os.path.exists(snapshot_path): if not os.path.exists(snapshot_path):
os.makedirs(snapshot_path) os.makedirs(snapshot_path)
logger.info(_("Created snapshots directory at '%s'"), snapshot_path) logger.info(_("Created snapshots directory at '%s'"), snapshot_path)
with open(filename, "w") as f: with open(filename, "w") as f:
f.write(snapshot) f.write(json.dumps(snapshot))
logger.info(_("Snapshot written in path '%s'"), filename) logger.info(_("Snapshot written in path '%s'"), filename)
except Exception as e: except Exception as e:
try: try:
@ -299,69 +159,22 @@ def save_snapshot_in_disk(snapshot, path, snap_uuid):
fallback_filename = "{}/{}_{}.json".format( fallback_filename = "{}/{}_{}.json".format(
path, path,
datetime.now().strftime("%Y%m%d-%H_%M_%S"), datetime.now().strftime("%Y%m%d-%H_%M_%S"),
snap_uuid) snapshot['uuid'])
with open(fallback_filename, "w") as f: with open(fallback_filename, "w") as f:
f.write(snapshot) f.write(json.dumps(snapshot))
logger.warning(_("Snapshot written in fallback path '%s'"), fallback_filename) logger.warning(_("Snapshot written in fallback path '%s'"), fallback_filename)
except Exception as e: except Exception as e:
logger.error(_("Could not save snapshot locally. Reason: Failed to write in fallback path:\n %s"), e) logger.error(_("Could not save snapshot locally. Reason: Failed to write in fallback path:\n %s"), e)
def send_to_sign_credential(snapshot, token, url):
headers = {
"Authorization": f"Bearer {token}",
"Content-Type": "application/json"
}
try:
cred = {
"type": "DeviceSnapshotV1",
"save": False,
"data": {
"operator_id": snapshot["operator_id"],
"dmidecode": snapshot["data"]["dmidecode"],
"inxi": snapshot["data"]["inxi"],
"smartctl": snapshot["data"]["smartctl"],
"uuid": snapshot["uuid"],
}
}
data = json.dumps(cred).encode('utf-8')
request = urllib.request.Request(url, data=data, headers=headers)
with urllib.request.urlopen(request) as response:
status_code = response.getcode()
response_text = response.read().decode('utf-8')
if 200 <= status_code < 300:
logger.info(_("Credential successfully signed"))
res = json.loads(response_text)
if res.get("status") == "success" and res.get("data"):
return res["data"]
return json.dumps(snapshot)
else:
logger.error(_("Credential cannot signed in '%s'"), url)
return json.dumps(snapshot)
except Exception as e:
logger.error(_("Credential not remotely builded to URL '%s'. Do you have internet? Is your server up & running? Is the url token authorized?\n %s"), url, e)
return json.dumps(snapshot)
# TODO sanitize url, if url is like this, it fails # TODO sanitize url, if url is like this, it fails
# url = 'http://127.0.0.1:8000/api/snapshot/' # url = 'http://127.0.0.1:8000/api/snapshot/'
def send_snapshot_to_devicehub(snapshot, token, url, ev_uuid, legacy): def send_snapshot_to_devicehub(snapshot, token, url):
url_components = urllib.parse.urlparse(url)
ev_path = f"evidence/{ev_uuid}"
components = (url_components.scheme, url_components.netloc, ev_path, '', '', '')
ev_url = urllib.parse.urlunparse(components)
# apt install qrencode
headers = { headers = {
"Authorization": f"Bearer {token}", "Authorization": f"Bearer {token}",
"Content-Type": "application/json" "Content-Type": "application/json"
} }
try: try:
data = snapshot.encode('utf-8') data = json.dumps(snapshot).encode('utf-8')
request = urllib.request.Request(url, data=data, headers=headers) request = urllib.request.Request(url, data=data, headers=headers)
with urllib.request.urlopen(request) as response: with urllib.request.urlopen(request) as response:
status_code = response.getcode() status_code = response.getcode()
@ -369,31 +182,22 @@ def send_snapshot_to_devicehub(snapshot, token, url, ev_uuid, legacy):
if 200 <= status_code < 300: if 200 <= status_code < 300:
logger.info(_("Snapshot successfully sent to '%s'"), url) logger.info(_("Snapshot successfully sent to '%s'"), url)
if legacy:
try: try:
response = json.loads(response_text) response = json.loads(response_text)
public_url = response.get('public_url') if response.get('url'):
dhid = response.get('dhid')
if public_url:
# apt install qrencode # apt install qrencode
qr = "echo {} | qrencode -t ANSI".format(public_url) qr = "echo {} | qrencode -t ANSI".format(response['url'])
print(exec_cmd(qr)) print(exec_cmd(qr))
print("url: {}".format(public_url)) print("url: {}".format(response['url']))
if dhid: if response.get("dhid"):
print("dhid: {}".format(dhid)) print("dhid: {}".format(response['dhid']))
except Exception: except Exception:
logger.error(response_text) logger.error(response_text)
else:
qr = "echo {} | qrencode -t ANSI".format(ev_url)
print(exec_cmd(qr))
print(f"url: {ev_url}")
else:
logger.error(_("Snapshot %s not remotely sent to URL '%s'. Server responded with error:\n %s"), ev_uuid, url, response_text)
except Exception as e: except Exception as e:
logger.error(_("Snapshot not remotely sent to URL '%s'. Do you have internet? Is your server up & running? Is the url token authorized?\n %s"), url, e) logger.error(_("Snapshot not remotely sent to URL '%s'. Do you have internet? Is your server up & running? Is the url token authorized?\n %s"), url, e)
def load_config(config_file="settings.ini"): def load_config(config_file="settings.ini"):
""" """
Tries to load configuration from a config file. Tries to load configuration from a config file.
@ -413,12 +217,10 @@ def load_config(config_file="settings.ini"):
device = config.get('settings', 'device', fallback=None) device = config.get('settings', 'device', fallback=None)
erase = config.get('settings', 'erase', fallback=None) erase = config.get('settings', 'erase', fallback=None)
legacy = config.get('settings', 'legacy', fallback=None) legacy = config.get('settings', 'legacy', fallback=None)
url_wallet = config.get('settings', 'url_wallet', fallback=None)
wb_sign_token = config.get('settings', 'wb_sign_token', fallback=None)
else: else:
logger.error(_("Config file '%s' not found. Using default values."), config_file) logger.error(_("Config file '%s' not found. Using default values."), config_file)
path = os.path.join(os.getcwd()) path = os.path.join(os.getcwd())
url, token, device, erase, legacy, url_wallet, wb_sign_token = (None,)*7 url, token, device, erase, legacy = None, None, None, None, None
return { return {
'path': path, 'path': path,
@ -426,9 +228,7 @@ def load_config(config_file="settings.ini"):
'token': token, 'token': token,
'device': device, 'device': device,
'erase': erase, 'erase': erase,
'legacy': legacy, 'legacy': legacy
'wb_sign_token': wb_sign_token,
'url_wallet': url_wallet
} }
def parse_args(): def parse_args():
@ -482,7 +282,6 @@ def main():
config_file = args.config config_file = args.config
config = load_config(config_file) config = load_config(config_file)
legacy = config.get("legacy")
# TODO show warning if non root, means data is not complete # TODO show warning if non root, means data is not complete
# if annotate as potentially invalid snapshot (pending the new API to be done) # if annotate as potentially invalid snapshot (pending the new API to be done)
@ -491,39 +290,16 @@ def main():
all_disks = get_disks() all_disks = get_disks()
snapshot = gen_snapshot(all_disks) snapshot = gen_snapshot(all_disks)
snap_uuid = snapshot["uuid"]
if config['erase'] and config['device'] and not legacy: if config.get("legacy"):
snapshot['erase'] = gen_erase(all_disks, config['erase'], user_disk=config['device'])
elif config['erase'] and not legacy:
snapshot['erase'] = gen_erase(all_disks, config['erase'])
if legacy:
convert_to_legacy_snapshot(snapshot) convert_to_legacy_snapshot(snapshot)
snapshot = json.dumps(snapshot)
else: else:
url_wallet = config.get("url_wallet") snapshot['erase'] = gen_erase(config['erase'], user_disk=config['device'])
wb_sign_token = config.get("wb_sign_token")
if wb_sign_token: save_snapshot_in_disk(snapshot, config['path'])
tk = wb_sign_token.encode("utf8")
snapshot["operator_id"] = hashlib.sha3_256(tk).hexdigest()
if url_wallet and wb_sign_token:
snapshot = send_to_sign_credential(snapshot, wb_sign_token, url_wallet)
else:
snapshot = json.dumps(snapshot)
save_snapshot_in_disk(snapshot, config['path'], snap_uuid)
if config['url']: if config['url']:
send_snapshot_to_devicehub( send_snapshot_to_devicehub(snapshot, config['token'], config['url'])
snapshot,
config['token'],
config['url'],
snap_uuid,
legacy
)
logger.info(_("END")) logger.info(_("END"))