├── .gitignore ├── CHANGELOG ├── CONFIGURE.md ├── LICENSE ├── README.md ├── boot ├── loader.conf.sample └── vulture.pcx.sample ├── etc ├── cron.d │ └── logrotate ├── csh.cshrc.sample ├── hosts.allow ├── hosts.deniedssh.sample ├── login.conf.sample ├── motd ├── motd.template ├── periodic.conf.sample ├── rc.conf.d │ ├── cron │ ├── dnsmasq │ ├── haproxy │ ├── htcacheclean │ ├── jail │ ├── ntpd │ ├── openvpn_server │ ├── pf │ ├── pflog │ ├── postfix │ ├── secadm │ ├── sendmail │ ├── sshd │ ├── ssmtp │ ├── syslogd │ ├── tshark │ ├── vultured │ └── zfs ├── rc.conf.local.sample ├── rc.local ├── ssh │ └── sshd_config.sample ├── sysctl.conf ├── syslog.conf └── ttys ├── home ├── vlt-adm │ ├── .cshrc │ ├── .login │ ├── .profile │ ├── admin.sh │ ├── gui │ │ ├── cluster_create.sh │ │ ├── cluster_join.sh │ │ ├── configure.sh │ │ └── django_migration.sh │ └── system │ │ ├── configure_jail_hosts.sh │ │ ├── geli-passphrase.sh │ │ ├── hostname.sh │ │ ├── keymap.sh │ │ ├── netconfig-resolv.sh │ │ ├── netconfig.sh │ │ ├── network-ips.sh │ │ ├── proxy.sh │ │ ├── register_vulture_repos.sh │ │ ├── time.sh │ │ ├── update_system.sh │ │ ├── upgrade_to_13.sh │ │ ├── write_aliases.sh │ │ ├── write_hostname.sh │ │ └── write_ntp.sh └── vlt-os │ └── run │ └── .vulturekeep ├── usr └── local │ ├── bin │ ├── free │ ├── pfctl-get_management.sh │ └── pfctl-init.sh │ └── etc │ ├── cloud │ └── cloud.cfg.d │ │ ├── 02_growpart.cfg │ │ ├── 05_logging.cfg │ │ └── 10_vulture.cfg │ ├── crontab │ ├── dnsmasq.conf │ ├── haproxy.d │ └── backend_session.cfg │ ├── logrotate.d │ └── vulture.conf │ ├── openvpn │ └── openvpn_server.conf │ ├── pkg │ └── repos │ │ └── .gitkeep │ ├── rc.d │ ├── tshark │ └── vultured │ ├── rsyslog.d │ ├── 05-tpl-00-generic.conf │ ├── 05-tpl-01-haproxy.conf │ ├── 05-tpl-01-haproxy_tcp.conf │ ├── 99-output.conf │ ├── haproxy_internal.conf │ └── pf.rb │ ├── secadm.rules │ └── sudoers.d │ ├── base_sudoers │ └── vulture_sudoers └── var └── db └── pkg └── .gitkeep /.gitignore: 
-------------------------------------------------------------------------------- 1 | # Created by https://www.gitignore.io/api/vim,code,pycharm 2 | # Edit at https://www.gitignore.io/?templates=vim,code,pycharm 3 | 4 | ### Code ### 5 | .vscode/* 6 | !.vscode/settings.json 7 | !.vscode/tasks.json 8 | !.vscode/launch.json 9 | !.vscode/extensions.json 10 | 11 | ### PyCharm ### 12 | # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm 13 | # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 14 | 15 | # User-specific stuff 16 | .idea/**/workspace.xml 17 | .idea/**/tasks.xml 18 | .idea/**/usage.statistics.xml 19 | .idea/**/dictionaries 20 | .idea/**/shelf 21 | 22 | # Generated files 23 | .idea/**/contentModel.xml 24 | 25 | # Sensitive or high-churn files 26 | .idea/**/dataSources/ 27 | .idea/**/dataSources.ids 28 | .idea/**/dataSources.local.xml 29 | .idea/**/sqlDataSources.xml 30 | .idea/**/dynamic.xml 31 | .idea/**/uiDesigner.xml 32 | .idea/**/dbnavigator.xml 33 | 34 | # Gradle 35 | .idea/**/gradle.xml 36 | .idea/**/libraries 37 | 38 | # Gradle and Maven with auto-import 39 | # When using Gradle or Maven with auto-import, you should exclude module files, 40 | # since they will be recreated, and may cause churn. Uncomment if using 41 | # auto-import. 
42 | # .idea/modules.xml 43 | # .idea/*.iml 44 | # .idea/modules 45 | # *.iml 46 | # *.ipr 47 | 48 | # CMake 49 | cmake-build-*/ 50 | 51 | # Mongo Explorer plugin 52 | .idea/**/mongoSettings.xml 53 | 54 | # File-based project format 55 | *.iws 56 | 57 | # IntelliJ 58 | out/ 59 | 60 | # mpeltonen/sbt-idea plugin 61 | .idea_modules/ 62 | 63 | # JIRA plugin 64 | atlassian-ide-plugin.xml 65 | 66 | # Cursive Clojure plugin 67 | .idea/replstate.xml 68 | 69 | # Crashlytics plugin (for Android Studio and IntelliJ) 70 | com_crashlytics_export_strings.xml 71 | crashlytics.properties 72 | crashlytics-build.properties 73 | fabric.properties 74 | 75 | # Editor-based Rest Client 76 | .idea/httpRequests 77 | 78 | # Android studio 3.1+ serialized cache file 79 | .idea/caches/build_file_checksums.ser 80 | 81 | ### PyCharm Patch ### 82 | # Comment Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-215987721 83 | 84 | # *.iml 85 | # modules.xml 86 | # .idea/misc.xml 87 | # *.ipr 88 | 89 | # Sonarlint plugin 90 | .idea/**/sonarlint/ 91 | 92 | # SonarQube Plugin 93 | .idea/**/sonarIssues.xml 94 | 95 | # Markdown Navigator plugin 96 | .idea/**/markdown-navigator.xml 97 | .idea/**/markdown-navigator/ 98 | 99 | ### Vim ### 100 | # Swap 101 | [._]*.s[a-v][a-z] 102 | [._]*.sw[a-p] 103 | [._]s[a-rt-v][a-z] 104 | [._]ss[a-gi-z] 105 | [._]sw[a-p] 106 | 107 | # Session 108 | Session.vim 109 | Sessionx.vim 110 | 111 | # Temporary 112 | .netrwhist 113 | *~ 114 | 115 | # Auto-generated tag files 116 | tags 117 | 118 | # Persistent undo 119 | [._]*.un~ 120 | 121 | # Coc configuration directory 122 | .vim 123 | 124 | # End of https://www.gitignore.io/api/vim,code,pycharm 125 | -------------------------------------------------------------------------------- /CHANGELOG: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 
3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 6 | 7 | 8 | ## [Unreleased] 9 | 10 | 11 | ## [2.1.16] - 2025-05-16 12 | ### Fixed 13 | - [SUDOERS] Allow '-f' flag when removing filebeat configs 14 | 15 | 16 | ## [2.1.15] - 2025-04-30 17 | ### Changed 18 | - [TSHARK] Allow to define custom tshark options, and limit default dumpfile size and quantity 19 | 20 | 21 | ## [2.1.14] - 2025-03-28 22 | ### Added 23 | - [HOSTNAME] Set hostname in the new .env files if present 24 | ### Removed 25 | - [SSHD] Remove custom Addendum from Version Headers 26 | 27 | 28 | ## [2.1.13] - 2025-02-25 29 | ### Removed 30 | - [SUDOERS] Remove deprecated entries for vlt-os user 31 | ### Changed 32 | - [SUDOERS] Update sudoers' permissions for filebeat management 33 | 34 | 35 | ## [2.1.12] - 2024-11-13 36 | ### Fixed 37 | - [CLOUD_INIT] Avoid automatic cache invalidation when datasources change on a machine 38 | 39 | 40 | ## [2.1.11] - 2024-09-12 41 | ### Changed 42 | - [RSYSLOG_TEMPLATES] Control uuid generation in bulkid-template 43 | 44 | 45 | ## [2.1.10] - 2024-04-25 46 | ### Fixed 47 | - [UPDATE_SYSTEM] Don't upgrade secadm-kmod in jails 48 | ### Changed 49 | - [JAILS] Don't install Kernel in jails 50 | 51 | 52 | ## [2.1.9]- 2024-03-04 53 | ### Removed 54 | - [JAILS] remove now-useless mkjail-* scripts 55 | - [BASE_SUDOERS] mentions of mkjail-* 56 | ### Changed 57 | - [SCRIPTS] Update Redis/Sentinel's announce-ip through redis commands when changing Vulture management IP 58 | - [SYSTEM] [CSHRC] Add usefull keyboard bindings 59 | - [UPDATE_SYSTEM] Stop vultured service during upgrades 60 | - [UPDATE_SYSTEM] Install kernel/base in a separate Boot Environment 61 | ### Fixed 62 | - [CLUSTER_JOIN] Fix wrong ca.key after cluster_join 63 | - [NETWORK_IPS] Init pf rules before redis access 64 | - [HOSTNAME] Restart gunicorn after db migration 65 | 66 | 67 | ## 
[2.1.8] - 2024-01-10 68 | ### Removed 69 | - [UPDATE_SYSTEM] Don't upgrade/restart Darwin service specifically 70 | ### Changed 71 | - [MISC] Some code cleanups and minor fixes 72 | ### Fixed 73 | - [UPDATE_SYSTEM] Avoid linker errors during pkg upgrades by deactivating harden_rtld during upgrade 74 | 75 | 76 | ## [2.1.7] - 2023-09-12 77 | ### Fixed 78 | - [UPGRADE_TO_13] Put the Node into MAINTENANCE mode during upgrades 79 | - [UPGRADE_TO_13] Ensure Node is completely restarted before continuing 80 | 81 | 82 | ## [2.1.6] - 2023-08-22 83 | ### Added 84 | - [UPDATE_SYSTEM] Updating toggle maintenance 85 | - [RSYSLOG_TEMPLATES] bulkid-template for ELS datastream support 86 | ### Fixed 87 | - [UPGRADE_TO_13] Motd template 88 | - [UPDATE_SYSTEM] Force maintenance state during update 89 | 90 | 91 | ## [2.1.5] - 2023-07-20 92 | ### Added 93 | - [UPDATE_SYSTEM] Add timestamps in logs when starting/stopping an upgrade 94 | ### Changed 95 | - [HAPROXY] [RSYSLOG_TEMPLATES] Update templates to use new _json versions 96 | ### Removed 97 | - [SYSCTL] Obsolete parameter 'net.inet.ip.rfc1122_strong_es' 98 | 99 | 100 | ## [2.1.4] - 2023-07-11 101 | ### Fixed 102 | - [PROXY.SH] Remove scheme from provided proxy value 103 | 104 | 105 | ## [2.1.3] - 2023-07-10 106 | ### Changed 107 | - [UPDATE_SYSTEM] Lock/unlock vulture packages between upgrades 108 | - [UPDATE_SYSTEM] Properly stop crontabs during upgrades 109 | ### Fixed 110 | - [UPDATE_SYSTEM] Ensure secadm version stays up-to-date with the kernel version 111 | - [UPGRADE_TO_13] Use Boot Environments to have a safer upgrade 112 | 113 | 114 | ## [2.1.2] - 2023-05-24 115 | ### Fixed 116 | - [UPGRADE_TO_13] Use a Boot Environment to avoid problems during system upgrade 117 | ### Changed 118 | - [LOADER] Update loader.conf to reflect changes made on Vulture OS/release 119 | - [ADMIN] Deprecate use of mkjail_* scripts 120 | - [CLUSTER_CREATE] Improve script by returning status code 121 | - [CLUSTER_CREATE] Correctly handle vultured 
start/restart at the end of the script 122 | 123 | 124 | ## [2.1.1] - 2023-03-30 125 | ### Changed 126 | - [UPDATE] [SYSTEM] Default base upgrade merge strategy is now 'mine-full' (keep local versions) 127 | ### Fixed 128 | - [UPDATE] [SYSTEM] Ensure options used during hbsd-update are all kept for jails' upgrades 129 | 130 | 131 | ## [2.1.0] - 2023-03-16 132 | ### Added 133 | - [UPGRADE] [HBSD13] Add a script to register new Vulture's HBSD13 own repositories (and disable previous ones) 134 | - [UPGRADE] [HBSD13] Add an upgrade script to go from HBSD12 to HBSD13 (and switch to Vulture's own repositories) 135 | ### Changed 136 | - [SYSTEM] [MOTD] Updated MOTD to notify about new script to upgrade to HBSD13 137 | ### Fixed 138 | - [UPDATE] [SYSTEM] Ensure system update is downloaded before trying to upgrade the system or a jail 139 | 140 | 141 | ## [2.0.11] - 2023-03-01 142 | ### Fixed 143 | - [HAPROXY] [SYSTEM_LOGGING] Internal Haproxy logging through Rsyslog didn't work 144 | 145 | 146 | ## [2.0.10] - 2023-03-01 147 | ### Changed 148 | - [LOGROTATE] decrease retention time of /var/log/pf/pf.log files to 7 149 | - [MKJAIL_RSYSLOG] Mount /var/log/pf as RW in Rsyslog jail 150 | - [MOTD] Adapt Vulture MOTD to HBSD13 151 | ### Added 152 | - [LOGROTATE] Add log rotation for new /zroot/rsyslog/var/log/internal/pf.conf parsed pf logs 153 | ### Removed 154 | - [SYSTEM] Don't package a custom netif script anymore 155 | 156 | 157 | ## [2.0.9] - 2023-02-16 158 | ### Changed 159 | - [UPDATE_SYSTEM] Reload Haproxy after an upgrade instead of stopping/starting it 160 | - [SYSTEM] [RC] Set system network config in /etc/rc.conf instead of /etc/rc.conf.d/network 161 | ### Added 162 | - [RSYSLOG] [CONFIG] new static ruleset for haproxy global logs parsing and writing 163 | ### Fixed 164 | - [LOGROTATE] [CONFIG] Wrong extension '.gz.gz' on logrotated haproxy log files 165 | 166 | 167 | ## [2.0.8] - 2023-01-18 168 | ### Fixed 169 | - [UPDATE_SYSTEM] Don't use the jail's 
hbsd-update.conf file for jail system upgrades 170 | ### Changed 171 | - [LOADER] Update zfs options to increase ARC size and increase disk performances 172 | 173 | 174 | ## [2.0.7] - 2022-12-21 175 | ### Fixed 176 | - [SCRIPTS] [PROXY.SH] Correctly reload PF configuration when changing proxy settings 177 | 178 | 179 | ## [2.0.6] - 2022-12-15 180 | ### Fixed 181 | - [SCRIPTS] [PROXY.SH] Wrong proxy configuration set in pkg.conf 182 | - [SCRIPTS] Remove several references to removed apache24 package 183 | 184 | 185 | ## [2.0.5] - 2022-12-09 186 | ### Removed 187 | - [JAIL] [APACHE] Disable and uninstall apache from jail 188 | ### Fixed 189 | [CLUSTER_JOIN] Correctly stop and restart local services during cluster join 190 | [CLUSTER_JOIN] Correctly add the master's hostname/ip in /etc/hosts 191 | ### Added 192 | - [JAIL] [APACHE] Install nginx and gunicorn in the apache jail 193 | - [JAIL] [APACHE] Ensure python is installed in the apache jail 194 | - [SYSTEM] Create a new /var/sockets/gui folder and mount it RW in the apache jail 195 | - [SUDO] Allow vlt-os to manage gunicorn/nginx services 196 | - [UPDATE_SYSTEM] stop gunicorn services before upgrading vulture-gui 197 | ### Changed 198 | - [UPDATE_SYSTEM] stop/start/reload nginx/gunicorn during system updates 199 | - [LOGROTATE] reload nginx and gunicorn in the apache jail after rotating gui logs 200 | 201 | 202 | ## [2.0.4] - 2022-11-21 203 | ### Added 204 | - [CLOUD_INIT] Default logging configuration 205 | - [SYSTEM] [CSHRC] Additional bindings for terminal manipulation 206 | 207 | 208 | ## [2.0.3] - 2022-11-10 209 | ### Changed 210 | - [CLOUD_INIT] Support for 'NoCloud' datasource in replacement of (unused) ConfigDrive 211 | - [CLOUD_INIT] add support for more partition names for growpart module 212 | - [CLUSTER_SCRIPTS] Allow calling cluster_* scripts with parameters 213 | ### Added 214 | - [UPDATE_SYSTEM.SH] jail update support for new appliances (common jail base) 215 | - [PROXY.SH] Set proxy settings in 
pkg.conf to use proxy transparently 216 | ### Fixed 217 | - [PFCTL_INIT] Reload pf rules after rewriting them 218 | 219 | 220 | ## [2.0.2] - 2022-10-27 221 | ### Fixed 222 | - [SCRIPTS] resolve formatting and typing mistakes in network-ips.sh 223 | 224 | 225 | ## [2.0.1] - 2022-10-19 226 | ### Removed 227 | - [DENYHOSTS] Completely remove denyhosts for the time being 228 | ### Changed 229 | - [MKJAIL] Use hbsd-update instead of manual download/check/untar of update archives when creating jails 230 | - [DEPENDENCY] Changed installations from package name to origin which considers the default python version of the HBSD image 231 | - [DEPENDENCY] Changed uses of python 3.8 binary to python3 to accommodate systems' default version of python 232 | 233 | 234 | ## [2.0.0] - 2022-09-07 235 | ### Removed 236 | - [DEPRECATED] [UPDATE_SCRIPTS] Removed update_system_lite.sh (update_system.sh can be used to get the same result with the '-u' flag) 237 | - [PF] [INIT CONFIGURATION] useless NAT rules for DNS 238 | - [PREDATOR] reputation.sh script to get reputation databases from predator 239 | - [DASHBOARD] vulture-dashboard does not exist anymore 240 | - [DEPRECATED] [DOCUMENTATION] GUI/API documentation has been removed 241 | - [DEPRECATED] [DEFENDER] mod_defender capabilities have been removed 242 | - [DEPRECATED] [VM] VM capabilities (through bhyve) have been removed 243 | - [NETWORK] tap0/vm_public interfaces have been removed 244 | ### Changed 245 | - [HAPROXY] [RSYSLOG TEMPLATES] Updated templates to use correct and updated fields 246 | - [DNSMASQ] [CONFIGURATION] Several changes to the service configuration file 247 | - remove useless DHCP settings 248 | - bind service on lo0 instead of tap0 249 | - remove 'bind-interfaces' setting 250 | - [NODE] [STATUS] replaced .node_ok and .install files with database/manage.py checks 251 | - [JAILS] [RESOLUTION] Update jails' resolv.conf to use loopback interface instead of tap0 252 | - [JAILS] [CONFIG FILES] Dissociate apache and 
portal jails' configuration in package 253 | - [ADMIN][MANAGEMENT] Changed the use of management.ip file to using rc configuration 254 | - [ADMIN][MANAGEMENT] Added options in the CLI to change: 255 | - internet_ip 256 | - backends_outgoing_ip 257 | - logom_outgoing_ip 258 | - [ADMIN][MANAGEMENT] Modified management.sh to change the above ips 259 | - [ADMIN][MANAGEMENT] Renamed management.sh to network-ips.sh 260 | - [NETWORK-IPS][APACHE] Changed from reloading configuration to reloading the service 261 | ### Added 262 | - [UPDATE] Restart dnsmasq at the end of the update process, and after upgrading vulture-gui/vulture-base 263 | - [CLUSTER_CREATE] Restart apache at the end of the cluster creation to reload cluster status in loaded code 264 | - [RSYSLOG] [TEMPLATES] Missing elastic templates for haproxy log output templates 265 | - [CHANGELOG] Created file with past known releases 266 | ### Fixed 267 | - [SYSCTL] Renamed sysctl variable 'net.inet.ip.check_interface' into new 'net.inet.ip.rfc1122_strong_es' 268 | - [SYSCTL] Removed sysctl variable 'net.inet.tcp.recvbuf_inc=131072' 269 | - [NETCONFIG] Improved detection of DHCP-enabled interfaces on which to reload dhcp client during network configuration changes 270 | - [UPDATE_SYSTEM] Ensure no cronjobs are running or can start during upgrades 271 | 272 | 273 | ## [1.3.2] - 2022-08-05 274 | ### Removed 275 | - [DOC] Do not specify installing vulture-libtensorflow package in installation instructions 276 | - [DEPENDENCIES] do not depend on vulture-libtensorflow anymore 277 | 278 | 279 | ## [1.3.1] - 2022-06-30 280 | ### Removed 281 | - [ZAP] all zap files, services and integrations (`deprecated`) 282 | ### Fixed 283 | - [MKJAIL][APACHE] create timeouts.conf file in apache jail if absent 284 | - [UPDATE_SYSTEM] use `yes` (/usr/bin/yes) instead of echo to automatically resolve hbsd-update/etcupdate interactive requests during system upgrades 285 | - [CLOUDINIT] Enable Ec2 datasource (was disabled by default) 286 | 
287 | 288 | ## [1.3.0] - 2022-06-17 289 | ### Fixed 290 | - [MKJAIL][PORTAL] add missing python38 package in the portal jail during jail creation 291 | ### Changed 292 | - [SYSTEM][UPGRADE] Complete rework of update_system.sh 293 | - ability to only download packages and system upgrades on a temporary directory 294 | - ability to remove/keep temporary directory used during upgrade 295 | - ability to use a custom version while upgrading system (compatible with HardenedBSD only) 296 | - ability to clean pkg cache (system and jails) after a successful upgrade 297 | - ability to specify if DNSSEC should be used during system upgrade (default NO) 298 | - ability to only upgrade packages, not system (equivalent to update_system_lite) 299 | - ability to only upgrade system and jails, not packages 300 | - ability to specify a custom temporary directory 301 | - ability to specify an 'automatic' resolution process during HardenedBSD system upgrades (etcupdate resolve strategy) for non-interactive upgrades 302 | - WARNING: the script no longer tries system upgrade package validation with DNSSEC, user SHOULD use -d to activate DNSSEC validation when necessary 303 | - OBSOLETE: update_system_lite.sh will be obsoleted in the next release 304 | ### Added 305 | - [CLOUDINIT] basic configuration files for cloud-init integration 306 | 307 | 308 | ## [1.2.3] - 2022-06-15 309 | ### Added 310 | - [FRONTEND][HAPROXY-LOGS] Add missing fields and microseconds in timestamp 311 | 312 | 313 | ## [1.2.2] - 2022-03-31 314 | ### Added 315 | - [UPGRADE_SCRIPT][MONGO] ensure secadm exceptions are enforced for `mongo` executable in mongodb jail 316 | - [BOOTSTRAP] Install vulture-haproxy binary dependencies to apache jail (pcre2) 317 | - [BOOTSTRAP] copy haproxy binary and libraries from vulture-haproxy package to apache jail 318 | ### Removed 319 | - [BOOTSTRAP] Don't install haproxy package to apache jail 320 | 321 | 322 | ## [1.2.1] - 2022-02-21 323 | ### Added 324 | - [UPGRADE SCRIPT] force 
disable **mprotect** and **pageexec** protections on mongo executable in mongodb jail 325 | 326 | 327 | ## [1.2.0] - 2022-02-03 328 | ### Added 329 | - [ADMIN][Restriction] Prevent (mis)use of `pkg upgrade` (use `update_system(_lite).sh` instead) 330 | ### Changed 331 | - [PORTAL] Use **[gunicorn](https://docs.gunicorn.org/en/stable/)** instead of **[apache wsgi](https://pypi.org/project/mod-wsgi/)** to host portal engine 332 | 333 | 334 | ## [1.1.9] - 2022-01-04 335 | ### Fixed 336 | - [LOGROTATE] : Use copytruncate for python logs (/var/log/vulture/os/**.log -> some logs where lost -> django crontabs continued to write into rotated file 337 | 338 | 339 | ## [1.1.8] - 2021-11-29 340 | ### Changed 341 | - [UPGRADE][SCRIPTS] Completely disable Secadm rules on host and in jails before upgrading anything, reactivate the rules at the end 342 | ### Fixed 343 | - [BOOTSTRAP] Correct name for package 'openldap-client' -> 'openldap24-client' 344 | 345 | 346 | ## [1.1.7] - 2021-08-25 347 | ### Fixed 348 | - [UPGRADE SCRIPTS] disable secadm rules temporarily on host before updating gui to prevent errors while reinstalling python env 349 | 350 | 351 | ## [1.1.6] - 2021-08-09 352 | ### Added 353 | - [Sudoers] : Add needed rules for filebeat service management 354 | - [Filebeat] : Add "filebeat_enable=YES" into Rsyslog make-jail script 355 | ### Fixed 356 | - [Netconfig] : Remove duplicated lines in generated /etc/rc.conf.d/network file 357 | - [Cluster_join] : Fix script for IPv6 master joining 358 | - [Admin.sh/time] : Fix ntp configuration reuse 359 | - [Dnsmasq] : Remove useless 'local=/lan/' directive - which caused resolution bugs on *.lan domains 360 | - [LogRotate] : Fix permissions on Darwin rotated log files 361 | ### Removed 362 | - [Apache/Portal] : Remove obsolete "jpeg" package : replaced by jpeg-turbo 363 | ### Changed 364 | - [Admin.sh/upgrade] : Do not use dnssec validation when archive has already been downloaded 365 | - [PYTHON] Upgrade python version from 
3.7 to 3.8 366 | 367 | 368 | ## [1.1.3] - 2021-04-16 369 | ### Fixed 370 | - Rsyslog template : Add missing defender_score field in Rsyslog template for haproxy logs sent to Mongodb database 371 | - Update : Upgrade darwin before vulture-gui in update_system & update_system_lite, to handle configuration changes 372 | - Jails : Install missing needed packages into jails 373 | 374 | 375 | ## [1.1.1] - 2021-02-03 376 | ### Removed 377 | - [HAPROXY LOG TEMPLATES] remove obsoleted/unused fields (haproxy 'http_{receive,response}_time' and 'tcp_request_time') 378 | - [HAPROXY LOG TEMPLATES] remove obsolete darwin_* fields 379 | ### Fixed 380 | - [HAPROXY LOG TEMPLATES] safe representation of fields for json format 381 | - [HAPROXY LOG TEMPLATES] numbers are represented without quotes 382 | - [HAPROXY LOG TEMPLATES] add missing quotes in some fields 383 | - [IMPCAP LOG TEMPLATES] safe representation of fields for json format 384 | - [IMPCAP LOG TEMPLATES] numbers are represented without quotes 385 | - [IMPCAP LOG TEMPLATES] add missing quotes in some fields 386 | ### Added 387 | - [HAPROXY LOG TEMPLATES] add redis templates for Darwin context caching 388 | - [HAPROXY LOG TEMPLATES] add 'advens' enrichment field 389 | - [IMPCAP LOG TEMPLATES] add 'advens' enrichment field 390 | 391 | 392 | ## [1.0.2] - 2020-03-09 393 | ### Added 394 | - Add OWASP ZAP scanner 395 | - Add Java dependencies 396 | - Add dashboard update mechanism 397 | - Add host's secadm rules 398 | 399 | 400 | ## [1.0.1] - 2020-02-27 401 | ### Added 402 | - KERNEL : Add support for Kernel tools in install-kernel 403 | - KERNEL : Add secadm service (packaged into vulture-kernel) 404 | - KERNEL : Add pax exception for node binary 405 | - KERNEL : Add pax exception for python binary 406 | - APACHE : Add libucl in ApacheJail + secadm support 407 | - RSYSLOG : add template for new rsyslog's omhiredis 'set' option 408 | ### Changed 409 | - ADMIN.SH : Reload apache config if management ip has changed 410 | - 
ADMIN.SH : Do not start vultured if upgrade is done before install 411 | - APACHE : Install radiusclient instead of freeradius-client in Apache/Portal jails (freeradius-client is unfetchable now) 412 | - JAILS : Install Hardened base.txz into all jails 413 | - JAILS : Install openssl instead of openssl111 into Apache,Portal,Rsyslog jails 414 | - KERNEL : Install-kernel now updates gptzfsboot, needed to decrypt ZFS partitions 415 | - LOADER.CONF : Load kernel module if_tap (not built-in in Hardened kernel) 416 | - PKG : A node support into apache jail for vulture-dashboard 417 | - PYTHON : Upgrade python version 3.6 -> 3.7 418 | - REDIS : Use /var/db/vulture-redis for database save path (issue with default /var/db/redis path) 419 | - RSYSLOG : Install libgcrypt into Rsyslog jail 420 | - SHELLINABOX : Rename shellinabox service files to vulture-shellinabox to prevent overwrite by shellinabox official package 421 | - VULTURED : Check vultured service status with pid file and not with ps (by default), to solve 'not running' with old python3 env 422 | ### Removed 423 | - RSYSLOG : Remove 98-pstats conf file, it's a template in vulture-gui now 424 | ### Fixed 425 | - ADMIN.SH : Fix creation of '2' files in vlt-adm HOME, caused by dialog 426 | - ADMIN.SH : Fix darwin upgrade for version 1.2.1-2 427 | - LOGROTATE : Add missing pstats-sec rotation conf 428 | - MKJAILS : Add missing option in virtualenv creation 429 | - SYSCTL : Fix erroneous oid 430 | - SYSCTL : Fix invalid parameter 'kern.timecounter.hardware' 431 | -------------------------------------------------------------------------------- /CONFIGURE.md: -------------------------------------------------------------------------------- 1 | # The base FreeBSD Operating System for Vulture 4 2 | 3 | ## Configuration of Operating System 4 | 5 | To configure VultureOS, use the `vlt-adm` account, and the `admin` command :
6 | 7 | Using this menu, you have the following choices : 8 | - **Keymap** : Configure keymap, like during installation of FreeBSD, 9 | - **Time** : Configure timezone and ntp server, 10 | - **Password** : Change vlt-adm password, 11 | - **Geli Change** : Change the ZFS disk encryption password, 12 | - **Email** : Define the administration SMTP Email address, 13 | - **Netconfig** : Manage network configuration, like during installation of FreeBSD, 14 | - **Proxy** : Configure proxy, 15 | - **Management** : Modify current management IP used to bind services, 16 | - **Hostname** : Configure hostname, 17 | - **Shell** : Launch a CSH shell as vlt-adm, 18 | - **RootShell** : Launch a CSH shell as root, 19 | - **Update OS** : Update system and jails, with pkg and freebsd-update, 20 | - **Exit** : Exit admin menu. 21 | 22 | **You should, at least, ensure the system time and management IP are correct (or update/change them) and configure the hostname (in this order) before bootstraping Vulture** 23 | 24 | 25 | ## Bootstraping Vulture 4 26 | 27 | Depending on what you want do to, you have 2 scripts available : 28 | - `/home/vlt-adm/gui/cluster_create.sh` : To create a new **Master** node 29 | - `/home/vlt-adm/gui/cluster_join.sh` : To create a **Slave** and join a Cluster 30 | 31 | The first script, to create a new Master, has the following usage : 32 | 33 | sudo /home/vlt-adm/gui/cluster_create.sh 34 | 35 | The second, to add the node to an existing cluster, has the following usage : 36 | 37 | sudo /home/vlt-adm/gui/cluster_join.sh 38 | 39 | After that, start **vultured** if it is down :
40 | `service vultured start` 41 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU LESSER GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | 9 | This version of the GNU Lesser General Public License incorporates 10 | the terms and conditions of version 3 of the GNU General Public 11 | License, supplemented by the additional permissions listed below. 12 | 13 | 0. Additional Definitions. 14 | 15 | As used herein, "this License" refers to version 3 of the GNU Lesser 16 | General Public License, and the "GNU GPL" refers to version 3 of the GNU 17 | General Public License. 18 | 19 | "The Library" refers to a covered work governed by this License, 20 | other than an Application or a Combined Work as defined below. 21 | 22 | An "Application" is any work that makes use of an interface provided 23 | by the Library, but which is not otherwise based on the Library. 24 | Defining a subclass of a class defined by the Library is deemed a mode 25 | of using an interface provided by the Library. 26 | 27 | A "Combined Work" is a work produced by combining or linking an 28 | Application with the Library. The particular version of the Library 29 | with which the Combined Work was made is also called the "Linked 30 | Version". 31 | 32 | The "Minimal Corresponding Source" for a Combined Work means the 33 | Corresponding Source for the Combined Work, excluding any source code 34 | for portions of the Combined Work that, considered in isolation, are 35 | based on the Application, and not on the Linked Version. 
36 | 37 | The "Corresponding Application Code" for a Combined Work means the 38 | object code and/or source code for the Application, including any data 39 | and utility programs needed for reproducing the Combined Work from the 40 | Application, but excluding the System Libraries of the Combined Work. 41 | 42 | 1. Exception to Section 3 of the GNU GPL. 43 | 44 | You may convey a covered work under sections 3 and 4 of this License 45 | without being bound by section 3 of the GNU GPL. 46 | 47 | 2. Conveying Modified Versions. 48 | 49 | If you modify a copy of the Library, and, in your modifications, a 50 | facility refers to a function or data to be supplied by an Application 51 | that uses the facility (other than as an argument passed when the 52 | facility is invoked), then you may convey a copy of the modified 53 | version: 54 | 55 | a) under this License, provided that you make a good faith effort to 56 | ensure that, in the event an Application does not supply the 57 | function or data, the facility still operates, and performs 58 | whatever part of its purpose remains meaningful, or 59 | 60 | b) under the GNU GPL, with none of the additional permissions of 61 | this License applicable to that copy. 62 | 63 | 3. Object Code Incorporating Material from Library Header Files. 64 | 65 | The object code form of an Application may incorporate material from 66 | a header file that is part of the Library. You may convey such object 67 | code under terms of your choice, provided that, if the incorporated 68 | material is not limited to numerical parameters, data structure 69 | layouts and accessors, or small macros, inline functions and templates 70 | (ten or fewer lines in length), you do both of the following: 71 | 72 | a) Give prominent notice with each copy of the object code that the 73 | Library is used in it and that the Library and its use are 74 | covered by this License. 
75 | 76 | b) Accompany the object code with a copy of the GNU GPL and this license 77 | document. 78 | 79 | 4. Combined Works. 80 | 81 | You may convey a Combined Work under terms of your choice that, 82 | taken together, effectively do not restrict modification of the 83 | portions of the Library contained in the Combined Work and reverse 84 | engineering for debugging such modifications, if you also do each of 85 | the following: 86 | 87 | a) Give prominent notice with each copy of the Combined Work that 88 | the Library is used in it and that the Library and its use are 89 | covered by this License. 90 | 91 | b) Accompany the Combined Work with a copy of the GNU GPL and this license 92 | document. 93 | 94 | c) For a Combined Work that displays copyright notices during 95 | execution, include the copyright notice for the Library among 96 | these notices, as well as a reference directing the user to the 97 | copies of the GNU GPL and this license document. 98 | 99 | d) Do one of the following: 100 | 101 | 0) Convey the Minimal Corresponding Source under the terms of this 102 | License, and the Corresponding Application Code in a form 103 | suitable for, and under terms that permit, the user to 104 | recombine or relink the Application with a modified version of 105 | the Linked Version to produce a modified Combined Work, in the 106 | manner specified by section 6 of the GNU GPL for conveying 107 | Corresponding Source. 108 | 109 | 1) Use a suitable shared library mechanism for linking with the 110 | Library. A suitable mechanism is one that (a) uses at run time 111 | a copy of the Library already present on the user's computer 112 | system, and (b) will operate properly with a modified version 113 | of the Library that is interface-compatible with the Linked 114 | Version. 
115 | 116 | e) Provide Installation Information, but only if you would otherwise 117 | be required to provide such information under section 6 of the 118 | GNU GPL, and only to the extent that such information is 119 | necessary to install and execute a modified version of the 120 | Combined Work produced by recombining or relinking the 121 | Application with a modified version of the Linked Version. (If 122 | you use option 4d0, the Installation Information must accompany 123 | the Minimal Corresponding Source and Corresponding Application 124 | Code. If you use option 4d1, you must provide the Installation 125 | Information in the manner specified by section 6 of the GNU GPL 126 | for conveying Corresponding Source.) 127 | 128 | 5. Combined Libraries. 129 | 130 | You may place library facilities that are a work based on the 131 | Library side by side in a single library together with other library 132 | facilities that are not Applications and are not covered by this 133 | License, and convey such a combined library under terms of your 134 | choice, if you do both of the following: 135 | 136 | a) Accompany the combined library with a copy of the same work based 137 | on the Library, uncombined with any other library facilities, 138 | conveyed under the terms of this License. 139 | 140 | b) Give prominent notice with the combined library that part of it 141 | is a work based on the Library, and explaining where to find the 142 | accompanying uncombined form of the same work. 143 | 144 | 6. Revised Versions of the GNU Lesser General Public License. 145 | 146 | The Free Software Foundation may publish revised and/or new versions 147 | of the GNU Lesser General Public License from time to time. Such new 148 | versions will be similar in spirit to the present version, but may 149 | differ in detail to address new problems or concerns. 150 | 151 | Each version is given a distinguishing version number. 
If the 152 | Library as you received it specifies that a certain numbered version 153 | of the GNU Lesser General Public License "or any later version" 154 | applies to it, you have the option of following the terms and 155 | conditions either of that published version or of any later version 156 | published by the Free Software Foundation. If the Library as you 157 | received it does not specify a version number of the GNU Lesser 158 | General Public License, you may choose any version of the GNU Lesser 159 | General Public License ever published by the Free Software Foundation. 160 | 161 | If the Library as you received it specifies that a proxy can decide 162 | whether future versions of the GNU Lesser General Public License shall 163 | apply, that proxy's public statement of acceptance of any version is 164 | permanent authorization for you to choose that version for the 165 | Library. 166 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # The base package for Vulture 4 Operating System 2 | 3 | ## Purpose 4 | 5 | This is the root package of the Vulture4 project. 6 | 7 | What it basically does is: 8 | - Harden the operating system 9 | - Install packages needed by Vulture 10 | - Install system scripts to bootstrap Vulture services and Jails 11 | 12 | 13 | ## Getting Vulture4 (the easy way) 14 | How to get Vulture4 ? 15 | - Download it from http://hbsd.vultureproject.org/13-stable/amd64/amd64/BUILD-LATEST/ 16 | 17 | We provide hypervisor images with QCOW2, RAW, VHD(X) and VMDK formats that have all packages installed. 18 | We also provide iso files, which currently are bare HardenedBSD installation drives (they don't contain Vulture packages). 19 | You can also directly download base, kernel, ports and src archives containing the built version supported by Vulture. 
20 | 21 | 22 | ## Building from scratch (the hard way) 23 | Want to build your own VultureOS from scratch? 24 | - Follow [The Building Guide](https://github.com/VultureProject/vulture-from-scratch) 25 | 26 | 27 | ## Setup 28 | Once you have a valid image, follow the [Initial Configuration](CONFIGURE.md) 29 | -------------------------------------------------------------------------------- /boot/loader.conf.sample: -------------------------------------------------------------------------------- 1 | aesni_load="YES" 2 | carp_load="YES" 3 | cryptodev_load="YES" 4 | geom_eli_load="YES" 5 | if_tap_load="YES" 6 | if_vlan_load="YES" 7 | nmdm_load="YES" 8 | secadm_load="YES" 9 | zfs_load="YES" 10 | nvme_load="YES" 11 | # Needed by Amazon EC2 12 | if_ena_load="YES" 13 | 14 | net.fibs=2 15 | #net.add_addr_allfibs=1 # has to be moved to /etc/sysctl.conf 16 | 17 | #This avoids a kernel panic at boot on HP ProLiant servers 18 | vm.boot_pages=120 19 | 20 | #Enable for Google Cloud Platform 21 | #hw.vtnet.mq_disable=1 22 | #kern.timecounter.hardware=ACPI-safe 23 | 24 | #This may work around a QEMU bug; enable if needed 25 | #hw.broken_txfifo="1" 26 | 27 | autoboot_delay="-1" 28 | 29 | kern.ipc.somaxconn = 2048 30 | console="vidconsole" 31 | 32 | vfs.zfs.arc_max=1024M 33 | vfs.zfs.vdev.cache.size=32M 34 | vfs.zfs.txg.timeout=5 35 | 36 | kern.hz=100 37 | kern.geom.label.disk_ident.enable=0 38 | kern.geom.label.gpt.enable=1 39 | kern.geom.label.gptid.enable=0 40 | kern.randompid=1 41 | 42 | machdep.hyperthreading_allowed=0 43 | 44 | net.inet.tcp.hostcache.cachelimit=0 45 | net.inet.tcp.soreceive_stream=1 46 | net.inet.tcp.syncache.bucketlimit=32 47 | net.inet.tcp.syncache.cachelimit=1048576 48 | net.inet.tcp.syncache.hashsize=32768 49 | net.isr.bindthreads=1 50 | net.link.ifqmaxlen=1024 51 | 52 | -------------------------------------------------------------------------------- /boot/vulture.pcx.sample: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/VultureProject/vulture-base/0667ebb4c58e064dbeb22f5bfa711e7a63625034/boot/vulture.pcx.sample -------------------------------------------------------------------------------- /etc/cron.d/logrotate: -------------------------------------------------------------------------------- 1 | # VultureOS: 2020-03-11 13:00:00Z$ 2 | # 3 | SHELL=/bin/sh 4 | PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin 5 | 6 | # See crontab(5) for field format. 7 | 1 * * * * root /usr/local/sbin/logrotate /usr/local/etc/logrotate.conf 8 | -------------------------------------------------------------------------------- /etc/csh.cshrc.sample: -------------------------------------------------------------------------------- 1 | # $FreeBSD$ 2 | # 3 | # System-wide .cshrc file for csh(1). 4 | if ($?prompt) then 5 | if ( $?tcsh ) then 6 | bindkey "^W" backward-delete-word 7 | bindkey -k up history-search-backward 8 | bindkey -k down history-search-forward 9 | bindkey "\e[1~" beginning-of-line # Home 10 | bindkey "\e[7~" beginning-of-line # Home rxvt 11 | bindkey "\e[2~" overwrite-mode # Ins 12 | bindkey "\e[3~" delete-char # Delete 13 | bindkey "\e[3;5~" delete-word # Ctrl Delete 14 | bindkey "\e[4~" end-of-line # End 15 | bindkey "\e[8~" end-of-line # End rxvt 16 | bindkey "\e[1;5C" forward-word # Right arrow 17 | bindkey "\e[1;5D" backward-word # Left arrow 18 | endif 19 | endif 20 | -------------------------------------------------------------------------------- /etc/hosts.allow: -------------------------------------------------------------------------------- 1 | ALL : ALL : allow 2 | 3 | ALL : PARANOID : RFC931 20 : deny 4 | 5 | ALL : localhost 127.0.0.1 : allow 6 | ALL : [::1] : allow 7 | 8 | sendmail : localhost : allow 9 | sendmail : ALL : allow 10 | 11 | exim : localhost : allow 12 | exim : ALL : allow 13 | 14 | rpcbind : ALL : deny 15 | 16 | ypserv : localhost : allow 17 | ypserv : ALL : deny 18 | 19 | ftpd : localhost : allow 20 | ftpd : ALL : allow 21 | 22 | 
fingerd : ALL \ 23 | : spawn (echo Finger. | \ 24 | /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ 25 | : deny 26 | 27 | ALL : ALL \ 28 | : severity auth.info \ 29 | : twist /bin/echo "You are not welcome to use %d from %h." 30 | 31 | sshd : /etc/hosts.deniedssh : deny 32 | sshd : ALL : allow -------------------------------------------------------------------------------- /etc/hosts.deniedssh.sample: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VultureProject/vulture-base/0667ebb4c58e064dbeb22f5bfa711e7a63625034/etc/hosts.deniedssh.sample -------------------------------------------------------------------------------- /etc/login.conf.sample: -------------------------------------------------------------------------------- 1 | default:\ 2 | :passwd_format=bcrypt:\ 3 | :copyright=/etc/COPYRIGHT:\ 4 | :welcome=/etc/motd:\ 5 | :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\ 6 | :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\ 7 | :nologin=/var/run/nologin:\ 8 | :cputime=unlimited:\ 9 | :datasize=unlimited:\ 10 | :stacksize=unlimited:\ 11 | :memorylocked=64K:\ 12 | :memoryuse=unlimited:\ 13 | :filesize=unlimited:\ 14 | :coredumpsize=unlimited:\ 15 | :openfiles=unlimited:\ 16 | :maxproc=unlimited:\ 17 | :sbsize=unlimited:\ 18 | :vmemoryuse=unlimited:\ 19 | :swapuse=unlimited:\ 20 | :pseudoterminals=unlimited:\ 21 | :kqueues=unlimited:\ 22 | :umtxp=unlimited:\ 23 | :priority=0:\ 24 | :ignoretime@:\ 25 | :umask=022:\ 26 | :charset=UTF-8:\ 27 | :lang=en_US.UTF-8: 28 | 29 | 30 | # 31 | # A collection of common class names - forward them all to 'default' 32 | # (login would normally do this anyway, but having a class name 33 | # here suppresses the diagnostic) 34 | # 35 | standard:\ 36 | :tc=default: 37 | xuser:\ 38 | :tc=default: 39 | staff:\ 40 | :tc=default: 41 | daemon:\ 42 | :memorylocked=128M:\ 43 | :tc=default: 44 | news:\ 45 | :tc=default: 46 | dialer:\ 47 | :tc=default: 
48 | 49 | # 50 | # Root can always login 51 | # 52 | # N.B. login_getpwclass(3) will use this entry for the root account, 53 | # in preference to 'default'. 54 | root:\ 55 | :ignorenologin:\ 56 | :memorylocked=unlimited:\ 57 | :tc=default:\ 58 | :charset=UTF-8:\ 59 | :lang=en_US.UTF-8: 60 | 61 | -------------------------------------------------------------------------------- /etc/motd: -------------------------------------------------------------------------------- 1 | 2 |  3 | __ __  _ _  ____ _____ 4 | \ \ / /  | | |  / __ \ / ____| 5 |  \ \ / /  _| | |_ _ _ _ __ ___  | | | | (___ 6 |  \ \/ / | | | | __| | | | '__/ _ \ | | | |\___ \ 7 |  \ /| |_| | | |_| |_| | | | __/ | |__| |____) | 8 |  \/  \__,_|_|\__|\__,_|_| \___| \____/|_____/ 9 | 10 |  11 | Before seeking technical support, please use the following resources: 12 | 13 | o Security advisories and updated errata information for all releases are 14 | at https://www.vultureproject.org 15 |  16 | o Feel free to ask any question to the community at https://discord.gg/E5Bs97J 17 |  18 | o Source project is available on Github : https://github.com/VultureProject 19 |  20 | ############################################################################ 21 | ### ### 22 | ### Launch admin (as vlt-adm) to access main configuration features  ### 23 | ### ### 24 | ############################################################################ 25 |  26 | 27 | Your system can be upgraded to HardenedBSD 13! 28 | Please launch /home/vlt-adm/system/upgrade_to_13.sh to start the upgrade 29 | Be wary that the appliance will become unavailable and will restart a couple of times! 
30 | -------------------------------------------------------------------------------- /etc/motd.template: -------------------------------------------------------------------------------- 1 | 2 |  3 | __ __  _ _  ____ _____ 4 | \ \ / /  | | |  / __ \ / ____| 5 |  \ \ / /  _| | |_ _ _ _ __ ___  | | | | (___ 6 |  \ \/ / | | | | __| | | | '__/ _ \ | | | |\___ \ 7 |  \ /| |_| | | |_| |_| | | | __/ | |__| |____) | 8 |  \/  \__,_|_|\__|\__,_|_| \___| \____/|_____/ 9 | 10 |  11 | Before seeking technical support, please use the following resources: 12 | 13 | o Security advisories and updated errata information for all releases are 14 | at https://www.vultureproject.org 15 |  16 | o Feel free to ask any question to the community at https://discord.gg/E5Bs97J 17 |  18 | o Source project is available on Github : https://github.com/VultureProject 19 |  20 | ############################################################################ 21 | ### ### 22 | ### Launch admin (as vlt-adm) to access main configuration features  ### 23 | ### ### 24 | ############################################################################ 25 |  26 | -------------------------------------------------------------------------------- /etc/periodic.conf.sample: -------------------------------------------------------------------------------- 1 | daily_clean_hoststat_enable="NO" 2 | daily_status_mail_rejects_enable="NO" 3 | daily_status_include_submit_mailq="NO" 4 | daily_submit_queuerun="NO" -------------------------------------------------------------------------------- /etc/rc.conf.d/cron: -------------------------------------------------------------------------------- 1 | cron_enable="YES" 2 | -------------------------------------------------------------------------------- /etc/rc.conf.d/dnsmasq: -------------------------------------------------------------------------------- 1 | dnsmasq_enable="YES" 2 | -------------------------------------------------------------------------------- 
/etc/rc.conf.d/haproxy: -------------------------------------------------------------------------------- 1 | haproxy_enable="YES" 2 | -------------------------------------------------------------------------------- /etc/rc.conf.d/htcacheclean: -------------------------------------------------------------------------------- 1 | htcacheclean_enable="YES" 2 | -------------------------------------------------------------------------------- /etc/rc.conf.d/jail: -------------------------------------------------------------------------------- 1 | jail_enable="YES" -------------------------------------------------------------------------------- /etc/rc.conf.d/ntpd: -------------------------------------------------------------------------------- 1 | ntpd_enable="YES" 2 | -------------------------------------------------------------------------------- /etc/rc.conf.d/openvpn_server: -------------------------------------------------------------------------------- 1 | openvpn_server_enable="NO" 2 | openvpn_server_configfile="/usr/local/etc/openvpn/openvpn_server.conf" -------------------------------------------------------------------------------- /etc/rc.conf.d/pf: -------------------------------------------------------------------------------- 1 | pf_enable="YES" 2 | pf_rules="/usr/local/etc/pf.conf" 3 | -------------------------------------------------------------------------------- /etc/rc.conf.d/pflog: -------------------------------------------------------------------------------- 1 | #DO NOT ENABLE, AS tshark is used to capture logs to file 2 | pflog_enable="NO" 3 | -------------------------------------------------------------------------------- /etc/rc.conf.d/postfix: -------------------------------------------------------------------------------- 1 | postfix_enable="YES" -------------------------------------------------------------------------------- /etc/rc.conf.d/secadm: -------------------------------------------------------------------------------- 1 | 
secadm_enable="YES" -------------------------------------------------------------------------------- /etc/rc.conf.d/sendmail: -------------------------------------------------------------------------------- 1 | sendmail_enable="NO" 2 | sendmail_submit_enable="NO" 3 | sendmail_outbound_enable="NO" 4 | sendmail_msp_queue_enable="NO" 5 | -------------------------------------------------------------------------------- /etc/rc.conf.d/sshd: -------------------------------------------------------------------------------- 1 | sshd_enable="YES" 2 | -------------------------------------------------------------------------------- /etc/rc.conf.d/ssmtp: -------------------------------------------------------------------------------- 1 | ssmtp_enable="YES" 2 | -------------------------------------------------------------------------------- /etc/rc.conf.d/syslogd: -------------------------------------------------------------------------------- 1 | syslogd_enable="YES" 2 | syslogd_flags="-ss -c" -------------------------------------------------------------------------------- /etc/rc.conf.d/tshark: -------------------------------------------------------------------------------- 1 | tshark_enable="YES" 2 | -------------------------------------------------------------------------------- /etc/rc.conf.d/vultured: -------------------------------------------------------------------------------- 1 | vultured_enable="YES" 2 | -------------------------------------------------------------------------------- /etc/rc.conf.d/zfs: -------------------------------------------------------------------------------- 1 | zfs_enable="YES" 2 | -------------------------------------------------------------------------------- /etc/rc.conf.local.sample: -------------------------------------------------------------------------------- 1 | clear_tmp_enable="YES" 2 | gateway_enable="YES" 3 | ipv6_gateway_enable="YES" 4 | dumpdev="NO" 5 | sendmail_enable="NONE" 
-------------------------------------------------------------------------------- /etc/rc.local: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # This file is part of VultureOS 4 | # 5 | 6 | . /etc/rc.subr 7 | 8 | # Get the freebsd-swap partition name from gpart 9 | swap_part="$(/sbin/gpart show -p | /usr/bin/grep "freebsd-swap" | /usr/bin/awk '{print $3}')" 10 | # Replace the first "swap" occurrence in fstab with the swap partition 11 | /usr/bin/sed -i '' -e "1,/swap/ s/.*swap.*/\/dev\/$swap_part none swap sw 0 0/" /etc/fstab 12 | # Then activate all swap devices listed in /etc/fstab 13 | /sbin/swapon -aq 14 | -------------------------------------------------------------------------------- /etc/ssh/sshd_config.sample: -------------------------------------------------------------------------------- 1 | Port 22 2 | AddressFamily any 3 | ListenAddress 0.0.0.0 4 | ListenAddress :: 5 | 6 | HostKey /etc/ssh/ssh_host_rsa_key 7 | HostKey /etc/ssh/ssh_host_ecdsa_key 8 | HostKey /etc/ssh/ssh_host_ed25519_key 9 | 10 | Ciphers aes256-ctr 11 | KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256,curve25519-sha256@libssh.org 12 | Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com 13 | 14 | RekeyLimit default 1h 15 | 16 | SyslogFacility AUTH 17 | LogLevel INFO 18 | 19 | LoginGraceTime 30 20 | PermitRootLogin no 21 | StrictModes yes 22 | MaxAuthTries 3 23 | MaxSessions 1 24 | 25 | PasswordAuthentication yes 26 | ChallengeResponseAuthentication yes 27 | PermitEmptyPasswords no 28 | 29 | PubkeyAuthentication yes 30 | AuthorizedKeysFile .ssh/authorized_keys 31 | 32 | HostbasedAuthentication no 33 | IgnoreUserKnownHosts yes 34 | IgnoreRhosts yes 35 | 36 | UsePAM no 37 | 38 | AllowAgentForwarding no 39 | AllowTcpForwarding no 40 | GatewayPorts no 41 | X11Forwarding no 42 | 43 | PermitTTY yes 44 | PrintMotd yes 45 | 46 | TCPKeepAlive yes 47 | PermitUserEnvironment no 48 | 49 | Compression delayed 50 | ClientAliveInterval 0 51 | 
ClientAliveCountMax 3 52 | UseDNS no 53 | 54 | PidFile /var/run/sshd.pid 55 | MaxStartups 10:30:100 56 | PermitTunnel no 57 | 58 | ChrootDirectory none 59 | UseBlacklist no 60 | 61 | # no default banner path 62 | Banner none 63 | 64 | # override default of no subsystems 65 | Subsystem sftp /usr/libexec/sftp-server 66 | 67 | -------------------------------------------------------------------------------- /etc/sysctl.conf: -------------------------------------------------------------------------------- 1 | kern.coredump=0 2 | kern.ipc.maxsockbuf=67108864 3 | kern.ipc.soacceptqueue=4096 4 | 5 | #Wire all shared-memory pages so they cannot be swapped out 6 | kern.ipc.shm_use_phys=1 7 | kern.maxfiles=204800 8 | kern.maxfilesperproc=128000 9 | kern.maxprocperuid=64000 10 | kern.maxvnodes=250000 11 | kern.sched.interact=5 12 | kern.sched.slice=1 13 | kern.sugid_coredump=0 14 | kern.threads.max_threads_per_proc=4096 15 | kern.msgbuf_show_timestamp=1 16 | 17 | net.inet.carp.log=1 18 | net.inet.carp.preempt=1 19 | 20 | net.inet.ip.intr_queue_maxlen=4096 21 | net.inet.ip.maxfragpackets=0 22 | net.inet.ip.maxfragsperpacket=0 23 | net.inet.ip.process_options=0 24 | net.inet.ip.random_id=1 25 | net.inet.ip.redirect=0 26 | net.inet.ip.sourceroute=0 27 | net.inet.ip.accept_sourceroute=0 28 | net.inet.ip.ttl=128 29 | 30 | net.inet.icmp.maskrepl=0 31 | net.inet.icmp.log_redirect=0 32 | net.inet.icmp.drop_redirect=1 33 | 34 | net.inet.tcp.abc_l_var=44 35 | 36 | #Let applications manage TCP keepalive themselves 37 | net.inet.tcp.always_keepalive=0 38 | 39 | #Stop creating any state (neither socket nor compressed tcptw) for TCP connections where both endpoints are local.
40 | net.inet.tcp.nolocaltimewait=1 41 | 42 | net.inet.tcp.delayed_ack=1 43 | net.inet.tcp.blackhole=2 44 | net.inet.tcp.drop_synfin=1 45 | net.inet.tcp.ecn.enable=1 46 | net.inet.tcp.fast_finwait2_recycle=1 47 | net.inet.tcp.icmp_may_rst=0 48 | net.inet.tcp.initcwnd_segments=44 49 | net.inet.tcp.isn_reseed_interval=4500 50 | net.inet.tcp.keepcnt=3 51 | net.inet.tcp.keepidle=10000 52 | net.inet.tcp.keepintvl=5000 53 | net.inet.tcp.minmss=536 54 | net.inet.tcp.maxtcptw=200000 55 | net.inet.tcp.msl=5000 56 | net.inet.tcp.recvbuf_auto=1 57 | net.inet.tcp.recvbuf_max=16777216 58 | net.inet.tcp.sendbuf_auto=1 59 | net.inet.tcp.sendbuf_inc=131072 60 | net.inet.tcp.sendbuf_max=16777216 61 | net.inet.tcp.syncache.rexmtlimit=0 62 | net.inet.tcp.syncookies=0 63 | net.inet.tcp.tso=0 64 | 65 | net.inet.udp.blackhole=1 66 | 67 | net.inet6.icmp6.nodeinfo=0 68 | net.inet6.icmp6.rediraccept=0 69 | net.inet6.ip6.accept_rtadv=0 70 | net.inet6.ip6.auto_linklocal=0 71 | net.inet6.ip6.maxfragpackets=0 72 | net.inet6.ip6.maxfrags=0 73 | net.inet6.ip6.prefer_tempaddr=1 74 | net.inet6.ip6.use_tempaddr=1 75 | net.inet6.ip6.use_deprecated=0 76 | 77 | net.local.dgram.maxdgram=65535 78 | net.local.dgram.recvspace=65535 79 | 80 | security.bsd.hardlink_check_gid=1 81 | security.bsd.hardlink_check_uid=1 82 | security.bsd.see_other_gids=0 83 | security.bsd.see_other_uids=0 84 | security.bsd.stack_guard_page=1 85 | security.bsd.unprivileged_proc_debug=0 86 | security.bsd.unprivileged_read_msgbuf=0 87 | 88 | vfs.zfs.vdev.async_read_max_active=6 89 | vfs.zfs.vdev.sync_read_max_active=20 90 | vfs.read_max=128 91 | -------------------------------------------------------------------------------- /etc/syslog.conf: -------------------------------------------------------------------------------- 1 | # $FreeBSD: releng/12.0/usr.sbin/syslogd/syslog.conf 338146 2018-08-21 17:01:47Z brd $ 2 | # 3 | # Spaces ARE valid field separators in this file. 
However, 4 | # other *nix-like systems still insist on using tabs as field 5 | # separators. If you are sharing this file between systems, you 6 | # may want to use only tabs as field separators here. 7 | # Consult the syslog.conf(5) manpage. 8 | 9 | *.err;kern.warning;auth.notice;mail.crit /var/log/kernel.log 10 | *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages 11 | security.* /var/log/security 12 | auth.info;authpriv.info /var/log/auth.log 13 | mail.info /var/log/maillog 14 | cron.* /var/log/cron 15 | !-devd 16 | *.=debug /var/log/debug.log 17 | *.emerg * 18 | console.info /var/log/console.log 19 | !* 20 | include /etc/syslog.d 21 | include /usr/local/etc/syslog.d -------------------------------------------------------------------------------- /etc/ttys: -------------------------------------------------------------------------------- 1 | console none unknown off secure 2 | # 3 | ttyv0 "/usr/libexec/getty Pc" xterm onifexists insecure 4 | # Virtual terminals 5 | ttyv1 "/usr/libexec/getty Pc" xterm onifexists insecure 6 | ttyv2 "/usr/libexec/getty Pc" xterm onifexists insecure 7 | ttyv3 "/usr/libexec/getty Pc" xterm onifexists insecure 8 | ttyv4 "/usr/libexec/getty Pc" xterm onifexists insecure 9 | ttyv5 "/usr/libexec/getty Pc" xterm onifexists insecure 10 | ttyv6 "/usr/libexec/getty Pc" xterm onifexists insecure 11 | ttyv7 "/usr/libexec/getty Pc" xterm onifexists insecure 12 | ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off insecure 13 | 14 | # Serial terminals 15 | # The 'dialup' keyword identifies dialin lines to login, fingerd etc. 
16 | ttyu0 "/usr/libexec/getty 3wire" vt100 onifconsole insecure 17 | ttyu1 "/usr/libexec/getty 3wire" vt100 onifconsole insecure 18 | ttyu2 "/usr/libexec/getty 3wire" vt100 onifconsole insecure 19 | ttyu3 "/usr/libexec/getty 3wire" vt100 onifconsole insecure 20 | 21 | # Dumb console 22 | dcons "/usr/libexec/getty std.9600" vt100 off insecure -------------------------------------------------------------------------------- /home/vlt-adm/.cshrc: -------------------------------------------------------------------------------- 1 | # $FreeBSD$ 2 | # 3 | # .cshrc - csh resource script, read at beginning of execution by each shell 4 | # 5 | # see also csh(1), environ(7). 6 | # more examples available at /usr/share/examples/csh/ 7 | # 8 | 9 | alias h history 25 10 | alias j jobs -l 11 | alias la ls -aF 12 | alias lf ls -FA 13 | alias ll ls -laFGh 14 | alias admin /home/vlt-adm/admin.sh 15 | 16 | # read(2) of directories may not be desirable by default, as this will provoke 17 | # EISDIR errors from each directory encountered. 18 | # alias grep grep -d skip 19 | 20 | 21 | # These are normally set through /etc/login.conf. You may override them here 22 | # if wanted. 
23 | # set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin) 24 | # setenv BLOCKSIZE K 25 | # A righteous umask 26 | #umask 22 27 | 28 | set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin) 29 | 30 | setenv EDITOR vi 31 | setenv PAGER less 32 | 33 | if ($?prompt) then 34 | # An interactive shell -- set some stuff up 35 | #set prompt = "%N@%m:%~ %# " 36 | if ( $USER != "root" ) then 37 | set prompt="(%l)[%{\033[36m%}`whoami`@%{\033[1;30m%}%m:%{\033[0;32m%}%~%{\033[0m%}]%# " 38 | else 39 | set prompt="%N@%m:%~ %# " 40 | endif 41 | set promptchars = "%#" 42 | 43 | set filec 44 | set history = 1000 45 | set savehist = (1000 merge) 46 | set autolist = ambiguous 47 | # Use history to aid expansion 48 | set autoexpand 49 | set autorehash 50 | set mail = (/var/mail/$USER) 51 | if ( $?tcsh ) then 52 | bindkey "^W" backward-delete-word 53 | bindkey -k up history-search-backward 54 | bindkey -k down history-search-forward 55 | bindkey "\e[1~" beginning-of-line # Home 56 | bindkey "\e[7~" beginning-of-line # Home rxvt 57 | bindkey "\e[2~" overwrite-mode # Ins 58 | bindkey "\e[3~" delete-char # Delete 59 | bindkey "\e[3;5~" delete-word # Ctrl Delete 60 | bindkey "\e[4~" end-of-line # End 61 | bindkey "\e[8~" end-of-line # End rxvt 62 | bindkey "\e[1;5C" forward-word # Right arrow 63 | bindkey "\e[1;5D" backward-word # Left arrow 64 | endif 65 | endif 66 | 67 | # Reset home directory 68 | cd -------------------------------------------------------------------------------- /home/vlt-adm/.login: -------------------------------------------------------------------------------- 1 | # $FreeBSD: releng/11.2/share/skel/dot.login 325815 2017-11-14 17:05:34Z trasz $ 2 | # 3 | # .login - csh login script, read by login shell, after `.cshrc' at login. 4 | # 5 | # See also csh(1), environ(7). 6 | # 7 | 8 | # Query terminal size; useful for serial lines. 
9 | if ( -x /usr/bin/resizewin ) /usr/bin/resizewin -z -------------------------------------------------------------------------------- /home/vlt-adm/.profile: -------------------------------------------------------------------------------- 1 | # $FreeBSD: releng/11.2/share/skel/dot.profile 325815 2017-11-14 17:05:34Z trasz $ 2 | # 3 | # .profile - Bourne Shell startup script for login shells 4 | # 5 | # see also sh(1), environ(7). 6 | # 7 | 8 | # These are normally set through /etc/login.conf. You may override them here 9 | # if wanted. 10 | # PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:$HOME/bin; export PATH 11 | # BLOCKSIZE=K; export BLOCKSIZE 12 | 13 | # Setting TERM is normally done through /etc/ttys. Do only override 14 | # if you're sure that you'll never log in via telnet or xterm or a 15 | # serial line. 16 | # TERM=xterm; export TERM 17 | 18 | EDITOR=vi; export EDITOR 19 | PAGER=more; export PAGER 20 | 21 | # set ENV to a file invoked each time sh is started for interactive use. 22 | ENV=$HOME/.shrc; export ENV 23 | 24 | # Query terminal size; useful for serial lines. 25 | if [ -x /usr/bin/resizewin ] ; then /usr/bin/resizewin -z ; fi -------------------------------------------------------------------------------- /home/vlt-adm/admin.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Define the dialog exit status codes 4 | DIALOG_OK=0 5 | DIALOG_CANCEL=1 6 | DIALOG_HELP=2 7 | DIALOG_EXTRA=3 8 | DIALOG_ITEM_HELP=4 9 | DIALOG_ESC=255 10 | 11 | JAILS_DIR="/zroot" 12 | 13 | # Function used to check jails and install them 14 | check_jails() { 15 | for jail in apache mongodb redis rsyslog haproxy portal; do 16 | # Do not check if jail is up, because there can be some tasks that have not been done (eg: pkg install mongodb) 17 | # /usr/bin/clear 18 | 19 | if [ ! -d /zroot/${jail} ]; then 20 | # /bin/echo "Updating jail ${jail} ..." 
21 | # /usr/local/bin/sudo /home/vlt-adm/bootstrap/mkjail-${jail}.sh 22 | /bin/echo "ERROR: Your vulture installation does not comply with standards" 23 | /bin/echo "Please contact the vulture team to report this incident" 24 | fi 25 | 26 | done 27 | } 28 | 29 | 30 | # Create a temporary file and make sure it goes away when we're done 31 | tmp_file="/var/tmp/dialog$$" 32 | while : 33 | do 34 | /usr/bin/dialog --clear --colors --title "Welcome on Vulture OS" --menu "Please choose an action" 20 100 13 \ 35 | "keymap" "Keyboard config" \ 36 | "time" "Time config" \ 37 | "password" "Modify vlt-adm's password" \ 38 | "geli_change" "Modify FDE password" \ 39 | "email" "Define Email address to send alerts to" \ 40 | "network_ips" "Change Node Network IPs" \ 41 | "proxy" "HTTP Proxy config" \ 42 | "netconfig" "Network config" \ 43 | "hostname" "Hostname config" \ 44 | "shell" "CSH Shell" \ 45 | "rootshell" "ROOT Shell" \ 46 | "update" "Update OS" \ 47 | "exit" "Exit" --stdout > "$tmp_file" 48 | 49 | return_value=$?
50 | case "$return_value" in 51 | "$DIALOG_OK") 52 | action="$(/bin/cat "$tmp_file")" 53 | 54 | case "$action" in 55 | "email") 56 | /bin/rm -f "$tmp_file" 57 | email=`grep '^root:' /etc/mail/aliases | sed -E 's/^.*:.([a-zA-Z0-9_\.-]+@[a-zA-Z0-9_\.-]+)$/\1/g'` 58 | if /usr/bin/dialog --title "Vulture Alert Email address" --inputbox "Enter the email address to send alerts to" 8 60 "${email}" --stdout > "$tmp_file"; then 59 | email="$(/bin/cat "$tmp_file")" 60 | /bin/rm "$tmp_file" 61 | 62 | /usr/local/bin/sudo /home/vlt-adm/system/write_aliases.sh "${email}" 63 | fi 64 | ;; 65 | "password") 66 | /usr/bin/passwd vlt-adm 67 | ;; 68 | "geli_change") 69 | if /usr/bin/dialog --title "Vulture Encryption passphrase" --inputbox "Enter a new encryption passphrase" 8 60 "" --stdout > "$tmp_file"; then 70 | passphrase="$(/bin/cat "$tmp_file")" 71 | /bin/rm "$tmp_file" 72 | /usr/local/bin/sudo /home/vlt-adm/system/geli-passphrase.sh "${passphrase}" 73 | fi 74 | ;; 75 | "network_ips") 76 | check_jails 77 | 78 | /bin/rm -f "$tmp_file" 79 | 80 | management_ip="$(/usr/sbin/sysrc -f /etc/rc.conf.d/network -n management_ip 2> /dev/null)" 81 | if [ "$?" 
= 1 ]; then 82 | management_ip="$(/sbin/ifconfig | /usr/bin/grep inet | /usr/bin/grep -v '127.0.0.1' | /usr/bin/grep -v ' ::1 ' \ 83 | | /usr/bin/grep -v 'fe80:' | /usr/bin/awk '{print $2}' | /usr/bin/awk -vRS="" -vOFS=' ' '$1=$1' | cut -d " " -f1)" 84 | fi 85 | 86 | internet_ip="$(/usr/sbin/sysrc -f /etc/rc.conf.d/network -n internet_ip 2> /dev/null)" 87 | internet_ip="${internet_ip:-${management_ip}}" 88 | backends_outgoing_ip="$(/usr/sbin/sysrc -f /etc/rc.conf.d/network -n backends_outgoing_ip 2> /dev/null)" 89 | backends_outgoing_ip="${backends_outgoing_ip:-${management_ip}}" 90 | logom_outgoing_ip="$(/usr/sbin/sysrc -f /etc/rc.conf.d/network -n logom_outgoing_ip 2> /dev/null)" 91 | logom_outgoing_ip="${logom_outgoing_ip:-${management_ip}}" 92 | 93 | if /usr/bin/dialog --title "Vulture Node Network settings" --form "Choose the Node's network IP Addresses" 14 60 8 \ 94 | "Management IP Address:" 1 1 "$management_ip" 1 25 25 30 \ 95 | "Internet IP:" 3 1 "$internet_ip" 3 25 25 30 \ 96 | "Backends Outgoing IP:" 5 1 "$backends_outgoing_ip" 5 25 25 30 \ 97 | "LogOM Outgoing IP:" 7 1 "$logom_outgoing_ip" 7 25 25 30 \ 98 | --stdout > "$tmp_file"; then 99 | 100 | management_ip="$(/usr/bin/sed -n 1p "$tmp_file")" 101 | internet_ip="$(/usr/bin/sed -n 2p "$tmp_file")" 102 | backends_outgoing_ip="$(/usr/bin/sed -n 3p "$tmp_file")" 103 | logom_outgoing_ip="$(/usr/bin/sed -n 4p "$tmp_file")" 104 | 105 | /bin/rm "$tmp_file" 106 | 107 | if ! (echo "$management_ip" | grep -Eq '(^([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}$)|(^([[:xdigit:]]{0,4}:){2,7}[[:xdigit:]]{0,4}$)'); then 108 | /usr/bin/dialog --msgbox "Management IP format incorrect" 8 60 109 | elif ! (echo "$internet_ip" | grep -Eq '(^([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}$)|(^([[:xdigit:]]{0,4}:){2,7}[[:xdigit:]]{0,4}$)'); then 110 | /usr/bin/dialog --msgbox "Internet IP format incorrect" 8 60 111 | elif ! 
(echo "$backends_outgoing_ip" | grep -Eq '(^([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}$)|(^([[:xdigit:]]{0,4}:){2,7}[[:xdigit:]]{0,4}$)'); then 112 | /usr/bin/dialog --msgbox "Backends Outgoing IP format incorrect" 8 60 113 | elif ! (echo "$logom_outgoing_ip" | grep -Eq '(^([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}$)|(^([[:xdigit:]]{0,4}:){2,7}[[:xdigit:]]{0,4}$)'); then 114 | /usr/bin/dialog --msgbox "LogOM Outgoing IP format incorrect" 8 60 115 | else 116 | /usr/local/bin/sudo /home/vlt-adm/system/netconfig-resolv.sh 117 | /usr/local/bin/sudo /home/vlt-adm/system/network-ips.sh "${management_ip}" "${internet_ip}" "${backends_outgoing_ip}" "${logom_outgoing_ip}" 118 | fi 119 | fi 120 | ;; 121 | "update") 122 | check_jails 123 | /usr/local/bin/sudo /home/vlt-adm/system/update_system.sh 124 | ;; 125 | "exit") 126 | break 127 | ;; 128 | "shell") 129 | /bin/csh 130 | ;; 131 | "rootshell") 132 | /usr/local/bin/sudo /usr/bin/su 133 | ;; 134 | "proxy") 135 | /bin/rm -f "$tmp_file" 136 | if [ -f /etc/rc.conf.proxy ]; then 137 | proxy="$(/usr/bin/grep "http_" /etc/rc.conf.proxy | /usr/bin/sed 's/.*http:\/\///')" 138 | fi 139 | if /usr/bin/dialog --title "Vulture HTTP Proxy setting" --inputbox "Enter HTTP proxy address (IPv4:port or [IPv6]:port)" 8 60 "${proxy}" --stdout > "$tmp_file"; then 140 | proxy="$(/bin/cat "$tmp_file")" 141 | /bin/rm "$tmp_file" 142 | 143 | if echo "$proxy" | grep -Eq '(^([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}:[[:digit:]]{1,5}$)|(^\[([[:xdigit:]]{0,4}:){2,7}[[:xdigit:]]{0,4}\]:[[:digit:]]{1,5}$)' || [ -z "$proxy" ] ; then 144 | /usr/local/bin/sudo /home/vlt-adm/system/proxy.sh "${proxy}" 145 | else 146 | /usr/bin/dialog --msgbox "IP format incorrect" 8 60 147 | fi 148 | 149 | fi 150 | ;; 151 | "keymap") 152 | /usr/local/bin/sudo /home/vlt-adm/system/keymap.sh 153 | ;; 154 | "time") 155 | /home/vlt-adm/system/time.sh 156 | ;; 157 | "hostname") 158 | check_jails 159 | 160 | /usr/local/bin/sudo /home/vlt-adm/system/hostname.sh 161 | ;; 162 | "netconfig") 163 
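# (tail of /home/vlt-adm/admin.sh: last menu entries of the dialog main loop;
#  the loop and the outer case statement start above this block)
                /usr/local/bin/sudo /home/vlt-adm/system/netconfig.sh
                ;;
        esac
        ;;
    "$DIALOG_CANCEL")
        /bin/echo "Cancel pressed."
        break
        ;;
    "$DIALOG_HELP")
        /bin/echo "Help pressed."
        /usr/bin/read a
        ;;
    "$DIALOG_EXTRA")
        /bin/echo "Extra button pressed."
        /usr/bin/read a
        ;;
    "$DIALOG_ITEM_HELP")
        /bin/echo "Item-help button pressed."
        /usr/bin/read a
        ;;
    "$DIALOG_ESC")
        /bin/echo "ESC pressed."
        /usr/bin/read a
        ;;
    esac

    # Whatever branch ran, never leave the dialog scratch file behind.
    /bin/rm -rf "$tmp_file"

done

# --------------------------------------------------------------------------------
# /home/vlt-adm/gui/cluster_create.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Bootstrap this node as the first node of a Vulture cluster.
#
# Usage: cluster_create.sh [username [password]]
#   Missing values are prompted for on the terminal (password without echo).
#   When the password is given as $2 the confirmation prompt is skipped
#   (confirm_password is pre-filled from $2).
# Must run as root. Exits 1 on permission error or password mismatch,
# 2 when the bootstrap helper fails.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

username=$1
password=$2
confirm_password=$2

# If we are interrupted between "stty -echo" and "stty echo", give the
# admin their terminal echo back instead of leaving it disabled.
trap 'stty echo 2> /dev/null; exit 1' INT TERM

if [ -z "$username" ]; then
    echo -n "Username: "
    read -r username
fi

if [ -z "$password" ]; then
    echo -n "Password: "
    stty -echo
    read -r password
    stty echo
    echo ""
fi

if [ -z "$confirm_password" ]; then
    echo -n "Confirm Password: "
    stty -echo
    read -r confirm_password
    stty echo
    echo ""
fi

if [ "$password" = "$confirm_password" ]; then
    # Unset proxy to contact the GUI (myself)
    export http_proxy=""
    export https_proxy=""
    export ftp_proxy=""

    # Do a first curl to create log files.
    # -k: the GUI certificate is not trusted by the host store at this point;
    # the response itself is discarded, only the side effect matters.
    echo "[+] Trying to contact GUI..."
    /bin/sleep 5
    curl -XGET -kw "Status code : %{http_code}\n" -o /dev/null "https://$(hostname):8000/" 2> /dev/null

    /usr/sbin/jexec redis service redis restart
    # Quoted so a username/password containing spaces or glob characters is
    # passed as one argument each. Both values travel through argv of the
    # helper (that is its interface), so they are visible in the process
    # list while it runs.
    /home/jails.apache/.zfs-source/home/vlt-os/bootstrap/cluster_create "$username" "$password" || exit 2

    # Restart gunicorn service to refresh code and conf
    /usr/sbin/jexec apache /usr/sbin/service gunicorn restart

    /usr/sbin/service vultured restart || /usr/sbin/service vultured start
else
    # printf renders the colour escape itself instead of depending on the
    # shell's echo escape handling.
    printf '\033[31m%s\033[0m\n' "Passwords mismatch"
    exit 1
fi

# --------------------------------------------------------------------------------
# /home/vlt-adm/gui/cluster_join.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Join this node to an existing Vulture cluster.
#
# Usage: cluster_join.sh [master_hostname [master_ip [api_key]]]
#   Missing values are prompted for; the API key is read without echo.
# Must run as root.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

master_hostname=$1
master_ip=$2
api_key=$3

if [ -z "${master_hostname}" ]; then
    echo -n "Master hostname: "
    read -r master_hostname
fi

if [ -z "${master_ip}" ]; then
    echo -n "Master IP (without bracket for IPv6):"
    read -r master_ip
fi

if [ -z "${api_key}" ]; then
    echo -n "Cluster APIKey: "
    # The key is a credential: do not echo it back to the terminal, and
    # restore echo if we are interrupted while reading it.
    trap 'stty echo 2> /dev/null; exit 1' INT TERM
    stty -echo 2> /dev/null
    read -r api_key
    stty echo 2> /dev/null
    echo ""
fi

# All three values are needed below; fail before stopping services and
# calling the bootstrap helper with empty arguments.
if [ -z "${master_hostname}" ] || [ -z "${master_ip}" ] || [ -z "${api_key}" ]; then
    /bin/echo "Master hostname, master IP and API key are all required" 1>&2
    exit 1
fi

/home/vlt-os/scripts/add_to_hosts.py "$master_hostname" "$master_ip"

/usr/sbin/jexec redis service redis restart
/usr/sbin/jexec apache service gunicorn stop
/usr/sbin/jexec portal service gunicorn stop
/usr/sbin/service vultured stop

# Bracket IPv6 literals for the helper. A case pattern replaces the previous
# `echo | grep ":"`, which also printed the address to stdout as a side effect.
case "$master_ip" in
    *:*) master_ip="[${master_ip}]" ;;
esac

/zroot/apache/home/vlt-os/bootstrap/cluster_join "$master_hostname" "$master_ip" "$api_key"

/usr/sbin/service vultured start
/usr/sbin/jexec apache service gunicorn start
/usr/sbin/jexec portal service gunicorn start
# --------------------------------------------------------------------------------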
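# /home/vlt-adm/gui/configure.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Run the GUI bootstrap "configure" step inside the apache jail.
# Usage: configure.sh [argument]   -- the optional argument is forwarded.
# Must run as root.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

# ${1:+"$1"} forwards $1 as exactly one argument when set and nothing when
# empty: same arity as the previous unquoted $1, without word splitting.
/usr/sbin/jexec apache /home/vlt-os/bootstrap/configure ${1:+"$1"}

# --------------------------------------------------------------------------------
# /home/vlt-adm/gui/django_migration.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Apply the Django migrations as vlt-os, then make sure tshark is running.
# Exit status: the migration's status if it failed, otherwise the status of
# the tshark status/start line (an already-running tshark is not a failure).
# Must run as root.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

# Absolute paths, like the other admin scripts, so the result does not depend
# on the PATH inherited from the caller.
/usr/local/bin/sudo -u vlt-os /home/jails.apache/.zfs-source/home/vlt-os/bootstrap/django_migration.sh
migration_rc=$?

# Prevent script return code to be != 0 if services already running
/usr/sbin/service tshark status || /usr/sbin/service tshark start
tshark_rc=$?

# A failed migration must not be masked by a successful tshark start.
if [ $migration_rc -ne 0 ]; then
    exit $migration_rc
fi
exit $tshark_rc

# --------------------------------------------------------------------------------
# /home/vlt-adm/system/configure_jail_hosts.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Write the static /etc/hosts and /etc/resolv.conf of one jail under /zroot.
# Usage: configure_jail_hosts.sh JAIL_NAME
# Must run as root.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

if [ $# -ne 1 ] ; then
    echo "Usage: $0 JAIL_NAME"
    exit 1
fi

JAIL_NAME="$1"

# The name becomes a path component below: refuse anything that could leave
# /zroot ("..", an embedded "/") or select nothing at all.
case "$JAIL_NAME" in
    ""|.|..|*/*)
        /bin/echo "Invalid jail name: '${JAIL_NAME}'" 1>&2
        exit 1
        ;;
esac

TARGET="/zroot/${JAIL_NAME}"

if [ ! -d "${TARGET}/etc" ]; then
    /bin/echo "${TARGET}/etc does not exist, is '${JAIL_NAME}' a jail root?" 1>&2
    exit 1
fi

# Configure /etc/hosts of jail (one write instead of fourteen appends; the
# resulting file content is unchanged)
/bin/cat > "${TARGET}/etc/hosts" << 'EOF'
::1 localhost
127.0.0.1 localhost
fd00::202 mongodb
127.0.0.2 mongodb
fd00::203 redis
127.0.0.3 redis
fd00::204 rsyslog
127.0.0.4 rsyslog
fd00::205 haproxy
127.0.0.5 haproxy
127.0.0.6 apache
fd00::206 apache
127.0.0.7 portal
fd00::207 portal
EOF

# Host's dnsmasq resolver is used by jails -> local loopback of the jail
echo "nameserver ${JAIL_NAME}" > "${TARGET}/etc/resolv.conf"

# --------------------------------------------------------------------------------
# /home/vlt-adm/system/geli-passphrase.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Change the GELI passphrase of the root provider (partition 3 of the first
# disk, ada0 or da0) and refresh its metadata backup in /var/backups.
# Usage: geli-passphrase.sh NEW_PASSPHRASE
# Must run as root. Exits 1 on bad usage or if `geli setkey` fails.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

if [ -z "$1" ]; then
    /bin/echo "Usage: $0 NEW_PASSPHRASE" 1>&2
    exit 1
fi

if [ -e /dev/ada0 ]; then
    DISKSLICE=ada
else
    DISKSLICE=da
fi
provider="/dev/${DISKSLICE}0p3"

# The passphrase has to go through a file for `geli setkey -J`: create it
# root-only (umask) and make sure it is removed however the script ends.
keyfile="/root/.tmpkey"
umask 077
trap 'rm -f "$keyfile"' EXIT
trap 'rm -f "$keyfile"; exit 1' INT TERM
# printf keeps the passphrase byte for byte (an unquoted echo would word-split
# it); the trailing newline matches the previous behaviour.
printf '%s\n' "$1" > "$keyfile"
if ! geli setkey -J "$keyfile" "$provider"; then
    /bin/echo "[!] geli setkey failed on ${provider}, metadata backup not refreshed" 1>&2
    exit 1
fi
rm -f "$keyfile"

# Back up the metadata of the provider that was just re-keyed (this was
# hard-coded to /dev/da0p3, i.e. the wrong device on ada-based systems).
geli backup "$provider" "/var/backups/${DISKSLICE}0p3.eli"

# --------------------------------------------------------------------------------
# /home/vlt-adm/system/hostname.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Set the node hostname (from $1, or interactively via bsdinstall) and apply it
# everywhere it matters: rc.conf, the running kernel, /etc/hosts, the internal
# PKI and the MongoDB replica set (initialised on first run, renamed afterwards).
# Usage: hostname.sh [new_hostname]
# Must run as root.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

# Get old hostname if exists
if [ -f /etc/rc.conf.hostname ] ; then
    old_hostname="$(/usr/bin/sed -E 's/hostname=\"?(.*)\"?/\1/g' /etc/rc.conf.hostname)"
elif [ -f /tmp/bsdinstall_etc/rc.conf.hostname ] ; then
    old_hostname="$(/usr/bin/sed -E 's/hostname=\"?(.*)\"?/\1/g' /tmp/bsdinstall_etc/rc.conf.hostname)"
fi

if [ $# -ge 1 ] ; then
    /bin/mkdir -p /tmp/bsdinstall_etc/
    /bin/echo "hostname=$1" > /tmp/bsdinstall_etc/rc.conf.hostname
else
    /usr/sbin/bsdinstall hostname
fi

# Nothing to do unless bsdinstall (or $1 above) produced a hostname file
[ -f /tmp/bsdinstall_etc/rc.conf.hostname ] || exit 0

# hostname="" means "keep the current one": the matching line is shown on
# stderr (as before) and nothing is updated.
if grep 'hostname=""' /tmp/bsdinstall_etc/rc.conf.hostname 1>&2; then
    exit 0
fi

# The value is about to be written to /etc/rc.conf, sourced back with ".",
# and spliced into a csh -c command line for mongo further down. Only accept
# a conservative hostname character set so no shell syntax can get that far.
new_hostname="$(/usr/bin/sed -E 's/hostname=\"?(.*)\"?/\1/g' /tmp/bsdinstall_etc/rc.conf.hostname | tr -d '"')"
case "$new_hostname" in
    ""|*[!A-Za-z0-9.-]*)
        /bin/echo "Invalid hostname '${new_hostname}': only letters, digits, '.' and '-' are allowed." 1>&2
        exit 1
        ;;
esac

tr -d '"' < /tmp/bsdinstall_etc/rc.conf.hostname > /etc/rc.conf.hostname
sysrc -f /etc/rc.conf "$(cat /etc/rc.conf.hostname)"
. /etc/rc.conf
/bin/hostname "${hostname}"

# Retrieve management IP address
ip="$(/usr/sbin/sysrc -f /etc/rc.conf.d/network -n management_ip 2> /dev/null)"
# No management IP - exit
if [ -z "$ip" ] ; then
    /bin/echo "Management IP address is null - please select 'Management' and retry." 1>&2
    exit 1
fi

# Remember whether vultured was running so it can be brought back afterwards
/usr/sbin/service vultured status
vultured_was_up=$?
if [ $vultured_was_up -eq 0 ] ; then
    /usr/sbin/service vultured stop
fi

# Update /etc/hosts with the new name (take the management IP address)
/home/vlt-adm/system/write_hostname.sh

# Be sure that all jails are started
for jail in apache mongodb redis rsyslog haproxy portal; do
    /usr/sbin/jail -cm "$jail" > /dev/null
done

# Initialize internal PKI
# On secondary node, this will be overridden later during cluster join
/home/vlt-os/env/bin/python /home/vlt-os/scripts/pki.py

# Apache: Hostname change has no impact
/usr/sbin/jexec apache /usr/sbin/service gunicorn restart
/usr/sbin/jexec apache /usr/sbin/service nginx restart
/usr/sbin/jexec portal /usr/sbin/service gunicorn restart

# MongoDB is restarted "as this"
if ! /usr/sbin/jexec mongodb /usr/sbin/service mongod restart ; then
    /bin/echo "[!] Failed to restart mongodb. Please solve and relaunch $0." 1>&2
    exit 1
fi

# Initialize the mongoDB replicaset, if bootstrap is not done yet
if ! /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py check >/dev/null 2>&1 ; then
    export hostname=${hostname}
    options="--ssl --sslPEMKeyFile /var/db/pki/node.pem --sslCAFile /var/db/pki/ca.pem"
    # If the management IP is an IPv6 address
    case "$ip" in
        *:*) options="--ipv6 $options" ;;
    esac
    # Populate mongoDB, if bootstrap is not done yet
    command='/bin/echo rs.initiate\(\{_id:\"Vulture\", members:\[\{_id:0,host:\"'${hostname}':9091\"\}\]\}\) | /usr/local/bin/mongo '${options}' '${hostname}':9091/vulture'
    if /usr/sbin/jexec mongodb /bin/csh -c "$command" ; then
        ## Django migrations
        /home/vlt-adm/gui/django_migration.sh
    else
        /bin/echo "Failed to initialize mongodb node, migrations aborted." 1>&2
    fi
    /usr/sbin/jexec apache /usr/sbin/service gunicorn restart
    /usr/sbin/jexec portal /usr/sbin/service gunicorn restart
    # vultured is not restarted on this path (unchanged); presumably the
    # cluster create/join that follows a first bootstrap takes care of it.
elif [ -n "$old_hostname" ] && [ "$old_hostname" != "$hostname" ] ; then # old != new
    echo "Rename replicaset"
    # Change the hostname of the node in MongoDB replicaset configuration
    /home/vlt-os/scripts/replica_rename.py "$old_hostname" "$hostname"
    # Start vultured if it was running
    if [ $vultured_was_up -eq 0 ] ; then
        /usr/sbin/service vultured start
    fi
else
    # Already bootstrapped and the name did not change: nothing to rename,
    # but vultured was stopped above and previously stayed down here.
    if [ $vultured_was_up -eq 0 ] ; then
        /usr/sbin/service vultured start
    fi
fi

# --------------------------------------------------------------------------------
# /home/vlt-adm/system/keymap.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Set the console keymap, either from $1 or interactively via bsdinstall, and
# persist it in rc.conf (with /etc/rc.conf.keymap kept as a copy).
# Must run as root.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

if [ $# -ge 1 ]; then
    /bin/echo "keymap=\"$1\"" > /etc/rc.conf.keymap
    /usr/sbin/kbdmap -r 2> /dev/null
    # The rc.conf variable is "keymap" (the same name written to
    # /etc/rc.conf.keymap above and by the bsdinstall branch); the previous
    # "kdbmap=$1" set a misspelt variable that nothing reads.
    sysrc keymap="$1"
else
    /usr/sbin/bsdinstall keymap
    if [ -f /tmp/bsdinstall_etc/rc.conf.keymap ]; then
        tr -d '"' < /tmp/bsdinstall_etc/rc.conf.keymap > /etc/rc.conf.keymap
        /usr/sbin/kbdmap -r 2> /dev/null

        sysrc -f /etc/rc.conf "$(cat /etc/rc.conf.keymap)"
    fi
fi

# --------------------------------------------------------------------------------
# /home/vlt-adm/system/netconfig-resolv.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Replace /etc/resolv.conf with the content given as $1 (written verbatim,
# no trailing newline added). Without an argument it is a no-op, which is
# how admin.sh currently calls it.
# Must run as root.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

if [ "$1" ]; then
    /usr/bin/printf "%s" "$1" > /etc/resolv.conf
fi

# --------------------------------------------------------------------------------
# /home/vlt-adm/system/netconfig.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# (Re)configure the host network interfaces: runs the interactive bsdinstall
# dialog unless AUTO=yes, applies the result plus Vulture's static loopback
# setup, then restarts netif/routing/jails and reloads pf.
# Must run as root.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

# In case of automatic needs, export env variable AUTO=yes
if [ "$AUTO" != "yes" ] ; then
    /usr/sbin/bsdinstall netconfig
fi
if [ -f /tmp/bsdinstall_etc/rc.conf.net ]; then
    # Each line of the bsdinstall output is a VAR=value pair for sysrc
    /usr/bin/xargs /usr/sbin/sysrc < /tmp/bsdinstall_etc/rc.conf.net

    # Set Vulture-specific static network configuration
    /usr/sbin/sysrc -f /etc/rc.conf.d/network ifconfig_lo0="inet 127.0.0.1 netmask 255.255.255.0"
    /usr/sbin/sysrc -f /etc/rc.conf.d/network ifconfig_lo0_ipv6="inet6 ::1 prefixlen 128"
    /usr/sbin/sysrc -f /etc/rc.conf.d/network ifconfig_lo0_alias0="inet6 fd00::201 prefixlen 128"
    /usr/sbin/sysrc -f /etc/rc.conf.d/network cloned_interfaces="lo1 lo2 lo3 lo4 lo5 lo6"

    /usr/sbin/service netif restart
    # Interfaces configured with DHCP in rc.conf need dhclient re-run by hand
    dhcp_list=$(/usr/sbin/sysrc -ae | /usr/bin/grep -i "ifconfig.*dhcp" | /usr/bin/sed -e 's/.*_\(.*\)=\(.*\)/\1/' | sort -u)
    for i in ${dhcp_list}; do
        /sbin/dhclient "${i}"
    done

    # Restart routes
    /usr/sbin/service routing restart

    # Restart jails to re-apply ip addresses config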
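    /usr/sbin/service jail restart
fi
if [ -f /tmp/bsdinstall_etc/resolv.conf ]; then
    /bin/mv /tmp/bsdinstall_etc/resolv.conf /etc/
fi

# Regenerate and reload the firewall rules for the new addresses
/usr/local/bin/pfctl-get_management.sh
/usr/local/bin/pfctl-init.sh
/sbin/pfctl -f /usr/local/etc/pf.conf

# --------------------------------------------------------------------------------
# /home/vlt-adm/system/network-ips.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Record the node's addresses (management / internet / backends outgoing /
# LogOM outgoing) in /etc/rc.conf.d/network and propagate the management IP
# to /etc/hosts, the rsyslog jail, redis/sentinel and - once the node is
# bootstrapped - the cluster database and pf.
# Usage: network-ips.sh MANAGEMENT_IP [INTERNET_IP [BACKENDS_OUTGOING_IP [LOGOM_OUTGOING_IP]]]
#   Missing values default to MANAGEMENT_IP.
# Must run as root. Exits 1 on a malformed address.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

management_ip="$1"
internet_ip="${2:-$management_ip}"
backends_outgoing_ip="${3:-$management_ip}"
logom_outgoing_ip="${4:-$management_ip}"

# The four values end up in a sysrc assignment, a sed expression and a Python
# snippet run through `manage.py shell -c`. admin.sh validates its input, but
# this script can be invoked on its own: restrict the values to the characters
# an IPv4/IPv6 literal can contain before any of that happens.
for value in "$management_ip" "$internet_ip" "$backends_outgoing_ip" "$logom_outgoing_ip"; do
    case "$value" in
        ""|*[!0-9A-Fa-f.:]*)
            /bin/echo "Invalid IP Address !" 1>&2
            exit 1
            ;;
    esac
done

# -F -w: match the address as a literal whole word, so 10.0.0.1 no longer
# "matches" 10.0.0.10 or 110.0.0.1 (unanchored regex with '.' wildcards).
if /sbin/ifconfig | grep -qwF -- "$management_ip"; then
    # update node network ips in /etc/rc.conf.d/network
    /usr/sbin/sysrc -f /etc/rc.conf.d/network "management_ip=$management_ip" "internet_ip=$internet_ip" "backends_outgoing_ip=$backends_outgoing_ip" "logom_outgoing_ip=$logom_outgoing_ip"

    #Update /etc/hosts with the new Management IP address
    /home/vlt-adm/system/write_hostname.sh

    #Update sentinel and redis with the new Management IP address
    if ! /usr/sbin/jls | /usr/bin/grep -q "redis"; then
        /usr/sbin/jail -cm redis > /dev/null
    fi

    #Update Rsyslog jail conf (the line tagged #RSYSLOGJAILIP in jail.conf)
    case $management_ip in
        *:*) /usr/bin/sed -Ei '' $'s/^.+#RSYSLOGJAILIP$/\t ip6.addr += '$management_ip$'; \t\t\t\t\t #RSYSLOGJAILIP/' "/etc/jail.conf";;
        *) /usr/bin/sed -Ei '' $'s/^.+#RSYSLOGJAILIP$/\t ip4.addr += '$management_ip$'; \t\t\t\t\t #RSYSLOGJAILIP/' "/etc/jail.conf";;
    esac

    /usr/sbin/service jail restart rsyslog

    # The Node has been removed of the replicaset, restart mongodb to re-initiate
    /usr/sbin/jexec mongodb service mongod restart

    # If bootstrap has already been done,
    if /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py is_node_bootstrapped >/dev/null 2>&1 ; then
        # Update node network ips in Mongo (values were validated above)
        /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py shell -c "from system.cluster.models import Node ; n = Node.objects.get(name=\"`hostname`\") ; n.management_ip = \"$management_ip\" ; n.internet_ip = \"$internet_ip\" ; n.backends_outgoing_ip = \"$backends_outgoing_ip\" ; n.logom_outgoing_ip = \"$logom_outgoing_ip\" ; n.save()"

        # Update Redis configuration; the password is passed through the
        # environment (REDISCLI_AUTH), not on the command line.
        redis_password="$(/usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py shell -c 'from system.cluster.models import Cluster; print(Cluster.get_global_config().redis_password)')"
        REDISCLI_AUTH="${redis_password}" /usr/sbin/jexec redis redis-cli CONFIG SET replica-announce-ip "${management_ip}"
        REDISCLI_AUTH="${redis_password}" /usr/sbin/jexec redis redis-cli CONFIG REWRITE
        echo "configuring sentinel..."
        /usr/sbin/jexec redis redis-cli -p 26379 SENTINEL CONFIG SET announce-ip "${management_ip}"

        # Reload apache service
        /usr/sbin/jexec apache /usr/sbin/service gunicorn reload
        /usr/sbin/jexec apache /usr/sbin/service nginx reload
        # Reload pf configuration
        /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py shell -c 'from system.cluster.models import Cluster ; Cluster.api_request("services.pf.pf.gen_config")'

    else
        # Update Redis/Sentinel configuration (without password)
        /usr/local/bin/pfctl-init.sh
        /sbin/pfctl -f /usr/local/etc/pf.conf
        /usr/sbin/jexec redis redis-cli CONFIG SET replica-announce-ip "${management_ip}"
        /usr/sbin/jexec redis redis-cli CONFIG REWRITE
        /usr/sbin/jexec redis redis-cli -p 26379 SENTINEL CONFIG SET announce-ip "${management_ip}"
    fi
else
    /bin/echo "Invalid IP Address !"
fi

# --------------------------------------------------------------------------------
# /home/vlt-adm/system/proxy.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Configure (or clear, when called with an empty argument) the HTTP proxy used
# by the host, the jails and pkg(8).
# Usage: proxy.sh [[scheme://]HOST:PORT]   (IPv6 as [ADDR]:PORT)
# Must run as root. Exits 1 on a malformed proxy value.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi
proxy="${1#*://}"

# The value is written to /etc/rc.conf.proxy, which other scripts source with
# "." (update_system.sh does), and used inside a sed expression delimited by
# '+': accept only host/IP characters, ':' and the IPv6 brackets.
case "$(printf '%s' "$proxy" | tr -d '[]')" in
    *[!A-Za-z0-9.:-]*)
        /bin/echo "Invalid proxy address '${1}'" 1>&2
        exit 1
        ;;
esac

export http_proxy=http://${proxy}
export https_proxy=http://${proxy}
export ftp_proxy=http://${proxy}

if [ -n "${proxy}" ]; then
    /bin/echo "http_proxy=http://${proxy}" > /etc/rc.conf.proxy
    /bin/echo "https_proxy=http://${proxy}" >> /etc/rc.conf.proxy
    /bin/echo "ftp_proxy=http://${proxy}" >> /etc/rc.conf.proxy
    # Copy proxy conf to jails
    for dir in /zroot/*/et 
c/ ; do /bin/cp /etc/rc.conf.proxy "$dir" ; done
    # update pkg.conf file to force pkg to use proxy
    if /usr/bin/grep -q "^PKG_ENV" /usr/local/etc/pkg.conf; then
        sed -i '' "s+^PKG_ENV.*+PKG_ENV {http_proxy: http://${proxy}, https_proxy: http://${proxy}}+g" /usr/local/etc/pkg.conf
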
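# (continuation of /home/vlt-adm/system/proxy.sh: pkg.conf had no PKG_ENV line yet)
    else
        /bin/echo "" >> /usr/local/etc/pkg.conf
        /bin/echo "PKG_ENV {http_proxy: http://${proxy}, https_proxy: http://${proxy}}" >> /usr/local/etc/pkg.conf
    fi
else
    # Clearing the proxy: -f so a proxy that was never configured is not an error
    /bin/rm -f /etc/rc.conf.proxy
    # Remove proxy from jails
    /bin/rm -f /zroot/*/etc/rc.conf.proxy
    # update pkg.conf file so pkg stops using a proxy
    sed -i '' 's+^PKG_ENV.*+PKG_ENV {}+g' /usr/local/etc/pkg.conf
fi

# Once bootstrapped, let the cluster regenerate pf so the proxy rules follow
if /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py is_node_bootstrapped >/dev/null 2>&1 ; then
    /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py shell -c 'from system.cluster.models import Cluster ; Cluster.api_request("services.pf.pf.gen_config")'
fi

# --------------------------------------------------------------------------------
# /home/vlt-adm/system/register_vulture_repos.sh:
# --------------------------------------------------------------------------------
#!/usr/bin/env sh
# Usage update_repositories [prefix_dir]
#
# Replace the pkg(8) and hbsd-update repository configuration of the system
# (or of the tree rooted at prefix_dir, e.g. a jail) with Vulture's, and
# install the matching trust anchors.
#
# NOTE(review): both the repository configuration and the CA files that later
# verify packages and system updates are fetched over cleartext http:// and
# installed without any integrity check. Anything on the path can substitute
# them. Until the download is authenticated, a known-good fingerprint of the
# CA files should be compared before they are copied into the trusted dirs.

pkg_url="http://pkg.vultureproject.org/"
vulture_conf="Vulture.conf"
pkg_ca="pkg.vultureproject.org"
update_url="http://updates.vultureproject.org/"
vulture_update_conf="hbsd-update.conf"
vulture_update_ca="ca.vultureproject.org"
temp_dir=$(mktemp -d) || { /bin/echo "[!] Could not create a temporary directory" 1>&2; exit 1; }

RESET_COLOR="\033[0m"
ORANGE="\033[38;5;172m"

# finalize [err_code [err_message]]
# Print the optional message, remove the temporary directory and exit with
# err_code (0 when not given).
finalize() {
    # set default in case err_code is not specified
    err_code=${1:-0}
    err_message=$2

    if [ -n "$err_message" ]; then
        /bin/echo ""
        /bin/echo "[!] ${err_message}"
        /bin/echo ""
    fi

    /bin/echo "[+] Cleaning temporary dir..."
    /bin/rm -rf "$temp_dir"
    /bin/echo "[-] Done"

    exit "$err_code"
}

# update_repositories [prefix_dir]
# Disable existing custom repos under prefix_dir, back up its hbsd-update
# configs, then download (once, into temp_dir) and install Vulture's repo
# config and CA files. Calls finalize 1 on any download failure.
update_repositories() {
    prefix_dir="$1"
    _log_header=""
    if [ -n "$prefix_dir" ]; then
        _log_header="[${prefix_dir}]"
    fi
    if [ -d "${prefix_dir}/usr/local/etc/pkg/repos/" ]; then
        /usr/bin/printf "${ORANGE}[!]${_log_header} Disabling custom repos in ${prefix_dir}/usr/local/etc/pkg${RESET_COLOR}\n"
        /usr/bin/sed -i '' 's/enabled\(.*\)yes/enabled\1no/' "${prefix_dir}"/usr/local/etc/pkg/repos/*.conf
        if [ -e "${prefix_dir}/usr/local/etc/pkg/repos/vulture.conf" ]; then
            /bin/rm -f "${prefix_dir}/usr/local/etc/pkg/repos/vulture.conf"
        fi
        /bin/echo "[-]${_log_header} Done"
    fi

    /bin/mkdir -p "${prefix_dir}/usr/local/etc/pkg/repos"
    /usr/bin/printf "# HardenedBSD are now disabled by default on Vulture\n# Vulture repositories should be enough to go by, but you can delete this file if you want to enable default HBSD repos again\nHardenedBSD: { enabled: no }\n" > "${prefix_dir}/usr/local/etc/pkg/repos/HardenedBSD.disabled.conf"

    /bin/echo -n "[*]${_log_header} Backing up default configurations:"
    for conf in "${prefix_dir}"/etc/hbsd-update*.conf ; do
        conf=$(basename "${conf}")
        if [ ! -f "${prefix_dir}/var/backups/${conf}.bak" ]; then
            /bin/echo -n "."
            /bin/mv "${prefix_dir}/etc/$conf" "${prefix_dir}/var/backups/${conf}.bak"
        fi
    done
    /bin/echo "."
    /bin/echo "[*]${_log_header} Backups kept at ${prefix_dir}/var/backups/"
    /bin/echo "[-]${_log_header} Done"

    /bin/echo -n "[+]${_log_header} Updating repositories "
    if [ -n "$prefix_dir" ]; then
        /bin/echo -n "at $prefix_dir"
    else
        /bin/echo -n "on system"
    fi

    # Each file is downloaded once per run; later prefixes reuse temp_dir.
    if [ ! -f "${temp_dir}/${vulture_conf}" ]; then
        /usr/local/bin/wget -q "${pkg_url}${vulture_conf}" --directory-prefix="${temp_dir}" || finalize 1 "[/] Failed to download ${vulture_conf}"
        /bin/echo -n "."
    fi

    /bin/cp -f "${temp_dir}/${vulture_conf}" "${prefix_dir}/etc/pkg/${vulture_conf}"
    /bin/echo -n "."

    if [ ! -f "${temp_dir}/${pkg_ca}" ]; then
        /usr/local/bin/wget -q "${pkg_url}${pkg_ca}" --directory-prefix="${temp_dir}" || finalize 1 "[/] Failed to download $pkg_ca"
        /bin/echo -n "."
    fi

    # Trust anchor for pkg signature verification (see NOTE(review) above)
    /bin/mkdir -p "${prefix_dir}/usr/share/keys/pkg/trusted" && /bin/cp -f "${temp_dir}/${pkg_ca}" "${prefix_dir}/usr/share/keys/pkg/trusted/${pkg_ca}"
    /bin/echo -n "."

    if [ ! -f "${temp_dir}/${vulture_update_conf}" ]; then
        /usr/local/bin/wget -q "${update_url}${vulture_update_conf}" --directory-prefix="${temp_dir}" || finalize 1 "[/] Failed to download $vulture_update_conf"
        /bin/echo -n "."
    fi

    /bin/mkdir -p "${prefix_dir}/etc" && /bin/cp -f "${temp_dir}/${vulture_update_conf}" "${prefix_dir}/etc/${vulture_update_conf}"
    /bin/echo -n "."

    if [ ! -f "${temp_dir}/${vulture_update_ca}" ]; then
        /usr/local/bin/wget -q "${update_url}${vulture_update_ca}" --directory-prefix="${temp_dir}" || finalize 1 "[/] Failed to download $vulture_update_ca"
        /bin/echo -n "."
    fi

    # Trust anchor for hbsd-update verification (see NOTE(review) above)
    /bin/mkdir -p "${prefix_dir}/usr/share/keys/hbsd-update/trusted/" && /bin/cp -f "${temp_dir}/${vulture_update_ca}" "${prefix_dir}/usr/share/keys/hbsd-update/trusted/${vulture_update_ca}"
    /bin/echo "."
}

update_repositories "$1"

finalize

# --------------------------------------------------------------------------------
# /home/vlt-adm/system/time.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Ask for the NTP server to use (current value from /etc/rc.conf.ntp, else
# the FreeBSD pool) and hand it to write_ntp.sh through sudo.

# A private scratch file for dialog: mktemp avoids the predictable
# /var/tmp/dialog$$ name in a shared directory, and the trap removes it on
# every exit path (cancel included, which previously left it behind).
tmp_file="$(/usr/bin/mktemp /var/tmp/dialog.XXXXXX)" || exit 1
trap 'rm -f "$tmp_file"' EXIT
trap 'rm -f "$tmp_file"; exit 1' INT TERM

current_ntp="0.freebsd.pool.ntp.org"
if [ -f /etc/rc.conf.ntp ] ; then
    current_ntp="$(/bin/cat /etc/rc.conf.ntp)"
fi

# dialog writes the answer on stderr, hence the 2> redirection
if /usr/bin/dialog --title "Vulture NTP setting" --inputbox "Enter NTP server address" 8 60 "$current_ntp" 2> "$tmp_file"; then
    if [ -f "$tmp_file" ]; then
        ntp=$(/bin/cat "$tmp_file")
        /usr/local/bin/sudo /home/vlt-adm/system/write_ntp.sh "${ntp}"
    fi
fi

# --------------------------------------------------------------------------------
# /home/vlt-adm/system/update_system.sh:
# --------------------------------------------------------------------------------
#!/bin/sh
# Upgrade the node: system/kernel (hbsd-update or freebsd-update) and
# packages, on the host and in the jails. Options are described in usage().
# This file continues past this block.

COLOR_RESET='\033[0m'
COLOR_RED='\033[0;31m'
TEXT_BLINK='\033[5m'

#############
# variables #
#############
# Defaults; the option parser (further down in the file) overrides them.
temp_dir=""                # -t: where downloads are stored (default set in initialize)
resolve_strategy="mf"      # -r: etcupdate resolve strategy fed to hbsd-update
system_version=""          # -V: custom hbsd-update version (installed with -U)
keep_temp_dir=0            # -T / -D
do_update_system=1         # -u clears it
do_update_packages=1       # -s clears it
download_only=0            # -D
use_dnssec=0               # -d
clean_cache=0              # -c
cron_was_up=0              # set by initialize, used to restore services
vultured_was_up=0          # idem

#############
# functions #
#############
usage() {
    echo "USAGE ${0} OPTIONS"
    echo "OPTIONS:"
    echo " -D only download packages/system updates in temporary dir (implies -T)"
    echo " -T keep temporary directory"
    echo " -V set a custom system update package (as specified by 'hbsd-update -v', only available on HBSD)"
    echo " -c clean pkg cache and tempdir at the end of the script (incompatible with -T and -D)"
    echo " -d use dnssec while downloading HardenedBSD updates (disabled by default)"
    echo " -u do not update system/kernel, only \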
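update packages"
    echo " -s do not update packages, only update system/kernel"
    echo " -t tmpdir temporary directory to use (default is /tmp/vulture_update/, only available on HBSD)"
    echo " -r strategy (non-interactive) resolve strategy to pass to hbsd-update script while upgrading system configuration files (see man etcupdate for more info, default is 'mf')"
    exit 1
}

# download_system_update download_dir [jail]
# Fetch (but do not install) the system update into download_dir, for the
# host or for the given jail. Returns 1 when the fetch fails.
download_system_update() {
    download_dir="$1"
    jail="$2"

    if [ -f /usr/sbin/hbsd-update ] ; then
        options=""
        if [ $use_dnssec -eq 0 ]; then options="${options} -d"; fi
        if [ -n "$jail" ] ; then
            if [ -d /.jail_system ]; then
                # upgrade base jail_system root with local hbsd-update.conf (for "thin" jails)
                options="${options} -nr /.jail_system/"
            else
                # use -j flag from hbsd-update to let it handle upgrade of "full" jail
                options="${options} -nj $jail"
            fi
        fi
        if [ -n "$system_version" ]; then
            # Add -U as non-last update versions cannot be verified
            echo "[!] Custom version of system update selected, this version will be installed without signature verification!"
            options="${options} -v $system_version -U"
        fi
        # Store (-t) and keep (-T) downloads to $download_dir for later use
        # Do not install update yet (-f)
        # An existing update.tar is reused as-is: initialize() checks the
        # ownership of the download directory for that reason.
        if [ ! -f "${download_dir}/update.tar" ]; then
            # Previously the status was read after the "fi", where a skipped
            # download reported 0 regardless; test the command directly.
            /usr/sbin/hbsd-update -t "$download_dir" -T -f $options || return 1
        fi
    else
        /usr/sbin/freebsd-update --not-running-from-cron fetch > /dev/null || return 1
    fi
}

# Returns 0 when the active boot environment is also the one selected for the
# next boot (bectl "NR"/"RN"), i.e. nothing is pending. Otherwise writes a
# warning to the motd and returns 1. Note the name: success means *no*
# pending BE, callers use it as `has_pending_be || exit 1`.
has_pending_be() {
    if /sbin/bectl list -H | cut -f 2 | grep -qE "(RN|NR)"; then
        return 0
    else
        sed -i '' '/Upgrade:/d' /var/run/motd
        /usr/bin/printf "${COLOR_RED}${TEXT_BLINK}Upgrade: the system has a pending new Boot Environment, please restart your machine to apply!${COLOR_RESET}\n" | tee -a /var/run/motd
        return 1
    fi
}

# Returns 0 when userland (uname -U) and running kernel (uname -K) report the
# same version, i.e. no reboot is pending; otherwise warns in the motd and
# returns 1. Same naming caveat as has_pending_be.
has_upgraded_kernel() {
    if [ "$(uname -U)" -eq "$(uname -K)" ]; then
        return 0
    else
        sed -i '' '/Upgrade:/d' /var/run/motd
        /usr/bin/printf "${COLOR_RED}${TEXT_BLINK}Upgrade: the system has a pending kernel/userland upgrade, please restart your machine to apply!${COLOR_RESET}\n" | tee -a /var/run/motd
        return 1
    fi
}

# update_system download_dir [jail]
# Install the previously downloaded system update (hbsd-update) or the
# fetched freebsd-update, for the host or the given jail. Returns 1 on failure.
update_system() {
    download_dir="$1"
    jail="$2"
    # Start from a clean option list: this function is called several times
    # (host and jails) and previously kept the options of the previous call
    # (e.g. "-j <jail>") when no jail was given.
    options=""
    if [ -f /usr/sbin/hbsd-update ] ; then
        # If a jail is specified, execute update in it
        if [ -n "$jail" ] ; then
            if [ -d /.jail_system ]; then
                # upgrade base jail_system root with local hbsd-update.conf (for "thin" jails)
                options="-r /.jail_system/"
            else
                # use -j flag from hbsd-update to let it handle upgrade of "full" jail
                options="-j $jail"
            fi
        fi
        if [ -n "$system_version" ]; then
            # Add -U as non-last update versions cannot be verified
            echo "[!] Custom version of system update selected, this version will be installed without signature verification!"
            options="${options} -v $system_version -U"
        fi
        # Store (-t) and keep (-T) downloads to $download_dir for later use
        # Previous download should be present in the 'download_dir' folder already
        if [ -n "$resolve_strategy" ] ; then
            # echo resolve strategy to hbsd-update for non-interactive resolution of conflicts in /etc/ via etcupdate
            /usr/bin/yes "$resolve_strategy" | /usr/sbin/hbsd-update -d -t "$download_dir" -T -D $options
        else
            /usr/sbin/hbsd-update -d -t "$download_dir" -T -D $options
        fi
        if [ $? -ne 0 ] ; then return 1 ; fi
    else
        # If jail, just install do not fetch
        if [ -n "$jail" ] ; then options="-b /zroot/$jail" ; fi
        /usr/sbin/freebsd-update $options install > /dev/null || return 1
    fi
}


# Pre-upgrade setup: sanity checks, maintenance mode, stop vultured and cron,
# relax secadm/harden_rtld, unlock Vulture packages. finalize() undoes it.
initialize() {
    if [ "$(/usr/bin/id -u)" != "0" ]; then
        /bin/echo "This script must be run as root" 1>&2
        exit 1
    fi

    has_pending_be || exit 1
    has_upgraded_kernel || exit 1

    # Create temporary directory if none specified. Done before any service is
    # touched so a refusal here leaves the system as it was. /tmp is shared:
    # a directory someone else pre-created there would have its update.tar
    # reused by download_system_update, so it must be a root-owned real dir.
    temp_dir=${temp_dir:="/tmp/vulture_update"}
    if [ -L "$temp_dir" ] || { [ -e "$temp_dir" ] && [ "$(/usr/bin/stat -f %u "$temp_dir")" != "0" ]; }; then
        /bin/echo "[!] ${temp_dir} is a symlink or not owned by root, refusing to use it" 1>&2
        exit 1
    fi
    mkdir -p "$temp_dir" || { /bin/echo "[!] Could not create ${temp_dir}" 1>&2; exit 1; }

    echo "[$(date +%Y-%m-%dT%H:%M:%S+00:00)] Beginning upgrade"

    # finalize is defined later in the file; the trap only resolves the name
    # when the signal arrives.
    trap finalize SIGINT

    /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py toggle_maintenance --on 2>/dev/null || true

    if /usr/sbin/service vultured status > /dev/null; then
        vultured_was_up=1
        /usr/sbin/service vultured stop
    fi

    # Proxy settings written by proxy.sh (which restricts the value's charset)
    if [ -f /etc/rc.conf.proxy ]; then
        . /etc/rc.conf.proxy
        export http_proxy=${http_proxy}
        export https_proxy=${https_proxy}
        export ftp_proxy=${ftp_proxy}
    fi

    # Disable secadm rules if on an HardenedBSD system
    if [ -f /usr/sbin/hbsd-update ] ; then
        echo "[+] Disabling root secadm rules"
        /usr/sbin/service secadm stop || echo "Could not disable secadm rules"
        echo "[-] Done."

        for jail in "mongodb" "apache" "portal"; do
            echo "[+] [${jail}] Disabling secadm rules"
            /usr/sbin/jexec $jail /usr/sbin/service secadm stop || echo "Could not disable secadm rules"
            echo "[-] Done."
        done
    fi

    # Disable harden_rtld: currently breaks many packages upgrade
    _was_rtld=$(/sbin/sysctl -n hardening.harden_rtld)
    /sbin/sysctl hardening.harden_rtld=0
    for jail in "haproxy" "mongodb" "redis" "apache" "portal" "rsyslog"; do
        # one _was_rtld_<jail> variable per jail, restored by finalize
        eval "_was_rtld_${jail}=$(/usr/sbin/jexec $jail /sbin/sysctl -n hardening.harden_rtld)"
        /usr/sbin/jexec $jail /sbin/sysctl hardening.harden_rtld=0 > /dev/null
    done

    # Unlock Vulture packages
    echo "[+] Unlocking Vulture packages..."
    /usr/sbin/pkg unlock -y vulture-base vulture-gui vulture-haproxy vulture-mongodb vulture-redis vulture-rsyslog
    echo "[-] Done."

    if /usr/sbin/service cron status > /dev/null; then
        cron_was_up=1
        process_match="manage.py crontab run "
        # Disable cron during upgrades
        echo "[+] Disabling cron..."
        /usr/sbin/service cron stop
        if /bin/pgrep -qf "${process_match}"; then
            echo "[*] Stopping currently running crons..."
            # send a SIGTERM to close scripts cleanly, if pwait expires after 10m, force kill all remaining scripts
            /bin/pkill -15 -f "${process_match}"
            if ! /bin/pgrep -f "${process_match}" | /usr/bin/xargs /bin/pwait -t10m; then
                # printf instead of "echo -e" so the colour escapes do not
                # depend on the shell's echo implementation
                /usr/bin/printf "${COLOR_RED}%s${COLOR_RESET}\n" "[!] Some crons still running after 10 minutes, forcing remaining crons to stop!"
                /bin/pgrep -lf "${process_match}"
                /bin/pkill -9 -lf "${process_match}"
            fi
        fi
        echo "[-] Cron disabled"
    fi
}


# finalize [err_code [err_message]]
# Undo initialize(): clean the temp dir (unless -T/-D), re-enable secadm and
# harden_rtld, re-lock packages ... (the function continues past this block).
finalize() {
    # set default in case err_code is not specified
    err_code=$1
    err_message=$2
    # does not work with '${1:=0}' if $1 is not set...
    err_code=${err_code:=0}


    if [ -n "$err_message" ]; then
        echo ""
        echo "[!] ${err_message}"
        echo ""
    fi

    if [ $keep_temp_dir -eq 0 ]; then
        echo "[+] Cleaning temporary dir..."
        /bin/rm -rf "$temp_dir"
        echo "[-] Done."
    fi

    # Re-enable secadm rules if on an HardenedBSD system
    if [ -f /usr/sbin/hbsd-update ] ; then
        echo "[+] Enabling root secadm rules"
        /usr/sbin/service secadm start || echo "Could not enable secadm rules"
        echo "[-] Done."

        for jail in "mongodb" "apache" "portal"; do
            echo "[+] [${jail}] Enabling secadm rules"
            /usr/sbin/jexec $jail /usr/sbin/service secadm start || echo "Could not enable secadm rules"
            echo "[-] Done."
        done
    fi

    # Reset harden_rtld to its previous value (saved per jail by initialize)
    /sbin/sysctl hardening.harden_rtld="${_was_rtld}"
    for jail in "haproxy" "mongodb" "redis" "apache" "portal" "rsyslog"; do
        eval "/usr/sbin/jexec $jail /sbin/sysctl hardening.harden_rtld=\$_was_rtld_$jail" > /dev/null
    done

    # Lock Vulture packages
    echo "[+] Lock Vulture packages..."
    /usr/sbin/pkg lock -y vulture-base vulture-gui vulture-haproxy vulture-mongodb vulture-redis vulture-rsyslog
    echo "[-] Done."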
251 | 252 | # Be sure to restart dnsmasq: No side-effect and it deals with dnsmasq configuration changes 253 | /usr/sbin/service dnsmasq restart 254 | 255 | if [ $cron_was_up -eq 1 ]; then 256 | # Restart cron after upgrade 257 | echo "[+] Restarting cron..." 258 | /usr/sbin/service cron start 259 | echo "[-] Cron restarted" 260 | fi 261 | 262 | /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py toggle_maintenance --off 2>/dev/null || true 263 | 264 | if [ $vultured_was_up -eq 1 ]; then 265 | # Restart Vultured after upgrade 266 | /usr/sbin/service vultured start 267 | fi 268 | 269 | has_pending_be 270 | has_upgraded_kernel 271 | 272 | echo "[$(date +%Y-%m-%dT%H:%M:%S+00:00)] Upgrade finished!" 273 | exit $err_code 274 | } 275 | 276 | 277 | #################### 278 | # parse parameters # 279 | #################### 280 | while getopts 'hDTV:cdust:r:' opt; do 281 | case "${opt}" in 282 | D) download_only=1; 283 | keep_temp_dir=1; 284 | ;; 285 | T) keep_temp_dir=1; 286 | ;; 287 | V) system_version="${OPTARG}"; 288 | ;; 289 | c) clean_cache=1; 290 | ;; 291 | d) use_dnssec=1; 292 | ;; 293 | u) do_update_system=0; 294 | ;; 295 | s) do_update_packages=0; 296 | ;; 297 | t) temp_dir="${OPTARG}"; 298 | ;; 299 | r) resolve_strategy="${OPTARG}"; 300 | ;; 301 | *) usage; 302 | ;; 303 | esac 304 | done 305 | shift $((OPTIND-1)) 306 | 307 | if [ $clean_cache -gt 0 -a $keep_temp_dir -gt 0 -o $clean_cache -gt 0 -a $download_only -gt 0 ]; then 308 | echo "[!] 
Cannot activate -c if -D or -T are set" 309 | exit 1 310 | fi 311 | 312 | initialize 313 | 314 | if [ $do_update_packages -gt 0 ]; then 315 | IGNORE_OSVERSION="yes" /usr/sbin/pkg update -f || finalize 1 "Could not update list of packages" 316 | fi 317 | 318 | if [ $download_only -gt 0 ]; then 319 | if [ $do_update_packages -gt 0 ]; then 320 | # Fetch updated packages for root system 321 | IGNORE_OSVERSION="yes" /usr/sbin/pkg fetch -yu || finalize 1 "Failed to download new packages" 322 | # fetch updated packages for each jail 323 | for jail in "haproxy" "apache" "portal" "mongodb" "redis" "rsyslog" ; do 324 | IGNORE_OSVERSION="yes" /usr/sbin/pkg -j $jail update -f || finalize 1 "Could not update list of packages for jail ${jail}" 325 | IGNORE_OSVERSION="yes" /usr/sbin/pkg -j $jail fetch -yu || finalize 1 "Failed to download new packages for jail ${jail}" 326 | done 327 | fi 328 | if [ $do_update_system -gt 0 ]; then 329 | download_system_update ${temp_dir} || finalize 1 "Failed to download system upgrades" 330 | fi 331 | # exit here, everything has been downloaded 332 | finalize 333 | fi 334 | 335 | if [ $do_update_system -gt 0 ]; then 336 | /bin/echo "[+] Updating system..." 337 | download_system_update ${temp_dir} || finalize 1 "Failed to download system upgrades" 338 | update_system ${temp_dir} || finalize 1 "Failed to install system upgrades" 339 | secadm_version="$(/usr/sbin/pkg query '%At:%Av' secadm | /usr/bin/grep "FreeBSD_version" | /usr/bin/cut -d : -f 2)" 340 | if [ -n "$secadm_version" ] && [ "$secadm_version" -lt "$(uname -U)" ]; then 341 | echo "Forcing upgrade of secadm packages (kernel version mismatch)" 342 | /usr/sbin/pkg upgrade -yf secadm secadm-kmod 343 | for jail in "haproxy" "apache" "portal" "mongodb" "redis" "rsyslog" ; do 344 | /usr/sbin/pkg -j "$jail" upgrade -yf secadm 345 | done 346 | fi 347 | /bin/echo "[-] Done." 
fi

# Per-jail update loop.  With no positional argument every jail is handled;
# with one, only the jail named by $1.  The order inside the loop is
# deliberate: base system first, then the jail's own packages, then the
# host-side vulture-<jail> package, then a restart tailored to the jail.
for jail in "haproxy" "redis" "mongodb" "rsyslog" ; do
    if [ -z "$1" -o "$1" == "$jail" ] ; then
        /bin/echo "[+] Updating $jail..."

        if [ $do_update_system -gt 0 ]; then
            /bin/echo "[+] Updating jail $jail base system files..."
            download_system_update "$temp_dir" "$jail" || finalize 1 "Failed to download system upgrades for jail ${jail}"
            update_system "$temp_dir" "$jail" || finalize 1 "Failed to install system upgrades in jail ${jail}"
            echo "[-] Ok."
        fi

        if [ $do_update_packages -gt 0 ]; then
            /bin/echo "[+] Updating jail $jail packages..."
            IGNORE_OSVERSION="yes" /usr/sbin/pkg -j "$jail" update -f || finalize 1 "Could not update list of packages for jail ${jail}"
            IGNORE_OSVERSION="yes" /usr/sbin/pkg -j "$jail" upgrade -y || finalize 1 "Could not upgrade packages for jail ${jail}"
            # Upgrade vulture-$jail AFTER, in case of "pkg -j $jail upgrade" has removed some permissions... (like redis)
            # (vulture-<jail> is installed on the host, not in the jail; it presumably re-applies the jail's file permissions)
            IGNORE_OSVERSION="yes" /usr/sbin/pkg upgrade -y "vulture-$jail" || finalize 1 "Could not upgrade vulture-${jail}"
            echo "[-] Ok."
        fi

        # Bring the jail's service back up with the new binaries/config
        case "$jail" in
            rsyslog)
                /usr/sbin/jexec "$jail" /usr/sbin/service rsyslogd restart
                ;;
            mongodb)
                /usr/sbin/jexec "$jail" /usr/sbin/service mongod restart
                # TODO Force disable pageexec and mprotect on the mongo executable
                # there seems to be a bug currently with secadm when rules are pre-loaded on executables in packages
                # which is the case for latest mongodb36-3.6.23
                # NOTE(review): this turns off the PaX PAGEEXEC and MPROTECT
                # mitigations for /usr/local/bin/mongo on every update; it is a
                # workaround, not a hardening setting, and should go once the
                # secadm issue above is resolved.
                /usr/sbin/jexec "$jail" /usr/sbin/hbsdcontrol pax disable pageexec /usr/local/bin/mongo
                /usr/sbin/jexec "$jail" /usr/sbin/hbsdcontrol pax disable mprotect /usr/local/bin/mongo
                ;;
            redis)
                # sentinel is stopped around the redis restart so it does not trigger a failover
                /usr/sbin/jexec "$jail" /usr/sbin/service sentinel stop
                /usr/sbin/jexec "$jail" /usr/sbin/service redis restart
                /usr/sbin/jexec "$jail" /usr/sbin/service sentinel start
                ;;
            haproxy)
                if /usr/sbin/jexec "$jail" /usr/sbin/service haproxy status > /dev/null ; then
                    # Reload gracefully (keeps existing connections)
                    /bin/echo "[*] reloading haproxy service..."
                    /usr/sbin/jexec "$jail" /usr/sbin/service haproxy reload
                else
                    # Start service
                    /bin/echo "[*] starting haproxy service..."
                    /usr/sbin/jexec "$jail" /usr/sbin/service haproxy start
                fi
                ;;
            *)
                # every jail in the loop has its own case above; kept as a safety net
                /usr/sbin/jexec "$jail" /usr/sbin/service "$jail" restart
                ;;
        esac
        echo "[-] $jail updated."
    fi
done

# GUI (apache + portal jails): with no argument or "gui".  vulture-gui is a
# host package and is upgraded before the jails' own packages; gunicorn is
# stopped during the package phase and both jails are restarted at the end
# regardless of which phases ran.
if [ -z "$1" -o "$1" == "gui" ] ; then
    echo "[+] Updating GUI..."
    if [ $do_update_packages -gt 0 ]; then
        /usr/sbin/jexec apache /usr/sbin/service gunicorn stop
        /usr/sbin/jexec portal /usr/sbin/service gunicorn stop
        echo "[+] Updating apache and portal jails' packages..."
        IGNORE_OSVERSION="yes" /usr/sbin/pkg upgrade -y vulture-gui || finalize 1 "Failed to upgrade package vulture-gui"

        /bin/echo "[+] Reloading dnsmasq..."
        # Ensure dnsmasq is up-to-date, as it could be modified during vulture-gui upgrade
        /usr/sbin/service dnsmasq reload || /usr/sbin/service dnsmasq restart
        /bin/echo "[-] dnsmasq reloaded"

        IGNORE_OSVERSION="yes" /usr/sbin/pkg -j apache update -f || finalize 1 "Failed to update the list of packages for the apache jail"
        IGNORE_OSVERSION="yes" /usr/sbin/pkg -j portal update -f || finalize 1 "Failed to update the list of packages for the portal jail"
        IGNORE_OSVERSION="yes" /usr/sbin/pkg -j apache upgrade -y || finalize 1 "Failed to upgrade packages in the apache jail"
        IGNORE_OSVERSION="yes" /usr/sbin/pkg -j portal upgrade -y || finalize 1 "Failed to upgrade packages in the portal jail"
        echo "[-] Ok."
    fi

    if [ $do_update_system -gt 0 ]; then
        echo "[+] Updating jail apache base system files..."
        download_system_update "$temp_dir" "apache" || finalize 1 "Failed to download system upgrades for jail apache"
        update_system "$temp_dir" "apache" || finalize 1 "Failed to install system upgrades in jail apache"
        echo "[-] Ok."
        echo "[+] Updating jail portal base system files..."
        download_system_update "$temp_dir" "portal" || finalize 1 "Failed to download system upgrades for jail portal"
        update_system "$temp_dir" "portal" || finalize 1 "Failed to install system upgrades in jail portal"
        echo "[-] Ok."
    fi
    /usr/sbin/jexec apache /usr/sbin/service gunicorn restart
    /usr/sbin/jexec apache /usr/sbin/service nginx restart
    /usr/sbin/jexec portal /usr/sbin/service gunicorn restart
    echo "[-] GUI updated."
fi

# Host base package (vulture-base): only in a full run (no argument)
if [ -z "$1" ] ; then
    if [ $do_update_packages -gt 0 ]; then
        echo "[+] Updating vulture-base ..."
        IGNORE_OSVERSION="yes" /usr/sbin/pkg upgrade -y vulture-base || finalize 1 "Failed to upgrade vulture-base"

        /bin/echo "[+] Reloading dnsmasq..."
# Ensure dnsmasq is up-to-date, as it could be modified during vulture-base upgrade
        /usr/sbin/service dnsmasq reload || /usr/sbin/service dnsmasq restart
        /bin/echo "[-] dnsmasq reloaded"

        echo "[-] Vulture-base updated"
    fi
fi


# Full run only: upgrade every remaining host package
if [ -z "$1" ] ; then
    if [ $do_update_packages -gt 0 ]; then
        echo "[+] Updating all packages on system..."
        IGNORE_OSVERSION="yes" /usr/sbin/pkg upgrade -y || finalize 1 "Error while upgrading packages"
        echo "[-] All packages updated"
    fi
fi

# -c: drop the pkg caches (refused earlier when -D/-T asked to keep downloads)
if [ $clean_cache -gt 0 ]; then
    echo "[+] Cleaning pkg cache..."
    /usr/sbin/pkg clean -ay
    echo "[-] Done."
    for jail in "haproxy" "apache" "portal" "mongodb" "redis" "rsyslog" ; do
        echo "[+] Cleaning pkg cache in jail ${jail}..."
        /usr/sbin/pkg -j $jail clean -ay
        echo "[-] Done."
    done
fi

# normal exit: restore everything initialize() changed and exit 0
finalize
--------------------------------------------------------------------------------
/home/vlt-adm/system/upgrade_to_13.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env sh
# In-place migration of a Vulture node to HardenedBSD 13, in two reboots:
# phase 1 updates the base system of every jail and of the host (into a new
# Boot Environment) and reboots; phase 2, re-entered through an @reboot cron
# entry, upgrades the packages and reboots again.  See the entry point at the
# bottom of the file.

SCRIPT=$(realpath "$0")
FOLDER="${SCRIPT%/*}"

COLOR_OFF='\033[0m'
COLOR_RED='\033[0;31m'

# Download directory; also holds the "upgrading" marker that selects phase 2.
# It sits under world-writable /var/tmp: whoever can write here can influence
# both the update archive and the phase selection, so it must stay root-only.
temp_dir="/var/tmp/update"
# Name of the BE created for the host update (reassigned in update_system)
new_be="Vulture-HBSD13-$(date -Idate)"

# Fetch the base system update into $temp_dir unless an archive is already
# there (the same download is reused for the host and every jail).  Aborts
# through finalize() on failure.
download_system_update(){
    if [ ! -f ${temp_dir}/update.tar ]; then
        /bin/echo "[+] Downloading system update"
        /usr/sbin/hbsd-update -t "$temp_dir" -T -f || finalize 1 "[/] System update download failed"
        /bin/echo "[-] Done"
    fi
}

# Apply the downloaded update to a jail ($1 = jail name) or, with no argument,
# to the host inside a new Boot Environment whose name is stored in the global
# $new_be for restart_and_continue().  "mf" is fed to every etcupdate conflict
# prompt so the run is non-interactive.
update_system(){
    # usage update_system [ jail basedir ]
    download_system_update
    options=""
    jail="$1"
    if [ -n "$jail" ] ; then
        options="${options} -n -j $jail"
    else
        new_be="Vulture-HBSD13-$(date +%Y%m%d%H%M%S)"
        options="${options} -b $new_be"
    fi
    /bin/echo "[+] Updating base system..."
    /usr/bin/yes "mf" | /usr/sbin/hbsd-update -d -t "$temp_dir" -T -D $options || finalize 1 "[/] System update failed"
    /bin/echo "[-] Done with update"
}

# Phase 2 package work: re-bootstrap pkg for the new OS version, refresh the
# catalogue, fetch everything for host and jails first (so a download failure
# aborts before anything is replaced), then force-upgrade host packages with
# the Vulture meta-packages temporarily unlocked.
update_packages(){
    /bin/echo "[+] Bootstrap pkg"
    IGNORE_OSVERSION="yes" /usr/sbin/pkg bootstrap -fy || finalize 1 "Could not bootstrap pkg"
    /bin/echo "[-] Done"
    /bin/echo "[+] Updating root pkg repository catalogue"
    IGNORE_OSVERSION="yes" /usr/sbin/pkg update -f || finalize 1 "Could not update list of packages"
    /bin/echo "[-] Done"
    /bin/echo "[+] Clear pkg cache before fetching"
    IGNORE_OSVERSION="yes" /usr/sbin/pkg clean -ya || finalize 1 "Could not clear pkg cache"
    /bin/echo "[-] Done clearing pkg cache"
    # Fetch updated packages for root system
    IGNORE_OSVERSION="yes" /usr/sbin/pkg fetch -yu || finalize 1 "Failed to download packages"
    # Fetch updated packages for jails
    for jail in "haproxy" "rsyslog" "redis" "mongodb" "portal" "apache" ; do
        IGNORE_OSVERSION="yes" /usr/sbin/pkg -j $jail fetch -yu || finalize 1 "Failed to download packages for jail $jail"
    done
    /bin/echo "[-] Done"

    /bin/echo "[+] Upgrading host system packages"
    /usr/sbin/pkg unlock -y vulture-base vulture-gui vulture-haproxy vulture-mongodb vulture-redis vulture-rsyslog
    IGNORE_OSVERSION="yes" /usr/sbin/pkg upgrade -fy || finalize 1 "Failed to upgrade packages"
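# (update_packages, continued) re-lock the Vulture meta-packages
    /usr/sbin/pkg lock -y vulture-base vulture-gui vulture-haproxy vulture-mongodb vulture-redis vulture-rsyslog
    /bin/echo "[-] Done"

    /bin/echo "[+] Reloading dnsmasq..."
    # the vulture-gui upgrade may have rewritten the dnsmasq configuration
    /usr/sbin/service dnsmasq reload || /usr/sbin/service dnsmasq restart
    /bin/echo "[-] dnsmasq reloaded"

    /bin/echo "[+] Upgrading jail's packages"
    for jail in "haproxy" "rsyslog" "redis" "mongodb" "portal" "apache" ; do
        IGNORE_OSVERSION="yes" /usr/sbin/pkg -j "$jail" upgrade -fy || finalize 1 "Failed to upgrade packages on jail $jail"
    done
    /bin/echo "[-] Done"

    # secadm's kernel module must match the new kernel: reinstall, load, restart.
    # Absolute path for kldload: this phase runs from the @reboot cron entry,
    # whose PATH is not guaranteed to contain /sbin.
    /bin/echo "[+] Upgrading secadm"
    IGNORE_OSVERSION="yes" /usr/sbin/pkg upgrade -fy secadm secadm-kmod
    /bin/echo "[-] Done"
    /sbin/kldload secadm
    /usr/sbin/service secadm restart

    /bin/echo "[+] Cleaning pkg cache..."
    IGNORE_OSVERSION="yes" /usr/sbin/pkg clean -ay
    for jail in "haproxy" "rsyslog" "redis" "mongodb" "portal" "apache" ; do
        IGNORE_OSVERSION="yes" /usr/sbin/pkg -j "$jail" clean -ay
    done
    /bin/echo "[-] Done"
}


# End of phase 1: arm a one-shot @reboot cron entry inside the new Boot
# Environment ($new_be, set by update_system) so this same script resumes
# after the reboot, adjust the motd of that BE, drop the "upgrading" marker
# that selects phase 2 at the top level, and reboot.  Never returns.
restart_and_continue(){
    /bin/echo "[+] Setting up startup script to continue upgrade..."
    tmp_be_mount="$(/usr/bin/mktemp -d)"
    /sbin/bectl mount "$new_be" "$tmp_be_mount" || finalize 1 "Could not mount Boot Environment"
    /bin/echo "@reboot root sleep 60 && /bin/sh $SCRIPT" > "${tmp_be_mount}/etc/cron.d/vulture_update" || finalize 1 "[/] Failed to setup startup script"
    # Replace the last motd line with an upgrade-in-progress warning and make
    # login(1) show the runtime motd (/var/run/motd) instead of /etc/motd
    /usr/bin/sed -i '' '$s/.*/Upgrade in progress, your machine will reboot shortly, please wait patiently!/' "${tmp_be_mount}/etc/motd.template"
    /usr/bin/sed -i '' 's+welcome=/etc/motd+welcome=/var/run/motd+' "${tmp_be_mount}/etc/login.conf"
    /usr/bin/cap_mkdb "${tmp_be_mount}/etc/login.conf"
    /sbin/bectl umount "$new_be" || /bin/echo "[!] Could not unmount ${new_be} from ${tmp_be_mount}"
    /bin/rmdir "$tmp_be_mount" 2>/dev/null
    /usr/bin/touch "${temp_dir}/upgrading"
    /bin/echo "[-] Ok"
    /bin/echo "[+] Rebooting system"
    /sbin/shutdown -r now
    /bin/echo "[-] Ok"
    exit 0
}


# End of phase 2: schedule leaving maintenance mode on the next boot, remove
# the download directory, fix the motd, list the BEs for the operator and
# reboot once more.  Never returns.
clean_and_restart() {
    /bin/echo "[+] Cleaning up..."
    # toggle_maintenance is a Django management command: run it as vlt-os like
    # every other call in these scripts rather than as root, which is
    # inconsistent and risks leaving root-owned files under /home/vlt-os.
    # The entry removes itself once the command has succeeded.
    /bin/echo "@reboot root sleep 60 && /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py toggle_maintenance --off && /bin/rm /etc/cron.d/vulture_update" > "/etc/cron.d/vulture_update"

    /bin/echo "[+] Cleaning temporary dir..."
    /bin/rm -rf "$temp_dir"
    /bin/echo "[-] Done"

    /bin/echo "" >> /etc/motd.template
    /usr/bin/sed -i '' '$s/.*/Your system is now on HardenedBSD 13, welcome back!/' /etc/motd.template

    /usr/bin/printf "${COLOR_RED}"
    /bin/echo "WARNING: a new Boot Environment was created during the upgrade, please review existing BEs and delete those no longer necessary!"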
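# (clean_and_restart, continued) show the BE list in red, then reboot
    /sbin/bectl list -H
    /usr/bin/printf "${COLOR_OFF}"

    /bin/echo "[+] Rebooting system"
    /sbin/shutdown -r now

    exit 0
}


# Error/abort path and SIGINT handler: print the message, remove the download
# directory, re-enable secadm (host and jails), restart dnsmasq, disarm the
# @reboot cron entry and exit.
#   $1  exit code (default 0)
#   $2  optional message printed in red as "[!] ..."
finalize() {
    err_code="${1:-0}"
    err_message="$2"

    if [ -n "$err_message" ]; then
        /bin/echo ""
        /usr/bin/printf "[!] ${COLOR_RED}${err_message}${COLOR_OFF}\n"
        /bin/echo ""
    fi

    /bin/echo "[+] Cleaning temporary dir..."
    if [ -n "$temp_dir" ]; then
        /bin/rm -rf "$temp_dir"
    fi
    /bin/echo "[-] Done"

    /bin/echo "[+] Enabling root secadm rules"
    /usr/sbin/service secadm start || /bin/echo "Could not enable secadm rules"
    /bin/echo "[-] Done"

    for jail in "mongodb" "apache" "portal"; do
        /bin/echo "[+] [${jail}] Enabling secadm rules"
        /usr/sbin/jexec "$jail" /usr/sbin/service secadm start || /bin/echo "Could not enable secadm rules"
        /bin/echo "[-] Done"
    done

    # harmless, and picks up any dnsmasq configuration change
    /usr/sbin/service dnsmasq restart

    # make sure the continuation job cannot fire after an aborted upgrade
    /bin/rm -f /etc/cron.d/vulture_update

    exit "$err_code"
}

usage() {
    /bin/echo "USAGE ${0} [-y]"
    /bin/echo "OPTIONS:"
    /bin/echo "   -y    start the upgrade without asking for user confirmation (implicit consent)"
    exit 1
}

# Common setup for both phases: root check, SIGINT trap, proxy exports,
# download directory and disabling of the secadm rules (restored by finalize()).
initialize() {
    if [ "$(/usr/bin/id -u)" != "0" ]; then
        /bin/echo "This script must be run as root" 1>&2
        exit 1
    fi

    # report failure on Ctrl-C instead of the exit 0 a bare `finalize` gives
    trap 'finalize 130 "Upgrade interrupted"' INT

    if [ -f /etc/rc.conf.proxy ]; then
        . /etc/rc.conf.proxy
        export http_proxy="${http_proxy}"
        export https_proxy="${https_proxy}"
        export ftp_proxy="${ftp_proxy}"
    fi

    # $temp_dir lives under world-writable /var/tmp and holds both the update
    # archive and the "upgrading" marker that selects phase 2.  A directory
    # pre-created there by another local user would let them plant either, so
    # insist on a root-owned real directory and close it to other users.
    # Nothing has been changed yet at this point, so a plain exit is enough.
    if ! /bin/mkdir -p "$temp_dir"; then
        /bin/echo "Could not create temporary directory ${temp_dir}" 1>&2
        exit 1
    fi
    if [ -L "$temp_dir" ] || [ "$(/usr/bin/stat -f %u "$temp_dir")" != "0" ]; then
        /bin/echo "Refusing to use ${temp_dir}: it must be a root-owned directory, not a symlink" 1>&2
        exit 1
    fi
    /bin/chmod 700 "$temp_dir"

    /bin/echo "[+] Disabling root secadm rules"
    /usr/sbin/service secadm stop || /bin/echo "Could not disable secadm rules"
    /bin/echo "[-] Done"

    for jail in "mongodb" "apache" "portal"; do
        /bin/echo "[+] [${jail}] Disabling secadm rules"
        /usr/sbin/jexec "$jail" /usr/sbin/service secadm stop || /bin/echo "Could not disable secadm rules"
        /bin/echo "[-] Done"
    done
}


# Refuse to migrate while any vulture-* package still has a newer version in
# the current repository: update_system.sh must run first.
check_preconditions(){
    if /usr/sbin/pkg version -qRl '<' | grep 'vulture-' > /dev/null; then
        # Show necessary packages to be updated
        /usr/bin/printf "${COLOR_RED}"
        /usr/sbin/pkg version -qRl '<' | grep 'vulture-'
        /usr/bin/printf "${COLOR_OFF}"
        finalize 1 "Some packages are not up to date, please run /home/vlt-adm/system/update_system.sh before trying to migrate"
    fi
}


# Stop every Vulture service (host daemon, cron jobs, jail services) before
# the package upgrade of phase 2.  Absolute paths throughout: this phase is
# started by the @reboot cron entry, whose PATH is not guaranteed to include
# /usr/sbin, and a "jexec: not found" would be silenced by the `|| true`.
stop_services(){
    /bin/echo "[+] Stopping vultured..."
    /usr/sbin/service vultured stop || /usr/bin/true
    /bin/echo "[-] Done"

    if /usr/sbin/service cron status > /dev/null; then
        /bin/echo "[+] Stopping crontabs..."
        process_match="manage.py crontab run "
        echo "[+] Disabling cron..."
        /usr/sbin/service cron stop
        if /bin/pgrep -qf "${process_match}"; then
            echo "[*] Stopping currently running crons..."
            # SIGTERM first so the Django jobs can exit cleanly; SIGKILL whatever
            # is still there when pwait gives up after 10 minutes
            /bin/pkill -15 -f "${process_match}"
            if ! /bin/pgrep -f "${process_match}" | /usr/bin/xargs /bin/pwait -t10m; then
                /usr/bin/printf "\033[0;31m[!] Some crons still running after 10 minutes, forcing remaining crons to stop!\033[0m\n"
                /bin/pgrep -lf "${process_match}"
                /bin/pkill -9 -lf "${process_match}"
            fi
        fi
        echo "[-] Cron disabled"
    fi

    /bin/echo "[+] [apache] Stopping nginx..."
    /usr/sbin/jexec apache /usr/sbin/service nginx stop || /usr/bin/true
    /bin/echo "[-] Done"
    /bin/echo "[+] [apache] Stopping gunicorn..."
    /usr/sbin/jexec apache /usr/sbin/service gunicorn stop || /usr/bin/true
    /bin/echo "[-] Done"

    /bin/echo "[+] Stopping mongodb..."
    /usr/sbin/jexec mongodb /usr/sbin/service mongod stop || /usr/bin/true
    /bin/echo "[-] Done"

    /bin/echo "[+] Stopping rsyslog..."
    /usr/sbin/jexec rsyslog /usr/sbin/service rsyslogd stop || /usr/bin/true
    /bin/echo "[-] Done"

    /bin/echo "[+] [portal] Stopping gunicorn..."
    /usr/sbin/jexec portal /usr/sbin/service gunicorn stop || /usr/bin/true
    /bin/echo "[-] Done"

    /bin/echo "[+] [haproxy] Stopping haproxy..."
    /usr/sbin/jexec haproxy /usr/sbin/service haproxy stop || /usr/bin/true
    /bin/echo "[-] Done"

    /bin/echo "[+] [redis] Stopping redis..."
    /usr/sbin/jexec redis /usr/sbin/service redis stop || /usr/bin/true
    /bin/echo "[-] Done"
}

###############################################################################
# Entry point.  Phase 1 (no marker): confirm, update the base system of the
# jails and the host into a new BE, then reboot (restart_and_continue).
# Phase 2 (marker present, run by the @reboot cron entry): stop services,
# upgrade packages, clean up and reboot again (clean_and_restart).
###############################################################################
if [ ! -e "${temp_dir}/upgrading" ] ; then
    _run_ok=0

    while getopts "y" flag; do
        case "${flag}" in
            y) _run_ok=1 ;;
            *) usage ;;
        esac
    done

    answer=""
    if [ "$_run_ok" -ne 1 ]; then
        /bin/echo -n "Do you wish to upgrade your node? It will become unavailable while it downloads and installs upgrades for the base system, jails and packages! [yN]: "
        read -r answer
        case "${answer}" in
            y|Y|yes|Yes|YES)
                # confirmed, continue
                ;;
            *) /bin/echo "Upgrade canceled."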
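# (case "${answer}", continued) anything but yes aborts before any change
                exit 0;
                ;;
        esac
    fi

    if [ "$(uname -K)" -gt 1300000 ]; then
        /bin/echo "Your system seems to already be on HBSD13, nothing to do!"
        /usr/bin/head -25 /etc/motd > /etc/motd.template
        exit 0
    else
        initialize

        check_preconditions

        /bin/echo "Upgrade started!"

        /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py toggle_maintenance --on 2>/dev/null || true

        # Switch the host, then every jail, to the new package repositories and
        # update each jail's base system (all share the single download in $temp_dir)
        "${FOLDER}/register_vulture_repos.sh"
        for jail in "portal" "apache" "haproxy" "rsyslog" "redis" "mongodb"; do
            "${FOLDER}/register_vulture_repos.sh" "/zroot/${jail}"
            update_system "$jail"
        done

        # Host last: this creates the Boot Environment restart_and_continue arms
        update_system
        /bin/echo "[-] Done updating host system"

        restart_and_continue
    fi
else
    initialize

    # Phase 2 runs unattended from cron: keep everything in a log file and
    # restore the original stdout/stderr on exit or signal
    log_file=/var/log/upgrade_to_13.log
    /bin/echo "Output will be sent to $log_file"

    exec 3>&1 4>&2
    trap 'exec 2>&4 1>&3' 0 1 2 3
    exec 1>>"$log_file" 2>&1

    /bin/echo "Beginning Upgrade"

    # the repositories must be registered again now that the system version changed
    "${FOLDER}/register_vulture_repos.sh"

    stop_services
    update_packages

    clean_and_restart
fi
--------------------------------------------------------------------------------
/home/vlt-adm/system/write_aliases.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Point the root, vlt-adm and vlt-os mail aliases at the address given as $1
# and rebuild the alias databases.  $1 is operator-supplied (this runs as
# root, presumably through sudo from the GUI), so it is validated before it
# is spliced into a sed replacement and appended to /etc/mail/aliases.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

target="$1"
# An empty value would write "root: " (a broken alias); a newline, '#' or ':'
# could inject further alias lines; '/', '&' and '\' are special in the sed
# replacement below; '|' or a leading '/' would make sendmail deliver to a
# command or file.  Plain addresses (and comma-separated lists of them) need
# none of these.
case "${target}" in
    ""|*[!A-Za-z0-9@._+, -]*)
        /bin/echo "Invalid alias target: '${target}'" 1>&2
        exit 1
        ;;
esac

# Replace the existing "name: ..." line in /etc/mail/aliases, or append one
set_alias() {
    alias_name="$1"
    if grep -q "^${alias_name}:" /etc/mail/aliases; then
        sed -i '' -E "s/^${alias_name}:.*/${alias_name}: ${target}/" /etc/mail/aliases
    else
        echo "${alias_name}: ${target}" >> /etc/mail/aliases
    fi
}

set_alias root
set_alias vlt-adm
set_alias vlt-os

# sendmail and postfix alias databases (on FreeBSD /etc/aliases is normally a
# symlink to /etc/mail/aliases -- verify on this install if postalias complains)
/usr/bin/newaliases
postalias /etc/aliases
--------------------------------------------------------------------------------
/home/vlt-adm/system/write_hostname.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Rewrite local name resolution after a hostname / management-IP change: make
# sure /etc/hosts has the loopback and per-jail entries, map the management IP
# to the node's hostname, propagate the hostname to the Django .env files and
# to every jail, then reload dnsmasq.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

ip="$(/usr/sbin/sysrc -f /etc/rc.conf.d/network -n management_ip 2> /dev/null)"
# $hostname comes from rc.conf
. /etc/rc.conf

# Both values are written into /etc/hosts and $ip is used as a regex: with
# either one empty the script would append a dangling " hostname" line and sed
# would fail on an empty pattern.
if [ -z "$ip" ] || [ -z "$hostname" ]; then
    /bin/echo "management_ip (/etc/rc.conf.d/network) and hostname (/etc/rc.conf) must both be set" 1>&2
    exit 1
fi
# Escape the dots so "10.1.1.1" only matches itself in the patterns below
ip_re="$(printf '%s' "$ip" | sed 's/[.]/\\./g')"
host_re="$(printf '%s' "$hostname" | sed 's/[.]/\\./g')"

# Append the loopback/jail pairs that are still missing.  The match is a
# plain substring on the whole file, as before.
add_hosts_entry() {
    if ! grep -q "$1" /etc/hosts; then
        shift
        for hosts_line in "$@"; do
            /bin/echo "$hosts_line" >> /etc/hosts
        done
    fi
}
add_hosts_entry localhost "::1 localhost" "127.0.0.1 localhost"
add_hosts_entry mongodb "fd00::202 mongodb" "127.0.0.2 mongodb"
add_hosts_entry redis "fd00::203 redis" "127.0.0.3 redis"
add_hosts_entry rsyslog "fd00::204 rsyslog" "127.0.0.4 rsyslog"
add_hosts_entry haproxy "fd00::205 haproxy" "127.0.0.5 haproxy"
add_hosts_entry apache "127.0.0.6 apache" "fd00::206 apache"
add_hosts_entry portal "127.0.0.7 portal" "fd00::207 portal"

# Map the management IP to the hostname: replace an existing line keyed on
# the IP, else one keyed on the hostname, else append.
if grep -Eq "^${ip_re}[[:space:]]" /etc/hosts; then
    /usr/bin/sed -i '' "/^${ip_re}[[:space:]]/c\\
${ip} ${hostname}
" /etc/hosts
elif grep -Eq "[[:space:]]${host_re}$" /etc/hosts; then
    /usr/bin/sed -i '' "/[[:space:]]${host_re}$/c\\
${ip} ${hostname}
" /etc/hosts
else
    /bin/echo "${ip} ${hostname}" >> /etc/hosts
fi

#TODO deprecate file
/bin/echo "${hostname}" > /etc/host-hostname
if [ -f /home/vlt-os/vulture_os/vulture_os/.env ]; then
    /usr/sbin/sysrc -f /home/vlt-os/vulture_os/vulture_os/.env VULTURE_HOSTNAME="${hostname}"
fi
if [ -f /home/vlt-os/vulture_os/portal/.env ]; then
    /usr/sbin/sysrc -f /home/vlt-os/vulture_os/portal/.env VULTURE_HOSTNAME="${hostname}"
fi

# Inside the mongodb jail the node's own name must resolve to the jail's
# loopback address
/bin/cp /etc/hosts /zroot/mongodb/etc/hosts
/usr/bin/sed -i '' "s/${ip_re}/127.0.0.2/" /zroot/mongodb/etc/hosts

# Per-jail hostname file and resolver.  Each jail's resolv.conf names the jail
# itself; how "nameserver <jailname>" is served is not visible here -- check
# the dnsmasq setup before changing it.
for jail in apache mongodb redis rsyslog haproxy portal; do
    #TODO deprecate file
    /bin/echo "${hostname}" > "/zroot/${jail}/etc/host-hostname"
    /bin/echo "nameserver ${jail}" > "/zroot/${jail}/etc/resolv.conf"
done

# Reload dnsmasq service to account for potential changes in /etc/hosts
/usr/sbin/service dnsmasq reload
--------------------------------------------------------------------------------
/home/vlt-adm/system/write_ntp.sh: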
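--------------------------------------------------------------------------------
#!/bin/sh
# Point the node at a single NTP server ($1): record it in /etc/rc.conf.ntp,
# step the clock once with ntpdate, write a minimal /etc/ntp.conf and restart
# ntpd.  $1 is operator-supplied (this runs as root, presumably through sudo)
# and is written verbatim into the here-document, so it is validated first.

if [ "$(/usr/bin/id -u)" != "0" ]; then
    /bin/echo "This script must be run as root" 1>&2
    exit 1
fi

ntp_server="$1"
# A hostname, IPv4 or IPv6 literal only: whitespace or a newline in the value
# would add arbitrary directives (e.g. a permissive "restrict") to ntp.conf.
case "${ntp_server}" in
    ""|*[!A-Za-z0-9._:-]*)
        /bin/echo "Invalid NTP server: '${ntp_server}'" 1>&2
        exit 1
        ;;
esac

/bin/echo "${ntp_server}" > /etc/rc.conf.ntp
/bin/echo "Updating time from ${ntp_server} ... "
/usr/sbin/service ntpd stop 2> /dev/null
/usr/sbin/ntpdate "${ntp_server}"

cat << EOF > /etc/ntp.conf
tos minclock 3 maxclock 6

server ${ntp_server} iburst

restrict default limited kod nomodify notrap noquery nopeer
restrict source limited kod nomodify notrap noquery

restrict 127.0.0.1
restrict ::1

leapfile "/var/db/ntpd.leap-seconds.list"
EOF


/usr/sbin/service ntpd start 2> /dev/null
--------------------------------------------------------------------------------
/home/vlt-os/run/.vulturekeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VultureProject/vulture-base/0667ebb4c58e064dbeb22f5bfa711e7a63625034/home/vlt-os/run/.vulturekeep
--------------------------------------------------------------------------------
/usr/local/bin/free:
--------------------------------------------------------------------------------
#!/usr/local/bin/perl
##
## freebsd-memory -- List Total System Memory Usage
## Copyright (c) 2003-2004 Ralf S. Engelschall
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.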
14 | ## 15 | ## THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 | ## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 | ## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 | ## ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE 19 | ## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 | ## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 | ## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 | ## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 | ## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 | ## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 | ## SUCH DAMAGE. 26 | ## 27 | 28 | # query the system through the generic sysctl(8) interface 29 | # (this does not require special priviledges) 30 | my $sysctl = {}; 31 | my $sysctl_output = `/sbin/sysctl -a`; 32 | foreach my $line (split(/\n/, $sysctl_output)) { 33 | if ($line =~ m/^([^:]+):\s+(.+)\s*$/s) { 34 | $sysctl->{$1} = $2; 35 | } 36 | } 37 | 38 | # round the physical memory size to the next power of two which is 39 | # reasonable for memory cards. We do this by first determining the 40 | # guessed memory card size under the assumption that usual computer 41 | # hardware has an average of a maximally eight memory cards installed 42 | # and those are usually of equal size. 43 | sub mem_rounded { 44 | my ($mem_size) = @_; 45 | my $chip_size = 1; 46 | my $chip_guess = ($mem_size / 8) - 1; 47 | while ($chip_guess != 0) { 48 | $chip_guess >>= 1; 49 | $chip_size <<= 1; 50 | } 51 | my $mem_round = (int($mem_size / $chip_size) + 1) * $chip_size; 52 | return $mem_round; 53 | } 54 | 55 | # determine the individual known information 56 | # NOTICE: forget hw.usermem, it is just (hw.physmem - vm.stats.vm.v_wire_count). 
57 | # NOTICE: forget vm.stats.misc.zero_page_count, it is just the subset of 58 | # vm.stats.vm.v_free_count which is already pre-zeroed. 59 | my $mem_hw = &mem_rounded($sysctl->{"hw.physmem"}); 60 | my $mem_phys = $sysctl->{"hw.physmem"}; 61 | my $mem_all = $sysctl->{"vm.stats.vm.v_page_count"} * $sysctl->{"hw.pagesize"}; 62 | my $mem_wire = $sysctl->{"vm.stats.vm.v_wire_count"} * $sysctl->{"hw.pagesize"}; 63 | my $mem_active = $sysctl->{"vm.stats.vm.v_active_count"} * $sysctl->{"hw.pagesize"}; 64 | my $mem_inactive = $sysctl->{"vm.stats.vm.v_inactive_count"} * $sysctl->{"hw.pagesize"}; 65 | my $mem_cache = $sysctl->{"vm.stats.vm.v_cache_count"} * $sysctl->{"hw.pagesize"}; 66 | my $mem_free = $sysctl->{"vm.stats.vm.v_free_count"} * $sysctl->{"hw.pagesize"}; 67 | 68 | # determine the individual unknown information 69 | my $mem_gap_vm = $mem_all - ($mem_wire + $mem_active + $mem_inactive + $mem_cache + $mem_free); 70 | my $mem_gap_sys = $mem_phys - $mem_all; 71 | my $mem_gap_hw = $mem_hw - $mem_phys; 72 | 73 | # determine logical summary information 74 | my $mem_total = $mem_hw; 75 | my $mem_avail = $mem_inactive + $mem_cache + $mem_free; 76 | my $mem_used = $mem_total - $mem_avail; 77 | 78 | # information annotations 79 | my $info = { 80 | "mem_wire" => 'Wired: disabled for paging out', 81 | "mem_active" => 'Active: recently referenced', 82 | "mem_inactive" => 'Inactive: recently not referenced', 83 | "mem_cache" => 'Cached: almost avail. 
for allocation', 84 | "mem_free" => 'Free: fully available for allocation', 85 | "mem_gap_vm" => 'Memory gap: UNKNOWN', 86 | "mem_all" => 'Total real memory managed', 87 | "mem_gap_sys" => 'Memory gap: Kernel?!', 88 | "mem_phys" => 'Total real memory available', 89 | "mem_gap_hw" => 'Memory gap: Segment Mappings?!', 90 | "mem_hw" => 'Total real memory installed', 91 | "mem_used" => 'Logically used memory', 92 | "mem_avail" => 'Logically available memory', 93 | "mem_total" => 'Logically total memory', 94 | }; 95 | 96 | # print system results 97 | printf("SYSTEM MEMORY INFORMATION:\n"); 98 | printf("mem_wire: %12d (%7dMB) [%3d%%] %s\n", $mem_wire, $mem_wire / (1024*1024), ($mem_wire / $mem_all) * 100, $info->{"mem_wire"}); 99 | printf("mem_active: + %12d (%7dMB) [%3d%%] %s\n", $mem_active, $mem_active / (1024*1024), ($mem_active / $mem_all) * 100, $info->{"mem_active"}); 100 | printf("mem_inactive:+ %12d (%7dMB) [%3d%%] %s\n", $mem_inactive, $mem_inactive / (1024*1024), ($mem_inactive / $mem_all) * 100, $info->{"mem_inactive"}); 101 | printf("mem_cache: + %12d (%7dMB) [%3d%%] %s\n", $mem_cache, $mem_cache / (1024*1024), ($mem_cache / $mem_all) * 100, $info->{"mem_cache"}); 102 | printf("mem_free: + %12d (%7dMB) [%3d%%] %s\n", $mem_free, $mem_free / (1024*1024), ($mem_free / $mem_all) * 100, $info->{"mem_free"}); 103 | printf("mem_gap_vm: + %12d (%7dMB) [%3d%%] %s\n", $mem_gap_vm, $mem_gap_vm / (1024*1024), ($mem_gap_vm / $mem_all) * 100, $info->{"mem_gap_vm"}); 104 | printf("-------------- ------------ ----------- ------\n"); 105 | printf("mem_all: = %12d (%7dMB) [100%%] %s\n", $mem_all, $mem_all / (1024*1024), $info->{"mem_all"}); 106 | printf("mem_gap_sys: + %12d (%7dMB) %s\n", $mem_gap_sys, $mem_gap_sys / (1024*1024), $info->{"mem_gap_sys"}); 107 | printf("-------------- ------------ -----------\n"); 108 | printf("mem_phys: = %12d (%7dMB) %s\n", $mem_phys, $mem_phys / (1024*1024), $info->{"mem_phys"}); 109 | printf("mem_gap_hw: + %12d (%7dMB) %s\n", $mem_gap_hw, 
$mem_gap_hw / (1024*1024), $info->{"mem_gap_hw"}); 110 | printf("-------------- ------------ -----------\n"); 111 | printf("mem_hw: = %12d (%7dMB) %s\n", $mem_hw, $mem_hw / (1024*1024), $info->{"mem_hw"}); 112 | 113 | # print logical results 114 | printf("\n"); 115 | printf("SYSTEM MEMORY SUMMARY:\n"); 116 | printf("mem_used: %12d (%7dMB) [%3d%%] %s\n", $mem_used, $mem_used / (1024*1024), ($mem_used / $mem_total) * 100, $info->{"mem_used"}); 117 | printf("mem_avail: + %12d (%7dMB) [%3d%%] %s\n", $mem_avail, $mem_avail / (1024*1024), ($mem_avail / $mem_total) * 100, $info->{"mem_avail"}); 118 | printf("-------------- ------------ ----------- ------\n"); 119 | printf("mem_total: = %12d (%7dMB) [100%%] %s\n", $mem_total, $mem_total / (1024*1024), $info->{"mem_total"}); 120 | 121 | -------------------------------------------------------------------------------- /usr/local/bin/pfctl-get_management.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | #This script automatically create an IP management address 4 | management_ip="$(/sbin/ifconfig | /usr/bin/grep inet | /usr/bin/grep -v '127.0.0.1' \ 5 | | /usr/bin/grep -v ' ::1 ' | /usr/bin/grep -v 'fd00::20' | /usr/bin/grep -v 'fe80:' \ 6 | | /usr/bin/awk '{print $2}' | /usr/bin/awk -vRS="" -vOFS=' ' '$1=$1' | /usr/bin/sed -e 's/ .*//')" 7 | # Ip no management IP - exit 8 | if [ -z "$management_ip" ] ; then 9 | /bin/echo "Management IP address is null - please select 'Management' and retry." 
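>> /dev/stderr
    exit 1
fi
/usr/sbin/sysrc -f /etc/rc.conf.d/network management_ip="$(/bin/echo "$management_ip")"
--------------------------------------------------------------------------------
/usr/local/bin/pfctl-init.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# pfctl-init.sh - restore the bootstrap PF configuration.
#
# Reads the management address saved in /etc/rc.conf.d/network (written by
# pfctl-get_management.sh) and writes /usr/local/etc/pf.conf with the NAT,
# RDR and pass rules the jails need before Vulture OS regenerates the file.
# When the management address is IPv6 the jail side of every rule uses the
# fd00::20x aliases, otherwise the 127.0.0.x loopback aliases.
#
# Exits 1 (message on stderr) when no management address is configured.

management_ip="$(/usr/sbin/sysrc -f /etc/rc.conf.d/network -n management_ip 2> /dev/null)"
# If no management IP - exit
if [ -z "$management_ip" ] ; then
    /bin/echo "Management IP address is null - please select 'Management' and retry." >> /dev/stderr
    exit 1
fi

# The address was already read above: classify it here instead of querying
# sysrc a second time.  A ':' can only appear in an IPv6 address.
case "$management_ip" in
    *:*) is_ipv6="yes" ;;
    *)   is_ipv6="no"  ;;
esac

# NOTE(review): the two branches do not expose the same services remotely.
# The IPv4 REMOTE_TO_JAIL set redirects 9091, 6379 and 26379 (MongoDB, Redis,
# Sentinel) from any source, while the IPv6 set only redirects 8000 (GUI),
# and the pf.conf comment says "only for GUI".  Confirm which is intended.
if [ "$is_ipv6" = "yes" ]; then
    # IPV6 Management address
    MASQUERADING="nat pass proto tcp from { fd00::202,fd00::203,fd00::204,fd00::205,fd00::206,fd00::207 } to any port 80 -> ${management_ip} # jails -> HTTP
nat pass proto tcp from { fd00::202,fd00::203,fd00::204,fd00::205,fd00::206,fd00::207 } to any port 3128 -> ${management_ip} # jails -> Proxy
nat pass proto tcp from fd00::206 to any port 443 -> ${management_ip} # vultureproject.org
nat pass proto tcp from fd00::206 to ${management_ip} port { 1978,6379,8000,9091 } -> ${management_ip} # Haproxy, Redis, AdminGUI, Mongodb
nat pass proto tcp from fd00::207 to ${management_ip} port { 6379,9091 } -> ${management_ip} # Redis, Mongodb
nat pass proto tcp from fd00::202 to !fd00::202 port 9091 -> ${management_ip} # Mongodb
nat pass proto tcp from fd00::203 to any port 6379 -> ${management_ip} # Redis
nat pass proto tcp from fd00::203 to any port 26379 -> ${management_ip} # Sentinel
nat pass proto tcp from fd00::204 to ${management_ip} port 9091 -> ${management_ip} # Rsyslog -> Mongodb
"
    LOCAL_TO_JAIL="rdr pass proto tcp from ${management_ip} to ${management_ip} port 8000 -> fd00::206
rdr pass proto tcp from ${management_ip} to ${management_ip} port 1978 -> fd00::205
rdr pass proto tcp from any to ${management_ip} port 9091 -> fd00::202
rdr pass proto tcp from any to ${management_ip} port 6379 -> fd00::203
rdr pass proto tcp from any to ${management_ip} port 26379 -> fd00::203
"
    REMOTE_TO_JAIL="rdr pass log proto tcp from any to ${management_ip} port { 8000 } -> fd00::206 port 8000"
    JAIL_INTERCONNECTION="pass quick proto tcp from fd00::205 to fd00::207 port 9000"
else
    # IPV4 Management address
    MASQUERADING="nat pass proto tcp from { 127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.5,127.0.0.6,127.0.0.7 } to any port 80 -> ${management_ip} # jails -> HTTP
nat pass proto tcp from { 127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.5,127.0.0.6,127.0.0.7 } to any port 3128 -> ${management_ip} # jails -> HTTP
nat pass proto tcp from 127.0.0.6 to any port 443 -> ${management_ip} # Apache jail -> vultureproject.org
nat pass proto tcp from 127.0.0.6 to any port { 1978,6379,8000,9091 } -> ${management_ip} # Haproxy, Redis, AdminGUI, Mongodb
nat pass proto tcp from 127.0.0.7 to ${management_ip} port { 6379,9091 } -> ${management_ip} # Redis, Mongodb
nat pass proto tcp from 127.0.0.2 to !127.0.0.2 port 9091 -> ${management_ip} # Mongodb
nat pass proto tcp from 127.0.0.3 to any port 6379 -> ${management_ip} # Redis
nat pass proto tcp from 127.0.0.3 to any port 26379 -> ${management_ip} # Sentinel
nat pass proto tcp from 127.0.0.4 to ${management_ip} port 9091 -> ${management_ip} # Rsyslog -> Mongodb
"
    LOCAL_TO_JAIL="rdr pass proto tcp from ${management_ip} to ${management_ip} port 8000 -> 127.0.0.6
rdr pass proto tcp from ${management_ip} to ${management_ip} port 1978 -> 127.0.0.5
rdr pass proto tcp from any to ${management_ip} port 9091 -> 127.0.0.2
rdr pass proto tcp from any to ${management_ip} port 6379 -> 127.0.0.3
rdr pass proto tcp from any to ${management_ip} port 26379 -> 127.0.0.3
"
    REMOTE_TO_JAIL="rdr pass log proto tcp from any to ${management_ip} port { 8000 } -> 127.0.0.6 port 8000
rdr pass log proto tcp from any to ${management_ip} port { 9091 } -> 127.0.0.2 port 9091
rdr pass log proto tcp from any to ${management_ip} port { 6379 } -> 127.0.0.3 port 6379
rdr pass log proto tcp from any to ${management_ip} port { 26379 } -> 127.0.0.3 port 26379"

    JAIL_INTERCONNECTION="pass quick proto tcp from 127.0.0.5 to 127.0.0.7 port 9000"
fi

# The ruleset is written as one quoted string; the '#' lines inside it are
# pf.conf comments, not shell comments.  The backslash at the end of the SSH
# rule is a shell line continuation, so pf sees that rule on a single line.
# NOTE(review): pf's "overload" option normally names a table
# (overload <name> flush global); confirm the SSH rule loads as written.
/bin/echo "# BOOTSTRAP FIREWALL CONFIG
# THIS WILL BE ERASED BY VULTURE-OS LATER

scrub in all

#Jails Masquerading
${MASQUERADING}

#Local communication to Jails
${LOCAL_TO_JAIL}

#Remote communication to jails (only for GUI)
${REMOTE_TO_JAIL}

#######################

# Generic directives
pass quick on lo0 all
pass quick on lo1 all
pass quick on lo2 all
pass quick on lo3 all
pass quick on lo4 all
pass quick on lo5 all
pass quick on lo6 all
block in log all
#pass in proto icmp6 all
#pass out proto icmp6 all
# ICMP6
# Packet too big (type 2)
# Neighbor Discovery Protocol (NDP) (types 133-137):
# Router Solicitation (RS), Router Advertisement (RA)
# Neighbor Solicitation (NS), Neighbor Advertisement (NA)
# Route Redirection
pass in quick inet6 proto ipv6-icmp icmp6-type { 2, 133, 134, 135, 136, 137 } keep state
pass out all keep state
####################

# ---- Allow SSH for remote administration
pass log quick proto tcp from any to any port 22 flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 3/5, overload flush global)
#########################

# Jails interconnections
${JAIL_INTERCONNECTION}
#########################

" > /usr/local/etc/pf.conf
--------------------------------------------------------------------------------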
/usr/local/etc/cloud/cloud.cfg.d/02_growpart.cfg: -------------------------------------------------------------------------------- 1 | growpart: 2 | mode: gpart 3 | devices: 4 | - /dev/da0p3 5 | - /dev/ada0p3 6 | - /dev/vtbd0p3 -------------------------------------------------------------------------------- /usr/local/etc/cloud/cloud.cfg.d/05_logging.cfg: -------------------------------------------------------------------------------- 1 | ## This yaml formatted config file handles setting 2 | ## logger information. The values that are necessary to be set 3 | ## are seen at the bottom. The top '_log' entries are only used to remove 4 | ## redundancy in a syslog and fallback-to-file case. 5 | ## 6 | ## The 'log_cfgs' entry defines a list of logger configs 7 | ## Each entry in the list is tried, and the first one that 8 | ## works is used. If a log_cfg list entry is an array, it will 9 | ## be joined with '\n'. 10 | _log: 11 | - &log_base | 12 | [loggers] 13 | keys=root,cloudinit 14 | 15 | [handlers] 16 | keys=consoleHandler,cloudLogHandler 17 | 18 | [formatters] 19 | keys=simpleFormatter,arg0Formatter 20 | 21 | [logger_root] 22 | level=DEBUG 23 | handlers=consoleHandler,cloudLogHandler 24 | 25 | [logger_cloudinit] 26 | level=DEBUG 27 | qualname=cloudinit 28 | handlers= 29 | propagate=1 30 | 31 | [handler_consoleHandler] 32 | class=StreamHandler 33 | level=WARNING 34 | formatter=arg0Formatter 35 | args=(sys.stderr,) 36 | 37 | [formatter_arg0Formatter] 38 | format=%(asctime)s - %(filename)s[%(levelname)s]: %(message)s 39 | 40 | [formatter_simpleFormatter] 41 | format=[CLOUDINIT] %(filename)s[%(levelname)s]: %(message)s 42 | - &log_file | 43 | [handler_cloudLogHandler] 44 | class=FileHandler 45 | level=DEBUG 46 | formatter=arg0Formatter 47 | args=('/var/log/cloud-init.log', 'a', 'UTF-8') 48 | - &log_syslog | 49 | [handler_cloudLogHandler] 50 | class=handlers.SysLogHandler 51 | level=DEBUG 52 | formatter=simpleFormatter 53 | args=("/dev/log", handlers.SysLogHandler.LOG_USER) 54 | 
55 | log_cfgs: 56 | # Array entries in this list will be joined into a string 57 | # that defines the configuration. 58 | # 59 | # If you want logs to go to syslog, uncomment the following line. 60 | # - [ *log_base, *log_syslog ] 61 | # 62 | # The default behavior is to just log to a file. 63 | # This mechanism does not depend on a system service to operate. 64 | - [ *log_base, *log_file ] 65 | # A file path can also be used. 66 | # - /etc/log.conf 67 | 68 | # This tells cloud-init to redirect its stdout and stderr to 69 | # 'tee -a /var/log/cloud-init-output.log' so the user can see output 70 | # there without needing to look on the console. 71 | output: {all: '| tee -a /var/log/cloud-init-output.log'} -------------------------------------------------------------------------------- /usr/local/etc/cloud/cloud.cfg.d/10_vulture.cfg: -------------------------------------------------------------------------------- 1 | preserve_hostname: true 2 | manual_cache_clean: true 3 | datasource_list: [NoCloud, Ec2, None] 4 | datasource: 5 | NoCloud: 6 | dsmode: local 7 | Ec2: 8 | strict_id: false 9 | metadata_urls: [ 'http://169.254.169.254:80' ] 10 | timeout: 5 11 | max_wait: 10 12 | 13 | cloud_init_modules: 14 | - migrator 15 | - seed_random 16 | - bootcmd 17 | - write-files 18 | - growpart 19 | - resizefs 20 | - set_hostname 21 | - update_hostname 22 | - update_etc_hosts 23 | - users-groups 24 | - ssh 25 | 26 | cloud_config_modules: 27 | - ssh-import-id 28 | - locale 29 | - set-passwords 30 | - timezone 31 | - disable-ec2-metadata 32 | - runcmd 33 | 34 | cloud_final_modules: 35 | - package-update-upgrade-install 36 | - write-files-deferred 37 | - puppet 38 | - chef 39 | - mcollective 40 | - salt-minion 41 | - reset_rmc 42 | - refresh_rmc_and_interface 43 | - rightscale_userdata 44 | - scripts-vendor 45 | - scripts-per-once 46 | - scripts-per-boot 47 | - scripts-per-instance 48 | - scripts-user 49 | - ssh-authkey-fingerprints 50 | - keys-to-console 51 | - install-hotplug 
52 | - phone-home 53 | - final-message 54 | - power-state-change 55 | 56 | system_info: 57 | # This will affect which distro class gets used 58 | distro: freebsd 59 | # WARNING 'vlt-adm' is set and enabled as default user/pass 60 | # user SHOULD override the default password on cloud installations! 61 | default_user: 62 | name: vlt-adm 63 | plain_text_passwd: vlt-adm 64 | lock_passwd: false 65 | network: 66 | renderers: ['freebsd'] -------------------------------------------------------------------------------- /usr/local/etc/crontab: -------------------------------------------------------------------------------- 1 | SHELL=/bin/sh 2 | PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin 3 | 4 | */5 * * * * root /usr/libexec/atrun 5 | */11 * * * * operator /usr/libexec/save-entropy 6 | 0 * * * * root newsyslog 7 | 1 3 * * * root periodic daily 8 | 15 4 * * 6 root periodic weekly 9 | 30 5 1 * * root periodic monthly 10 | 1,31 0-5 * * * root adjkerntz -a 11 | 12 | -------------------------------------------------------------------------------- /usr/local/etc/dnsmasq.conf: -------------------------------------------------------------------------------- 1 | domain-needed 2 | localise-queries 3 | domain=vulture.lan 4 | expand-hosts 5 | no-negcache 6 | 7 | interface=lo0 8 | 9 | -------------------------------------------------------------------------------- /usr/local/etc/haproxy.d/backend_session.cfg: -------------------------------------------------------------------------------- 1 | #This file is part of Vulture OS. 2 | # 3 | 4 | backend backend_spoa_session 5 | mode tcp 6 | server srv-spoa-session haproxy:12345 check 7 | -------------------------------------------------------------------------------- /usr/local/etc/logrotate.d/vulture.conf: -------------------------------------------------------------------------------- 1 | #This file is part of Vulture OS. 
2 | # 3 | 4 | # Rsyslog files storage 5 | "/zroot/rsyslog/var/log/garbage/*.log" 6 | "/zroot/rsyslog/var/log/haproxy/*.log" { 7 | su root wheel 8 | daily 9 | missingok 10 | rotate 30 11 | compress 12 | delaycompress 13 | create 0640 root wheel 14 | notifempty 15 | dateext 16 | dateformat .%Y-%m-%d 17 | sharedscripts # execute script one time for all log files 18 | postrotate 19 | /usr/sbin/jexec rsyslog /usr/sbin/service rsyslogd reload 20 | endscript 21 | } 22 | # Rsyslog monitor files 23 | "/zroot/rsyslog/var/log/pstats-sec" { 24 | su root wheel 25 | daily 26 | missingok 27 | rotate 1 28 | compress 29 | delaycompress 30 | create 0640 root wheel 31 | notifempty 32 | sharedscripts # execute script one time for all log files 33 | postrotate 34 | /usr/sbin/jexec rsyslog /usr/sbin/service rsyslogd reload 35 | endscript 36 | } 37 | 38 | # Rsyslog monitor files 39 | "/zroot/rsyslog/var/log/pstats" 40 | "/zroot/rsyslog/var/log/rsyslog-failure.log" { 41 | su root wheel 42 | daily 43 | missingok 44 | rotate 7 45 | compress 46 | delaycompress 47 | create 0640 root wheel 48 | notifempty 49 | sharedscripts # execute script one time for all log files 50 | postrotate 51 | /usr/sbin/jexec rsyslog /usr/sbin/service rsyslogd reload 52 | endscript 53 | } 54 | 55 | # Vultured + GUI + Portal files 56 | "/var/log/vulture/os/*.log" 57 | "/zroot/apache/var/log/vulture/os/*.log" 58 | "/zroot/portal/var/log/vulture/os/*.log" 59 | "/zroot/portal/var/log/vulture/portal/*.log"{ 60 | su root vlt-web 61 | daily 62 | missingok 63 | rotate 30 64 | compress 65 | delaycompress 66 | notifempty 67 | copytruncate # Mandatory for django crontabs logs 68 | sharedscripts # execute script one time for all logs 69 | postrotate 70 | /usr/sbin/service vultured restart 71 | /usr/sbin/jexec apache /usr/sbin/service gunicorn reload 72 | /usr/sbin/jexec apache /usr/sbin/service nginx reload 73 | /usr/sbin/jexec portal /usr/sbin/service gunicorn reload 74 | endscript 75 | } 76 | 77 | # MongoDB file 78 | 
"/zroot/mongodb/var/db/mongodb/mongod.log" { 79 | su root mongodb 80 | daily 81 | missingok 82 | rotate 30 83 | compress 84 | delaycompress 85 | notifempty 86 | create 0600 mongodb mongodb 87 | sharedscripts # execute script one time for all logs 88 | postrotate 89 | /bin/sleep 1 ; /usr/bin/pkill -SIGUSR1 mongod ; /bin/rm /zroot/mongodb/var/db/mongodb/mongod.log.*-*-*T*-* 90 | endscript 91 | } 92 | 93 | # HAProxy SPOAs files 94 | "/zroot/haproxy/var/log/spoa/*.log" { 95 | su root wheel 96 | daily 97 | missingok 98 | copytruncate # Permit to prevent restarting 99 | rotate 5 100 | compress 101 | delaycompress 102 | notifempty 103 | create 644 root wheel 104 | } 105 | 106 | 107 | # Darwin files 108 | "/var/log/darwin/*.log" { 109 | su root darwin 110 | daily 111 | missingok 112 | rotate 30 113 | compress 114 | delaycompress 115 | notifempty 116 | # Voluntarily omit permissions - to keep old file's permissions 117 | create 118 | sharedscripts # execute script one time for all logs 119 | postrotate 120 | /usr/sbin/service darwin reload 121 | endscript 122 | } 123 | 124 | # Vulture OS/Kernel files 125 | "/var/log/kernel.log" { 126 | su root wheel 127 | daily 128 | missingok 129 | rotate 30 130 | compress 131 | delaycompress 132 | notifempty 133 | create 0600 root wheel 134 | sharedscripts # execute script one time for all logs 135 | postrotate 136 | /usr/sbin/service syslogd restart 137 | endscript 138 | } 139 | 140 | # Packet Filter logs file 141 | "/var/log/pf/pf.log" 142 | "/var/log/pf/parsed.log" { 143 | su root wheel 144 | daily 145 | missingok 146 | rotate 7 147 | compress 148 | delaycompress 149 | notifempty 150 | create 0600 root wheel 151 | sharedscripts # execute script one time for all logs 152 | postrotate 153 | /usr/sbin/service tshark restart 154 | /usr/sbin/jexec rsyslog /usr/sbin/service rsyslogd reload 155 | endscript 156 | } 157 | 158 | # Temporary communication log files for Rsyslog 159 | "/var/log/api_parser/*.log" { 160 | su root wheel 161 | hourly 
162 | missingok 163 | copytruncate # Permit to prevent restarting 164 | rotate 10 165 | compress 166 | delaycompress 167 | notifempty 168 | create 0640 vlt-os wheel 169 | sharedscripts # execute script one time for all logs 170 | postrotate 171 | /usr/sbin/jexec rsyslog /usr/sbin/service rsyslogd reload 172 | endscript 173 | } 174 | -------------------------------------------------------------------------------- /usr/local/etc/openvpn/openvpn_server.conf: -------------------------------------------------------------------------------- 1 | #This file is part of Vulture 3. 2 | # 3 | #Vulture 3 is free software: you can redistribute it and/or modify 4 | #it under the terms of the GNU General Public License as published by 5 | #the Free Software Foundation, either version 3 of the License, or 6 | #(at your option) any later version. 7 | 8 | #Vulture 3 is distributed in the hope that it will be useful, 9 | #but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | #GNU General Public License for more details. 12 | 13 | #You should have received a copy of the GNU General Public License 14 | #along with Vulture 3. If not, see http://www.gnu.org/licenses/. 
15 | 16 | ########################## WARNING ############################### 17 | # Don't edit this file, it is automatically generated by Vulture # 18 | ########################## WARNING ############################### 19 | 20 | 21 | 22 | local 127.0.0.1 23 | port 1194 24 | 25 | proto tcp 26 | 27 | dev tun 28 | 29 | ca /var/db/pki/ca.pem 30 | cert /var/db/pki/node.cert 31 | key /var/db/pki/node.key 32 | dh /var/db/pki/dh2048.pem 33 | 34 | topology subnet 35 | 36 | server 10.8.0.0 255.255.0.0 37 | 38 | ifconfig-pool-persist ipp.txt 39 | 40 | keepalive 5 15 41 | 42 | ;tls-auth ta.key 0 43 | 44 | cipher AES-256-GCM 45 | 46 | compress lz4-v2 47 | push "compress lz4-v2" 48 | 49 | max-clients 100 50 | 51 | user daemon 52 | group daemon 53 | 54 | persist-key 55 | persist-tun 56 | 57 | status /var/log/openvpn-status.log 58 | log-append /var/log/openvpn.log 59 | 60 | verb 3 61 | mute 10 62 | 63 | ;explicit-exit-notify 1 -------------------------------------------------------------------------------- /usr/local/etc/pkg/repos/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VultureProject/vulture-base/0667ebb4c58e064dbeb22f5bfa711e7a63625034/usr/local/etc/pkg/repos/.gitkeep -------------------------------------------------------------------------------- /usr/local/etc/rc.d/tshark: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # 4 | 5 | # PROVIDE: tshark 6 | # REQUIRE: DAEMON 7 | # BEFORE: securelevel 8 | # KEYWORD: shutdown 9 | 10 | # Add the following line to /etc/rc.conf to enable `tshark': 11 | # 12 | # tshark_enable="YES" 13 | # 14 | 15 | . 
/etc/rc.subr 16 | 17 | name="tshark" 18 | desc="tshark paquet capture for pflog, and more" 19 | rcvar=tshark_enable 20 | start_precmd="tshark_prestart" 21 | stop_postcmd="tshark_poststop" 22 | 23 | load_rc_config $name 24 | 25 | : ${tshark_enable="NO"} 26 | : ${tshark_dumpfile="/tmp/wireshark_pflog0"} 27 | # Limit the size of the tshark temp file for example to 100M -> -b filesize:100000 -b files:1 28 | : ${tshark_options="-b filesize:100000 -b files:1"} 29 | 30 | 31 | tshark_prestart() 32 | { 33 | load_kld pflog || return 1 34 | 35 | # create pflog_dev interface if needed 36 | if ! ifconfig $pflog_dev > /dev/null 2>&1; then 37 | if ! ifconfig $pflog_dev create; then 38 | warn "could not create $pflog_dev." 39 | return 1 40 | fi 41 | fi 42 | 43 | # set pflog_dev interface to up state 44 | if ! ifconfig $pflog_dev up; then 45 | warn "could not bring up $pflog_dev." 46 | return 1 47 | fi 48 | 49 | # Clean previous dumpfiles 50 | if [ -n "${tshark_dumpfile}" ]; then 51 | find ${tshark_dumpfile}* -type f -delete >/dev/null || true 52 | fi 53 | 54 | # report we're ready to run tshark 55 | return 0 56 | } 57 | 58 | tshark_poststop() 59 | { 60 | if ! ifconfig $pflog_dev down; then 61 | warn "could not bring down $pflog_dev." 
62 | return 1 63 | fi 64 | 65 | return 0 66 | } 67 | 68 | tshark_user="root" 69 | pidfile="/var/run/vulture/tshark.pid" 70 | procname="/usr/local/bin/tshark" 71 | command="/usr/sbin/daemon" 72 | command_args="-f -o /var/log/pf/pf.log -p ${pidfile} ${procname} ${tshark_options} -w ${tshark_dumpfile} -n -l -i pflog0 -f \"not arp\" -T fields -E separator=, -e frame.time_epoch -e pflog.action -e ip.ttl -e pflog.dir -e pflog.ifname -e ip.proto -e frame.len -e pflog.rulenr -e ip.src -e tcp.srcport -e udp.srcport -e ip.dst -e tcp.dstport -e udp.dstport" 73 | 74 | pflog_dev="pflog0" 75 | run_rc_command "$1" 76 | -------------------------------------------------------------------------------- /usr/local/etc/rc.d/vultured: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # 4 | 5 | # PROVIDE: vultured 6 | # REQUIRE: jail 7 | # BEFORE: securelevel 8 | # KEYWORD: shutdown 9 | 10 | # Add the following line to /etc/rc.conf to enable `vultured': 11 | # 12 | # vultured_enable="YES" 13 | # 14 | 15 | . /etc/rc.subr 16 | 17 | name="vultured" 18 | rcvar=vultured_enable 19 | 20 | load_rc_config $name 21 | 22 | : ${vultured_enable="NO"} 23 | 24 | vultured_user="vlt-os" 25 | pidfile="/var/run/vulture/vultured.pid" 26 | procname="/home/vlt-os/env/bin/python3" 27 | command="/usr/sbin/daemon" 28 | command_args="-f -p ${pidfile} ${procname} /home/vlt-os/vulture_os/daemons/cluster.py" 29 | 30 | # Redefine status function to use only pid file (solve issue with old python) 31 | status_cmd="${name}_status" 32 | vultured_status() { 33 | if [ -f $pidfile ] ; then 34 | echo "$name is running as pid $(/bin/cat $pidfile)". 35 | exit 0 36 | else 37 | echo "$name is not running." 
38 | exit 1 39 | fi 40 | } 41 | 42 | run_rc_command "$1" 43 | -------------------------------------------------------------------------------- /usr/local/etc/rsyslog.d/05-tpl-00-generic.conf: -------------------------------------------------------------------------------- 1 | template(name="raw_message" type="string" string="%rawmsg%\n") 2 | template(name="recovery" type="string" string="%msg%\n") 3 | template(name="recoveryfile" type="string" string="/var/log/recovery/%SYSLOGTAG%-%timestamp:::date-year%.%timestamp:::date-month%.%timestamp:::date-day%-%timestamp:::date-hour%.log") 4 | template(name="date-rfc3339" type="string" string="%$!timestamp!year%-%$!timestamp!month%-%$!timestamp!day%T%$!timestamp!hour%:%$!timestamp!minute%:%$!timestamp!second%Z") 5 | template(name="darwin_redis_key" type="string" string="%$!mmdarwin!darwin_id%") 6 | template(name="bulkid-template" type="string" string="%$.generated_uuid%") 7 | -------------------------------------------------------------------------------- /usr/local/etc/rsyslog.d/05-tpl-01-haproxy.conf: -------------------------------------------------------------------------------- 1 | 2 | template(name="haproxy" type="list") { 3 | constant(value="{") 4 | constant(value="\"@timestamp\": \"") property(name="$!timestamp") 5 | constant(value="\", \"date_time\": \"") property(name="$!date_time") 6 | constant(value="\", \"bytes_read\": ") property(name="$!bytes_read") 7 | constant(value=", \"captured_request_cookie\": \"") property(name="$!captured_request_cookie" format="json") 8 | constant(value="\", \"captured_response_cookie\": \"") property(name="$!captured_response_cookie" format="json") 9 | constant(value="\", \"hostname\": \"") property(name="$!hostname" format="json") 10 | constant(value="\", \"http_method\": \"") property(name="$!http_method" format="json") 11 | constant(value="\", \"http_path\": \"") property(name="$!http_path" format="json") 12 | constant(value="\", \"http_get_params\": \"") 
property(name="$!http_get_params" format="json") 13 | constant(value="\", \"http_version\": \"") property(name="$!http_version" format="json") 14 | constant(value="\", \"http_user_agent\": \"") property(name="$!http_user_agent" format="json") 15 | constant(value="\", \"http_request_cookies\": \"") property(name="$!http_request_cookies" format="json") 16 | constant(value="\", \"http_request_body\": \"") property(name="$!http_request_body" format="json") 17 | constant(value="\", \"http_request_content_type\": \"") property(name="$!http_request_content_type" format="json") 18 | constant(value="\", \"http_request_host\": \"") property(name="$!http_request_host" format="json") 19 | constant(value="\", \"unique_id\": \"") property(name="$!unique_id") 20 | constant(value="\", \"status_code\": ") property(name="$!status_code") 21 | constant(value=", \"http_request_time\": ") property(name="$!http_request_time") 22 | constant(value=", \"http_idle_time\": ") property(name="$!http_idle_time") 23 | constant(value=", \"handshake_time\": ") property(name="$!handshake_time") 24 | constant(value=", \"unix_timestamp\": ") property(name="$!unix_timestamp") 25 | constant(value=", \"bytes_received\": ") property(name="$!bytes_received") 26 | constant(value=", \"active_conn\": ") property(name="$!active_conn") 27 | constant(value=", \"backend_name\": \"") property(name="$!backend_name" format="json") 28 | constant(value="\", \"beconn\": ") property(name="$!beconn") 29 | constant(value=", \"backend_ip\": \"") property(name="$!backend_ip") 30 | constant(value="\", \"backend_port\": ") property(name="$!backend_port") 31 | constant(value=", \"backend_queue\": ") property(name="$!backend_queue") 32 | constant(value=", \"src_ip\": \"") property(name="$!src_ip") 33 | constant(value="\", \"src_port\": ") property(name="$!src_port") 34 | constant(value=", \"frontend_name\": \"") property(name="$!frontend_name" format="json") 35 | constant(value="\", \"feconn\": ") property(name="$!feconn") 36 | 
constant(value=", \"frontend_ip\": \"") property(name="$!frontend_ip") 37 | constant(value="\", \"frontend_port\": ") property(name="$!frontend_port") 38 | constant(value=", \"pid\": ") property(name="$!pid") 39 | constant(value=", \"retries\": ") property(name="$!retries") 40 | constant(value=", \"request_count\": ") property(name="$!request_count") 41 | constant(value=", \"server_name\": \"") property(name="$!server_name" format="json") 42 | constant(value="\", \"srvconn\": ") property(name="$!srvconn") 43 | constant(value=", \"server_ip\": \"") property(name="$!server_ip") 44 | constant(value="\", \"server_port\": ") property(name="$!server_port") 45 | constant(value=", \"server_queue\": ") property(name="$!server_queue") 46 | constant(value=", \"termination_state\": \"") property(name="$!termination_state") 47 | constant(value="\", \"tags\": \"") property(name="$!iplocation!reputation" format="json") 48 | constant(value="\", \"location\": \"") property(name="$!iplocation!country!iso_code" format="json") 49 | constant(value="\", \"ctx_tags\": \"") property(name="$!ctx_tags" format="json") 50 | constant(value="\", \"darwin_session_error\": \"") property(name="$!darwin_session_error") 51 | constant(value="\", \"darwin_session_score\": \"") property(name="$!darwin_session_score") 52 | constant(value="\", \"advens\": ") property(name="$!advens") 53 | constant(value="}\n") 54 | } 55 | 56 | template(name="haproxy_json" type="list") { 57 | constant(value="{") 58 | constant(value="\"@timestamp\": \"") property(name="$!timestamp") 59 | constant(value="\", \"date_time\": \"") property(name="$!date_time") 60 | constant(value="\", \"bytes_read\": ") property(name="$!bytes_read") 61 | constant(value=", \"captured_request_cookie\": \"") property(name="$!captured_request_cookie" format="json") 62 | constant(value="\", \"captured_response_cookie\": \"") property(name="$!captured_response_cookie" format="json") 63 | constant(value="\", \"hostname\": \"") 
property(name="$!hostname" format="json") 64 | constant(value="\", \"http_method\": \"") property(name="$!http_method" format="json") 65 | constant(value="\", \"http_path\": \"") property(name="$!http_path" format="json") 66 | constant(value="\", \"http_get_params\": \"") property(name="$!http_get_params" format="json") 67 | constant(value="\", \"http_version\": \"") property(name="$!http_version" format="json") 68 | constant(value="\", \"http_user_agent\": \"") property(name="$!http_user_agent" format="json") 69 | constant(value="\", \"http_request_cookies\": \"") property(name="$!http_request_cookies" format="json") 70 | constant(value="\", \"http_request_body\": \"") property(name="$!http_request_body" format="json") 71 | constant(value="\", \"http_request_content_type\": \"") property(name="$!http_request_content_type" format="json") 72 | constant(value="\", \"http_request_host\": \"") property(name="$!http_request_host" format="json") 73 | constant(value="\", \"unique_id\": \"") property(name="$!unique_id") 74 | constant(value="\", \"status_code\": ") property(name="$!status_code") 75 | constant(value=", \"http_request_time\": ") property(name="$!http_request_time") 76 | constant(value=", \"http_idle_time\": ") property(name="$!http_idle_time") 77 | constant(value=", \"handshake_time\": ") property(name="$!handshake_time") 78 | constant(value=", \"unix_timestamp\": ") property(name="$!unix_timestamp") 79 | constant(value=", \"bytes_received\": ") property(name="$!bytes_received") 80 | constant(value=", \"active_conn\": ") property(name="$!active_conn") 81 | constant(value=", \"backend_name\": \"") property(name="$!backend_name" format="json") 82 | constant(value="\", \"beconn\": ") property(name="$!beconn") 83 | constant(value=", \"backend_ip\": \"") property(name="$!backend_ip") 84 | constant(value="\", \"backend_port\": ") property(name="$!backend_port") 85 | constant(value=", \"backend_queue\": ") property(name="$!backend_queue") 86 | constant(value=", 
\"src_ip\": \"") property(name="$!src_ip") 87 | constant(value="\", \"src_port\": ") property(name="$!src_port") 88 | constant(value=", \"frontend_name\": \"") property(name="$!frontend_name" format="json") 89 | constant(value="\", \"feconn\": ") property(name="$!feconn") 90 | constant(value=", \"frontend_ip\": \"") property(name="$!frontend_ip") 91 | constant(value="\", \"frontend_port\": ") property(name="$!frontend_port") 92 | constant(value=", \"pid\": ") property(name="$!pid") 93 | constant(value=", \"retries\": ") property(name="$!retries") 94 | constant(value=", \"request_count\": ") property(name="$!request_count") 95 | constant(value=", \"server_name\": \"") property(name="$!server_name" format="json") 96 | constant(value="\", \"srvconn\": ") property(name="$!srvconn") 97 | constant(value=", \"server_ip\": \"") property(name="$!server_ip") 98 | constant(value="\", \"server_port\": ") property(name="$!server_port") 99 | constant(value=", \"server_queue\": ") property(name="$!server_queue") 100 | constant(value=", \"termination_state\": \"") property(name="$!termination_state") 101 | constant(value="\", \"tags\": \"") property(name="$!iplocation!reputation" format="json") 102 | constant(value="\", \"location\": \"") property(name="$!iplocation!country!iso_code" format="json") 103 | constant(value="\", \"ctx_tags\": \"") property(name="$!ctx_tags" format="json") 104 | constant(value="\", \"darwin_session_error\": \"") property(name="$!darwin_session_error") 105 | constant(value="\", \"darwin_session_score\": \"") property(name="$!darwin_session_score") 106 | constant(value="\", \"advens\": ") property(name="$!advens") 107 | constant(value="}") 108 | } 109 | 110 | 111 | template(name="haproxy_elastic" type="list") { 112 | constant(value="{") 113 | constant(value="\"@timestamp\": \"") property(name="$!timestamp") 114 | constant(value="\", \"date_time\": \"") property(name="$!date_time") 115 | constant(value="\", \"bytes_read\": ") property(name="$!bytes_read") 
116 | constant(value=", \"captured_request_cookie\": \"") property(name="$!captured_request_cookie" format="json") 117 | constant(value="\", \"captured_response_cookie\": \"") property(name="$!captured_response_cookie" format="json") 118 | constant(value="\", \"hostname\": \"") property(name="$!hostname" format="json") 119 | constant(value="\", \"http_method\": \"") property(name="$!http_method" format="json") 120 | constant(value="\", \"http_path\": \"") property(name="$!http_path" format="json") 121 | constant(value="\", \"http_get_params\": \"") property(name="$!http_get_params" format="json") 122 | constant(value="\", \"http_version\": \"") property(name="$!http_version" format="json") 123 | constant(value="\", \"http_user_agent\": \"") property(name="$!http_user_agent" format="json") 124 | constant(value="\", \"http_request_cookies\": \"") property(name="$!http_request_cookies" format="json") 125 | constant(value="\", \"http_request_body\": \"") property(name="$!http_request_body" format="json") 126 | constant(value="\", \"http_request_content_type\": \"") property(name="$!http_request_content_type" format="json") 127 | constant(value="\", \"http_request_host\": \"") property(name="$!http_request_host" format="json") 128 | constant(value="\", \"unique_id\": \"") property(name="$!unique_id") 129 | constant(value="\", \"status_code\": ") property(name="$!status_code") 130 | constant(value=", \"http_request_time\": ") property(name="$!http_request_time") 131 | constant(value=", \"http_idle_time\": ") property(name="$!http_idle_time") 132 | constant(value=", \"handshake_time\": ") property(name="$!handshake_time") 133 | constant(value=", \"unix_timestamp\": ") property(name="$!unix_timestamp") 134 | constant(value=", \"bytes_received\": ") property(name="$!bytes_received") 135 | constant(value=", \"active_conn\": ") property(name="$!active_conn") 136 | constant(value=", \"backend_name\": \"") property(name="$!backend_name" format="json") 137 | constant(value="\", 
\"beconn\": ") property(name="$!beconn") 138 | constant(value=", \"backend_ip\": \"") property(name="$!backend_ip") 139 | constant(value="\", \"backend_port\": ") property(name="$!backend_port") 140 | constant(value=", \"backend_queue\": ") property(name="$!backend_queue") 141 | constant(value=", \"src_ip\": \"") property(name="$!src_ip") 142 | constant(value="\", \"src_port\": ") property(name="$!src_port") 143 | constant(value=", \"frontend_name\": \"") property(name="$!frontend_name" format="json") 144 | constant(value="\", \"feconn\": ") property(name="$!feconn") 145 | constant(value=", \"frontend_ip\": \"") property(name="$!frontend_ip") 146 | constant(value="\", \"frontend_port\": ") property(name="$!frontend_port") 147 | constant(value=", \"pid\": ") property(name="$!pid") 148 | constant(value=", \"retries\": ") property(name="$!retries") 149 | constant(value=", \"request_count\": ") property(name="$!request_count") 150 | constant(value=", \"server_name\": \"") property(name="$!server_name" format="json") 151 | constant(value="\", \"srvconn\": ") property(name="$!srvconn") 152 | constant(value=", \"server_ip\": \"") property(name="$!server_ip") 153 | constant(value="\", \"server_port\": ") property(name="$!server_port") 154 | constant(value=", \"server_queue\": ") property(name="$!server_queue") 155 | constant(value=", \"termination_state\": \"") property(name="$!termination_state") 156 | constant(value="\", \"tags\": \"") property(name="$!iplocation!reputation" format="json") 157 | constant(value="\", \"location\": \"") property(name="$!iplocation!country!iso_code" format="json") 158 | constant(value="\", \"ctx_tags\": \"") property(name="$!ctx_tags" format="json") 159 | constant(value="\", \"darwin_session_error\": \"") property(name="$!darwin_session_error") 160 | constant(value="\", \"darwin_session_score\": \"") property(name="$!darwin_session_score") 161 | constant(value="\", \"advens\": ") property(name="$!advens") 162 | constant(value="}") 163 | } 
164 | 
# haproxy_mongo: a list template made only of property() entries, with no
# constant() pieces. Unlike the JSON-building templates above it does not
# splice values into a hand-built string, so no per-field format="json" appears
# here. Presumably consumed by a field-oriented output such as ommongodb —
# confirm against the action that references this template.
165 | template(name="haproxy_mongo" type="list") {
# "$!timestamp" is exported under the field name "time".
166 | property(name="$!timestamp" outName="time")
167 | property(name="$!date_time")
168 | property(name="$!bytes_read")
169 | property(name="$!captured_request_cookie")
170 | property(name="$!captured_response_cookie")
171 | property(name="$!hostname")
172 | property(name="$!http_method")
173 | property(name="$!http_path")
174 | property(name="$!http_get_params")
175 | property(name="$!http_version")
176 | property(name="$!http_user_agent")
177 | property(name="$!http_request_body")
178 | property(name="$!http_request_cookies")
179 | property(name="$!http_request_content_type")
180 | property(name="$!http_request_host")
181 | property(name="$!unique_id")
182 | property(name="$!status_code")
183 | property(name="$!http_request_time")
184 | property(name="$!http_idle_time")
185 | property(name="$!handshake_time")
# NOTE(review): http_receive_time and http_response_time are exported only by
# the mongo templates; the JSON/elastic templates above do not carry them —
# confirm which field set is authoritative.
186 | property(name="$!http_receive_time")
187 | property(name="$!http_response_time")
188 | property(name="$!unix_timestamp")
189 | property(name="$!bytes_received")
190 | property(name="$!active_conn")
191 | property(name="$!backend_name")
192 | property(name="$!beconn")
193 | property(name="$!backend_ip")
194 | property(name="$!backend_port")
195 | property(name="$!backend_queue")
196 | property(name="$!src_ip")
197 | property(name="$!src_port")
198 | property(name="$!frontend_name")
199 | property(name="$!feconn")
200 | property(name="$!frontend_ip")
201 | property(name="$!frontend_port")
202 | property(name="$!pid")
203 | property(name="$!retries")
204 | property(name="$!request_count")
205 | property(name="$!server_name")
206 | property(name="$!srvconn")
207 | property(name="$!server_ip")
208 | property(name="$!server_port")
209 | property(name="$!server_queue")
210 | property(name="$!termination_state")
# NOTE(review): no $!iplocation fields (reputation / country) are exported
# here, whereas haproxy_tcp_mongo exports them as "tags" and "country" —
# confirm this difference is intended.
211 | property(name="$!ctx_tags")
212 | property(name="$!darwin_session_error")
213 | property(name="$!darwin_session_score")
214 | property(name="$!advens")
215 | }
216 | 
-------------------------------------------------------------------------------- /usr/local/etc/rsyslog.d/05-tpl-01-haproxy_tcp.conf: -------------------------------------------------------------------------------- 1 | 2 | template(name="haproxy_tcp" type="list") { 3 | constant(value="{") 4 | constant(value="\"@timestamp\": \"") property(name="$!timestamp") 5 | constant(value="\", \"date_time\": \"") property(name="$!date_time") 6 | constant(value="\", \"bytes_read\": ") property(name="$!bytes_read") 7 | constant(value=", \"hostname\": \"") property(name="$!hostname" format="json") 8 | constant(value="\", \"unique_id\": \"") property(name="$!unique_id") 9 | constant(value="\", \"status_code\": ") property(name="$!status_code") 10 | constant(value=", \"handshake_time\": ") property(name="$!handshake_time") 11 | constant(value=", \"unix_timestamp\": ") property(name="$!unix_timestamp") 12 | constant(value=", \"bytes_received\": ") property(name="$!bytes_received") 13 | constant(value=", \"active_conn\": ") property(name="$!active_conn") 14 | constant(value=", \"backend_name\": \"") property(name="$!backend_name" format="json") 15 | constant(value="\", \"beconn\": ") property(name="$!beconn") 16 | constant(value=", \"backend_ip\": \"") property(name="$!backend_ip") 17 | constant(value="\", \"backend_port\": ") property(name="$!backend_port") 18 | constant(value=", \"backend_queue\": ") property(name="$!backend_queue") 19 | constant(value=", \"src_ip\": \"") property(name="$!src_ip") 20 | constant(value="\", \"src_port\": ") property(name="$!src_port") 21 | constant(value=", \"frontend_name\": \"") property(name="$!frontend_name" format="json") 22 | constant(value="\", \"feconn\": ") property(name="$!feconn") 23 | constant(value=", \"frontend_ip\": \"") property(name="$!frontend_ip") 24 | constant(value="\", \"frontend_port\": ") property(name="$!frontend_port") 25 | constant(value=", \"pid\": ") property(name="$!pid") 26 | constant(value=", \"retries\": ") 
property(name="$!retries") 27 | constant(value=", \"request_count\": ") property(name="$!request_count") 28 | constant(value=", \"server_name\": \"") property(name="$!server_name" format="json") 29 | constant(value="\", \"srvconn\": ") property(name="$!srvconn") 30 | constant(value=", \"server_ip\": \"") property(name="$!server_ip") 31 | constant(value="\", \"server_port\": ") property(name="$!server_port") 32 | constant(value=", \"server_queue\": ") property(name="$!server_queue") 33 | constant(value=", \"termination_state\": \"") property(name="$!termination_state") 34 | constant(value="\", \"tags\": \"") property(name="$!iplocation!reputation" format="json") 35 | constant(value="\", \"location\": \"") property(name="$!iplocation!country!iso_code" format="json") 36 | constant(value="\", \"ctx_tags\": \"") property(name="$!ctx_tags" format="json") 37 | constant(value="\", \"advens\": ") property(name="$!advens") 38 | constant(value="}\n") 39 | } 40 | 41 | template(name="haproxy_tcp_json" type="list") { 42 | constant(value="{") 43 | constant(value="\"@timestamp\": \"") property(name="$!timestamp") 44 | constant(value="\", \"date_time\": \"") property(name="$!date_time") 45 | constant(value="\", \"bytes_read\": ") property(name="$!bytes_read") 46 | constant(value=", \"hostname\": \"") property(name="$!hostname" format="json") 47 | constant(value="\", \"unique_id\": \"") property(name="$!unique_id") 48 | constant(value="\", \"status_code\": ") property(name="$!status_code") 49 | constant(value=", \"handshake_time\": ") property(name="$!handshake_time") 50 | constant(value=", \"unix_timestamp\": ") property(name="$!unix_timestamp") 51 | constant(value=", \"bytes_received\": ") property(name="$!bytes_received") 52 | constant(value=", \"active_conn\": ") property(name="$!active_conn") 53 | constant(value=", \"backend_name\": \"") property(name="$!backend_name" format="json") 54 | constant(value="\", \"beconn\": ") property(name="$!beconn") 55 | constant(value=", 
\"backend_ip\": \"") property(name="$!backend_ip") 56 | constant(value="\", \"backend_port\": ") property(name="$!backend_port") 57 | constant(value=", \"backend_queue\": ") property(name="$!backend_queue") 58 | constant(value=", \"src_ip\": \"") property(name="$!src_ip") 59 | constant(value="\", \"src_port\": ") property(name="$!src_port") 60 | constant(value=", \"frontend_name\": \"") property(name="$!frontend_name" format="json") 61 | constant(value="\", \"feconn\": ") property(name="$!feconn") 62 | constant(value=", \"frontend_ip\": \"") property(name="$!frontend_ip") 63 | constant(value="\", \"frontend_port\": ") property(name="$!frontend_port") 64 | constant(value=", \"pid\": ") property(name="$!pid") 65 | constant(value=", \"retries\": ") property(name="$!retries") 66 | constant(value=", \"request_count\": ") property(name="$!request_count") 67 | constant(value=", \"server_name\": \"") property(name="$!server_name" format="json") 68 | constant(value="\", \"srvconn\": ") property(name="$!srvconn") 69 | constant(value=", \"server_ip\": \"") property(name="$!server_ip") 70 | constant(value="\", \"server_port\": ") property(name="$!server_port") 71 | constant(value=", \"server_queue\": ") property(name="$!server_queue") 72 | constant(value=", \"termination_state\": \"") property(name="$!termination_state") 73 | constant(value="\", \"tags\": \"") property(name="$!iplocation!reputation" format="json") 74 | constant(value="\", \"location\": \"") property(name="$!iplocation!country!iso_code" format="json") 75 | constant(value="\", \"ctx_tags\": \"") property(name="$!ctx_tags" format="json") 76 | constant(value="\", \"advens\": ") property(name="$!advens") 77 | constant(value="}") 78 | } 79 | 80 | template(name="haproxy_tcp_elastic" type="list") { 81 | constant(value="{") 82 | constant(value="\"@timestamp\": \"") property(name="$!timestamp") 83 | constant(value="\", \"date_time\": \"") property(name="$!date_time") 84 | constant(value="\", \"bytes_read\": ") 
property(name="$!bytes_read") 85 | constant(value=", \"hostname\": \"") property(name="$!hostname" format="json") 86 | constant(value="\", \"unique_id\": \"") property(name="$!unique_id") 87 | constant(value="\", \"status_code\": ") property(name="$!status_code") 88 | constant(value=", \"handshake_time\": ") property(name="$!handshake_time") 89 | constant(value=", \"unix_timestamp\": ") property(name="$!unix_timestamp") 90 | constant(value=", \"bytes_received\": ") property(name="$!bytes_received") 91 | constant(value=", \"active_conn\": ") property(name="$!active_conn") 92 | constant(value=", \"backend_name\": \"") property(name="$!backend_name" format="json") 93 | constant(value="\", \"beconn\": ") property(name="$!beconn") 94 | constant(value=", \"backend_ip\": \"") property(name="$!backend_ip") 95 | constant(value="\", \"backend_port\": ") property(name="$!backend_port") 96 | constant(value=", \"backend_queue\": ") property(name="$!backend_queue") 97 | constant(value=", \"src_ip\": \"") property(name="$!src_ip") 98 | constant(value="\", \"src_port\": ") property(name="$!src_port") 99 | constant(value=", \"frontend_name\": \"") property(name="$!frontend_name" format="json") 100 | constant(value="\", \"feconn\": ") property(name="$!feconn") 101 | constant(value=", \"frontend_ip\": \"") property(name="$!frontend_ip") 102 | constant(value="\", \"frontend_port\": ") property(name="$!frontend_port") 103 | constant(value=", \"pid\": ") property(name="$!pid") 104 | constant(value=", \"retries\": ") property(name="$!retries") 105 | constant(value=", \"request_count\": ") property(name="$!request_count") 106 | constant(value=", \"server_name\": \"") property(name="$!server_name" format="json") 107 | constant(value="\", \"srvconn\": ") property(name="$!srvconn") 108 | constant(value=", \"server_ip\": \"") property(name="$!server_ip") 109 | constant(value="\", \"server_port\": ") property(name="$!server_port") 110 | constant(value=", \"server_queue\": ") 
property(name="$!server_queue") 111 | constant(value=", \"termination_state\": \"") property(name="$!termination_state") 112 | constant(value="\", \"tags\": \"") property(name="$!iplocation!reputation" format="json") 113 | constant(value="\", \"location\": \"") property(name="$!iplocation!country!iso_code" format="json") 114 | constant(value="\", \"ctx_tags\": \"") property(name="$!ctx_tags" format="json") 115 | constant(value="\", \"advens\": ") property(name="$!advens") 116 | constant(value="}") 117 | } 118 | 119 | template(name="haproxy_tcp_mongo" type="list") { 120 | property(name="$!time-utc" outName="time") 121 | property(name="$!date_time") 122 | property(name="$!bytes_read") 123 | property(name="$!hostname") 124 | property(name="$!unique_id") 125 | property(name="$!status_code") 126 | property(name="$!http_request_time") 127 | property(name="$!handshake_time") 128 | property(name="$!http_receive_time") 129 | property(name="$!http_response_time") 130 | property(name="$!unix_timestamp") 131 | property(name="$!bytes_received") 132 | property(name="$!active_conn") 133 | property(name="$!backend_name") 134 | property(name="$!beconn") 135 | property(name="$!backend_ip") 136 | property(name="$!backend_port") 137 | property(name="$!backend_queue") 138 | property(name="$!src_ip") 139 | property(name="$!src_port") 140 | property(name="$!frontend_name") 141 | property(name="$!feconn") 142 | property(name="$!frontend_ip") 143 | property(name="$!frontend_port") 144 | property(name="$!pid") 145 | property(name="$!retries") 146 | property(name="$!request_count") 147 | property(name="$!server_name") 148 | property(name="$!srvconn") 149 | property(name="$!server_ip") 150 | property(name="$!server_port") 151 | property(name="$!server_queue") 152 | property(name="$!termination_state") 153 | property(name="$!iplocation!reputation" outname="tags") 154 | property(name="$!iplocation!country!iso_code" outname="country") 155 | property(name="$!ctx_tags") 156 | 
property(name="$!advens") 157 | } 158 | -------------------------------------------------------------------------------- /usr/local/etc/rsyslog.d/99-output.conf: -------------------------------------------------------------------------------- 1 | # Define outputs here 2 | 3 | 4 | 5 | # Garbage collector: anything that still reaches this point is written to the failure log, then processing stops 6 | action(type="omfile" dirCreateMode="0700" FileCreateMode="0644" File="/var/log/rsyslog-failure.log" Template="raw_message") 7 | stop -------------------------------------------------------------------------------- /usr/local/etc/rsyslog.d/haproxy_internal.conf: -------------------------------------------------------------------------------- 1 | # This file is part of Vulture OS. 2 | # 3 | 4 | ########################## WARNING ############################### 5 | # Don't edit this file, it is automatically generated by Vulture # 6 | ########################## WARNING ############################### 7 | 8 | template(name="HAPROXY_FileFormat" type="list") { 9 | property(name="timereported" dateFormat="rfc3339") 10 | constant(value=" ") 11 | property(name="hostname") 12 | constant(value=" ") 13 | property(name="syslogtag") 14 | property(name="msg" spifno1stsp="on") 15 | property(name="msg" droplastlf="on") 16 | constant(value="\n") 17 | } 18 | 19 | input(type="imuxsock" 20 | Socket="/var/sockets/rsyslog/haproxy_internal.sock" 21 | CreatePath="on" 22 | RuleSet="ruleset_haproxy") 23 | 24 | ruleset(name="ruleset_haproxy") { 25 | 26 | # Output to the requested file 27 | action(type="omfile" 28 | name="Internal_Haproxy" 29 | file="/var/log/haproxy/internal.log" 30 | flushInterval="5" 31 | asyncWriting="on" 32 | CreateDirs="on" 33 | Template="HAPROXY_FileFormat" 34 | dirCreateMode="0700" 35 | FileCreateMode="0644") 36 | 37 | } 38 | -------------------------------------------------------------------------------- /usr/local/etc/rsyslog.d/pf.rb: -------------------------------------------------------------------------------- 1 | version=2 2 | 
rule=pflog:%timestamp_app:float{"format":"number"}%,%action:number{"format":"number"}%,%ttl:number{"format":"number"}%,%direction:number{"format":"number"}%,%if:char-to:\x2c%,%proto:number{"format":"number"}%,%len:number{"format":"number"}%,%rulenb:number{"format":"number"}%,%src_ip:char-to:\x2c%,,%src_udp_port:char-sep:\x2c%,%dst_ip:char-to:\x2c%,,%dst_udp_port:number{"format":"number"}% 3 | rule=pflog:%timestamp_app:float{"format":"number"}%,%action:number{"format":"number"}%,%ttl:number{"format":"number"}%,%direction:number{"format":"number"}%,%if:char-to:\x2c%,%proto:number{"format":"number"}%,%len:number{"format":"number"}%,%rulenb:number{"format":"number"}%,%src_ip:char-to:\x2c%,%src_tcp_port:number{"format":"number"}%,,%dst_ip:char-to:\x2c%,%dst_tcp_port:number{"format":"number"}%, 4 | rule=pflog:%timestamp_app:float{"format":"number"}%,%action:number{"format":"number"}%,%ttl:number{"format":"number"}%,%direction:number{"format":"number"}%,%if:char-to:\x2c%,%proto:number{"format":"number"}%,%len:number{"format":"number"}%,%rulenb:number{"format":"number"}%,%src_ip:char-to:\x2c%,,,%dst_ip:char-to:\x2c%,, -------------------------------------------------------------------------------- /usr/local/etc/secadm.rules: -------------------------------------------------------------------------------- 1 | secadm { 2 | pax { 3 | path: "/usr/home/jails.apache/.zfs-source/home/vlt-os/env/bin/python3", 4 | mprotect: false, 5 | pageexec: false, 6 | prefer_acl: true 7 | }, 8 | pax { 9 | path: "/usr/local/bin/python3", 10 | mprotect: false, 11 | pageexec: false, 12 | prefer_acl: true 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /usr/local/etc/sudoers.d/base_sudoers: -------------------------------------------------------------------------------- 1 | # FIXME: passwordless su with no argument restriction is root-equivalent for vlt-adm; scope it to what the admin menu needs or remove it 2 | vlt-adm ALL=NOPASSWD:/usr/bin/su 3 | 4 | vlt-adm ALL=NOPASSWD:/usr/sbin/bsdinstall 5 | vlt-adm ALL=NOPASSWD:/usr/sbin/kbdmap 6 | vlt-adm 
ALL=NOPASSWD:/usr/sbin/ntpdate
7 | vlt-adm ALL=NOPASSWD:/bin/hostname
8 | 
# NOTE(review): bsdinstall, kbdmap, ntpdate and hostname above carry no
# argument restriction, so vlt-adm may pass any arguments to them.
# Per-task helper scripts, one fixed path each. NOTE(review): they live under
# vlt-adm's own home directory, so if vlt-adm can write them each entry is
# root-equivalent — confirm ownership and permissions of these scripts.
9 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/system/write_ntp.sh
10 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/system/write_aliases.sh
11 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/system/proxy.sh
12 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/system/hostname.sh
13 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/system/netconfig.sh
14 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/system/netconfig-resolv.sh
15 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/system/network-ips.sh
16 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/system/update_system.sh
17 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/system/keymap.sh
18 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/system/geli-passphrase.sh
# Argument-restricted: only this exact move of the keymap file is permitted.
19 | vlt-adm ALL=NOPASSWD:/bin/mv /tmp/bsdinstall_etc/rc.conf.keymap /etc/
20 | 
# Service control with a fixed service name and action.
21 | vlt-adm ALL=NOPASSWD:/usr/sbin/service jail start
22 | vlt-adm ALL=NOPASSWD:/usr/sbin/service jail stop
23 | vlt-adm ALL=NOPASSWD:/usr/sbin/service jail restart
24 | vlt-adm ALL=NOPASSWD:/usr/sbin/service netif restart
25 | vlt-adm ALL=NOPASSWD:/usr/sbin/service routing restart
26 | 
# jail -cm (create or modify) with a fixed jail name.
27 | vlt-adm ALL=NOPASSWD:/usr/sbin/jail -cm mongodb
28 | vlt-adm ALL=NOPASSWD:/usr/sbin/jail -cm rsyslog
29 | vlt-adm ALL=NOPASSWD:/usr/sbin/jail -cm redis
30 | vlt-adm ALL=NOPASSWD:/usr/sbin/jail -cm haproxy
31 | vlt-adm ALL=NOPASSWD:/usr/sbin/jail -cm apache
32 | 
# NOTE(review): each entry below opens an unrestricted root shell inside the
# named jail — the broadest grant in this file after su.
33 | vlt-adm ALL=NOPASSWD:/usr/sbin/jexec mongodb /bin/csh
34 | vlt-adm ALL=NOPASSWD:/usr/sbin/jexec rsyslog /bin/csh
35 | vlt-adm ALL=NOPASSWD:/usr/sbin/jexec redis /bin/csh
36 | vlt-adm ALL=NOPASSWD:/usr/sbin/jexec apache /bin/csh
37 | vlt-adm ALL=NOPASSWD:/usr/sbin/jexec haproxy /bin/csh
38 | vlt-adm ALL=NOPASSWD:/usr/sbin/jexec portal /bin/csh
39 | 
# GUI / cluster helpers; same ownership caveat as the system/ scripts above.
40 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/gui/django_migration.sh
41 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/gui/configure.sh
42 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/gui/cluster_create.sh
43 | vlt-adm ALL=NOPASSWD:/home/vlt-adm/gui/cluster_join.sh
44 | 
--------------------------------------------------------------------------------
/usr/local/etc/sudoers.d/vulture_sudoers:
--------------------------------------------------------------------------------
# Passwordless sudo grants for the vlt-os service account. In sudoers, a
# command listed without arguments accepts any arguments; a command listed
# with arguments must be invoked with exactly those arguments.
# NOTE(review): chown, chmod, mv and sysrc below carry no argument restriction,
# so each is effectively root-equivalent for vlt-os (arbitrary file ownership,
# mode or relocation; arbitrary rc.conf variables). Argument patterns like the
# filebeat and rm rules further down would narrow them.
1 | vlt-os ALL=NOPASSWD:/usr/sbin/chown
2 | vlt-os ALL=NOPASSWD:/bin/chmod
3 | vlt-os ALL=NOPASSWD:/bin/mv
4 | vlt-os ALL=NOPASSWD:/usr/sbin/sysrc
5 | 
# Service control on the host and inside jails: fixed service and action only.
6 | vlt-os ALL=NOPASSWD:/usr/sbin/service mongod start
7 | vlt-os ALL=NOPASSWD:/usr/sbin/service mongod stop
8 | vlt-os ALL=NOPASSWD:/usr/sbin/service mongod restart
9 | vlt-os ALL=NOPASSWD:/usr/sbin/service mongod onestatus
10 | 
11 | vlt-os ALL=NOPASSWD:/usr/sbin/service routing restart
12 | 
13 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec redis /usr/sbin/service redis onestatus
14 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec mongodb /usr/sbin/service mongod onestatus
15 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec apache /usr/sbin/service gunicorn onestatus
16 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec apache /usr/sbin/service nginx onestatus
17 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec portal /usr/sbin/service gunicorn onestatus
18 | 
19 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec apache /usr/sbin/service gunicorn reload
20 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec apache /usr/sbin/service gunicorn restart
21 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec apache /usr/sbin/service nginx reload
22 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec apache /usr/sbin/service nginx restart
23 | 
24 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec haproxy /usr/sbin/service haproxy onestatus
25 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec haproxy /usr/sbin/service haproxy start
26 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec haproxy /usr/sbin/service haproxy stop
27 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec haproxy /usr/sbin/service haproxy hardstop
28 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec haproxy /usr/sbin/service haproxy reload
29 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec haproxy /usr/sbin/service haproxy fastreload
30 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec haproxy /usr/sbin/service haproxy hardreload
31 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec haproxy /usr/sbin/service haproxy restart
32 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec haproxy /usr/sbin/service haproxy configtest
33 | 
34 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec rsyslog /usr/sbin/service rsyslogd restart
35 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec rsyslog /usr/sbin/service rsyslogd onestatus
36 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec rsyslog /usr/sbin/service rsyslogd start
37 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec rsyslog /usr/sbin/service rsyslogd stop
38 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec rsyslog /usr/sbin/service rsyslogd reload
39 | 
# Regular-expression argument matching (requires a sudo that supports regexes
# in sudoers, 1.9.10 or later; the argument part starts with ^ and ends with
# $). The trailing "( [0-9]+)*" admits only optional numeric extra arguments.
40 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec ^rsyslog \/usr\/sbin\/service filebeat restart( [0-9]+)*$
41 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec ^rsyslog \/usr\/sbin\/service filebeat onestatus( [0-9]+)*$
42 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec ^rsyslog \/usr\/sbin\/service filebeat start( [0-9]+)*$
43 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec ^rsyslog \/usr\/sbin\/service filebeat stop( [0-9]+)*$
44 | vlt-os ALL=NOPASSWD:/usr/sbin/jexec ^rsyslog \/usr\/sbin\/service filebeat reload( [0-9]+)*$
# rm is limited to a single file directly under /usr/local/etc/filebeat/ with
# a conservative character set (no "/" or ".." escapes), optionally preceded
# by -f.
45 | vlt-os ALL=NOPASSWD:/bin/rm ^(-f )?\/usr\/local\/etc\/filebeat\/[a-zA-Z0-9._-]+$
46 | 
47 | vlt-os ALL=NOPASSWD:/usr/sbin/service strongswan reload
48 | vlt-os ALL=NOPASSWD:/usr/sbin/service strongswan restart
49 | vlt-os ALL=NOPASSWD:/usr/sbin/service strongswan onestatus
50 | vlt-os ALL=NOPASSWD:/usr/sbin/service strongswan onestatusall
51 | vlt-os ALL=NOPASSWD:/usr/sbin/service strongswan start
52 | vlt-os ALL=NOPASSWD:/usr/sbin/service strongswan stop
53 | 
54 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_client reload
55 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_client restart
56 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_client onestatus
57 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_client onestatusall
58 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_client start
59 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_client stop
60 | 
61 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_server reload
62 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_server restart
63 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_server onestatus
64 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_server onestatusall
65 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_server start
66 | vlt-os ALL=NOPASSWD:/usr/sbin/service openvpn_server stop
67 | 
68 | vlt-os ALL=NOPASSWD:/usr/sbin/service vultured start
69 | vlt-os ALL=NOPASSWD:/usr/sbin/service vultured onestatus
70 | 
71 | vlt-os ALL=NOPASSWD:/usr/sbin/service darwin onestatus
72 | vlt-os ALL=NOPASSWD:/usr/sbin/service darwin start
73 | vlt-os ALL=NOPASSWD:/usr/sbin/service darwin restart
74 | 
# NOTE(review): ifconfig has no argument restriction (any interface change is
# allowed). The scripts below live under vlt-os's own home directory, so if
# vlt-os can write them each entry is root-equivalent — confirm ownership and
# permissions.
75 | vlt-os ALL=NOPASSWD:/sbin/ifconfig
76 | vlt-os ALL=NOPASSWD:/home/vlt-os/scripts/get_dhcp_address.sh
77 | vlt-os ALL=NOPASSWD:/home/vlt-os/scripts/write_cert.sh
78 | vlt-os ALL=NOPASSWD:/home/vlt-os/scripts/add_to_hosts.py
79 | vlt-os ALL=NOPASSWD:/home/vlt-os/scripts/write_netconfig.sh
80 | vlt-os ALL=NOPASSWD:/home/vlt-os/scripts/reset_mongo.sh
81 | 
# pf: rule loading is pinned to the system ruleset path; -sr only lists rules.
82 | vlt-os ALL=NOPASSWD:/sbin/pfctl -f /usr/local/etc/pf.conf
83 | vlt-os ALL=NOPASSWD:/sbin/pfctl -sr
84 | vlt-os ALL=NOPASSWD:/usr/sbin/service pf start
85 | vlt-os ALL=NOPASSWD:/usr/sbin/service pf stop
86 | vlt-os ALL=NOPASSWD:/usr/sbin/service pf restart
87 | vlt-os ALL=NOPASSWD:/usr/sbin/service pf onestatus
88 | 
89 | vlt-os ALL=NOPASSWD:/usr/sbin/service sshd onestatus
90 | 
91 | # FIXME: pkg with no argument restriction is root-equivalent (arbitrary package install/remove), and "/bin/kill -TERM" as written appears to match only that exact command line with no PID, which is unusable; both need a concrete argument pattern.
92 | vlt-os ALL=NOPASSWD:/usr/sbin/pkg
93 | vlt-os ALL=NOPASSWD:/bin/kill -TERM
94 | 
95 | 
--------------------------------------------------------------------------------
/var/db/pkg/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VultureProject/vulture-base/0667ebb4c58e064dbeb22f5bfa711e7a63625034/var/db/pkg/.gitkeep
--------------------------------------------------------------------------------