├── Deployment.jpg
├── Design.jpg
├── README.md
├── THREAT_MODEL.md
└── deaddrop_puppet
    ├── manifests
        ├── nodes.pp
        └── site.pp
    └── modules
        ├── deaddrop
            ├── files
            │   ├── common-auth
            │   ├── cron.allow
            │   ├── fuse.conf
            │   ├── internal_options.conf
            │   ├── mountsshfs
            │   ├── ossec_rules.xml
            │   ├── ssh_config
            │   ├── sysctl.conf
            │   └── umountsshfs
            ├── manifests
            │   ├── .source.pp.swp
            │   ├── apache_config.pp
            │   ├── apparmor.pp
            │   ├── base.pp
            │   ├── cron_allow.pp
            │   ├── crontab.pp
            │   ├── hosts_file.pp
            │   ├── init.pp
            │   ├── iptables_v4.pp
            │   ├── journalist.pp
            │   ├── monitor.pp
            │   ├── ossec_agents.pp
            │   ├── ossec_server.pp
            │   ├── python_gnupg.pp
            │   ├── remove_pcmcia.pp
            │   ├── restricted_pw_files.pp
            │   ├── source.pp
            │   ├── source_deaddrop.pp
            │   ├── ssh.pp
            │   ├── sshfs.pp
            │   ├── sshfs_remote.pp
            │   ├── sysctl.pp
            │   └── tcp_wrappers.pp
            └── templates
            │   ├── apache2.conf.erb
            │   ├── config.py.erb
            │   ├── hosts.allow.erb
            │   ├── hosts.deny.erb
            │   ├── hosts.erb
            │   ├── iptables_v4.erb
            │   ├── journalist.ossec.conf.erb
            │   ├── monitor.ossec.conf.erb
            │   ├── ports.conf.erb
            │   ├── security.erb
            │   ├── source.ossec.conf.erb
            │   ├── sshd_config.erb
            │   ├── vhost-deaddrop-ssl.conf.erb
            │   └── vhost-deaddrop.conf.erb
        ├── gnupg2
            └── manifests
            │   └── init.pp
        ├── rng_tools
            ├── CHANGELOG
            ├── LICENSE
            ├── README
            ├── files
            │   └── rng-tools
            └── manifests
            │   └── init.pp
        ├── secure_delete
            └── manifests
            │   └── init.pp
        ├── ssh
            └── manifests
            │   ├── auth.pp
            │   └── init.pp
        ├── sysstat
            ├── files
            │   └── etc
            │   │   └── default
            │   │       └── sysstat
            └── manifests
            │   └── init.pp
        └── tor
            ├── files
                └── torrc
            └── manifests
                ├── hidden_service.pp
                └── init.pp


/Deployment.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/deaddrop/DeadDropDocs/bef1a6d8c76d09b22bdd8f4ad70b97dadefefb02/Deployment.jpg


--------------------------------------------------------------------------------
/Design.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/deaddrop/DeadDropDocs/bef1a6d8c76d09b22bdd8f4ad70b97dadefefb02/Design.jpg


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | The documentation has been merged into the main repository at [freedomofpress/securedrop](https://github.com/freedomofpress/securedrop).
  2 | 
  3 | Deaddrop Environment Install Guide
  4 | ===========
  5 | 
  6 | Deaddrop is a tool for communicating securely with journalists. Please also view the Threat_Model.doc, diagram.jpg, and design.jpg in docs/ for more information. The environment install guide is below the license. 
  7 | 
  8 | Copyright (C) 2011-2013 James Dolan
  9 | 
 10 | This program is free software: you can redistribute it and/or modify
 11 | it under the terms of the GNU Affero General Public License as published by
 12 | the Free Software Foundation, either version 3 of the License, or
 13 | (at your option) any later version.
 14 | 
 15 | This program is distributed in the hope that it will be useful,
 16 | but WITHOUT ANY WARRANTY; without even the implied warranty of
 17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 18 | GNU Affero General Public License for more details.
 19 | 
 20 | You should have received a copy of the GNU Affero General Public License
 21 | along with this program.  If not, see <http://www.gnu.org/licenses/>.
 22 | 
 23 | ##Hardware Requirements
 24 | The following equipment will be required:  
 25 | 1. You will need 3 computers with the hard drives still installed  
 26 | 2. You will need 1 computer shell (a computer with the hard drive removed)  
 27 | 3. You will need 3 USB sticks with Tails the Amesic Incognito Live System installed  
 28 | 4. You will need 2 USB sticks for transfering files  
 29 | 5. You will need 1 USB stick for storing the applications gpg private key  
 30 | 6. A USB stick will be needed for each journalist for storing their personnel gpg private keys  
 31 | 
 32 | ##Local Certificate Authority Install  
 33 | The journalist's interface uses ssl certificates for transport encryption and authentication that will be generated on the Local CA USB stick.  
 34 | 
 35 | 1. Steps to download, verify and install Tails to a usb stick can be found here https://tails.boum.org/download/index.en.html  
 36 | 2. Step to configure the Personal Data persistant storage feature to store the config file and root CA certs can be found here https://tails.boum.org/doc/first_steps/persistence/index.en.html   
 37 | 3. Ensure that Persistent Volume Feature 'Personal Data' is activated  
 38 | 3. The Local CA never needs to be connected to a network to generate the needed certificates and revocation lists    
 39 | 4. The USB stick that the Local CA is installed on should be stored securely when not in use  
 40 | 5. The USB stick that the Local CA is installed on should be clearly labeled to avoid confusion with other USB sticks  
 41 | 6. User certificates should only be generated for approved journalists that require access to the journalist interface  
 42 | 7. Unique user certificates should be generated for each approved journalist  
 43 | 8. User certificates should be securely transported to the approved journalist  
 44 | 9. Server and user certificates should be set to expire to your organization's policy  
 45 | 10. A User certificate should be revoked if the journalist no longer requires access  
 46 | 
 47 | ###Setup openssl
 48 | The configuration files, certificates, and revocation lists are saved in the Persistant folder activated with the Personal Data feature of the Tails Persistent Volume Feature.
 49 | 
 50 | 	mkdir -p /home/amnesia/Persistent/deaddropCA/{private,newcerts,certs,usercerts,crl}  
 51 | 	touch /home/amnesia/Persistent/deaddropCA/index.txt  
 52 | 	echo '01' > /home/amnesia/Persistent/deaddropCA/serial  
 53 | 	echo '01' > /home/amnesia/Persistent/deaddropCA/crlnumber  
 54 | 	cp /etc/ssl/openssl.cnf /home/amnesia/Persistent/deaddropCA/  
 55 | 	cd /home/amnesia/Persistent/deaddropCA  
 56 | 
 57 | Edit **/home/amnesia/Persistent/deaddropCA/openssl.cnf**  adjusting the default values
 58 | 
 59 | 	nano /home/amnesia/Persistent/deaddropCA/openssl.cnf  
 60 | 
 61 | 
 62 | >[CA_default]  
 63 | >dir             = /home/amnesia/Persistent/deaddropCA               # Where everything is kept  
 64 | 
 65 | 
 66 | ...
 67 | 
 68 | 
 69 | >countryName_default           = US        # Replace US with your default value  
 70 | 
 71 | 
 72 | ...  
 73 | 
 74 | 
 75 | >stateOrProvinceName_default   = NY        # Replace NY with your default value  
 76 | 
 77 | 
 78 | ...  
 79 | 
 80 | 
 81 | >0.organizationName_default    = Deaddrop  # Replace Deaddrop with your default value  
 82 | 
 83 | Update the OpenSSL environment variable to use the new config file  
 84 | 
 85 |         export OPENSSL_CONF=/home/amnesia/Persistent/deaddropCA/openssl.cnf  
 86 |         
 87 | ####Generate the needed certificates
 88 | Generate the CA cert and revocation list. Adjust the expirations to meet your organization's policy:  
 89 | 
 90 | 	openssl ecparam -name prime256v1 -genkey -out private/cakey.pem  
 91 | 	openssl req -x509 -extensions v3_ca -sha256 -new -key private/cakey.pem -out certs/cacert.pem -days 365  
 92 | 	
 93 | When prompted for "YOUR name" enter a Distinguished Name for your Local CA.  
 94 | 
 95 | 	openssl ca -gencrl -keyfile private/cakey.pem -cert certs/cacert.pem -out crl/cacrl.pem -crldays 365  
 96 | 
 97 | Generate the Journalist's Interface certs:  
 98 | 
 99 | 	openssl genrsa -out private/journalist.key.pem 4096  
100 | 	openssl req -sha256 -new -nodes -key private/journalist.key.pem -out newcerts/journalist.req.pem -days 365  
101 | 	openssl ca -keyfile private/cakey.pem -cert certs/cacert.pem -in newcerts/journalist.req.pem -out certs/journalist.cert.pem  
102 | 	openssl x509 -in certs/journalist.cert.pem -text -noout  
103 | 	openssl rsa -in private/journalist.key.pem -out private/journalist.with.out.key  
104 | 
105 | Generate the user certificates for admins and journalists that will require access to the journalist interface. Convert the certs to pkcs12 format to import into browsers.  
106 | 
107 | 	openssl genrsa -out private/first_last_name.key.pem 4096  
108 | 	openssl req -sha256 -new -nodes -key private/first_last_name.key.pem -out newcerts/first_last_name.req.pem -days 365  
109 | 	openssl ca -keyfile private/cakey.pem -cert certs/cacert.pem -in newcerts/first_last_name.req.pem -out usercerts/first_last_name.cert.pem  
110 | 	openssl pkcs12 -export -in usercerts/first_last_name.cert.pem -inkey private/first_last_name.key.pem -out usercerts/first_last_name.p12 -name "first_last_name"  
111 | 	chmod 0400 /opt/tipsCA/*/*.pem  
112 | 
113 | Copy the needed certs to the app's external harddrive  
114 | 
115 | 	cd /opt/tips  
116 | 	cp private/journalist.wo.key.pem ~/journalist_certs/  
117 | 	cp crl/cacrl.pem ~/journalist_certs/  
118 | 	cp certs/{cacert.pem,journalist.cert.pem} ~/journalist_certs/  
119 | 
120 | ##Configure Secure-Viewing-Station and Application's GPG keypair
121 | 
122 | ###Create Ubuntu LiveCD and prepare the SVS  
123 | https://help.ubuntu.com/community/LiveCD  
124 | Remove the hard drive containing the Local CA (after copying the generated certificates to the monitor server)  
125 | Boot from the SVS from the LiveCD   
126 | 
127 | ###Create the Application's GPG keypair  
128 | Insert the app's secure keydrive into the SVS  
129 | Use an external hard drives rather than a external flash drives. A GPG v1 key will not work with the DeadDrop application. gnupg2 is not required to decrypt messages and files, only to create keys. Use an external entropy device when possible, if one is not available use /dev/random  
130 | 
131 | ####Install required dependencies and create the gpg v2 keys
132 | 
133 | 	apt-get install gnupg2 secure-delete rng-tools -y  
134 | 	
135 | Edit /etc/default/rng-tools, if you have an external entropy key use it instead of dev/random  
136 | 
137 | 	nano /etc/default/rng-tools  
138 | 	
139 | >\# Set to the input source for random data, leave undefined  
140 | >\# for the initscript to attempt auto-detection.  Set to /dev/null  
141 | >\# for the viapadlock driver.  
142 | >\#HRNGDEVICE=/dev/hwrng  
143 | >\#HRNGDEVICE=/dev/null  
144 | >**HRNGDEVICE=/dev/random**  
145 | 
146 | Start rng_tools to provide create a larger entropy source  
147 | 
148 | 	/etc/init.d/rng-tools start  
149 | 	
150 | Generate the gpg v2 keys  
151 | 
152 | 	gpg2 --homedir  */set this to path on the secure keydrive/* --gen-key  
153 | 	
154 | >(1) RSA and RSA (default)  
155 | >key size: 4096  
156 | >real name: Journalist  
157 | 
158 | Only the two selected journalist's should know the app's GPG keypair's passphrase. Follow your organization's password policy. http://howto.wired.com/wiki/Choose_a_Strong_Password  
159 | 
160 | Export the Journalist's gpg public key  
161 | 
162 | 	gpg2 --export --output journalist.acs --armor Journalist  
163 | 
164 | ####Determine and record the application's gpg key's fingerprint  
165 | 
166 | 	gpg --homedir /var/www/deaddrop/keys --list-keys --with-fingerprint  
167 |  
168 | 
169 | You will get a prompt like `Command>` type `fpr` and hit enter  
170 | it will then show you the key's fingerprint. It should look like the line below. Record it somewhere for use in the puppet nodes.pp file.  
171 | 
172 | 	CCCC CCCC CCCC CCCC CCCC  CCCC CCCC CCCC CCCC CCCC  
173 | 
174 | ##Install and configure puppet
175 | Puppet is used to install the deaddrop application and configure the environment. Efforts were taken to apply the security hardening steps. To keep the attack surface to a minimum uninstall puppet after the environment is configured.
176 | https://help.ubuntu.com/12.04/serverguide/puppet.html
177 | 
178 | ###Monitor Server
179 | -----------  
180 | ####Set the hostname if not already done  
181 | 
182 | 	nano /etc/hostname  
183 | 	
184 | >monitor.domain_name  
185 | 
186 | 	hostname -F /etc/hostname  
187 | 
188 | ####Edit the /etc/hosts file  
189 | It should look something like below  
190 | 
191 | 	nano /etc/hosts  
192 | 	
193 | >127.0.0.1       localhost puppet  
194 | >127.0.1.1       ubuntu
195 | >
196 | >xxx.xxx.xxx.xxx source.domain_name    source  
197 | >xxx.xxx.xxx.xxx journalist.domain_name    journalist  
198 | >xxx.xxx.xxx.xxx monitor.domain_name    monitor  
199 | >xxx.xxx.xxx.xxx intvpn.domain_name    intvpn  
200 | >xxx.xxx.xxx.xxx intfw.domain_name    intfw  
201 | 
202 | ####Install the puppetmaster and dependencies  
203 | When promted during iptables-persistent install hit *yes* for the IP address version you are using. This guide uses IPv4 enter **yes** when prompted.  
204 | 
205 | 	sudo apt-get install puppetmaster iptables-persistent rubygems sqlite3 libsqlite3-ruby git -y  
206 | 	cd /etc/puppet/modules  
207 | 	gem install puppet-module  
208 | 	gem install rails -v 2.2.2   
209 | 	puppet module install puppetlabs-firewall  
210 | 	puppet module install puppetlabs-ntp  
211 | 	puppet module install puppetlabs-vcsrepo  
212 | 	puppet module install puppetlabs-apt  
213 | 	puppet module install puppetlabs-git  
214 | 	puppet module install puppetlabs-stdlib   
215 | 	puppet module install puppetlabs-apache  
216 | 	
217 | If you get a **Invalid version format: 0.5.0-rc1** error then download the module manually:  
218 | 
219 | 	wget http://forge.puppetlabs.com/puppetlabs/apache/0.5.0-rc1.tar.gz  
220 | 	tar -xzf 0.5.0-rc1.tar.gz  
221 | 	mv puppetlabs-apache-0.5.0-rc1 apache  
222 | 
223 | Clone the deaddrop_puppet repo which contains the rest of the manifests and modules needed. Put them in the correct directories. These modules were not done to puppet style guide. Currently in the process of improving them and making them compliant. At some point we hope to have them hosted on puppet forge but till then use at your own risk and please help out if you are a puppet guru.   
224 | 
225 | 	cd ~
226 | 	git clone https://github.com/deaddrop/DeadDropDocs  
227 | 	cp DeadDropDocs/deaddrop_puppet/manifests/* /etc/puppet/manifests/  
228 | 	cp DeaddropDocs/deaddrop_puppet/modules/* /etc/puppet/modules/
229 | 
230 | 
231 | Edit **/etc/puppet/puppet.conf** adding the following lines:  
232 | 
233 | 	nano /etc/puppet/puppet.conf  
234 | 	
235 |  
236 | >thin_storeconfigs = true  
237 | >dbadpter = sqlite3  
238 | 
239 | ####Gather the required files from the external harddrives  
240 | From the Secure Viewing Station's:  
241 | App's pub gpg key `/etc/puppet/modules/deaddrop/files`  
242 | 
243 | From the Local Certificate Authority:  
244 | Journalist Interface's SSL cert `/etc/puppet/modules/deaddrop/files/journalist_certs/`  
245 | Journalist Interface's SSL private key `/etc/puppet/modules/deaddrop/files/journalist_certs/`  
246 | Local CA's root CA cert `/etc/puppet/modules/deaddrop/files/journalist_certs/`  
247 | Local CA's CRL list `/etc/puppet/modules/deaddrop/files/journalist_certs/`
248 | 
249 | #####Modify the default parameters  
250 | Modify parameters and hostnames the first section of nodes.pp manifest  
251 | 
252 | 	nano /etc/puppet/manifests/nodes.pp  
253 | 
254 | >node basenode {  
255 | >\# These values will need to be changed to reflect your environment  
256 | >    $domain_name                 = 'domain_name.com'  
257 | >    $source_ip                   = 'xxx.xxx.xxx.xxx'  
258 | >    $source_hostname             = 'source'  
259 | >    $journalist_ip               = 'xxx.xxx.xxx.xxx'  
260 | >    $journalist_hostname         = 'journalist'  
261 | >    $monitor_ip                  = 'xxx.xxx.xxx.xxx'  
262 | >    $monitor_hostname            = 'monitor'  
263 | >    $admin_intVPN_ip             = 'xxx.xxx.xxx.xxx'  
264 | >    $admin_intVPN_hostname       = 'intVPN'  
265 | >    $journalist_intVPN_ip        = 'xxx.xxx.xxx.xxx'  
266 | >    $journalist_intVPN_hostname  = 'intVPN'  
267 | >    $intFWlogs_ip                = 'xxx.xxx.xxx.xxx'  
268 | >    $intFWlogs_hostname          = 'intFWlogs'  
269 | >    $puppetmaster_hostname       = 'monitor'  
270 | >    $app_gpg_pub_key             = 'journalist.acs'  
271 | >    $hmac_secret                 = 'use_a_random_number_generater_for_this_value'  
272 | >    $app_gpg_fingerprint         = 'XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX'  
273 | >    $mailserver_ip               = 'gmail-smtp-in.l.google.com'  
274 | >    $ossec_emailto               = 'user_name@gmail.com'  
275 | 
276 | ####Restart the puppetmaster
277 | 
278 | 	/etc/init.d/puppetmaster restart
279 | 
280 | ------------------------
281 | ###Install Puppet on the Source and Journalist servers  
282 | ------------------------
283 | 
284 | 	apt-get install puppet iptables-persistent  
285 | 	
286 | Edit /etc/hosts file to look like below:  
287 | 
288 | >127.0.0.1       localhost  
289 | >127.0.1.1       ubuntu  
290 | >
291 | >xxx.xxx.xxx.xxx source.domain_name source  
292 | >xxx.xxx.xxx.xxx journalist.domain_name journalist  
293 | >xxx.xxx.xxx.xxx monitor.domain_name monitor puppet  
294 | >xxx.xxx.xxx.xxx intvpn.domain_name intvpn  
295 | >xxx.xxx.xxx.xxx intfw.domain_name intfw  
296 | 
297 | Edit /etc/default/puppet change “START=no” to look like below  
298 | 
299 | >\#  Start puppet on boot?  
300 | >START=yes  
301 | 
302 | Start the puppet agent on the source and journalist server  
303 | 
304 | 	/etc/init.d/puppet restart  
305 | 
306 | ###Sign the puppet agent certs on the Monitor server  
307 | 
308 | 	puppetca --list --all   
309 | 	puppetca --sign --all
310 | 
311 | ###Run the puppet manifest to configure the environment  
312 | Run puppet on the 1) monitor server, 2) journalist interface server, 3) source interface server  
313 | 
314 | 	puppet agent --server monitor.domain_name -t  
315 | 	
316 | ##Steps for the system admins to create keys for Google's 2 Step Authenticator PAM module  
317 | Ensure that you are not root. Each user that needs SSH access will need to perform these steps. The same key can be used for all devices in the same environment. If the ios/android device and the servers are more than 30 seconds off the codes will not work. Currently the puppet manifest only downloads and partially install google-authenticator it does not enable it. Was worried that people may lock themselves out. You can read more about it at https://code.google.com/p/google-authenticator/    
318 | 
319 | ###Each admin should create their own code  
320 | Create the code  
321 | 
322 | 	cd ~  
323 | 	google-authenticator  
324 | 
325 | >y  
326 | >y  
327 | >y  
328 | >n  
329 | >y  
330 | 
331 | To set up you ios or android device install the 'google authenticator' app from the respective official app stores.  
332 | 
333 | Open the app and click 'add key manually'  
334 | 
335 | On the server run \# `cat ~/.google-authenticator` The first line is your key. Enter that exactly into the google-authenticator app  
336 | 
337 | Edit **/etc/ssh/sshd_config** and change **ChallengeResponseAuthentication** from **no** to **yes**
338 | 
339 | >ChallengeResponseAuthentication yes  
340 | 
341 | Edit /etc/pam.d/common-auth  and add  **auth    required	pam_google_authenticator.so** so that it will look like the following  
342 | 
343 | >here are the per-package modules (the "Primary" block)  
344 | >auth    required                        pam_google_authenticator.so  
345 | >auth    [success=1 default=ignore]      pam_unix.so nullok_secure  
346 | 
347 | Restart ssh and test it in a new connection. Do not close or log out of the current window  
348 | 
349 | 	/etc/init.d/ssh restart  
350 | 	
351 | Open a new terminal window and ssh into the server and verify you can login. do not close the other window until after you verified that you still have access.  
352 | 
353 | Copy you secret key to the other hosts with a command like this one  
354 | 
355 | 	scp /home/user_name/.google-authenticator user_name@source:.  
356 | 
357 | ##Create a grsec patched kernel with the ubuntu-precise overlay .deb package  
358 | The grsecurity wikibook should be read thoroughly.
359 | http://en.wikibooks.org/wiki/Grsecurity  
360 | The steps for creating a grsec patched kernel with a ubuntu overlay were based from the following link. Please read that blog post for more information.  
361 | http://compilefailure.blogspot.com/2011/02/grsecurity-patched-ubuntu-server-lts.html  
362 | 
363 | ###Gather files and packages needed for the ubuntu overlay  
364 | 
365 | 	cd ~  
366 | 	mkdir grsec  
367 | 	cd grsec  
368 | 	apt-get install libncurses5-dev build-essential  kernel-package git-core -y  
369 | 	git clone git://kernel.ubuntu.com/ubuntu/ubuntu-precise.git  
370 | 	cp -a /usr/share/kernel-package ubuntu-package  
371 | 	cp ubuntu-precise/debian/control-scripts/p* ubuntu-package/pkg/image/  
372 | 	cp -a /usr/share/kernel-package ubuntu-package  
373 | 	cp ubuntu-precise/debian/control-scripts/p* ubuntu-package/pkg/image/  
374 | 	cp ubuntu-precise/debian/control-scripts/headers-postinst ubuntu-package/pkg/headers/  
375 | 
376 | Install gcc-(version)-plugin-dev.   
377 | This package is needed by the grsec patch.  
378 | 
379 | 	apt-get install gcc-4.6-plugin-dev -y    
380 | 
381 | Download the kernel and grsecurity patch 
382 | Check the grsecurity.net website and use the current stable version. The grsec/kernel were current at the time of writing.
383 | \“All grsecurity packages have a version string in their names. It contains both the version of the release itself and the kernel version it is meant for. For example, the version string 2.2.2-2.6.32.45-201108262310 tells us that the version of this grsecurity release is 2.2.2 and it is meant for kernel version 2.6.32.45. The last section of the version is a timestamp.\”  
384 | 	- http://en.wikibooks.org/wiki/Grsecurity/Obtaining_grsecurity#Downloading_grsecurity
385 | 
386 | 	wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.2.36.tar.bz2  
387 | 	wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.2.36.tar.sign  
388 | 	wget http://grsecurity.net/spender-gpg-key.asc  
389 | 	wget http://grsecurity.net/stable/grsecurity-2.9.1-3.2.36-201301032034.patch  
390 | 	wget http://grsecurity.net/stable/grsecurity-2.9.1-3.2.36-201301032034.patch.sig  
391 | 
392 | Verify the packages  
393 | 
394 | 	gpg --import spender-gpg-key.asc
395 | 	gpg --verify grsecurity-2.9.1-3.2.36-201301032034.patch.sig  
396 | 	gpg --recv-keys 6092693E  
397 | 	bunzip2 linux-3.2.36.tar.bz2  
398 | 	gpg --verify linux-3.2.36.tar.sign  
399 | 
400 | ###Apply the patch to the kernel and make the grsec kernel
401 | 
402 | 	tar -xf linux-3.2.36.tar  
403 | 	cd linux-3.2.36  
404 | 	patch -p1 <../grsecurity-2.9.1-3.2.36-201301032034.patch  
405 | 
406 | Apply the old hardware config to ensure that the correct options are retained
407 | 
408 | 	yes "" | make oldconfig  
409 | 	make menuconfig  
410 | 	
411 | In the gui:
412 | 
413 | >- navigate to 'Security options'  
414 | >- navigate to 'Grsecurity'  
415 | >- enable the ‘Grsecurity’ option  
416 | >- Set ‘Configuration Method’ to ‘Automatic’  
417 | >- Set ‘Usage Type’ to ‘Server’  
418 | >- Set ‘Virtualization Type’ to ‘None’  
419 | >- Set ‘Required Priorities’ to ‘Security’  
420 | >- navigate to ‘Customize Configuration’  
421 | >- navigate to ‘Sysctl Support’ and enable ‘Sysctl support’  
422 | >- exit and save changes  
423 | 
424 | 	make-kpkg clean  
425 | 	make-kpkg --initrd --overlay-dir=../ubuntu-package kernel_image kernel_headers  
426 | 
427 | Grab a cup of coffee. When the package is complete scp the .deb files to all the servers.  
428 | ###Resolve PAX grub issues    
429 | 
430 | 	apt-get install paxctl -y  
431 | 	paxctl -Cpm /usr/sbin/grub-probe  
432 | 	paxctl -Cpm /usr/sbin/grub-mkdevicemap  
433 | 	paxctl -Cpm /usr/sbin/grub-setup  
434 | 	paxctl -Cpm /usr/bin/grub-script-check  
435 | 	paxctl -Cpm /usr/bin/grub-mount  
436 | 	update-grub  
437 | 
438 | ###Install the grsec patched kernel  
439 | 
440 | 	cd ..  
441 | 	dpkg -i *.deb  
442 | 
443 | 
444 | Review boot menu and boot into new kernel  
445 | Verify that `/boot/grub/menu.lst` has the correct values. Make adjustments as necessary.  
446 | 
447 | 	sudo reboot 
448 | 
449 | After the reboot check that you booted into the correct kernel.   
450 | 
451 | 	uname -r  
452 | 
453 | It should end in '-grsec'  
454 | 
455 | After finishing installing the ensure the grsec sysctl configs are applied and locked
456 | 
457 |     sysctl -p  
458 |     sysctl -w kernel.grsecurity.grsec_lock = 1  
459 | 
460 | 
461 | ##Clean up the system and puppet firewall rules  
462 | Once the environment is verified, uninstall puppet on the puppetmaster and puppet agents to decrease the attack surface  
463 | 
464 | 	apt-get purge rubygems puppetmaster puppet gcc make libncurses5-dev build-essential  kernel-package git-core g++ python-setuptools sqlite3 libsqlite3-ruby  
465 | 
466 | Remove the puppet rule from the monitor server in /etc/iptables/iptables_v4 file  
467 | 
468 | 	iptables-restore < /etc/iptables/iptables_v4  
469 | 
470 | Due to Puppet bug 1737 you will need to either apply this fix linked to below or manually restrict the ssh options for www-data public key on the journalist server
471 | http://projects.puppetlabs.com/issues/1737  
472 | Fix #1737 - ssh_authorized_keys should be able to parse options conta…  
473 | https://github.com/masterzen/puppet/commit/d9f40be12fe0d25c11d76129ee64fa1f70507d05  
474 | 
475 | the options preceding the apache user's ssh key file should look like below:  
476 | 
477 | 	from=\"source\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty  
478 | 


--------------------------------------------------------------------------------
/THREAT_MODEL.md:
--------------------------------------------------------------------------------
  1 | #DeadDrop Threat Model  
  2 | ---------------------  
  3 | 
  4 | ##Application Name and Description  
  5 | DeadDrop is meant to let sources communicate with journalists with greater anonymity and security than afforded by conventional e-mail.
  6 | 
  7 | 
  8 | ##Business Objectives  
  9 | * Design an application that provides a source a way to securely upload documents and messages to a journalist that protects the source's anonymity.  
 10 | * Design an environment to host the application that protects the source's anonymity.  
 11 | * The application should allow for the source to return to the site and check for replies from the journalist.  
 12 | * The application and environment should be designed so only the selected journalists can decrypt the source's encrypted documents and files.  
 13 | * The application and environment should be designed so only the intended source can view the journalist's clear text replies.  
 14 | * The source's authentication mechanism, while being secure, should be easy for the source to remember without writing down. 
 15 | * The application and environment should use well known and industry accepted cryptography and security practices.  
 16 | * The environment should be monitored for possible security events though identifiable information about the source should be excluded from all logs in the environment.  
 17 | * The application and environment should be designed to protect the encrypted files even in the event of a full system compromise or seizure.  
 18 | 
 19 | 
 20 | ##Anonymity Provided
 21 | * A Tor hidden service is configured for the application. It is highly recommended for the source to use Tor to submit messages, documents and check for replies. Please consult this link for more information on Tor and Tor hidden services https://www.torproject.org/docs/hidden-services.html.en  
 22 | * Only the two selected journalists have physical access to the application's GPG private key and know the key's passphrase used to decrypt source files. These steps were taken to provide reasonable assurance that only the two selected journalists could decrypt the files after they were encrypted in the application.   
 23 | * The network firewall only detects the tor traffic not information about the source.  
 24 | * Apache access logs are not kept.  
 25 | * The source's clear text code name is not stored to disk in the application or known to the site administrators and journalists.  
 26 | * The source's uploaded messages and documents are encrypted before being stored to disk.  
 27 | * The secure viewing station is where the application's GPG private keys decrypts the source's submitted information and is 1) never connected to a network, 2) booted from a LiveCD, 3) the hard drive is removed, 4) physically located in a secured corporate facility.  
 28 | * Journalist's reply messages to sources are encrypted with a GPG keypair unique to the source.  
 29 | * Journalist's replies are encrypted with a gpg passphrase that is only known to the source and never stored in clear text in the application.   
 30 | * The source is urged to delete replies after reading them. The application uses secure-remove to delete the file and it is not reasonably forensically recoverable.
 31 | * To ensure that the physical devices are not tampered with the network firewalls, source interface, journalist interface and monitors servers are located in a corporate owned facility (not a co-location hosting provider or cloud provider).   *The environment is physically monitored 24/7 with strict access policies.  
 32 | 
 33 | ##Application Usage  
 34 | ###Source's Role  
 35 | (S1) The organization's Tor hidden service URL, directions, and links to the Tor single-purpose browser are displayed organization's website. The source downloads and installs the Tor single-purpose browser from https://torproject.org. The source uses the site's hidden service URL (.onion) to use the application with a higher level of anonymity than a HTTPS url can provide.  
 36 | 
 37 | (S2) A link to the privacy statement is provided.  
 38 | 
 39 | (S3) Upon hitting 'Submit,' a codename is generated for the individual source. The source is instructed to memorize the clear text codename. The codename is used to identify individual sources on return visits to view replies and follow up with the journalist.  
 40 | 
 41 | (S4) The application creates a sha256 hash of the clear text codename. The clear text codename is transmitted in each protected resource's POST request which is verified against the sha256 hash that is stored to disk that authorizes the source to access the requested resource. That authorization process is performed on each individual POST request to a protected resource.  
 42 | 
 43 | (S5) Once the source is authenticated, using the hash of the clear text codename, the application checks to see if a GPG v2 keypair was previously created for the source's hashed codename. If a keypair was not previously created, the application generates a unique keypair for the specified hashed codename. The source interface has the rng-tools package installed and configured to use an external random number generator device for the source of entropy in the key generation. The source’s clear text codename is used as the sources gpg keypair secret passphrase which is not stored to disk in clear text.  
 44 | 
 45 | (S6) The source can then upload a file, enter a message, view and delete replies from the journalist.  
 46 | 
 47 | (S7) If a message was uploaded, the string is utf8-encoded and then encrypted with the application's GPG public key. The encrypted message is stored in the individual's source's hashed codename directory.  
 48 | 
 49 | (S8) If a document is uploaded, a background lambda** process is started in order to handle the upload and encryption process. The encrypted document is stored in the unique source's hashed codename directory.  
 50 | 
 51 | (S9) If a reply message from a journalist is stored in the source's hashed codename directory, the source is presented a link to decrypt the reply. A warning is presented to the source, advising them to delete the message after viewing it. This is done to limit the source's exposure, should their codename ever be compromised. To decrypt the message, the application queries the GPG keyring for the source's private GPG key using the hashed codename. The source's GPG passphrase is the clear text codename (which the application never stores to disk, but is passed in the source's POST request for protected resources.)  
 52 | 
 53 | (S10) Once the message is displayed, the source is provided the option to delete it per the previous warning. The secure-delete package's srm command is used to securely wipe the journalist's encrypted message from the source's encrypted file store.  
 54 | 
 55 | ###Journalist's Role  
 56 | (J1) From the journalist's workstation, the journalist VPNs into the tips environment through a VPN tunnel that does not allow split-tunneling and has been configured for 2-factor authentication. The journalist interface requires SSL client certificates for access. The journalist will need to have their user certificate installed into their browser to access the journalist interface.  
 57 | 
 58 | (J2) Once the journalist's SSL user certificate is validated, the journalist is presented a list of source code IDs that have submitted documents. The source code IDs that are presented to the journalist is a different 3-word code IDs from the source’s clear text codename. The application generates the separate code IDs using the hashes of the sources’ codenames. This is done so that the source's clear text codename is not known to the journalist. A journalist will not request the source’s clear text codename and the source should not include it in any uploaded files or messages. 
 59 | 
 60 | (J3) The journalist can select a code ID and is presented a list of encrypted files to download.  
 61 | 
 62 | (J4) The journalist will download the encrypted files to application's external hard drive.  
 63 | 
 64 | (J5) The journalist then walks the application's external hard drive (with the encrypted files saved to it) over to the Secure Viewing Station (SVS) that is never connected to a network to decrypt and view the submitted information.  
 65 | 
 66 | (J6) The SVS is a workstation that is booted from a LiveCD with the hard drive removed to limit its attack surface to persistent threats. It is never connected to any wired or wireless networks, to prevent a remote attacker from accessing it. The source then inserts the application's external hard drive into the booted SVS and transfers the encrypted files to the SVS desktop. After the transfer is complete, the journalist should securely delete the encrypted file from the external hard drive and remove the drive. After the application's external hard drive is removed from the SVS, the journalist should insert application's secure keydrive that contains the application's private GPG key and the journalist’s personnel public key into the SVS. The journalist should then decrypt the files using the application's private GPG key. The journalist can then proceed validating the submitted documents. When the journalist's session is over, they should remove the application's secure keydrive, power down the SVS, and securely store all components. Only the selected journalists should know the passphrase and physical access to the application's GPG private key.  
 67 | 
 68 | (J7) For scenarios where a journalist requires part of the unencrypted contents of submitted information for publication, the journalist should encrypt the clear text contents using their personal GPG keypair – not the application's keypair, on the secure viewing station before transferring them to their personnel workstation. The source's documents and messages should be encrypted at rest until the article is ready for publication.  
 69 | 
 70 | (J8) The journalist's interface also has a reply function. The journalist can enter their message for a specific source into a text box and click 'Submit.' The application retrieves the source's GPG public key based off of the source's hashed codename. If the journalist cannot access the source's GPG public key, the reply function is not rendered. The application encrypts the journalist reply with a unique source's GPG public key, which is stored in the source's hashed codename-encrypted file store.  
 71 | 
 72 | ##Authentication    
 73 | * VPN authentication requires 1) username, 2) follows the organization's password complexity policy, and 3) requires 2-factor authentication such as the one from DUO Security.  
 74 | 
 75 | * Admin SSH access should require 1) 2-factor authentication, such as Google 2-factor pam module, 2) following the organization's policy for password complexity, and 3) access restricted to the admin's internal vpn address.  
 76 | 
 77 | * The DeadDrop password-less ECDSA 4096-bit length keyfile used for the sshfs mount, should restrict logins to the journalist server from the source server, and restrict the user to sshfs commands only.  
 78 | 
 79 | * The OSSEC manager and agents use generated server and client SSL certificates, which authenticate and encrypt the traffic.  
 80 | 
 81 | * The OSSEC manager should be configured to use an authenticated SMTP relay  
 82 | 
 83 | * The journalist site and user SSL certificates should be generated on the standalone Local CA workstation.  
 84 |   
 85 | * User certificates to access the journalist interface, restricted to the journalist's internal VPN address  
 86 |  
 87 | * All GPG keypairs are GPG v2, RSA, 4096-bit length keys with unique passphrase.  
 88 | 
 89 | * The application's GPG private key should only be generated and stored on application's secure keydrive inserted into the SVS when in use, otherwise stored in a secure location.  
 90 | 
 91 | * The codename is derived by using “system.random” to randomly choose 3 words from the pre-defined word list file.  It is supplied by the source in each request to a protected resource to authenticate. It is also used as the source's GPG passphrase. The clear text codename is not stored to disk in clear text at any point.  
 92 | 
 93 | * A sha256 hash using the HMAC secret, which the admin defined in the configuration file, is made of the source's clear text codename. The source's hashed codename is used as the source's encrypted file store directory and as part of the source's GPG keypair's email address.  
 94 | 
 95 | * On POST requests to protected resources, the application will hash the value passed from the source in the codename field and compare it to the source's encrypted file store directory names. If the hashed value from the source matches the name a of a directory then the source is authenticated as that source.  
 96 | 
 97 | * Admin access to the network firewall should be restricted to the admin's internal VPN IP address.  
 98 | 
 99 | ##Security Monitoring  
100 | * Security email alerts are sent to the configured admin distribution email address in the puppet config.  
101 | * VPN User access  
102 | * Network firewall configuration changes  
103 | * Tor error log  
104 | * SSH access (includes SSHFS access and google's 2 factor pam module)  
105 | * OSSEC agent and manager activity    
106 | * Grsecurity events  
107 | * AppArmor events  
108 | * Host-based firewall events (excluding external drops on the network firewall device)  
109 | * New network connections (excluding the source interface servers HTTP and HTTPS ports)  
110 | * Real time file integrity changes  
111 | * Apparmor policy violations  
112 | * Grsecurity kernel violations  
113 | * The Journalist interface access and error events  
114 | * Disk space monitoring  
115 | * Memory and CPU monitoring  
116 | * Process monitoring  
117 | * “Is it up” site monitoring should be performed with a tool that does not require an agent to be installed in the environment to limit the attack surface.  
118 | 
119 | 
120 | ##Security Mailing Lists  
121 | Network Firewall ____________________  
122 | DeadDrop https://github.com/deaddrop  
123 | Tor https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/  
124 | Apache2 http://httpd.apache.org/lists.html#http-announce  
125 | mod_wsgi https://groups.google.com/forum/?fromgroups#!forum/wsgi-security-announce  
126 | web.py https://groups.google.com/forum/?fromgroups#!forum/webpy  
127 | python-gnupg library http://groups.google.com/group/python-gnupg  
128 | python 2.7 http://www.python.org/news/security/ create a change alert for this page  
129 | gnupg2 package http://lists.gnupg.org/pipermail/gnupg-announce/  
130 | Openssl http://www.openssl.org/support/community.html (enter email address)  
131 | Google's 2FA pam module http://code.google.com/p/google-authenticator/ (join group)  
132 | Grsecurity http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity  
133 | OSSEC http://www.ossec.net/?page_id=21#ossec-list (send email request to join)  
134 | AppArmor https://lists.ubuntu.com/mailman/listinfo/apparmor  
135 | Ubuntu 12.04 https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce  
136 | 
137 | 
138 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/manifests/nodes.pp:
--------------------------------------------------------------------------------
 1 | node basenode {
 2 | # These values will need to be changed to reflect your environment
 3 |     $domain_name           	 = 'domain_name'
 4 |     $source_ip             	 = 'xxx.xxx.xxx.xxx'
 5 |     $source_hostname       	 = 'source_hostname'
 6 |     $journalist_ip         	 = 'xxx.xxx.xxx.xxx'
 7 |     $journalist_hostname   	 = 'journalist_hostname'
 8 |     $monitor_ip            	 = 'xxx.xxx.xxx.xxx'
 9 |     $monitor_hostname      	 = 'monitor_hostname'
10 |     $admin_intVPN_ip             = 'xxx.xxx.xxx.xxx'
11 |     $admin_intVPN_hostname       = 'intVPN'
12 |     $journalist_intVPN_ip        = 'xxx.xxx.xxx.xxx'
13 |     $journalist_intVPN_hostname  = 'intVPN'
14 |     $intFWlogs_ip           	 = 'xxx.xxx.xxx.xxx'
15 |     $intFWlogs_hostname    	 = 'intFWlogs'
16 |     $puppetmaster_hostname 	 = 'monitor'
17 |     $app_gpg_pub_key       	 = 'journalist.acs' 
18 |     $hmac_secret           	 = 'long random value'
19 |     $app_gpg_fingerprint   	 = 'CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC'
20 |     $mailserver_ip		 = 'smtp_server'
21 |     $ossec_emailto		 = 'email distribution list that includes journalist'
22 | 
23 | # The values in this section do not need to be changed
24 |     $apache_name                 =  'apache2-mpm-worker'
25 |     $apache_user                 =  'www-data'
26 |     $sshfs_user                  =  'www-data'
27 |     $deaddrop_home               =  '/var/www/deaddrop'
28 |     $store_dir                   =  "$deaddrop_home/store"
29 |     $keys_dir                    =  "$deaddrop_home/keys"
30 |     $word_list                   =  "$deaddrop_home/wordlist"
31 |     $source_template_dir         =  "$deaddrop_home/source_templates"
32 |     $journalist_template_dir     =  "$deaddrop_home/journalist_templates"
33 |     $docroot_owner      	 =  "www-data"
34 |     $docroot_group      	 =  "www-data"
35 |     include deaddrop::base
36 | }
37 | 
38 | include ssh::auth
39 | ssh::auth::key { "www-data": }
40 | 
41 | # Ensure you change the host name from "monitor" to it's actual name
42 | node " the monitor servers hostname" inherits basenode {
43 |     include ssh::auth::keymaster
44 |     include deaddrop::monitor
45 | }
46 | 
47 | # Ensure you change the host name from "source" to it's actual name
48 | node " the source servers hostname" inherits basenode {
49 |     user { "www-data": }
50 |     ssh::auth::client { "www-data": home => "/var/www" }
51 |     include deaddrop::source
52 | }
53 | 
54 | # Ensure you change the host name from "journalist" to it's actual name
55 | node " the journalist servers hostname" inherits basenode {
56 |     ssh::auth::server { "www-data": home => "/var/www" }
57 | # temp fix until fix 1737 is applied
58 | #    ssh::auth::server { "www-data": home => "/var/www", options => 'from=\"source\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty' }
59 |     include deaddrop::journalist
60 | }
61 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/manifests/site.pp:
--------------------------------------------------------------------------------
1 | Exec { path => [ "/bin/", "/sbin/" , "/usr/bin/", "/usr/sbin/" ] }
2 | 
3 | # Import node.pp manifest
4 | import 'nodes.pp'
5 | 
6 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/files/common-auth:
--------------------------------------------------------------------------------
 1 | #
 2 | # /etc/pam.d/common-auth - authentication settings common to all services
 3 | #
 4 | # This file is included from other service-specific PAM config files,
 5 | # and should contain a list of the authentication modules that define
 6 | # the central authentication scheme for use on the system
 7 | # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
 8 | # traditional Unix authentication mechanisms.
 9 | #
10 | # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
11 | # To take advantage of this, it is recommended that you configure any
12 | # local modules either before or after the default block, and use
13 | # pam-auth-update to manage selection of other modules.  See
14 | # pam-auth-update(8) for details.
15 | 
16 | # here are the per-package modules (the "Primary" block)
17 | #auth    required                        pam_google_authenticator.so
18 | auth	[success=1 default=ignore]	pam_unix.so nullok_secure
19 | # here's the fallback if no module succeeds
20 | auth	requisite			pam_deny.so
21 | # prime the stack with a positive return value if there isn't one already;
22 | # this avoids us returning an error just because nothing sets a success code
23 | # since the modules above will each just jump around
24 | auth	required			pam_permit.so
25 | # and here are more per-package modules (the "Additional" block)
26 | # end of pam-auth-update config
27 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/files/cron.allow:
--------------------------------------------------------------------------------
1 | root
2 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/files/fuse.conf:
--------------------------------------------------------------------------------
 1 | # Set the maximum number of FUSE mounts allowed to non-root users.
 2 | # The default is 1000.
 3 | #
 4 | #mount_max = 1000
 5 | 
 6 | # Allow non-root users to specify the 'allow_other' or 'allow_root'
 7 | # mount options.
 8 | #
 9 | user_allow_other
10 | 
11 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/files/internal_options.conf:
--------------------------------------------------------------------------------
  1 | # internal_options.conf, Daniel B. Cid (dcid @ ossec.net).
  2 | #
  3 | # DO NOT TOUCH THIS FILE. The default configuration
  4 | # is at ossec.conf. More information at:
  5 | # http://www.ossec.net/en/manual.html
  6 | #
  7 | # This file should be handled with care. It contain
  8 | # run time modifications that can affect the use
  9 | # of ossec. Only change it if you know what you
 10 | # are doing. Again, look first at ossec.conf
 11 | # for most of the things you want to change.
 12 | 
 13 | 
 14 | # Analysisd default rule timeframe.
 15 | analysisd.default_timeframe=360
 16 | # Analysisd stats maximum diff.
 17 | analysisd.stats_maxdiff=25000
 18 | # Analysisd stats minimum diff.
 19 | analysisd.stats_mindiff=250
 20 | # Analysisd stats percentage (how much to differ from average)
 21 | analysisd.stats_percent_diff=30
 22 | # Analysisd FTS list size.
 23 | analysisd.fts_list_size=32
 24 | # Analysisd FTS minimum string size.    
 25 | analysisd.fts_min_size_for_str=14
 26 | # Analysisd Enable the firewall log (at logs/firewall/firewall.log)
 27 | # 1 to enable, 0 to disable.
 28 | analysisd.log_fw=1
 29 | 
 30 | 
 31 | # Logcollector file loop timeout (check every 2 seconds for file changes)
 32 | logcollector.loop_timeout=2
 33 | 
 34 | # Logcollector number of attempts to open a log file.
 35 | logcollector.open_attempts=8
 36 | 
 37 | 
 38 | # Remoted counter io flush.
 39 | remoted.recv_counter_flush=128
 40 | 
 41 | # Remoted compression averages printout.
 42 | remoted.comp_average_printout=19999
 43 | 
 44 | # Verify msg id (set to 0 to disable it)
 45 | remoted.verify_msg_id=1
 46 | 
 47 | 
 48 | # Maild strict checking (0=disabled, 1=enabled)
 49 | maild.strict_checking=1
 50 | 
 51 | # Maild grouping (0=disabled, 1=enabled)
 52 | # Groups alerts within the same e-mail.
 53 | maild.groupping=1
 54 | 
 55 | # Maild full subject (0=disabled, 1=enabled)
 56 | maild.full_subject=1
 57 | 
 58 | 
 59 | # Monitord day_wait. Ammount of seconds to wait before compressing/signing
 60 | # the files.
 61 | monitord.day_wait=10
 62 | 
 63 | # Monitord compress. (0=do not compress, 1=compress)
 64 | monitord.compress=1
 65 | 
 66 | # Monitord sign. (0=do not sign, 1=sign)
 67 | monitord.sign=1
 68 | 
 69 | # Monitord monitor_agents. (0=do not monitor, 1=monitor)
 70 | monitord.monitor_agents=1
 71 | 
 72 | 
 73 | # Syscheck checking/usage speed. To avoid large cpu/memory
 74 | # usage, you can specify how much to sleep after generating
 75 | # the checksum of X files. The default is to sleep 2 seconds
 76 | # after reading 15 files.
 77 | syscheck.sleep=2
 78 | syscheck.sleep_after=15
 79 | 
 80 | 
 81 | # Database - maximum number of reconnect attempts
 82 | dbd.reconnect_attempts=10
 83 | 
 84 | 
 85 | # Debug options.
 86 | # Debug 0 -> no debug
 87 | # Debug 1 -> first level of debug
 88 | # Debug 2 -> full debugging
 89 | 
 90 | # Windows debug (used by the windows agent)
 91 | windows.debug=0
 92 | 
 93 | # Syscheck (local, server and unix agent)
 94 | syscheck.debug=0
 95 | 
 96 | # Remoted (server debug)
 97 | remoted.debug=0
 98 | 
 99 | # Analysisd (server or local)
100 | analysisd.debug=0
101 | 
102 | # Log collector (server, local or unix agent)
103 | logcollector.debug=0
104 | 
105 | # Unix agentd
106 | agent.debug=0
107 | 
108 | 
109 | # EOF
110 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/files/mountsshfs:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | 
  3 | ## http://ubuntuforums.org/showthread.php?t=430312
  4 | ## The script will attempt to mount any fstab entry with an option
  5 | ## "...,comment=$SELECTED_STRING,..."
  6 | ## Use this to select specific sshfs mounts rather than all of them.
  7 | SELECTED_STRING="sshfs"
  8 | 
  9 | # Not for loopback
 10 | [ "$IFACE" != "lo" ] || exit 0
 11 | 
 12 | ## define a number of useful functions
 13 | 
 14 | ## returns true if input contains nothing but the digits 0-9, false otherwise
 15 | ## so realy, more like isa_positive_integer 
 16 | isa_number () {
 17 |     ! echo $1 | egrep -q '[^0-9]'
 18 |     return $?
 19 | }
 20 | 
 21 | ## returns true if the given uid or username is that of the current user
 22 | am_i () {
 23 | 	[ "$1" = "`id -u`" ] || [ "$1" = "`id -un`" ]
 24 | }
 25 | 
 26 | ## takes a username or uid and finds it in /etc/passwd
 27 | ## echoes the name and returns true on success
 28 | ## echoes nothing and returns false on failure 
 29 | user_from_uid () {
 30 |     if isa_number "$1"
 31 |     then
 32 | 		# look for the corresponding name in /etc/passwd
 33 |     	local IFS=":"
 34 |     	while read name x uid the_rest
 35 |     	do
 36 |         	if [ "$1" = "$uid" ]
 37 | 			then 
 38 | 				echo "$name"
 39 | 				return 0
 40 | 			fi
 41 |     	done </etc/passwd
 42 |     else
 43 |     	# look for the username in /etc/passwd
 44 |     	if grep -q "^${1}:" /etc/passwd
 45 |     	then
 46 |     		echo "$1"
 47 |     		return 0
 48 |     	fi
 49 |     fi
 50 |     # if nothing was found, return false
 51 |    	return 1
 52 | }
 53 | 
 54 | ## Parses a string of comma-separated fstab options and finds out the 
 55 | ## username/uid assigned within them. 
 56 | ## echoes the found username/uid and returns true if found
 57 | ## echoes "root" and returns false if none found
 58 | uid_from_fs_opts () {
 59 | 	local uid=`echo $1 | egrep -o 'uid=[^,]+'`
 60 | 	if [ -z "$uid" ]; then
 61 | 		# no uid was specified, so default is root
 62 | 		echo "root"
 63 | 		return 1
 64 | 	else
 65 | 		# delete the "uid=" at the beginning
 66 | 		uid_length=`expr length $uid - 3`
 67 | 		uid=`expr substr $uid 5 $uid_length`
 68 | 		echo $uid
 69 | 		return 0
 70 | 	fi
 71 | }
 72 | 
 73 | # unmount all shares first
 74 | sh "/etc/network/if-down.d/umountsshfs"
 75 | 
 76 | while read fs mp type opts dump pass extra
 77 | do
 78 |     # check validity of line
 79 |     if [ -z "$pass" -o -n "$extra" -o "`expr substr ${fs}x 1 1`" = "#" ]; 
 80 |     then
 81 |         # line is invalid or a comment, so skip it
 82 |         continue
 83 |     
 84 |     # check if the line is a selected line
 85 |     elif echo $opts | grep -q "comment=$SELECTED_STRING"; then
 86 |     	
 87 |     	# get the uid of the mount
 88 |         mp_uid=`uid_from_fs_opts $opts`
 89 |         
 90 |         if am_i "$mp_uid"; then
 91 | 			# current user owns the mount, so mount it normally
 92 | 			{ sh -c "mount $mp" && 
 93 | 				echo "$mp mounted as current user (`id -un`)" || 
 94 | 				echo "$mp failed to mount as current user (`id -un`)"; 
 95 | 			} &
 96 | 		elif am_i root; then
 97 | 			# running as root, so sudo mount as user
 98 | 			if isa_number "$mp_uid"; then
 99 | 				# sudo wants a "#" sign icon front of a numeric uid
100 | 				mp_uid="#$mp_uid"
101 | 			fi 
102 | 			{ sudo -u "$mp_uid" sh -c "mount $mp" && 
103 | 				echo "$mp mounted as $mp_uid" || 
104 | 				echo "$mp failed to mount as $mp_uid"; 
105 | 			} &
106 | 		else
107 | 			# otherwise, don't try to mount another user's mount point
108 | 			echo "Not attempting to mount $mp as other user $mp_uid"
109 | 		fi
110 |     fi
111 |     # if not an sshfs line, do nothing
112 | done </etc/fstab
113 | 
114 | wait
115 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/files/ossec_rules.xml:
--------------------------------------------------------------------------------
  1 | <!-- @(#) $Id$
  2 |   -  Official ossec rules for OSSEC.
  3 |   -
  4 |   -  Copyright (C) 2009 Trend Micro Inc.
  5 |   -  All rights reserved.
  6 |   -
  7 |   -  This program is a free software; you can redistribute it
  8 |   -  and/or modify it under the terms of the GNU General Public
  9 |   -  License (version 2) as published by the FSF - Free Software
 10 |   -  Foundation.
 11 |   -
 12 |   -  License details: http://www.ossec.net/en/licensing.html
 13 |   -->
 14 | 
 15 | 
 16 | 
 17 | <group name="ossec,">
 18 |   <rule id="500" level="0">
 19 |     <category>ossec</category>
 20 |     <decoded_as>ossec</decoded_as>
 21 |     <description>Grouping of ossec rules.</description>
 22 |   </rule>
 23 |   
 24 |   <rule id="501" level="3">
 25 |     <if_sid>500</if_sid>
 26 |     <if_fts />
 27 |     <options>alert_by_email</options>
 28 |     <match>Agent started</match>
 29 |     <description>New ossec agent connected.</description>
 30 |   </rule>
 31 |   
 32 |   <rule id="502" level="3">
 33 |     <if_sid>500</if_sid>
 34 |     <options>alert_by_email</options>
 35 |     <match>Ossec started</match>
 36 |     <description>Ossec server started.</description>
 37 |   </rule>
 38 | 
 39 |   <rule id="503" level="3">
 40 |     <if_sid>500</if_sid>
 41 |     <options>alert_by_email</options>
 42 |     <match>Agent started</match>
 43 |     <description>Ossec agent started.</description>
 44 |   </rule>
 45 | 
 46 |   <rule id="504" level="3">
 47 |     <if_sid>500</if_sid>
 48 |     <options>alert_by_email</options>
 49 |     <match>Agent disconnected</match>
 50 |     <description>Ossec agent disconnected.</description>
 51 |   </rule>
 52 |   
 53 |   <rule id="509" level="0">
 54 |     <category>ossec</category>
 55 |     <decoded_as>rootcheck</decoded_as>
 56 |     <description>Rootcheck event.</description>
 57 |     <group>rootcheck,</group>
 58 |   </rule>
 59 | 
 60 |   <rule id="510" level="7">
 61 |     <if_sid>509</if_sid>
 62 |     <description>Host-based anomaly detection event (rootcheck).</description>
 63 |     <group>rootcheck,</group>
 64 |     <if_fts />
 65 |   </rule>
 66 | 
 67 |   <rule id="511" level="0">
 68 |     <if_sid>510</if_sid>
 69 |     <match>^NTFS Alternate data stream found</match>
 70 |     <regex>Thumbs.db:encryptable'.|:Zone.Identifier'.|</regex>
 71 |     <regex>Exchsrvr/Mailroot/vsi</regex>
 72 |     <description>Ignored common NTFS ADS entries.</description>
 73 |     <group>rootcheck,</group>
 74 |   </rule>
 75 | 
 76 |   <rule id="512" level="3">
 77 |     <if_sid>510</if_sid>
 78 |     <match>^Windows Audit</match>
 79 |     <description>Windows Audit event.</description>
 80 |     <group>rootcheck,</group>
 81 |   </rule>
 82 |   
 83 |   <rule id="513" level="9">
 84 |     <if_sid>510</if_sid>
 85 |     <match>^Windows Malware</match>
 86 |     <description>Windows malware detected.</description>
 87 |     <group>rootcheck,</group>
 88 |   </rule>
 89 |   
 90 |   <rule id="514" level="2">
 91 |     <if_sid>510</if_sid>
 92 |     <match>^Application Found</match>
 93 |     <description>Windows application monitor event.</description>
 94 |     <group>rootcheck,</group>
 95 |   </rule>
 96 | 
 97 |   <rule id="515" level="0">
 98 |     <if_sid>510</if_sid>
 99 |     <match>^Starting rootcheck scan|^Ending rootcheck scan.|</match>
100 |     <match>^Starting syscheck scan|^Ending syscheck scan.</match>
101 |     <description>Ignoring rootcheck/syscheck scan messages.</description>
102 |     <group>rootcheck,syscheck</group>
103 |   </rule>
104 | 
105 |   <rule id="516" level="3">
106 |     <if_sid>510</if_sid>
107 |     <match>^System Audit</match>
108 |     <description>System Audit event.</description>
109 |     <group>rootcheck,</group>
110 |   </rule>
111 |   
112 |   <rule id="518" level="9">
113 |     <if_sid>514</if_sid>
114 |     <match>Adware|Spyware</match>
115 |     <description>Windows Adware/Spyware application found.</description>
116 |     <group>rootcheck,</group>
117 |   </rule>
118 | 
119 |   <!-- Process monitoring rules -->
120 |   <rule id="530" level="0">
121 |     <if_sid>500</if_sid>
122 |     <match>^ossec: output: </match>
123 |     <description>OSSEC process monitoring rules.</description>
124 |     <group>process_monitor,</group>
125 |   </rule>
126 | 
127 |   <rule id="531" level="7" ignore="7200">
128 |     <if_sid>530</if_sid>
129 |     <match>ossec: output: 'df -h': /dev/</match>
130 |     <regex>100%|80%|85%|90%|95%</regex>
131 |     <description>Partition usage reached is at a high percentage please investigate (disk space monitor).</description>
132 |     <group>low_diskspace,</group>
133 |   </rule>
134 | 
135 |   <rule id="150001" level="9">
136 |     <if_sid>530</if_sid>
137 |     <match>ossec: output: 'netstat -tuln'</match>
138 |     <check_diff />
139 |     <description>Listened ports have changed.</description>
140 |     <options>alert_by_email</options>
141 |   </rule>
142 | 
143 |   <rule id="140123" level="7">
144 |     <if_sid>530</if_sid>
145 |     <match>ossec: output: 'netstat -tuan'</match>
146 |     <check_diff />
147 |     <description>Established ports have changed.</description>
148 |     <options>alert_by_email</options>
149 |   </rule>
150 | 
151 |   <rule id="532" level="0">
152 |     <if_sid>531</if_sid>
153 |     <match>cdrom|/media|usb|/mount|floppy|dvd</match>
154 |     <description>Ignoring external medias.</description> 
155 |   </rule>
156 |   
157 |   <rule id="550" level="7">
158 |     <category>ossec</category>
159 |     <decoded_as>syscheck_integrity_changed</decoded_as>
160 |     <description>Integrity checksum changed.</description>
161 |     <group>syscheck,</group>
162 |   </rule>
163 |   
164 |   <rule id="551" level="7">
165 |     <category>ossec</category>
166 |     <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
167 |     <description>Integrity checksum changed again (2nd time).</description>
168 |     <group>syscheck,</group>
169 |   </rule>
170 |   
171 |   <rule id="552" level="7">
172 |     <category>ossec</category>
173 |     <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
174 |     <description>Integrity checksum changed again (3rd time).</description>
175 |     <group>syscheck,</group>
176 |   </rule>
177 |   
178 |   <rule id="553" level="7">
179 |     <category>ossec</category>
180 |     <decoded_as>syscheck_deleted</decoded_as>
181 |     <description>File deleted. Unable to retrieve checksum.</description>
182 |     <group>syscheck,</group>
183 |   </rule>
184 |   
185 |   <rule id="554" level="0">
186 |     <category>ossec</category>
187 |     <decoded_as>syscheck_new_entry</decoded_as>
188 |     <description>File added to the system.</description>
189 |     <group>syscheck,</group>
190 |   </rule>
191 | 
192 |   <rule id="555" level="7">
193 |     <if_sid>500</if_sid>
194 |     <match>^ossec: agentless: </match>
195 |     <description>Integrity checksum for agentless device changed.</description>
196 |     <group>syscheck,agentless</group>
197 |   </rule>
198 | 
199 |   <!-- Hostinfo rules -->  
200 |   <rule id="580" level="8">
201 |     <category>ossec</category>
202 |     <decoded_as>hostinfo_modified</decoded_as>
203 |     <description>Host information changed.</description>
204 |     <group>hostinfo,</group>
205 |   </rule>
206 |   
207 |   <rule id="581" level="8">
208 |     <category>ossec</category>
209 |     <decoded_as>hostinfo_new</decoded_as>
210 |     <description>Host information added.</description>
211 |     <group>hostinfo,</group>
212 |   </rule>
213 | 
214 | 
215 |   <!-- File rotation/reducded rules -->
216 |   <rule id="591" level="3">
217 |     <if_sid>500</if_sid>
218 |     <match>^ossec: File rotated </match>
219 |     <description>Log file rotated.</description>
220 |   </rule>
221 |   
222 |   <rule id="592" level="8">
223 |     <if_sid>500</if_sid>
224 |     <match>^ossec: File size reduced</match>
225 |     <description>Log file size reduced.</description>
226 |     <group>attacks,</group>
227 |   </rule>
228 | 
229 |   <rule id="593" level="9">
230 |     <if_sid>500</if_sid>
231 |     <match>^ossec: Event log cleared</match>
232 |     <description>Microsoft Event log cleared.</description>
233 |     <group>logs_cleared,</group>
234 |   </rule>
235 | 
236 | <!-- active response rules
237 | Example:
238 | Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
239 | -->
240 | 
241 | <rule id="600" level="0">
242 |     <decoded_as>ar_log</decoded_as>
243 |     <description>Active Response Messages Grouped</description>
244 |     <group>active_response,</group>
245 |   </rule>
246 | 
247 |   <rule id="601" level="3">
248 |     <if_sid>600</if_sid>
249 |     <action>firewall-drop.sh</action>
250 |     <status>add</status>
251 |     <description>Host Blocked by firewall-drop.sh Active Response</description>
252 |     <group>active_response,</group>
253 |   </rule>
254 | 
255 |   <rule id="602" level="3">
256 |     <if_sid>600</if_sid>
257 |     <action>firewall-drop.sh</action>
258 |     <status>delete</status>
259 |     <description>Host Unblocked by firewall-drop.sh Active Response</description>
260 |     <group>active_response,</group>
261 |   </rule>
262 | 
263 |   <rule id="603" level="3">
264 |     <if_sid>600</if_sid>
265 |     <action>host-deny.sh</action>
266 |     <status>add</status>
267 |     <description>Host Blocked by host-deny.sh Active Response</description>
268 |     <group>active_response,</group>
269 |   </rule>
270 | 
271 |   <rule id="604" level="3">
272 |     <if_sid>600</if_sid>
273 |     <action>host-deny.sh</action>
274 |     <status>delete</status>
275 |     <description>Host Unblocked by host-deny.sh Active Response</description>
276 |     <group>active_response,</group>
277 |   </rule>
278 | 
279 |   <rule id="605" level="3">
280 |     <if_sid>600</if_sid>
281 |     <action>route-null.sh</action>
282 |     <status>add</status>
283 |     <description>Host Blocked by route-null.sh Active Response</description>
284 |     <group>active_response,</group>
285 |   </rule>
286 | 
287 |   <rule id="606" level="3">
288 |     <if_sid>600</if_sid>
289 |     <action>route-null.sh</action>
290 |     <status>delete</status>
291 |     <description>Host Unblocked by route-null.sh Active Response</description>
292 |     <group>active_response,</group>
293 |   </rule>
294 | 
295 | </group> <!-- OSSEC -->
296 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/files/ssh_config:
--------------------------------------------------------------------------------
1 | Host *
2 | Port 22
3 | Protocol 2
4 |     SendEnv LANG LC_*
5 |     HashKnownHosts yes
6 |     GSSAPIAuthentication yes
7 |     GSSAPIDelegateCredentials no
8 | 
9 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/files/sysctl.conf:
--------------------------------------------------------------------------------
 1 | # Following 11 lines added by CISecurity Benchmark sec 5.1
 2 | net.ipv4.tcp_max_syn_backlog = 4096
 3 | net.ipv4.tcp_syncookies=1
 4 | net.ipv4.conf.all.rp_filter = 1
 5 | net.ipv4.conf.all.accept_source_route = 0
 6 | net.ipv4.conf.all.accept_redirects = 0
 7 | net.ipv4.conf.all.secure_redirects = 0
 8 | net.ipv4.conf.default.rp_filter = 1
 9 | net.ipv4.conf.default.accept_source_route = 0
10 | net.ipv4.conf.default.accept_redirects = 0
11 | net.ipv4.conf.default.secure_redirects = 0
12 | net.ipv4.icmp_echo_ignore_broadcasts = 1
13 | #
14 | # Following 3 lines added by CISecurity Benchmark sec 5.2
15 | net.ipv4.ip_forward = 0
16 | net.ipv4.conf.all.send_redirects = 0
17 | net.ipv4.conf.default.send_redirects = 0
18 | #
19 | # Following 3 lines were added to disable IPv6 per CIS Debian
20 | net.ipv6.conf.all.disable_ipv6 = 1
21 | net.ipv6.conf.default.disable_ipv6 = 1
22 | net.ipv6.conf.lo.disable_ipv6 = 1
23 | 
24 | # Grsecurity Kernel related configs
25 | 
26 | #kernel.grsecurity.disable_modules = 1
27 | #kernel.grsecurity.grsec.lock = 1
28 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/files/umountsshfs:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | ## http://ubuntuforums.org/showthread.php?t=430312
 3 | 
 4 | # Not for loopback!
 5 | [ "$IFACE" != "lo" ] || exit 0
 6 | 
 7 | # comment this for testing
 8 | exec 1>/dev/null # squelch output for non-interactive
 9 | 
10 | # umount all sshfs mounts
11 | mounted=`grep 'fuse.sshfs\|sshfs#' /etc/mtab | awk '{ print $2 }'`
12 | [ -n "$mounted" ] && { for mount in $mounted; do umount -l $mount; done; }
13 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/.source.pp.swp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/deaddrop/DeadDropDocs/bef1a6d8c76d09b22bdd8f4ad70b97dadefefb02/deaddrop_puppet/modules/deaddrop/manifests/.source.pp.swp


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/apache_config.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::apache_config {
 2 |     file { '/etc/apache2/conf.d/other-vhosts-access-log':
 3 |         ensure => 'absent',
 4 |     }
 5 | 
 6 |     file { '/var/www/index.html':
 7 |         ensure => 'absent',
 8 |     }
 9 | 
10 |     file { 'ports.conf':
11 |         ensure => file,
12 |         path => '/etc/apache2/ports.conf',
13 |         content => template("deaddrop/ports.conf.erb"),
14 |         owner => 'root',
15 |         group => 'root',
16 |         mode => '0644',
17 |     }
18 | 
19 |     file { 'apache2.conf':
20 |         ensure => file,
21 |         path => '/etc/apache2/apache2.conf',
22 |         content => template("deaddrop/apache2.conf.erb"),
23 |         owner => 'root',
24 |         group => 'root',
25 |         mode => '0644',
26 |     }
27 | 
28 |     file { 'security':
29 |         ensure => file,
30 |         path => '/etc/apache2/conf.d/security',
31 |         content => template("deaddrop/security.erb"),
32 |         owner => 'root',
33 |         group => 'root',
34 |         mode => '0644',
35 |     }
36 | 
37 | }
38 | 
39 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/apparmor.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::apparmor {
 2 |     $dependents = [ "apparmor", "libapache2-mod-apparmor", "apparmor-profiles", "apparmor-utils", "dh-apparmor", "libpam-apparmor", "python-libapparmor", "libapparmor1", "libapparmor-perl"]
 3 |  
 4 |     package { $dependents: ensure => "installed" }
 5 | 
 6 |     file { '/etc/apparmor.d':
 7 |       ensure => directory,
 8 |       recurse => true,
 9 |       path => '/etc/apparmor.d',
10 |       source => "puppet:///modules/deaddrop/${my_role}_apparmor",
11 |       owner => 'root',
12 |       group => 'root',
13 |       mode => '0644',
14 |     }
15 | 
16 |     a2mod { "apparmor": ensure => 'present'}
17 |     exec { "a2enmod apparmor":
18 |         user => 'root',
19 |         group => 'root',
20 |     }
21 | }
22 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/base.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::base {
 2 |     include ntp
 3 |     include gnupg2
 4 |     include secure_delete
 5 |     include sysstat
 6 |     include deaddrop::ssh
 7 |     include deaddrop::iptables_v4
 8 |     include deaddrop::sysctl
 9 |     include deaddrop::restricted_pw_files
10 | #    include deaddrop::remove_pcmcia
11 |     include deaddrop::cron_allow
12 |     include deaddrop::crontab
13 | 
14 |     package { "syslog-ng": ensure => installed}   
15 |     package { "libpam-google-authenticator": ensure => installed}
16 | }
17 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/cron_allow.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::cron_allow {
 2 |     file { "/etc/cron.allow":
 3 |        ensure => file,
 4 |        source => "puppet:///modules/deaddrop/cron.allow",
 5 |        mode => '0400',
 6 |     }
 7 | 
 8 |     file { "/etc/cron.deny":
 9 |        ensure => absent,
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/crontab.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::crontab {
 2 |     file { "/etc/crontab":
 3 |         ensure => present,
 4 |         mode => '0400',
 5 |     }
 6 | 
 7 |     file { "/var/spool/cron":
 8 |         ensure => directory,
 9 |         recurse => true,
10 |         mode => '0700',
11 |     }
12 | }
13 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/hosts_file.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::hosts_file {
 2 |     file { "/etc/hosts":
 3 |         ensure => file,
 4 |         path => "/etc/hosts",
 5 |         content => template("deaddrop/hosts.erb"),
 6 |         owner => 'root',
 7 |         group => 'root',
 8 |         mode => '0644',
 9 |     }
10 | }
11 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/init.pp:
--------------------------------------------------------------------------------
1 | class deaddrop {   
2 |     include deaddrop::params
3 | }
4 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/iptables_v4.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::iptables_v4 {
 2 |     $dependents = [ "iptables" ] 
 3 |     package { $dependents: ensure => "installed" }
 4 | 
 5 |     file {'/etc/iptables':
 6 |         ensure => directory,
 7 |         owner => 'root',
 8 |         group => 'root',
 9 |     }
10 | 
11 |     file {'/etc/iptables/rules_v4':
12 |         ensure => file,
13 |         content => template("deaddrop/iptables_v4.erb"),
14 |         owner => 'root',
15 |         group => 'root',
16 |         mode => '0644',
17 |         require => Package[$dependents],
18 |     }
19 |   
20 |     exec { 'iptables-restore < /etc/iptables/rules_v4':
21 |         cwd => '/etc/iptables',
22 |         path => [ "/bin/", "/sbin/" , "/usr/bin/", "/usr/sbin/" ],
23 |         user => 'root',
24 |         group => 'root',
25 |         subscribe => File['/etc/iptables/rules_v4'],
26 |         refreshonly => true,
27 |     }
28 | }
29 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/journalist.pp:
--------------------------------------------------------------------------------
  1 | class deaddrop::journalist {
  2 |     $my_role   		= 'journalist'
  3 |     $ossec_role = 'agent'
  4 |     $enable_mods        = 'ssl wsgi'
  5 |     $disabled_mods = 'auth_basic authn_file autoindex cgid env setenvif status'
  6 | 
  7 |     include git
  8 |     include rng_tools
  9 |     include deaddrop::hosts_file
 10 |     include deaddrop::tcp_wrappers
 11 |     include apache
 12 |     include apache::ssl
 13 |     include apache::mod::wsgi
 14 |     include deaddrop::sshfs
 15 |     include deaddrop::python_gnupg
 16 |     include deaddrop::apache_config
 17 |     include deaddrop::ossec_agents
 18 | #    include deaddrop::apparmor
 19 | 
 20 |     a2mod { "$disabled_mods": ensure => 'absent' }
 21 | # Having and issue with puppetlabs a2mod define not working
 22 |     exec { "a2enmod $enable_mods":
 23 |         user => 'root',
 24 |         group => 'root',
 25 |         logoutput => 'true',
 26 |     }
 27 | 
 28 |     exec { "a2dismod $disabled_mods":
 29 |         user => 'root',
 30 |         group => 'root',
 31 |         logoutput => 'true',
 32 |     }
 33 | 
 34 |     file {"/var/www":
 35 |         ensure => directory,
 36 |         owner => "$apache_user",
 37 |         group => "$apache_user",
 38 |         mode => "0600",
 39 |     }
 40 | 
 41 | 
 42 |     apache::vhost::redirect { "$journalist_ip":
 43 |        port => '80',
 44 |        dest => "https://$journalist_hostname.$domain_name",
 45 |        vhost_name => $journalist_ip,
 46 |     }
 47 | 
 48 |     apache::vhost { "ssl_$journalist_ip":
 49 |        priority => '25',
 50 |        vhost_name => $journalist_ip,
 51 |        port => '443',
 52 |        servername => "$journalist_hostname.$domain_name",
 53 |        serveraliases => "www.$journalist_hostname.$domain_name",
 54 |        docroot => "$deaddrop_home/static",
 55 |        options => 'None',
 56 |        template => 'deaddrop/vhost-deaddrop-ssl.conf.erb',
 57 |     #   before => File["$deaddrop_home"],
 58 |     }
 59 | 
 60 | #    vcsrepo { "$deaddrop_home":
 61 | #        ensure => present,
 62 | #        provider => git,
 63 | #        source => 'git://github.com/deaddrop/deaddrop.git',
 64 | #        before => File["$deaddrop_home/store"],
 65 | #    }
 66 | 
 67 |     file { "$deaddrop_home":
 68 |         ensure => directory,
 69 |         recurse => true,
 70 |         owner => "$apache_user",
 71 |         group => "$apache_user",
 72 |         mode => '0600',
 73 |         source => "puppet:///modules/deaddrop/deaddrop",
 74 |         before => File["$deaddrop_home/store"],
 75 |     }
 76 | 
 77 |     file {"$deaddrop_home/store":
 78 |         ensure => directory,
 79 |         owner => "$apache_user",
 80 |         group => "$apache_user",
 81 |         mode => "0700",
 82 |         before => File["$deaddrop_home/keys"],
 83 |     }
 84 | 
 85 |     file {"$deaddrop_home/keys":
 86 |         ensure => directory,
 87 |         owner => "$apache_user",
 88 |         group => "$apache_user",
 89 |         mode => "0700",
 90 |         before => File["$deaddrop_home/config.py"],
 91 |     }
 92 | 
 93 |     file { "$deaddrop_home/config.py":
 94 |         ensure => file,
 95 |         owner => "$apache_user",
 96 |         group => "$apache_user",
 97 |         mode => '0600',
 98 |         content => template("deaddrop/config.py.erb"),
 99 |         before => File["$deaddrop_home/web"],
100 |     }
101 | 
102 |     vcsrepo { "$deaddrop_home/webpy":
103 |         ensure => present,
104 |         provider => git,
105 |         source => 'git://github.com/webpy/webpy.git',
106 |         before => File["$deaddrop_home/web"],
107 |     }
108 |  
109 |     exec { "git clone git://github.com/webpy/webpy.git":
110 |         cwd => '/var/www/deaddrop/',
111 |         user => "$apache_user",
112 |         group => "$apache_user",
113 |     }
114 | 
115 |     file { "$deaddrop_home/web":
116 |         ensure => 'link',
117 |         target => "$deaddrop_home/webpy/web",
118 |         owner => "$apache_user",
119 |         group => "$apache_user",
120 |     }
121 | 
122 |     file { "/etc/ssl/journalist_certs/":
123 |         ensure => directory,
124 |         recurse => true,
125 |         owner => 'root',
126 |         group => 'root',
127 |         mode => '0400',
128 |         source => "puppet:///modules/deaddrop/journalist_certs/",
129 |     }
130 | 
131 |     file { "/var/www/$app_gpg_pub_key":
132 |         ensure => file,
133 |         owner => "$apache_user",
134 |         group => "$apache_user",
135 |         mode => '0700',
136 |         source => "puppet:///modules/deaddrop/${app_gpg_pub_key}",
137 |     }
138 | 
139 |     exec {"import_key":
140 |         command => "gpg2 --homedir $keys_dir --import /var/www/$app_gpg_pub_key",
141 |         cwd => $keys_dir,
142 |         user => $apache_user,
143 |         group => $apache_user,
144 |         subscribe => File["/var/www/$app_gpg_pub_key"],
145 |         refreshonly => true,
146 |     }
147 | 
148 |     file { "/var/www/deaddrop/static":
149 |         ensure => present,
150 |         owner => "$apache_user",
151 |         group => "$apache_user",
152 |         mode => '0700',
153 |     }
154 | }
155 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/monitor.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::monitor {
 2 |     $my_role = 'monitor'
 3 |     $ossec_role = 'server'
 4 | 
 5 |     include deaddrop::hosts_file
 6 |     include deaddrop::tcp_wrappers
 7 |     include deaddrop::ossec_server
 8 | #    include deaddrop::apparmor  
 9 | }
10 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/ossec_agents.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::ossec_agents {
 2 |     file { 'ossec.conf':
 3 |       ensure => file,
 4 |       path => '/var/ossec/etc/ossec.conf',
 5 |       content => template("deaddrop/$my_role.ossec.conf.erb"),
 6 |       owner => 'root',
 7 |       group => 'ossec',
 8 |       mode => '0550',
 9 |     }
10 | }
11 | 
12 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/ossec_server.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::ossec_server {
 2 |     file { 'ossec.conf':
 3 |       ensure => file,
 4 |       path => '/var/ossec/etc/ossec.conf',
 5 |       content => template("deaddrop/monitor.ossec.conf.erb"),
 6 |       owner => 'root',
 7 |       group => 'ossec',
 8 |       mode => '0550',
 9 |     }
10 | 
11 |     file { 'ossec_rules.xml':
12 |       ensure => file,
13 |       path => '/var/ossec/rules/ossec_rules.xml',
14 |       source => 'puppet:///modules/deaddrop/ossec_rules.xml',
15 |       owner => 'root',
16 |       group => 'ossec',
17 |       mode => '0550',
18 |     }
19 | 
20 |     file { 'internal_options.conf':
21 |       ensure => file,
22 |       path => '/var/ossec/etc/internal_options.conf',
23 |       source => "puppet:///modules/deaddrop/internal_options.conf",
24 |       owner => 'root',
25 |       group => 'ossec',
26 |       mode => '0440',
27 |     }
28 | 
29 |    file { 'ossec-logtest':
30 |       ensure => 'link',
31 |       path => '/var/ossec/bin/ossec-logtest',
32 |       target => '/var/ossec/ossec-logtest',
33 |       owner => 'root',
34 |       group => 'root',
35 |    }
36 | }
37 | 
38 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/python_gnupg.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::python_gnupg {
 2 |    package { 'python-setuptools':
 3 | 	 ensure => "installed" 
 4 |    }
 5 | 
 6 |    exec { 'easy_install https://python-gnupg.googlecode.com/files/python-gnupg-0.2.7.tar.gz':
 7 |         cwd => $deaddrop_home,
 8 |         user => 'root',
 9 |         group => 'root',
10 |         require => Package["python-setuptools"],
11 |         unless => "ls /usr/local/lib/python2.7/dist-packages/python_gnupg-0.2.7-py2.7.egg",
12 |    }
13 | }
14 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/remove_pcmcia.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::remove_pcmcia {
 2 |     package { 'pcmcia-cs':
 3 | 	ensure => absent,
 4 |     }
 5 | 
 6 |     exec { "K=$(uname -a | awk '{print $3}')":
 7 |         cwd => "/root",
 8 |         path => [ "/bin/", "/sbin/" , "/usr/bin/", "/usr/sbin/" ],
 9 |         group => "root",
10 |         user => "root",
11 |        # notify => Exec['aptitude remove kernel-pcmcia-modules-$K'],
12 |     }
13 | 
14 |     exec { 'aptitude remove kernel-pcmcia-modules-$K':
15 |         cwd => "/root",
16 |         path => [ "/bin/", "/sbin/" , "/usr/bin/", "/usr/sbin/" ],
17 |         group => "root",
18 |         user => "root",
19 |        # notify => Exec['aptitude remove pcmcia-modules-$K'],
20 |     }
21 | 
22 |     exec { 'aptitude remove pcmcia-modules-$K':
23 |         cwd => "/root",
24 |         path => [ "/bin/", "/sbin/" , "/usr/bin/", "/usr/sbin/" ],
25 |         group => "root",
26 |         user => "root",
27 |     }
28 | 
29 |     package { 'hotplug':
30 | 	ensure => purged,
31 |     }
32 | }
33 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/restricted_pw_files.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::restricted_pw_files {
 2 |      file { "/etc/passwd":
 3 |          ensure => present,
 4 |          mode => '0644',
 5 |      }
 6 | 
 7 |      file { "/etc/group":
 8 |          ensure => present,
 9 |          mode => '0644',
10 |      }
11 | 
12 |     file { "/etc/shadow":
13 |         ensure => present,
14 |         mode => '0400',
15 |     }
16 | }   
17 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/source.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::source {
 2 |     $my_role    =   'source'
 3 |     $ossec_role = 'agent'
 4 |     $enable_mods   = 'ssl wsgi'
 5 |     $disabled_mods = 'auth_basic authn_file autoindex cgid env setenvif status'
 6 | 
 7 |     include rng_tools
 8 |     include deaddrop::hosts_file
 9 |     include deaddrop::tcp_wrappers
10 |     include apache
11 |     include apache::mod::wsgi
12 |     include deaddrop::source_deaddrop
13 |     include tor::hidden_service
14 |     include deaddrop::sshfs_remote
15 |     include deaddrop::python_gnupg
16 |     include deaddrop::apache_config
17 |     include deaddrop::ossec_agents
18 | #    include deaddrop::apparmor
19 | 
20 |     a2mod { "$disabled_mods": ensure => 'absent' }
21 | 
22 |     a2mod { "$enable_mods": ensure => 'present' }
23 | 
24 |     exec { "a2enmod $enable_mods":
25 |         user => 'root',
26 |         group => 'root',
27 |         logoutput => 'true',
28 |     }
29 | 
30 |     exec { "a2dismod $disabled_mods":
31 |         user => 'root',
32 |         group => 'root',
33 |         logoutput => 'true',
34 |     }
35 | 
36 |     apache::vhost { "127.0.0.1":
37 |        vhost_name => "127.0.0.1",
38 |        port => '8080',
39 |        priority => '15',
40 |        docroot => "$deaddrop_home/static",
41 |        options => 'None',
42 |        template => 'deaddrop/vhost-deaddrop.conf.erb',
43 |     }
44 |     
45 | }
46 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/source_deaddrop.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::source_deaddrop {
 2 |     include git
 3 | 
 4 |     file {"/var/www":
 5 |         ensure => directory,
 6 |         owner => "$apache_user",
 7 |         group => "$apache_user",
 8 |         mode => "0600",
 9 |     }
10 | 
11 |     file {"/var/www/.ssh":
12 |         ensure => directory,
13 |         owner => "$apache_user",
14 |         group => "$apache_user",
15 |         mode => "0600",
16 |     }
17 | 
18 | #    vcsrepo { "$deaddrop_home":
19 | #        ensure => present,
20 | #        provider => git,
21 | #        source => 'git@github.com:deaddrop/deaddrop.git'
22 | #        before => File["$deaddrop_home/store"],
23 | #    }
24 |     file { "$deaddrop_home":
25 |         ensure => directory,
26 |         recurse => true,
27 |         owner => "$apache_user",
28 |         group => "$apache_user",
29 |         mode => '0600',
30 |         source => "puppet:///modules/deaddrop/deaddrop",
31 |         before => File["$deaddrop_home/store"],
32 |     }
33 | 
34 |     file {"$deaddrop_home/store":
35 |         ensure => directory,
36 |         owner => "$apache_user",
37 |         group => "$apache_user",
38 |         mode => "0700",
39 |         before => File["$deaddrop_home/keys"],
40 |     }
41 | 
42 |     file {"$deaddrop_home/keys":
43 |         ensure => directory,
44 |         owner => "$apache_user",
45 |         group => "$apache_user",
46 |         mode => "0700",
47 |         before => File["$deaddrop_home/config.py"],
48 |     }
49 | 
50 |     file { "$deaddrop_home/config.py":
51 |         ensure => file,
52 |         owner => "$apache_user",
53 |         group => "$apache_user",
54 |         mode => '0600',
55 |         content => template("deaddrop/config.py.erb"),
56 | #        before => VCSREPO["$deaddrop_home/webpy"],
57 |     }
58 | 
59 | #    vcsrepo { "$deaddrop_home/webpy":
60 | #        ensure => present,
61 | #        provider => git,
62 | #        source => 'git://github.com/webpy/webpy.git',
63 | #    }
64 |  
65 |     exec { "git clone git://github.com/webpy/webpy.git":
66 |         cwd => '/var/www/deaddrop/',
67 |         user => "$apache_user",
68 |         group => "$apache_user",
69 |     }
70 | 
71 |     file { "$deaddrop_home/web":
72 |         ensure => 'link',
73 |         target => "$deaddrop_home/webpy/web",
74 |         owner => "$apache_user",
75 |         group => "$apache_user",
76 | #        subscribe => Vcsrepo["$deaddrop_home/webpy"],
77 |     }
78 |     file { "$deaddrop_home/static":
79 |         ensure => present,
80 |         owner => "$apache_user",
81 |         group => "$apache_user",
82 |         mode => '0700',
83 |     }
84 | }
85 | 
86 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/ssh.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::ssh {
 2 |     file { "ssh_config":
 3 |         ensure => file,
 4 |         path => "/etc/ssh/ssh_config",
 5 |         source => "puppet:///modules/deaddrop/ssh_config",
 6 |         owner => 'root',
 7 |         group => 'root',
 8 |         mode => '0644',
 9 |     }
10 | 
11 |     file { "sshd_config":
12 |         ensure => file,
13 |         path => "/etc/ssh/sshd_config",
14 |         content => template("deaddrop/sshd_config.erb"),
15 |         owner => 'root',
16 |         group => 'root',
17 |         mode => '0600',
18 |     }
19 | 
20 |     file { "common-auth":
21 |         ensure => file,
22 |         path => "/etc/pam.d/common-auth",
23 |         source => "puppet:///modules/deaddrop/common-auth",
24 |         owner => 'root',
25 |         group => 'root',
26 |         mode => '0644',
27 |     }
28 | }
29 | 
30 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/sshfs.pp:
--------------------------------------------------------------------------------
 1 | # Class: deaddrop::sshfs
 2 | #
 3 | # This class installs sshfs
 4 | #
 5 | # Actions:
 6 | #   - Install the sshfs package
 7 | #
 8 | # Sample Usage:
 9 | #  class { 'deaddrop::sshfs': }
10 | #
11 | class deaddrop::sshfs {
12 |         package { 'sshfs':
13 |         ensure => installed,
14 |         notify => File['fuse.conf'],
15 |     }
16 | 
17 |     file { 'fuse.conf':
18 |         ensure => file,
19 |         path => '/etc/fuse.conf',
20 |         source => "puppet:///modules/deaddrop/fuse.conf",
21 |         owner => 'root',
22 |         group => 'root',
23 |     }
24 | 
25 |     exec { "usermod -a -G fuse $apache_user":
26 |         user => 'root',
27 |         group => 'root',
28 |     } 
29 | 
30 |     file { '/dev/fuse':
31 |         ensure => present,
32 |         owner => 'root',
33 |         group => 'fuse',
34 |     }
35 | 
36 |     exec { "chmod g+rw /dev/fuse":
37 |         user => 'root',
38 |         group => 'root',
39 |     }
40 | }
41 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/sshfs_remote.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::sshfs_remote {
 2 |     include deaddrop::sshfs
 3 | 
 4 |     service { "networking":
 5 |         hasrestart => true,
 6 |         hasstatus => false,
 7 |         restart => "/etc/init.d/networking restart",
 8 |         ensure => running,
 9 |         provider => upstart,
10 |     }
11 | 
12 |     mount { "$store_dir":
13 |         notify => Service["networking"],
14 |         ensure => present,
15 |         device => "sshfs#${apache_user}@${journalist_hostname}:${store_dir}",
16 |         fstype => 'fuse',
17 |         options => 'comment=sshfs,noauto,users,exec,uid=33,gid=33,allow_other,reconnect,transform_symlinks,BatchMode=yes',
18 |         atboot => no,
19 |         remounts => false,
20 |     }
21 | 
22 |     mount { "$keys_dir":
23 |         notify => Service["networking"],
24 |         ensure => present,
25 |         device => "sshfs#${apache_user}@${journalist_hostname}:${keys_dir}",
26 |         fstype => 'fuse',
27 |         options => 'comment=sshfs,noauto,users,exec,uid=33,gid=33,allow_other,reconnect,transform_symlinks,BatchMode=yes',
28 |         atboot => no,
29 |         remounts => false,
30 |     }
31 |   
32 |     file { '/etc/network/if-up.d/mountsshfs':
33 |         ensure => file,
34 |         source => "puppet:///modules/deaddrop/mountsshfs",
35 |         owner => 'root',
36 |         group => 'root',
37 |         mode => '0755',
38 |     }
39 |  
40 |     file { '/etc/network/if-down.d/umountsshfs':
41 |         ensure => file,
42 |         source => "puppet:///modules/deaddrop/umountsshfs",
43 |         owner => 'root',
44 |         group => 'root',
45 |         mode => '0755',
46 |     }
47 | }
48 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/sysctl.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::sysctl {
 2 |     file { "sysctl.conf":
 3 |         ensure => present,
 4 |         path => '/etc/sysctl.conf',
 5 |         source => "puppet:///modules/deaddrop/sysctl.conf",
 6 |         owner => 'root',
 7 |         group => 'root',
 8 |         mode => '0600',
 9 |     }
10 | 
11 |     exec { "sysctl -p":
12 | 	cwd => "/etc/",
13 |         group => 'root',
14 |         user => 'root',
15 |         subscribe => File["sysctl.conf"],
16 |         refreshonly => true,
17 |     }
18 | }
19 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/manifests/tcp_wrappers.pp:
--------------------------------------------------------------------------------
 1 | class deaddrop::tcp_wrappers {
 2 |     file { '/etc/hosts.allow':
 3 |         ensure => file,
 4 | 	path => '/etc/hosts.allow',
 5 |         content => template("deaddrop/hosts.allow.erb"),
 6 |         owner => 'root',
 7 | 	group => 'root',
 8 |         mode => '0644',
 9 |     }
10 | 
11 |     file { '/etc/hosts.deny':
12 |         ensure => file,
13 |         path => '/etc/hosts.deny',
14 |         content => template("deaddrop/hosts.deny.erb"),
15 |         owner => 'root',
16 |         group => 'root',
17 |         mode => '0644',
18 |      }
19 | }
20 | 
21 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/apache2.conf.erb:
--------------------------------------------------------------------------------
 1 | LockFile ${APACHE_LOCK_DIR}/accept.lock
 2 | PidFile ${APACHE_PID_FILE}
 3 | Timeout 300
 4 | KeepAlive On
 5 | MaxKeepAliveRequests 100
 6 | KeepAliveTimeout 5
 7 | <IfModule mpm_worker_module>
 8 |     StartServers          2
 9 |     MinSpareThreads      25
10 |     MaxSpareThreads      75
11 |     ThreadLimit          64
12 |     ThreadsPerChild      25
13 |     MaxClients          150
14 |     MaxRequestsPerChild   0
15 | </IfModule>
16 | User ${APACHE_RUN_USER}
17 | Group ${APACHE_RUN_GROUP}
18 | AccessFileName .htaccess
19 | <Files ~ "^\.ht">
20 |     Order allow,deny
21 |     Deny from all
22 |     Satisfy all
23 | </Files>
24 | DefaultType None
25 | HostnameLookups Off
26 | <% if my_role =='source' -%>
27 | <%= "ErrorLog /dev/null" %>
28 | <%= "LogLevel crit" %>
29 | <% elsif my_role !='source' -%>
30 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
31 | ErrorLog /var/log/apache2/error.log
32 | CustomLog /var/log/apache2/access.log combined
33 | LogLevel info
34 | <% end %>
35 | Include mods-enabled/*.load
36 | Include mods-enabled/*.conf
37 | Include httpd.conf
38 | Include ports.conf
39 | Include conf.d/
40 | Include sites-enabled/
41 | 
42 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/config.py.erb:
--------------------------------------------------------------------------------
1 | HMAC_SECRET = "<%= hmac_secret %>"
2 | GPG_KEY_DIR = "<%= keys_dir %>"
3 | JOURNALIST_KEY = "<%= app_gpg_fingerprint %>"
4 | STORE_DIR = "<%= store_dir %>"
5 | WORD_LIST = "<%= word_list %>"
6 | SOURCE_TEMPLATES_DIR = "<%= source_template_dir %>"
7 | JOURNALIST_TEMPLATES_DIR = "<%= journalist_template_dir %>"
8 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/hosts.allow.erb:
--------------------------------------------------------------------------------
 1 | # /etc/hosts.allow: list of hosts that are allowed to access the system.
 2 | #                   See the manual pages hosts_access(5) and hosts_options(5).
 3 | #
 4 | # Example:    ALL: LOCAL @some_netgroup
 5 | #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
 6 | #
 7 | # If you're going to protect the portmapper use the name "portmap" for the
 8 | # daemon name. Remember that you can only use the keyword "ALL" and IP
 9 | # addresses (NOT host or domain names) for the portmapper, as well as for
10 | # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
11 | # for further information.
12 | #
13 | <% if  journalist_hostname==@hostname %>
14 | <%= "sshd: #{admin_intVPN_ip} #{source_hostname}.#{domain_name}" %>
15 | <% else -%>
16 | <%= "sshd: #{admin_intVPN_ip}" %>
17 | <% end -%>
18 | 
19 | 
20 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/hosts.deny.erb:
--------------------------------------------------------------------------------
 1 | # /etc/hosts.allow: list of hosts that are allowed to access the system.
 2 | #                   See the manual pages hosts_access(5) and hosts_options(5).
 3 | #
 4 | # Example:    ALL: LOCAL @some_netgroup
 5 | #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
 6 | #
 7 | # If you're going to protect the portmapper use the name "portmap" for the
 8 | # daemon name. Remember that you can only use the keyword "ALL" and IP
 9 | # addresses (NOT host or domain names) for the portmapper, as well as for
10 | # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
11 | # for further information.
12 | #
13 | ALL: ALL
14 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/hosts.erb:
--------------------------------------------------------------------------------
 1 | <% if puppetmaster_hostname==@hostname %>
 2 | <%= '127.0.0.1    localhost    puppet' %>
 3 | <% else -%>
 4 | <%= '127.0.0.1    localhost' %><% end %>
 5 | 127.0.1.1       ubuntu
 6 | 
 7 | <%= source_ip -%> <%= source_hostname -%>.<%= domain_name -%> <%= source_hostname %>
 8 | <%= journalist_ip -%> <%= journalist_hostname -%>.<%= domain_name -%> <%= journalist_hostname %>
 9 | <%= monitor_ip -%> <%= monitor_hostname -%>.<%= domain_name -%> <%= monitor_hostname -%> puppet
10 | <%= intFWlogs_ip -%> <%= intFWlogs_hostname %>
11 | <%= journalist_intVPN_ip -%> <%= journalist_intVPN_hostname %>
12 | <%= admin_intVPN_ip -%> <%= admin_intVPN_hostname %>
13 | 
14 | # The following lines are desirable for IPv6 capable hosts
15 | ::1     ip6-localhost ip6-loopback
16 | fe00::0 ip6-localnet
17 | ff00::0 ip6-mcastprefix
18 | ff02::1 ip6-allnodes
19 | ff02::2 ip6-allrouters
20 | 
21 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/iptables_v4.erb:
--------------------------------------------------------------------------------
 1 | <% if monitor_hostname==@hostname %>
 2 | *filter
 3 | :INPUT ACCEPT [655:68085]
 4 | :FORWARD ACCEPT [0:0]
 5 | :LOGNDROP - [0:0]
 6 | :OUTPUT ACCEPT [4829:752680]
 7 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 8 | -A INPUT -s <%= admin_intVPN_ip -%> -p tcp -m tcp --dport 22 -j ACCEPT
 9 | -A INPUT -s <%= source_ip -%> -p udp --dport 1514 -j ACCEPT
10 | -A INPUT -s <%= journalist_ip -%> -p udp --dport 1514 -j ACCEPT
11 | -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp -j ACCEPT
12 | -A INPUT -p tcp -m tcp --dport 8140 -j ACCEPT
13 | -A INPUT -j LOGNDROP
14 | -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied_TCP " --log-level 4
15 | -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied_UDP " --log-level 4
16 | -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied_ICMP " --log-level 4 
17 | -A LOGNDROP -j DROP
18 | COMMIT
19 | <% end %>
20 | 
21 | <% if journalist_hostname==@hostname %>
22 | *filter
23 | :INPUT ACCEPT [655:68085]
24 | :FORWARD ACCEPT [0:0]
25 | :LOGNDROP - [0:0]
26 | :OUTPUT ACCEPT [4829:752680]
27 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
28 | -A INPUT -s <%= admin_intVPN_ip -%> -p tcp -m tcp --dport 22 -j ACCEPT
29 | -A INPUT -s <%= source_ip -%> -p tcp -m tcp --dport 22 -j ACCEPT
30 | -A INPUT -s <%= admin_intVPN_ip -%> -p tcp -m tcp --dport 80 -j ACCEPT
31 | -A INPUT -s <%= admin_intVPN_ip -%> -p tcp -m tcp --dport 443 -j ACCEPT
32 | -A INPUT -s <%= journalist_intVPN_ip -%> -p tcp -m tcp --dport 80 -j ACCEPT
33 | -A INPUT -s <%= journalist_intVPN_ip -%> -p tcp -m tcp --dport 443 -j ACCEPT
34 | -A INPUT -s <%= monitor_ip -%> -p udp --dport 1514 -j ACCEPT
35 | -A INPUT -p tcp -m tcp --dport 8140 -j ACCEPT
36 | -A INPUT -j LOGNDROP
37 | -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied_TCP " --log-level 4
38 | -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied_UDP " --log-level 4
39 | -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied_ICMP " --log-level 4 
40 | -A LOGNDROP -j DROP
41 | COMMIT
42 | <% end %>
43 | 
44 | <% if source_hostname==@hostname %>
45 | *filter
46 | :INPUT ACCEPT [0:0]
47 | :FORWARD ACCEPT [0:0]
48 | :LOGNDROP - [0:0]
49 | :OUTPUT ACCEPT [0:0]
50 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
51 | -A INPUT -s <%= admin_intVPN_ip -%> -p tcp -m tcp --dport 22 -j ACCEPT
52 | -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
53 | -A INPUT -s <%= monitor_ip -%> -p udp --dport 1514 -j ACCEPT
54 | -A INPUT -p tcp -m tcp --dport 8140 -j ACCEPT
55 | -A INPUT -j LOGNDROP
56 | -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied_TCP " --log-level 4
57 | -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied_UDP " --log-level 4
58 | -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied_ICMP " --log-level 4 
59 | -A LOGNDROP -j DROP
60 | COMMIT
61 | <% end %>
62 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/journalist.ossec.conf.erb:
--------------------------------------------------------------------------------
  1 | <ossec_config>
  2 |   <client>
  3 |     <server-ip><%= monitor_ip -%></server-ip>
  4 |   </client>
  5 | 
  6 |   <syscheck>
  7 |     <alert_new_files>yes</alert_new_files>
  8 |     
  9 |     <!-- Directories to check  (perform all possible verifications) -->
 10 |     <directories realtime="yes" check_all="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
 11 |     <directories realtime="yes" check_all="yes" report_changes="yes">/bin,/sbin</directories>
 12 |     <directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec</directories>
 13 |     <directories realtime="yes" check_all="yes" report_changes="yes">/var/www</directories>
 14 | 
 15 |     <!-- Files/directories to ignore -->
 16 |     <ignore>/var/www/keys</ignore>
 17 |     <ignore>/var/www/store</ignore>
 18 |     <ignore>/var/ossec/queue</ignore>
 19 |     <ignore>/var/ossec/logs</ignore>
 20 |     <ignore>/var/ossec/stats</ignore>
 21 |     <ignore>/var/ossec/var</ignore>
 22 |     <ignore>/etc/grsec/learning.logs</ignore>
 23 |     <ignore>/etc/mtab</ignore>
 24 |     <ignore>/etc/mnttab</ignore>
 25 |     <ignore>/etc/mail/statistics</ignore>
 26 |     <ignore>/etc/random-seed</ignore>
 27 |     <ignore>/etc/adjtime</ignore>
 28 |     <ignore>/etc/httpd/logs</ignore>
 29 |     <ignore>/etc/utmpx</ignore>
 30 |     <ignore>/etc/wtmpx</ignore>
 31 |     <ignore>/etc/cups/certs</ignore>
 32 |     <ignore>/etc/dumpdates</ignore>
 33 |     <ignore>/etc/svc/volatile</ignore>
 34 |   </syscheck>
 35 | 
 36 |   <rootcheck>
 37 |     <disabled>yes</disabled>
 38 |   </rootcheck>
 39 | 
 40 |   <active-response>
 41 |     <disabled>yes</disabled>
 42 |   </active-response>
 43 | 
 44 |   <!-- Files to monitor (localfiles) -->
 45 | 
 46 |   <localfile>
 47 |     <log_format>syslog</log_format>
 48 |     <location>/var/log/messages</location>
 49 |   </localfile>
 50 | 
 51 |   <localfile>
 52 |     <log_format>syslog</log_format>
 53 |     <location>/var/log/auth.log</location>
 54 |   </localfile>
 55 | 
 56 |   <localfile>
 57 |     <log_format>syslog</log_format>
 58 |     <location>/var/log/syslog</location>
 59 |   </localfile>
 60 | 
 61 |   <localfile>
 62 |     <log_format>syslog</log_format>
 63 |     <location>/var/log/mail.info</location>
 64 |   </localfile>
 65 | 
 66 |   <localfile>
 67 |     <log_format>syslog</log_format>
 68 |     <location>/var/log/dpkg.log</location>
 69 |   </localfile>
 70 | 
 71 |   <localfile>
 72 |     <log_format>syslog</log_format>
 73 |     <location>/var/log/kern.log</location>
 74 |   </localfile>
 75 | 
 76 |   <localfile>
 77 |     <log_format>syslog</log_format>
 78 |     <location>/var/log/apache2/error.log</location>
 79 |   </localfile>
 80 | 
 81 |   <localfile>
 82 |     <log_format>syslog</log_format>
 83 |     <location>/var/log/apache2/access.log</location>
 84 |   </localfile>
 85 | 
 86 |   <localfile>
 87 |     <log_format>command</log_format>
 88 |     <command>df -h</command>
 89 |   </localfile>
 90 | 
 91 |   <localfile>
 92 |     <log_format>full_command</log_format>
 93 |     <command>netstat -tuln</command>
 94 |   </localfile>
 95 | 
 96 |   <localfile>
 97 |     <log_format>full_command</log_format>
 98 |     <command>netstat -tuan</command>
 99 |   </localfile>
100 | </ossec_config>
101 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/monitor.ossec.conf.erb:
--------------------------------------------------------------------------------
  1 | <ossec_config>
  2 |   <global>
  3 |     <email_notification>yes</email_notification>
  4 |     <email_to><%= ossec_emailto -%></email_to>
  5 |     <smtp_server><%= mailserver_ip -%></smtp_server>
  6 |     <email_from>ossecm@monitor</email_from>
  7 |   </global>
  8 | 
  9 |   <syscheck>
 10 |     <alert_new_files>yes</alert_new_files>
 11 |     
 12 |     <!-- Directories to check  (perform all possible verifications) -->
 13 |     <directories realtime="yes" check_all="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
 14 |     <directories realtime="yes" check_all="yes" report_changes="yes">/bin,/sbin</directories>
 15 |     <directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec</directories>
 16 |   
 17 |     <!-- Files/directories to ignore -->
 18 |     <ignore>/var/ossec/queue</ignore>
 19 |     <ignore>/var/ossec/logs</ignore>
 20 |     <ignore>/var/ossec/stats</ignore>
 21 |     <ignore>/var/ossec/var</ignore>
 22 |     <ignore>/etc/grsec/learning.logs</ignore>
 23 |     <ignore>/etc/mtab</ignore>
 24 |     <ignore>/etc/mnttab</ignore>
 25 |     <ignore>/etc/hosts.deny</ignore>
 26 |     <ignore>/etc/mail/statistics</ignore>
 27 |     <ignore>/etc/random-seed</ignore>
 28 |     <ignore>/etc/adjtime</ignore>
 29 |     <ignore>/etc/httpd/logs</ignore>
 30 |     <ignore>/etc/utmpx</ignore>
 31 |     <ignore>/etc/wtmpx</ignore>
 32 |     <ignore>/etc/cups/certs</ignore>
 33 |     <ignore>/etc/dumpdates</ignore>
 34 |     <ignore>/etc/svc/volatile</ignore>
 35 | 
 36 |     <!-- Windows files to ignore -->
 37 |     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
 38 |     <ignore>C:\WINDOWS/Debug</ignore>
 39 |     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
 40 |     <ignore>C:\WINDOWS/iis6.log</ignore>
 41 |     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
 42 |     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
 43 |     <ignore>C:\WINDOWS/Prefetch</ignore>
 44 |     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
 45 |     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
 46 |     <ignore>C:\WINDOWS/Temp</ignore>
 47 |     <ignore>C:\WINDOWS/system32/config</ignore>
 48 |     <ignore>C:\WINDOWS/system32/spool</ignore>
 49 |     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
 50 |   </syscheck>
 51 | 
 52 |   <rootcheck>
 53 |     <disabled>yes</disabled>
 54 |   </rootcheck>
 55 | 
 56 |   <active-response>
 57 |     <disabled>yes</disabled>
 58 |   </active-response>
 59 | 
 60 | 
 61 |   <remote>
 62 |     <connection>secure</connection>
 63 |   </remote>
 64 | 
 65 |   <alerts>
 66 |     <log_alert_level>1</log_alert_level>
 67 |     <email_alert_level>7</email_alert_level>
 68 |   </alerts>
 69 |   <!-- Files to monitor (localfiles) -->
 70 | 
 71 |   <localfile>
 72 |     <log_format>syslog</log_format>
 73 |     <location>/var/log/auth.log</location>
 74 |   </localfile>
 75 | 
 76 |   <localfile>
 77 |     <log_format>syslog</log_format>
 78 |     <location>/var/log/syslog</location>
 79 |   </localfile>
 80 | 
 81 |   <localfile>
 82 |     <log_format>syslog</log_format>
 83 |     <location>/var/log/dpkg.log</location>
 84 |   </localfile>
 85 | 
 86 |   <localfile>
 87 |     <log_format>syslog</log_format>
 88 |     <location>/var/log/kern.log</location>
 89 |   </localfile>
 90 | 
 91 |   <localfile>
 92 |     <log_format>command</log_format>
 93 |     <command>df -h</command>
 94 |   </localfile>
 95 | 
 96 |   <localfile>
 97 |     <log_format>full_command</log_format>
 98 |     <command>netstat -tuln</command>
 99 |   </localfile>
100 | 
101 |   <localfile>
102 |     <log_format>full_command</log_format>
103 |     <command>netstat -tuan</command>
104 |   </localfile>
105 |  
106 |   <reports>
107 |     <group>authentication_success</group>
108 |     <user type="relation">srcip</user>
109 |     <title>Daily report: Successful logins</title>
110 |     <email_to><%= ossec_emailto -%></email_to>
111 |   </reports>
112 | 
113 |   <reports>
114 |     <group>syscheck</group>
115 |     <title>Daily report: File Changes</title>
116 |     <email_to><%= ossec_emailto -%></email_to>
117 |   </reports>
118 | 
119 |   <email_alerts>
120 |     <email_to><%= ossec_emailto -%></email_to>
121 |     <group>authentication_success</group>
122 |     <do_not_delay />
123 |     <do_not_group />
124 |   </email_alerts>
125 | 
126 |   <email_alerts>
127 |     <email_to><%= ossec_emailto -%></email_to>
128 |     <group>syscheck</group>
129 |     <do_not_delay />
130 |   </email_alerts>
131 | 
132 |   <email_alerts>
133 |     <email_to><%= ossec_emailto -%></email_to>
134 |     <group>low_diskspace</group>
135 |     <do_not_delay />
136 |   </email_alerts>
137 | </ossec_config>
138 | 
139 | <ossec_config>  <!-- rules global entry -->
140 |   <rules>
141 |     <include>rules_config.xml</include>
142 |     <include>pam_rules.xml</include>
143 |     <include>sshd_rules.xml</include>
144 |     <include>telnetd_rules.xml</include>
145 |     <include>syslog_rules.xml</include>
146 |     <include>arpwatch_rules.xml</include>
147 |     <include>symantec-av_rules.xml</include>
148 |     <include>symantec-ws_rules.xml</include>
149 |     <include>pix_rules.xml</include>
150 |     <include>named_rules.xml</include>
151 |     <include>smbd_rules.xml</include>
152 |     <include>vsftpd_rules.xml</include>
153 |     <include>pure-ftpd_rules.xml</include>
154 |     <include>proftpd_rules.xml</include>
155 |     <include>ms_ftpd_rules.xml</include>
156 |     <include>ftpd_rules.xml</include>
157 |     <include>hordeimp_rules.xml</include>
158 |     <include>roundcube_rules.xml</include>
159 |     <include>wordpress_rules.xml</include>
160 |     <include>cimserver_rules.xml</include>
161 |     <include>vpopmail_rules.xml</include>
162 |     <include>vmpop3d_rules.xml</include>
163 |     <include>courier_rules.xml</include>
164 |     <include>web_rules.xml</include>
165 |     <include>apache_rules.xml</include>
166 |     <include>nginx_rules.xml</include>
167 |     <include>php_rules.xml</include>
168 |     <include>mysql_rules.xml</include>
169 |     <include>postgresql_rules.xml</include>
170 |     <include>ids_rules.xml</include>
171 |     <include>squid_rules.xml</include>
172 |     <include>firewall_rules.xml</include>
173 |     <include>cisco-ios_rules.xml</include>
174 |     <include>netscreenfw_rules.xml</include>
175 |     <include>sonicwall_rules.xml</include>
176 |     <include>postfix_rules.xml</include>
177 |     <include>sendmail_rules.xml</include>
178 |     <include>imapd_rules.xml</include>
179 |     <include>mailscanner_rules.xml</include>
180 |     <include>dovecot_rules.xml</include>
181 |     <include>ms-exchange_rules.xml</include>
182 |     <include>racoon_rules.xml</include>
183 |     <include>vpn_concentrator_rules.xml</include>
184 |     <include>spamd_rules.xml</include>
185 |     <include>msauth_rules.xml</include>
186 |     <include>mcafee_av_rules.xml</include>
187 |     <include>trend-osce_rules.xml</include>
188 |     <include>ms-se_rules.xml</include>
189 |     <!-- <include>policy_rules.xml</include> -->
190 |     <include>zeus_rules.xml</include>
191 |     <include>solaris_bsm_rules.xml</include>
192 |     <include>vmware_rules.xml</include>
193 |     <include>ms_dhcp_rules.xml</include>
194 |     <include>asterisk_rules.xml</include>
195 |     <include>ossec_rules.xml</include>
196 |     <include>attack_rules.xml</include>
197 |     <include>openbsd_rules.xml</include>
198 |     <include>clam_av_rules.xml</include>
199 |     <include>bro-ids_rules.xml</include>
200 |     <include>dropbear_rules.xml</include>
201 |     <include>local_rules.xml</include>
202 |   </rules>  
203 | </ossec_config>  <!-- rules global entry -->
204 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/ports.conf.erb:
--------------------------------------------------------------------------------
 1 | <% if source_hostname==@hostname %>
 2 | Listen 127.0.0.1:8080
 3 | <% end %>
 4 | <% if journalist_hostname==@hostname %>
 5 | Listen <%= @ipaddress -%>:80
 6 | <IfModule mod_ssl.c>
 7 |     Listen <%= @ipaddress -%>:443
 8 | </IfModule>
 9 | <% end %>
10 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/security.erb:
--------------------------------------------------------------------------------
1 | ServerTokens Prod
2 | ServerSignature Off
3 | TraceEnable Off
4 | 
5 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/source.ossec.conf.erb:
--------------------------------------------------------------------------------
 1 | <ossec_config>
 2 |   <client>
 3 |     <server-ip><%= monitor_ip -%></server-ip>
 4 |   </client>
 5 | 
 6 |   <syscheck>
 7 |     <alert_new_files>yes</alert_new_files>
 8 |     
 9 |     <!-- Directories to check  (perform all possible verifications) -->
10 |     <directories realtime="yes" check_all="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
11 |     <directories realtime="yes" check_all="yes" report_changes="yes">/bin,/sbin</directories>
12 |     <directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec</directories>
13 |     <directories realtime="yes" check_all="yes" report_changes="yes">/var/lib/tor/hidden_service/,/var/lib/tor/lock</directories>
14 |     <directories realtime="yes" check_all="yes" report_changes="yes">/var/www</directories>
15 | 
16 |     <!-- Files/directories to ignore -->
17 |     <ignore>/var/www/keys</ignore>
18 |     <ignore>/var/www/store</ignore>
19 |     <ignore>/var/ossec/queue</ignore>
20 |     <ignore>/var/ossec/logs</ignore>
21 |     <ignore>/var/ossec/stats</ignore>
22 |     <ignore>/var/ossec/var</ignore>
23 |     <ignore>/etc/mtab</ignore>
24 |     <ignore>/etc/mnttab</ignore>
25 |     <ignore>/etc/mail/statistics</ignore>
26 |     <ignore>/etc/random-seed</ignore>
27 |     <ignore>/etc/adjtime</ignore>
28 |     <ignore>/etc/httpd/logs</ignore>
29 |     <ignore>/etc/utmpx</ignore>
30 |     <ignore>/etc/wtmpx</ignore>
31 |     <ignore>/etc/cups/certs</ignore>
32 |     <ignore>/etc/dumpdates</ignore>
33 |     <ignore>/etc/svc/volatile</ignore>
34 |   </syscheck>
35 | 
36 |   <rootcheck>
37 |     <disabled>yes</disabled>
38 |   </rootcheck>
39 | 
40 |   <active-response>
41 |     <disabled>yes</disabled>
42 |   </active-response>
43 | 
44 |   <!-- Files to monitor (localfiles) -->
45 | 
46 |   <localfile>
47 |     <log_format>syslog</log_format>
48 |     <location>/var/log/messages</location>
49 |   </localfile>
50 | 
51 |   <localfile>
52 |     <log_format>syslog</log_format>
53 |     <location>/var/log/auth.log</location>
54 |   </localfile>
55 | 
56 |   <localfile>
57 |     <log_format>syslog</log_format>
58 |     <location>/var/log/syslog</location>
59 |   </localfile>
60 | 
61 |   <localfile>
62 |     <log_format>syslog</log_format>
63 |     <location>/var/log/mail.info</location>
64 |   </localfile>
65 | 
66 |   <localfile>
67 |     <log_format>syslog</log_format>
68 |     <location>/var/log/dpkg.log</location>
69 |   </localfile>
70 | 
71 |   <localfile>
72 |     <log_format>syslog</log_format>
73 |     <location>/var/log/kern.log</location>
74 |   </localfile>
75 | 
76 |   <localfile>
77 |     <log_format>syslog</log_format>
78 |     <location>/var/log/tor/log</location>
79 |   </localfile>
80 | 
81 |   <localfile>
82 |     <log_format>command</log_format>
83 |     <command>df -h</command>
84 |   </localfile>
85 | 
86 |   <localfile>
87 |     <log_format>full_command</log_format>
88 |     <command>netstat -tuln</command>
89 |   </localfile>
90 | 
91 |   <localfile>
92 |     <log_format>full_command</log_format>
93 |     <command>netstat -tuan |grep -v :443 |grep -v :8080 | grep -v :80</command>
94 |   </localfile>
95 | </ossec_config>
96 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/sshd_config.erb:
--------------------------------------------------------------------------------
 1 | # Package generated configuration file
 2 | # See the sshd_config(5) manpage for details
 3 | 
 4 | # What ports, IPs and protocols we listen for
 5 | Port 22
 6 | # Use these options to restrict which interfaces/protocols sshd will bind to
 7 | #ListenAddress ::
 8 | #ListenAddress 0.0.0.0
 9 | Protocol 2
10 | # HostKeys for protocol version 2
11 | HostKey /etc/ssh/ssh_host_rsa_key
12 | HostKey /etc/ssh/ssh_host_dsa_key
13 | HostKey /etc/ssh/ssh_host_ecdsa_key
14 | #Privilege Separation is turned on for security
15 | UsePrivilegeSeparation yes
16 | 
17 | # Lifetime and size of ephemeral version 1 server key
18 | KeyRegenerationInterval 3600
19 | ServerKeyBits 768
20 | 
21 | # Logging
22 | SyslogFacility AUTH
23 | LogLevel INFO
24 | 
25 | # Authentication:
26 | LoginGraceTime 120
27 | PermitRootLogin no
28 | StrictModes yes
29 | 
30 | RSAAuthentication yes
31 | PubkeyAuthentication yes
32 | #AuthorizedKeysFile	%h/.ssh/authorized_keys
33 | 
34 | # Don't read the user's ~/.rhosts and ~/.shosts files
35 | IgnoreRhosts yes
36 | # For this to work you will also need host keys in /etc/ssh_known_hosts
37 | RhostsRSAAuthentication no
38 | # similar for protocol version 2
39 | HostbasedAuthentication no
40 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
41 | #IgnoreUserKnownHosts yes
42 | 
43 | # To enable empty passwords, change to yes (NOT RECOMMENDED)
44 | PermitEmptyPasswords no
45 | 
46 | # Change to yes to enable challenge-response passwords (beware issues with
47 | # some PAM modules and threads)
48 | ChallengeResponseAuthentication no
49 | 
50 | # Change to no to disable tunnelled clear text passwords
51 | #PasswordAuthentication yes
52 | 
53 | # Kerberos options
54 | #KerberosAuthentication no
55 | #KerberosGetAFSToken no
56 | #KerberosOrLocalPasswd yes
57 | #KerberosTicketCleanup yes
58 | 
59 | # GSSAPI options
60 | #GSSAPIAuthentication no
61 | #GSSAPICleanupCredentials yes
62 | 
63 | X11Forwarding yes
64 | X11DisplayOffset 10
65 | PrintMotd no
66 | PrintLastLog yes
67 | TCPKeepAlive yes
68 | #UseLogin no
69 | 
70 | #MaxStartups 10:30:60
71 | #Banner /etc/issue.net
72 | 
73 | # Allow client to pass locale environment variables
74 | AcceptEnv LANG LC_*
75 | 
76 | Subsystem sftp /usr/lib/openssh/sftp-server
77 | 
78 | # Set this to 'yes' to enable PAM authentication, account processing,
79 | # and session processing. If this is enabled, PAM authentication will
80 | # be allowed through the ChallengeResponseAuthentication and
81 | # PasswordAuthentication.  Depending on your PAM configuration,
82 | # PAM authentication via ChallengeResponseAuthentication may bypass
83 | # the setting of "PermitRootLogin without-password".
84 | # If you just want the PAM account and session checks to run without
85 | # PAM authentication, then enable this but set PasswordAuthentication
86 | # and ChallengeResponseAuthentication to 'no'.
87 | UsePAM yes
88 | 
89 | <% if journalist_hostname==@hostname %>
90 | <%= "	Match User #{sshfs_user} " %>
91 | <%= "	ForceCommand internal-sftp " %>
92 | <% end %>
93 | 
94 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/vhost-deaddrop-ssl.conf.erb:
--------------------------------------------------------------------------------
 1 | # ************************************
 2 | # Default template in module puppetlabs-apache
 3 | # Modified for use by deaddrop application
 4 | # ************************************
 5 | WSGIPythonPath /var/www/deaddrop
 6 | SSLRandomSeed startup builtin
 7 | SSLRandomSeed connect builtin
 8 | SSLSessionCache none
 9 | 
10 | NameVirtualHost <%= vhost_name %>:<%= port %>
11 | <VirtualHost <%= vhost_name %>:<%= port %>>
12 |   ServerName <%= srvname %>
13 | <% if serveraliases.is_a? Array -%>
14 | <% serveraliases.each do |name| -%><%= "  ServerAlias #{name}\n" %><% end -%>
15 | <% elsif serveraliases != '' -%>
16 | <%= "  ServerAlias #{serveraliases}" -%>
17 | <% end %>
18 |   DocumentRoot <%= docroot %>
19 |   Alias /static /var/www/deaddrop/static
20 |   WSGIScriptAlias / /var/www/deaddrop/<%= my_role -%>.py/
21 |   AddType text/html .py
22 | 
23 |   <Directory />
24 |     AAHatName apachehome
25 |     Options None
26 |     AllowOverride None
27 |     Order deny,allow
28 |     Deny from all
29 |   </Directory>
30 |   <Directory /var/www/deaddrop>
31 |     AAHatName deaddropHome
32 |     Order allow,deny
33 |     allow from all
34 |   </Directory>
35 |   <Directory <%= docroot %>>a
36 |     AAHatName docroot
37 |     Options <%= options %>
38 |     AllowOverride None
39 |     Order allow,deny
40 |     allow from all
41 |   </Directory>
42 |   
43 |  SSLEngine on
44 |   SSLProtocol -ALL +TLSv1
45 |   SSLHonorCipherOrder On
46 |   SSLCipherSuite ECDHE-RSA-RC4-SHA:RC4-SHA:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC
47 |   SSLOptions      +StrictRequire
48 |   SSLVerifyClient require
49 |   SSLVerifyDepth 2
50 |   SSLProxyEngine off
51 |   SSLCertificateFile	/etc/ssl/<%= my_role -%>_certs/<%= my_role -%>.cert.pem
52 |   SSLCertificateKeyFile	/etc/ssl/<%= my_role -%>_certs/<%= my_role -%>.without.key.pem
53 |   SSLCACertificateFile  /etc/ssl/<%= my_role -%>_certs/cacert.pem
54 |   SSLCARevocationFile   /etc/ssl/<%= my_role -%>_certs/cacrl.pem
55 | <% if my_role =='source' -%>
56 | <%= "ErrorLog /dev/null" %>
57 | <%= "LogLevel crit" %>
58 | <% elsif my_role !='source' -%>
59 | <%= "ErrorLog /var/log/apache2/#{vhost_name}_error.log" %>
60 | <%= "CustomLog /var/log/apache2/#{vhost_name}_access.log combined" %>
61 | <%= "LogLevel info" %>
62 | <% end %>
63 |   ServerSignature Off
64 | </VirtualHost>
65 | 
66 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/deaddrop/templates/vhost-deaddrop.conf.erb:
--------------------------------------------------------------------------------
 1 | # ************************************
 2 | # Default template in module puppetlabs-apache
 3 | # Modified for use by deaddrop application
 4 | # ************************************
 5 | WSGIPythonPath /var/www/deaddrop
 6 | 
 7 | NameVirtualHost <%= vhost_name %>:<%= port %>
 8 | <VirtualHost <%= vhost_name %>:<%= port %>>
 9 |   ServerName <%= srvname %>
10 | <% if serveraliases.is_a? Array -%>
11 | <% serveraliases.each do |name| -%><%= "  ServerAlias #{name}\n" %><% end -%>
12 | <% elsif serveraliases != '' -%>
13 | <%= "  ServerAlias #{serveraliases}" -%>
14 | <% end %>
15 |   DocumentRoot <%= docroot %>
16 |   Alias /static /var/www/deaddrop/static
17 |   WSGIScriptAlias / /var/www/deaddrop/<%= my_role -%>.py/
18 |   AddType text/html .py
19 | 
20 |   <Directory />
21 |     AAHatName apacheHome
22 |     Options None
23 |     AllowOverride None
24 |     Order deny,allow
25 |     Deny from all
26 |   </Directory>
27 |   <Directory /var/www/deaddrop>
28 |     AAHatName deaddropHome
29 |     Order allow,deny
30 |     allow from all
31 |   </Directory>
32 |   <Directory <%= docroot %>>
33 |     AAHatName docroot
34 |     Options <%= options %>
35 |     AllowOverride None
36 |     Order allow,deny
37 |     allow from all
38 |   </Directory>
39 |   
40 | <% if my_role =='source' -%>
41 |   <%= "ErrorLog /dev/null" %>
42 |   <%= "LogLevel crit" %>
43 | <% elsif my_role !='source' -%>
44 |   <%= "ErrorLog /var/log/apache2/error.log" %>
45 |   <%= "CustomLog /var/log/apache2/access.log combined" %>
46 |   <%= "LogLevel info" %>
47 | <% end %>
48 |   ServerSignature Off
49 | </VirtualHost>
50 | 
51 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/gnupg2/manifests/init.pp:
--------------------------------------------------------------------------------
 1 | # Class: gnupg2
 2 | #
 3 | # This class installs gnupg2
 4 | #
 5 | # Actions:
 6 | #   - Install the gnupg2 package
 7 | #
 8 | # Sample Usage:
 9 | #  class { 'gnupg2': }
10 | #
11 | class gnupg2 {
12 |   package { 'gnupg2':
13 |     ensure => installed,
14 |   }
15 | }
16 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/rng_tools/CHANGELOG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/deaddrop/DeadDropDocs/bef1a6d8c76d09b22bdd8f4ad70b97dadefefb02/deaddrop_puppet/modules/rng_tools/CHANGELOG


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/rng_tools/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!) The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/rng_tools/README:
--------------------------------------------------------------------------------
1 | simple module that can install rng-tools and configures dev/urnadom for ubuntu hosts
2 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/rng_tools/files/rng-tools:
--------------------------------------------------------------------------------
 1 | # Configuration for the rng-tools initscript
 2 | # $Id: rng-tools.default,v 1.1.2.5 2008-06-10 19:51:37 hmh Exp $
 3 | 
 4 | # This is a POSIX shell fragment
 5 | 
 6 | # Set to the input source for random data, leave undefined
 7 | # for the initscript to attempt auto-detection.  Set to /dev/null
 8 | # for the viapadlock and tpm drivers.
 9 | #HRNGDEVICE=/dev/hwrng
10 | #HRNGDEVICE=/dev/null
11 | HRNGDEVICE=/dev/random
12 | 
13 | # Additional options to send to rngd. See the rngd(8) manpage for
14 | # more information.  Do not specify -r/--rng-device here, use
15 | # HRNGDEVICE for that instead.
16 | #RNGDOPTIONS="--hrng=intelfwh --fill-watermark=90% --feed-interval=1"
17 | #RNGDOPTIONS="--hrng=viakernel --fill-watermark=90% --feed-interval=1"
18 | #RNGDOPTIONS="--hrng=viapadlock --fill-watermark=90% --feed-interval=1"
19 | #RNGDOPTIONS="--hrng=tpm --fill-watermark=90% --feed-interval=1"
20 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/rng_tools/manifests/init.pp:
--------------------------------------------------------------------------------
 1 | # Class: rng-tools
 2 | #
 3 | # This class installs rng-tools
 4 | #
 5 | # Actions:
 6 | #   - Install the rng-tools package
 7 | #
 8 | # Sample Usage:
 9 | #  class { 'rng-tools': }
10 | #
11 | class rng_tools {
12 |   package { 'rng-tools':
13 |     ensure => installed,
14 |   }
15 | 
16 |   service { "rng-tools":
17 |     ensure => "running",
18 |     enable => "true",
19 |     require => Package["rng-tools"],
20 |     hasrestart => "true",
21 |     subscribe => File['/etc/default/rng-tools'],
22 |   }
23 | 
24 |   file { "/etc/default/rng-tools":
25 |     mode => 644,
26 |     owner => 'root',
27 |     group => 'root',
28 |     require => Package["rng-tools"],
29 |     source => "puppet:///modules/rng_tools/rng-tools",
30 |     }
31 | }
32 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/secure_delete/manifests/init.pp:
--------------------------------------------------------------------------------
 1 | # Class: secure-delete
 2 | #
 3 | # This class installs secure-delete
 4 | #
 5 | # Actions:
 6 | #   - Install the secure-delete package
 7 | #
 8 | # Sample Usage:
 9 | #  class { 'secure-delete': }
10 | #
11 | class secure_delete {
12 |   package { 'secure-delete':
13 |     ensure => installed,
14 |   }
15 | }
16 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/ssh/manifests/auth.pp:
--------------------------------------------------------------------------------
  1 | # =========                                                 
  2 | 
  3 | # ssh::auth                                                 
  4 | 
  5 | # =========                                                 
  6 | 
  7 | #                                                           
  8 | 
  9 | # The latest official release and documentation for ssh::auth can always
 10 | 
 11 | # be found at http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth .
 12 | 
 13 | #                                                                              
 14 | 
 15 | # Version:          0.3.2                                                      
 16 | 
 17 | # Release date:     2009-12-29                                                 
 18 | 
 19 | 
 20 | 
 21 | class ssh::auth {
 22 | 
 23 | 
 24 | 
 25 | $keymaster_storage = "/var/lib/keys" 
 26 | 
 27 | 
 28 | 
 29 | Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
 30 | 
 31 | Notify { withpath => false }                    
 32 | 
 33 | 
 34 | 
 35 | 
 36 | 
 37 | ##########################################################################
 38 | 
 39 | 
 40 | 
 41 | 
 42 | 
 43 | # ssh::auth::key 
 44 | 
 45 | 
 46 | 
 47 | # Declare keys.  The approach here is just to define a bunch of
 48 | 
 49 | # virtual resources, representing key files on the keymaster, client,
 50 | 
 51 | # and server.  The virtual keys are then realized by                 
 52 | 
 53 | # ssh::auth::{keymaster,client,server}, respectively.  The reason for
 54 | 
 55 | # doing things that way is that it makes ssh::auth::key into a "one  
 56 | 
 57 | # stop shop" where users can declare their keys with all of their    
 58 | 
 59 | # parameters, whether those parameters apply to the keymaster, server,
 60 | 
 61 | # or client.  The real work of creating, installing, and removing keys
 62 | 
 63 | # is done in the private definitions called by the virtual resources: 
 64 | 
 65 | # ssh_auth_key_{master,server,client}.                                
 66 | 
 67 | 
 68 | 
 69 | define key ($ensure = "present", $filename = "", $force = false, $group = "puppet", $home = "", $keytype = "rsa", $length = 2048, $maxdays = "", $mindate = "", $options = "", $user = "") {                                                                                                                                                    
 70 | 
 71 | 
 72 | 
 73 |   ssh_auth_key_namecheck { "${title}-title": parm => "title", value => $title }
 74 | 
 75 | 
 76 | 
 77 |   # apply defaults
 78 | 
 79 |   $_filename = $filename ? { "" => "id_${keytype}", default => $filename }
 80 | 
 81 |   $_length = $keytype ? { "rsa" => $length, "dsa" => 1024 }               
 82 | 
 83 |   $_user = $user ? {                                                      
 84 | 
 85 |     ""      => regsubst($title, '^([^@]*)@?.*$', '\1'),                   
 86 | 
 87 |     default => $user,                                                     
 88 | 
 89 |   }                                                                       
 90 | 
 91 |   $_home = $home ? { "" => "/home/$_user",  default => $home }            
 92 | 
 93 | 
 94 | 
 95 |   ssh_auth_key_namecheck { "${title}-filename": parm => "filename", value => $_filename }
 96 | 
 97 | 
 98 | 
 99 |   @ssh_auth_key_master { $title:
100 | 
101 |     ensure  => $ensure,         
102 | 
103 |     force   => $force,          
104 | 
105 |     keytype => $keytype,        
106 | 
107 |     length  => $_length,        
108 | 
109 |     maxdays => $maxdays,        
110 | 
111 |     mindate => $mindate,        
112 | 
113 |   }                             
114 | 
115 |   @ssh_auth_key_client { $title:
116 | 
117 |     ensure   => $ensure,        
118 | 
119 |     filename => $_filename,     
120 | 
121 |     group    => $group,         
122 | 
123 |     home     => $_home,         
124 | 
125 |     user     => $_user,         
126 | 
127 |   }                             
128 | 
129 |   @ssh_auth_key_server { $title:
130 | 
131 |     ensure  => $ensure,         
132 | 
133 |     group   => $group,          
134 | 
135 |     home    => $_home,          
136 | 
137 |     options => $options,        
138 | 
139 |     user    => $_user,          
140 | 
141 |   }                             
142 | 
143 | }                               
144 | 
145 | 
146 | 
147 | 
148 | 
149 | ##########################################################################
150 | 
151 | 
152 | 
153 | 
154 | 
155 | # ssh::auth::keymaster
156 | 
157 | #                     
158 | 
159 | # Keymaster host:     
160 | 
161 | # Create key storage; create, regenerate, and remove key pairs
162 | 
163 | 
164 | 
165 | class keymaster {
166 | 
167 | 
168 | 
169 |   # Set up key storage
170 | 
171 | 
172 | 
173 |   file { $ssh::auth::keymaster_storage:
174 | 
175 |     ensure => directory,               
176 | 
177 |     owner  => puppet,                  
178 | 
179 |     group  => puppet,                  
180 | 
181 |     mode   => 644,                     
182 | 
183 |   }                                    
184 | 
185 |                                        
186 | 
187 |   # Realize all virtual master keys    
188 | 
189 |   Ssh_auth_key_master <| |>            
190 | 
191 | 
192 | 
193 | } # class keymaster
194 | 
195 | 
196 | 
197 | 
198 | 
199 | ##########################################################################
200 | 
201 | 
202 | 
203 | 
204 | 
205 | # ssh::auth::client
206 | 
207 | #                  
208 | 
209 | # Install generated key pairs onto clients
210 | 
211 | 
212 | 
213 | define client ($ensure = "", $filename = "", $group = "", $home = "", $user = "") {
214 | 
215 | 
216 | 
217 |   # Realize the virtual client keys.
218 | 
219 |   # Override the defaults set in ssh::auth::key, as needed.
220 | 
221 |   if $ensure   { Ssh_auth_key_client <| title == $title |> { ensure   => $ensure   } }
222 | 
223 |   if $filename { Ssh_auth_key_client <| title == $title |> { filename => $filename } }
224 | 
225 |   if $group    { Ssh_auth_key_client <| title == $title |> { group    => $group    } }
226 | 
227 | 
228 | 
229 |   if $user { Ssh_auth_key_client <| title == $title |> { user => $user, home => "/home/$user" } }
230 | 
231 |   if $home { Ssh_auth_key_client <| title == $title |> { home => $home } }                       
232 | 
233 | 
234 | 
235 |   realize Ssh_auth_key_client[$title]
236 | 
237 | 
238 | 
239 | } # define client
240 | 
241 | 
242 | 
243 | 
244 | 
245 | ##########################################################################
246 | 
247 | 
248 | 
249 | 
250 | 
251 | # ssh::auth::server
252 | 
253 | #                  
254 | 
255 | # Install public keys onto clients
256 | 
257 | 
258 | 
259 | define server ($ensure = "", $group = "", $home = "", $options = "", $user = "") {
260 | 
261 | 
262 | 
263 |   # Realize the virtual server keys.
264 | 
265 |   # Override the defaults set in ssh::auth::key, as needed.
266 | 
267 |   if $ensure  { Ssh_auth_key_server <| title == $title |> { ensure  => $ensure  } }
268 | 
269 |   if $group   { Ssh_auth_key_server <| title == $title |> { group   => $group   } }
270 | 
271 |   if $options { Ssh_auth_key_server <| title == $title |> { options => $options } }
272 | 
273 | 
274 | 
275 |   if $user { Ssh_auth_key_server <| title == $title |> { user => $user, home => "/home/$user" } }
276 | 
277 |   if $home { Ssh_auth_key_server <| title == $title |> { home => $home } }                       
278 | 
279 | 
280 | 
281 |   realize Ssh_auth_key_server[$title]
282 | 
283 | 
284 | 
285 | } # define server
286 | 
287 | 
288 | 
289 | } # class ssh::auth
290 | 
291 | 
292 | 
293 | 
294 | 
295 | ##########################################################################
296 | 
297 | 
298 | 
299 | 
300 | 
301 | # ssh_auth_key_master
302 | 
303 | #                    
304 | 
305 | # Create/regenerate/remove a key pair on the keymaster.
306 | 
307 | # This definition is private, i.e. it is not intended to be called directly by users.
308 | 
309 | # ssh::auth::key calls it to create virtual keys, which are realized in ssh::auth::keymaster.
310 | 
311 | 
312 | 
313 | define ssh_auth_key_master ($ensure, $force, $keytype, $length, $maxdays, $mindate) {
314 | 
315 | 
316 | 
317 |   Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
318 | 
319 |   File {                                          
320 | 
321 |     owner => puppet,                              
322 | 
323 |     group => puppet,                              
324 | 
325 |     mode  => 600,                                 
326 | 
327 |   }                                               
328 | 
329 | 
330 | 
331 |   $keydir = "${ssh::auth::keymaster_storage}/${title}"
332 | 
333 |   $keyfile = "${keydir}/key"                          
334 | 
335 | 
336 | 
337 |   file { 
338 | 
339 |     "$keydir":
340 | 
341 |       ensure => directory,
342 | 
343 |       mode   => 644;      
344 | 
345 |     "$keyfile":           
346 | 
347 |       ensure => $ensure;  
348 | 
349 |     "${keyfile}.pub":     
350 | 
351 |       ensure => $ensure,  
352 | 
353 |       mode   => 644;      
354 | 
355 |   }                       
356 | 
357 | 
358 | 
359 |   if $ensure == "present" {
360 | 
361 | 
362 | 
363 |     # Remove the existing key pair, if
364 | 
365 |     # * $force is true, or            
366 | 
367 |     # * $maxdays or $mindate criteria aren't met, or
368 | 
369 |     # * $keytype or $length have changed            
370 | 
371 | 
372 | 
373 |     $keycontent = file("${keyfile}.pub", "/dev/null")
374 | 
375 |     if $keycontent {                                 
376 | 
377 | 
378 | 
379 |       if $force {
380 | 
381 |         $reason = "force=true"
382 | 
383 |       }                       
384 | 
385 |       if !$reason and $mindate and generate("/usr/bin/find", $keyfile, "!", "-newermt", "${mindate}") {
386 | 
387 |         $reason = "created before ${mindate}"                                                          
388 | 
389 |       }                                                                                                
390 | 
391 |       if !$reason and $maxdays and generate("/usr/bin/find", $keyfile, "-mtime", "+${maxdays}") {      
392 | 
393 |         $reason = "older than ${maxdays} days"                                                         
394 | 
395 |       }                                                                                                
396 | 
397 |       if !$reason and $keycontent =~ /^ssh-... [^ ]+ (...) (\d+)$/ {                                   
398 | 
399 |         if       $keytype != $1 { $reason = "keytype changed: $1 -> $keytype" }                        
400 | 
401 |         else { if $length != $2 { $reason = "length changed: $2 -> $length" } }                        
402 | 
403 |       }                                                                                                
404 | 
405 |       if $reason {                                                                                     
406 | 
407 |         exec { "Revoke previous key ${title}: ${reason}":                                              
408 | 
409 |           command => "rm $keyfile ${keyfile}.pub",                                                     
410 | 
411 |           before  => Exec["Create key $title: $keytype, $length bits"],                                
412 | 
413 |         }                                                                                              
414 | 
415 |       }                                                                                                
416 | 
417 |     }                                                                                                  
418 | 
419 | 
420 | 
421 |     # Create the key pair.
422 | 
423 |     # We "repurpose" the comment field in public keys on the keymaster to
424 | 
425 |     # store data about the key, i.e. $keytype and $length.  This avoids  
426 | 
427 |     # having to rerun ssh-keygen -l on every key at every run to determine
428 | 
429 |     # the key length.                                                     
430 | 
431 |     exec { "Create key $title: $keytype, $length bits":                   
432 | 
433 |       command => "ssh-keygen -t ${keytype} -b ${length} -f ${keyfile} -C \"${keytype} ${length}\" -N \"\"",
434 | 
435 |       user    => "puppet",                                                                                 
436 | 
437 |       group   => "puppet",                                                                                 
438 | 
439 |       creates => $keyfile,                                                                                 
440 | 
441 |       require => File[$keydir],                                                                            
442 | 
443 |       before  => File[$keyfile, "${keyfile}.pub"],                                                         
444 | 
445 |     }                                                                                                      
446 | 
447 | 
448 | 
449 |   } # if $ensure  == "present"
450 | 
451 | 
452 | 
453 | } # define ssh_auth_key_master
454 | 
455 | 
456 | 
457 | 
458 | 
459 | ##########################################################################
460 | 
461 | 
462 | 
463 | 
464 | 
465 | # ssh_auth_key_client
466 | 
467 | #                    
468 | 
469 | # Install a key pair into a user's account.
470 | 
471 | # This definition is private, i.e. it is not intended to be called directly by users.
472 | 
473 | 
474 | 
475 | define ssh_auth_key_client ($ensure, $filename, $group, $home, $user) {
476 | 
477 | 
478 | 
479 |   File {
480 | 
481 |     owner   => $user,
482 | 
483 |     group   => $group,
484 | 
485 |     mode    => 600,   
486 | 
487 |     require => [ User[$user], File[$home]],
488 | 
489 |   }                                                    
490 | 
491 | 
492 | 
493 |   $key_src_file = "${ssh::auth::keymaster_storage}/${title}/key" # on the keymaster
494 | 
495 |   $key_tgt_file = "${home}/.ssh/${filename}" # on the client                       
496 | 
497 | 
498 | 
499 |   $key_src_content_pub = file("${key_src_file}.pub", "/dev/null")
500 | 
501 |   if $ensure == "absent" or $key_src_content_pub =~ /^(ssh-...) ([^ ]+)/ {
502 | 
503 |     $keytype = $1                                                         
504 | 
505 |     $modulus = $2                                                         
506 | 
507 |     file {                                                                
508 | 
509 |       $key_tgt_file:                                                      
510 | 
511 |         ensure  => $ensure,                                               
512 | 
513 |         content => file($key_src_file, "/dev/null");                      
514 | 
515 |       "${key_tgt_file}.pub":                                              
516 | 
517 |         ensure  => $ensure,                                               
518 | 
519 |         content => "$keytype $modulus $title\n",                          
520 | 
521 |         mode    => 644;                                                   
522 | 
523 |     }                                                                     
524 | 
525 |   } else {                                                                
526 | 
527 |     notify { "Private key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
528 | 
529 |   }                                                                                                               
530 | 
531 | 
532 | 
533 | } # define ssh_auth_key_client
534 | 
535 | 
536 | 
537 | 
538 | 
539 | ##########################################################################
540 | 
541 | 
542 | 
543 | 
544 | 
545 | # ssh_auth_key_server
546 | 
547 | #                    
548 | 
549 | # Install a public key into a server user's authorized_keys(5) file.
550 | 
551 | # This definition is private, i.e. it is not intended to be called directly by users.
552 | 
553 | 
554 | 
555 | define ssh_auth_key_server ($ensure, $group, $home, $options, $user) {
556 | 
557 | 
558 | 
559 |   # on the keymaster:
560 | 
561 |   $key_src_dir = "${ssh::auth::keymaster_storage}/${title}"
562 | 
563 |   $key_src_file = "${key_src_dir}/key.pub"                 
564 | 
565 |   # on the server:                                         
566 | 
567 |   $key_tgt_file = "${home}/.ssh/authorized_keys"           
568 | 
569 |                                                            
570 | 
571 |   File {                                                   
572 | 
573 |     owner   => $user,                                      
574 | 
575 |     group   => $group,                                     
576 | 
577 |     require => User[$user],                                
578 | 
579 |     mode    => 600,                                        
580 | 
581 |   }                                                        
582 | 
583 |   Ssh_authorized_key {                                     
584 | 
585 |     user   => $user,                                       
586 | 
587 |     target => $key_tgt_file,                               
588 | 
589 |   }                                                        
590 | 
591 | 
592 | 
593 |   if $ensure == "absent" {
594 | 
595 |     ssh_authorized_key { $title: ensure => "absent" }
596 | 
597 |   }                                                  
598 | 
599 |   else {
600 | 
601 |     $key_src_content = file($key_src_file, "/dev/null")
602 | 
603 |     if ! $key_src_content {
604 | 
605 |       notify { "Public key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
606 | 
607 |     } else { if $ensure == "present" and $key_src_content !~ /^(ssh-...) ([^ ]*)/ {
608 | 
609 |       err("Can't parse public key file $key_src_file")
610 | 
611 |       notify { "Can't parse public key file $key_src_file for key $title on the keymaster: skipping ensure => $ensure": }
612 | 
613 |     } else {
614 | 
615 |       $keytype = $1
616 | 
617 |       $modulus = $2
618 | 
619 |       ssh_authorized_key { $title:
620 | 
621 |         ensure  => "present",
622 | 
623 |         type    => $keytype,
624 | 
625 |         key     => $modulus,
626 | 
627 |         options => $options ? { "" => undef, default => $options },
628 | 
629 |       }
630 | 
631 |     }} # if ... else ... else
632 | 
633 |   } # if ... else
634 | 
635 | 
636 | 
637 | } # define ssh_auth_key_server
638 | 
639 | 
640 | 
641 | 
642 | 
643 | ##########################################################################
644 | 
645 | 
646 | 
647 | 
648 | 
649 | # ssh_auth_key_namecheck
650 | 
651 | #
652 | 
653 | # Check a name (e.g. key title or filename) for the allowed form
654 | 
655 | 
656 | 
657 | define ssh_auth_key_namecheck ($parm, $value) {
658 | 
659 |   if $value !~ /^[A-Za-z0-9]/ {
660 | 
661 |     fail("ssh::auth::key: $parm '$value' not allowed: must begin with a letter or digit")
662 | 
663 |   }
664 | 
665 |   if $value !~ /^[A-Za-z0-9_.:@-]+$/ {
666 | 
667 |     fail("ssh::auth::key: $parm '$value' not allowed: may only contain the characters A-Za-z0-9_.:@-")
668 | 
669 |   }
670 | 
671 | } # define namecheck
672 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/ssh/manifests/init.pp:
--------------------------------------------------------------------------------
 1 | class ssh {
 2 |     # Declare:
 3 |     @@sshkey { $hostname:
 4 |         type => rsa,
 5 |         key => $sshrsakey,
 6 |         size => '4096',
 7 |     }
 8 |     # Collect:
 9 |     Sshkey <<| |>>
10 | }
11 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/sysstat/files/etc/default/sysstat:
--------------------------------------------------------------------------------
 1 | #
 2 | # Default settings for /etc/init.d/sysstat, /etc/cron.d/sysstat
 3 | # and /etc/cron.daily/sysstat files
 4 | #
 5 | 
 6 | # Should sadc collect system activity informations? Valid values
 7 | # are "true" and "false". Please do not put other values, they
 8 | # will be overwritten by debconf!
 9 | ENABLED="true"
10 | 
11 | # Additional options passed to sa1 by /etc/init.d/sysstat
12 | # and /etc/cron.d/sysstat
13 | # By default contains the `-S DISK' option responsible for
14 | # generating disk statisitcs.
15 | SA1_OPTIONS="-S DISK"
16 | 
17 | # Additional options passed to sa2 by /etc/cron.daily/sysstat.
18 | SA2_OPTIONS=""
19 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/sysstat/manifests/init.pp:
--------------------------------------------------------------------------------
 1 | class sysstat {
 2 |     package { 'sysstat':
 3 |         ensure => installed,
 4 |     }
 5 | 
 6 |     service {"sysstat":
 7 |         ensure => running,
 8 |         require => Package["sysstat"],
 9 |     }
10 | 
11 |     file {"/etc/default/sysstat":
12 |         ensure => file,
13 |         source => "puppet:///modules/sysstat/etc/default/sysstat",
14 |         owner => 'root',
15 |         group => 'root',
16 |         mode => '0644',
17 |         notify => Service["sysstat"],
18 |         require => Package["sysstat"],
19 |     }
20 | }
21 |  
22 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/tor/files/torrc:
--------------------------------------------------------------------------------
1 | #SocksPort 9050 
2 | #SocksListenAddress 127.0.0.1
3 | RunAsDaemon 1
4 | HiddenServiceDir /var/lib/tor/hidden_service/
5 | HiddenServicePort 80 127.0.0.1:8080
6 | 
7 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/tor/manifests/hidden_service.pp:
--------------------------------------------------------------------------------
 1 | class tor::hidden_service {
 2 |    include tor
 3 | 
 4 |    file { '/etc/tor/torrc':
 5 |       ensure => file,
 6 |       source => "puppet:///modules/tor/torrc",
 7 |       owner => 'root',
 8 |       group => 'root',
 9 |       mode => '0644',
10 |       require => Package["tor"],
11 |    }
12 | 
13 |    service { 'tor':
14 |       ensure => running,
15 |       hasrestart => true,
16 |       hasstatus => true,
17 |       subscribe => File['/etc/tor/torrc'],
18 |    }
19 | 
20 |    exec { 'passwd -l debian-tor':
21 |       user => 'root',
22 |       group => 'root',
23 |    }
24 | }
25 | 


--------------------------------------------------------------------------------
/deaddrop_puppet/modules/tor/manifests/init.pp:
--------------------------------------------------------------------------------
 1 | # Requrires puppetlabs-apt module
 2 | class tor {
 3 | 
 4 |     apt::key { "tor":
 5 |         key               => "886DDD89",
 6 |         key_server        => "keys.gnupg.net",
 7 |     }
 8 | 
 9 |     apt::source { "tor":
10 |         location          => "http://deb.torproject.org/torproject.org",
11 |         release           => "precise",
12 |         repos             => "main",
13 |         required_packages => "deb.torproject.org-keyring",
14 |         key               => "886DDD89",
15 |         key_server        => "keys.gnupg.net",
16 |         before		  => Package["tor"],
17 |     }
18 | 
19 |     package { 'tor':
20 |         ensure => "installed",
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------