blackbox with vault

Authored by Ricardo Araujo
setup.sh 9.05 KiB
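#!/bin/bash
#
# Provision a "blackbox" node: trust the Vault SSH CA, enable Secure Boot and
# IMA, build the TPM2 stack and strongSwan, issue a TPM-bound client
# certificate and switch the host to SELinux.  Must run as root.
#
# Required environment:
#   VAULT_ADDR  - base URL of the Vault server exposing /v1/ssh/public_key
#   CLUSTER_ID  - node identity; also used as a Unix user name, a sudoers
#                 entry and the IKE/EAP identity
#   SERVER_IP   - VPN gateway address
#   SERVER_DN   - VPN gateway identity expected in its certificate

# -x traces every command to stderr.  That trace includes CLUSTER_ID, which is
# also written as the EAP secret further down, so keep the output out of
# shared logs.  -u and pipefail are added so an unset variable or a failing
# pipeline stage stops the script instead of silently producing bad config.
set -x -e -u -o pipefail

# Fail early on missing input.  Values are quoted (the original unquoted test
# silently passed a value containing spaces) and messages go to stderr.
for required in VAULT_ADDR CLUSTER_ID SERVER_IP SERVER_DN; do
  if [ -z "${!required:-}" ]; then
    printf 'Missing variable %s\n' "$required" >&2
    exit 1
  fi
done

# CLUSTER_ID becomes a Unix account name, a sudoers entry and is templated
# into several config files, so reject anything outside a conservative
# user-name alphabet (useradd's own limit is 32 characters).
if [[ ! "$CLUSTER_ID" =~ ^[A-Za-z_][A-Za-z0-9._-]{0,31}$ ]]; then
  printf 'CLUSTER_ID %q is not a valid user name\n' "$CLUSTER_ID" >&2
  exit 1
fi

# Everything below writes under /etc and installs packages.
if [ "$(id -u)" -ne 0 ]; then
  printf 'This script must run as root\n' >&2
  exit 1
fi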

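apt-get update && apt-get install -y curl jq openssl unzip

# The SSH CA key fetched below is a trust anchor: anyone who can alter it in
# transit can log in as any user.  Warn when it is not fetched over TLS.
case "$VAULT_ADDR" in
  https://*) ;;
  *) printf 'Warning: VAULT_ADDR is not https; the SSH CA key is fetched unprotected\n' >&2 ;;
esac

# Get the CA public key to add to the ssh server.
# --fail makes an HTTP error a non-zero exit instead of an error body (the
# original would have installed such a body as the CA); -sS keeps curl quiet
# except for real errors.  The URL is quoted so odd characters pass intact.
PUBLICKEY_CA=$(curl --fail -sS "$VAULT_ADDR/v1/ssh/public_key") || {
  printf 'Could not fetch the CA Public Key from %s\n' "$VAULT_ADDR" >&2
  exit 1
}
if [ -z "$PUBLICKEY_CA" ]; then
	echo "There is no CA Public Key registered for this CLUSTER"; exit 1
fi

# Add the CA Public Key as a Trusted CA in the SSH server.
# Write to a temp file first and let ssh-keygen parse it, so a response that
# is not a key (an error page, for instance) never becomes the trusted CA.
# printf keeps the key byte-for-byte; the unquoted echo collapsed whitespace.
ca_tmp=$(mktemp)
printf '%s\n' "$PUBLICKEY_CA" > "$ca_tmp"
if ! ssh-keygen -l -f "$ca_tmp" >/dev/null; then
  printf 'Response from %s is not an SSH public key\n' "$VAULT_ADDR" >&2
  rm -f -- "$ca_tmp"
  exit 1
fi
install -m 0644 -- "$ca_tmp" /etc/ssh/trusted-user-ca-keys.pem
rm -f -- "$ca_tmp"

# Append the TrustedUserCAKeys directive only once, so re-running the script
# does not stack duplicate lines in sshd_config.
if ! grep -qxF 'TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem' /etc/ssh/sshd_config; then
  printf '\nTrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem\n' >> /etc/ssh/sshd_config
fi

# Validate the configuration before restarting; a broken sshd_config would
# otherwise take remote access down with it.
sshd -t
service sshd restart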

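# Create the user $CLUSTER_ID (skipped when it already exists, so the script
# can be re-run).  All expansions are quoted.
if ! id -u "$CLUSTER_ID" >/dev/null 2>&1; then
  useradd --user-group --create-home --home-dir "/home/$CLUSTER_ID" \
          --shell /bin/bash "$CLUSTER_ID"
fi

# Package-management privileges for the user.  The rule goes into a drop-in
# under /etc/sudoers.d (assumes /etc/sudoers includes that directory, the
# Ubuntu default) and is checked with visudo before it is installed: a
# syntax error appended straight to /etc/sudoers would disable sudo for every
# account.  The drop-in has a fixed name because sudo ignores files whose
# name contains a dot, which CLUSTER_ID may.
# NOTE(review): apt/apt-get/aptitude can be made to run arbitrary commands
# through their own options, so NOPASSWD on them is effectively unrestricted
# root for this account; keep that in mind when deciding who may log in as it.
sudoers_tmp=$(mktemp)
printf '%s       ALL= NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/bin/aptitude\n' \
  "$CLUSTER_ID" > "$sudoers_tmp"
visudo -cf "$sudoers_tmp"
install -m 0440 -o root -g root -- "$sudoers_tmp" /etc/sudoers.d/90-cluster-user
rm -f -- "$sudoers_tmp"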


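######### CONFIGURE SECUREBOOT AND IMA

# Enable Secure Boot (Debian/Ubuntu grub-install option).
# NOTE(review): assumes the machine booted via UEFI — confirm on the target.
grub-install --uefi-secure-boot

# Enable IMA measurement from boot.
# NOTE(review): the kernel's ima_hash= parameter takes an algorithm name
# (sha1, sha256, ...); the bare "256" is not a recognised name and the kernel
# falls back to its default.  Left as-is because the attestation server's
# expected algorithm is not known from here — confirm and set e.g. sha256.
# sed exits 0 even when the pattern did not match (GRUB_CMDLINE_LINUX not
# empty), so the grep afterwards checks the parameters really landed.
ima_params='ima_policy=tcb ima_hash=256'
sed -i "s/GRUB_CMDLINE_LINUX=\"\"/GRUB_CMDLINE_LINUX=\"$ima_params\"/" /etc/default/grub
if ! grep -q 'ima_policy=tcb' /etc/default/grub; then
  printf 'Could not add IMA parameters to GRUB_CMDLINE_LINUX in /etc/default/grub\n' >&2
  exit 1
fi

# Update the GRUB
update-grub

# Create the ima directory to place custom IMA policy (-p: harmless on re-run)
mkdir -p /etc/ima

# Custom IMA policy.  This is a policy file, not a script: the '#!/bin/sh'
# first line is only a comment to the policy parser.  All rules are
# "measure" (no appraisal), so the resulting log is for attestation, not
# enforcement.  The heredoc is quoted; nothing in it is meant to be expanded.
cat << 'EOF' > /etc/ima/ima-policy
#!/bin/sh
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_measure fsmagic=0x858458f6
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
# MEASUREMENTS
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK uid=0
#SELinux specific rules
measure obj_type=etc_t func=FILE_CHECK mask=MAY_READ
EOF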


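######### INSTALL TPM TOOLS

# Upstream release tags.  Tags are mutable references; a production build
# should pin each checkout to a commit (git checkout <PINNED_COMMIT_SHA>) or
# verify a signed tag before building.
TPM2_TSS_BRANCH=1.3.0
TPM2_ABRMD_BRANCH=1.2.0
TPM2_TOOLS_BRANCH=3.0.2
# Size the parallel build to the machine instead of a fixed -j10.
BUILD_JOBS=$(nproc)
# Build in a scratch directory so a re-run never collides with (or has to
# delete) an earlier checkout in the caller's working directory.
TPM_BUILD_DIR=$(mktemp -d)

# Service account tpm2-abrmd runs as; skip creation when it already exists.
id -u tss >/dev/null 2>&1 || useradd --system --user-group tss

apt-get update

apt-get install -y autoconf-archive libcmocka0 libcmocka-dev build-essential git pkg-config gcc g++ m4 libtool automake liburiparser-dev libgcrypt20-dev libssl-dev autoconf

pushd "$TPM_BUILD_DIR"

git clone --depth 1 --recursive -b "$TPM2_TSS_BRANCH" https://github.com/tpm2-software/tpm2-tss
pushd tpm2-tss
./bootstrap
./configure --prefix=/usr
make -j"$BUILD_JOBS"
make install
ldconfig
popd

# libglib2.0-dev provides the GLib/GIO headers tpm2-abrmd builds against;
# libghc-gio-dev (kept from the original list) is the Haskell binding.
apt-get install -y libdbus-1-dev libghc-gio-dev libglib2.0-dev
git clone --depth 1 --recursive -b "$TPM2_ABRMD_BRANCH" https://github.com/tpm2-software/tpm2-abrmd
pushd tpm2-abrmd
./bootstrap
./configure --with-udevrulesdir=/etc/udev/rules.d \
            --with-dbuspolicydir=/etc/dbus-1/system.d \
            --with-systemdsystemunitdir=/lib/systemd/system \
            --datarootdir=/usr/share --prefix=/usr
make -j"$BUILD_JOBS"
make install
udevadm control --reload-rules
udevadm trigger
ldconfig
# Reload the D-Bus policy just installed.  pkill exits 1 when no daemon
# matched, which is not an error at this point (would abort under set -e).
pkill -HUP dbus-daemon || true
systemctl daemon-reload
systemctl enable tpm2-abrmd
systemctl start tpm2-abrmd
popd

apt-get install -y libcurl4-gnutls-dev pandoc python-yaml
git clone --depth 1 --recursive -b "$TPM2_TOOLS_BRANCH" https://github.com/tpm2-software/tpm2-tools
pushd tpm2-tools
# md2man (a Ruby gem) is needed for the man pages.
# NOTE(review): "gem update --system" replaces the system RubyGems with the
# latest upstream release — an unpinned, unverified download.
apt-get install -y ruby ruby-dev
gem update --system
gem install md2man
./bootstrap
./configure --prefix=/usr
make -j"$BUILD_JOBS"
make install
popd

popd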


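######### INSTALL STRONGSWAN

STRONGSWAN_VERSION=5.6.3
STRONGSWAN_TARBALL="strongswan-${STRONGSWAN_VERSION}.tar.bz2"
STRONGSWAN_SRC_DIR="strongswan-${STRONGSWAN_VERSION}"

apt-get update
apt-get install -y libtspi-dev libopencryptoki-dev libssl-dev libtool m4 automake pkg-config \
  libgmp3-dev libcurl4-openssl-dev build-essential libsystemd0 libsystemd-dev

# Fetch over HTTPS only (curl is installed at the top of the script); the
# original plain-http download of the VPN daemon's source could be altered in
# transit.  Upstream also publishes a detached signature for each release —
# verify "$STRONGSWAN_TARBALL.sig" against the strongSwan release key before
# building anything that leaves the lab.
curl --fail -sS --proto '=https' -o "$STRONGSWAN_TARBALL" \
  "https://download.strongswan.org/$STRONGSWAN_TARBALL"
# Drop a tree left by an earlier run so the extract and build start clean.
rm -rf -- "$STRONGSWAN_SRC_DIR"
tar xjf "$STRONGSWAN_TARBALL"
pushd "$STRONGSWAN_SRC_DIR"

# Built-in gmp/aes/md5/sha plugins are disabled in favour of the openssl
# plugin; the EAP/TNC/TPM set is what the IMC client below needs.
strongswan_configure_opts=(
  --prefix=/usr --sysconfdir=/etc
  --disable-gmp --disable-aes --disable-md5 --disable-sha1 --disable-sha2
  --disable-fips-prf --enable-curl --enable-openssl
  --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2
  --enable-eap-tnc --enable-eap-ttls --enable-eap-dynamic --enable-tnccs-20
  --enable-tnc-imc --enable-imc-os --enable-imc-attestation --enable-aikgen
  --enable-tss-tss2 --enable-tpm --enable-systemd
)
./configure "${strongswan_configure_opts[@]}"
make -j"$(nproc)"
make install
popd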


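######### CONFIGURE STRONGSWAN

# Append our charon/libtls/libimcv settings once: a stock strongswan.conf has
# no imc-attestation section, so its presence marks an earlier run.  The
# heredoc is quoted because nothing in it is meant to be expanded by the
# shell.  max_message_count = 0 lifts the per-exchange message limit for the
# TNC exchanges.
# NOTE(review): device_pubkey points at /ak_rsa.pem.pub (filesystem root)
# while tpm2_readpublic later writes ak_rsa.pem.pub into the working
# directory, and aik_cert is relative as well.  Unless the script runs from /,
# these will not line up — confirm where libimcv resolves them or use
# absolute paths.
if ! grep -q 'imc-attestation' /etc/strongswan.conf 2>/dev/null; then
cat << 'EOF' >> /etc/strongswan.conf
charon {
	load_modular = yes
	plugins {
		include strongswan.d/charon/*.conf
	}
}

include strongswan.d/*.conf
charon {
  plugins {
    eap-ttls {
      max_message_count = 0
    }
    eap-tnc {
      max_message_count = 0
    }
    tnccs-20 {
       max_batch_size = 32754
       max_message_size = 32722
    }
  }
}

libtls {
  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
libimcv {
  plugins {
    imc-os {
        device_pubkey = /ak_rsa.pem.pub
    }
    imc-attestation {
      aik_handle = 81010003
      aik_cert = blackboxCert.der
    }
  }
}

EOF
fi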

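#Configuring Integrity Measurement Collector on TNC client
# Each IMC line is added only when it is not already present (re-run safe);
# -x -F compares the whole line literally.
tnc_config=/etc/tnc_config
for imc_line in \
  'IMC "OS"           /usr/lib/ipsec/imcvs/imc-os.so' \
  'IMC "Attestation"  /usr/lib/ipsec/imcvs/imc-attestation.so'; do
  grep -qxF -- "$imc_line" "$tnc_config" 2>/dev/null || printf '%s\n' "$imc_line" >> "$tnc_config"
done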

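# Configuring VPN connection
#
# The heredoc is quoted so the shell leaves it alone; envsubst then replaces
# exactly the three listed variables and nothing else.  (In the original the
# unquoted heredoc was expanded by the shell and then fed to envsubst a
# second time, so a '$' inside a value would have been interpreted again.)
# NOTE(review): "auto=" is set twice in conn home (add, then start); confirm
# which value the starter applies and drop the other.
cat << 'EOF' | envsubst '$CLUSTER_ID $SERVER_IP $SERVER_DN' > /etc/ipsec.conf
config setup
     charondebug="tnc 3, imc 3, pts 3"

conn %default
        ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-curve25519!
        esp=aes128gcm128-ecp256,aes256gcm128-ecp384,aes128-sha256-curve25519!
        keyexchange=ikev2

conn home
        auto=add
        left=%any
        leftid=$CLUSTER_ID
        leftauth=eap
        leftfirewall=yes
        leftsourceip=%config
        right=$SERVER_IP
        rightid=$SERVER_DN
        rightauth=any
        rightsendcert=never
        rightsubnet=10.1.0.0/28
        auto=start
        ikelifetime=3m
        margintime=1m
        rekeyfuzz=0%
        rekey=yes
EOF

#Adding client secrets
# The EAP password written here is CLUSTER_ID itself, i.e. equal to the
# public identity, and it also shows up in the set -x trace.  Acceptable for
# a demo only.  The file is created owner-only (umask 077) before the secret
# is written, and chmod covers the case where it already existed.
( umask 077; printf '%s : EAP "%s"\n' "$CLUSTER_ID" "$CLUSTER_ID" > /etc/ipsec.secrets )
chmod 600 /etc/ipsec.secrets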


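# swanctl (vici) counterpart of the connection above, appended once (the
# token_ak_rsa secret is the marker for an earlier run).  Quoted heredoc plus
# an explicit envsubst variable list, as for ipsec.conf.
# The local certificate is the one this script actually produces further
# down (blackboxCert.der, copied to /etc/swanctl/x509/); the original named a
# blackbox01KeyCert.der that is never created, so the connection could not
# have loaded its certificate.
if ! grep -q 'token_ak_rsa' /etc/swanctl/swanctl.conf 2>/dev/null; then
cat << 'EOF' | envsubst '$SERVER_IP $SERVER_DN' >> /etc/swanctl/swanctl.conf
connections {
   rsa {
      local_addrs = %any
      remote_addrs = $SERVER_IP

      local {
         auth = pubkey
         certs = blackboxCert.der
      }
      vips = 0.0.0.0, ::
      remote {
         auth = pubkey
         id = $SERVER_DN
      }
      children {
         rsa {
            remote_ts = 0.0.0.0/0,::/0
            updown = /usr/libexec/ipsec/_updown iptables
            esp_proposals = aes128-sha256-curve25519
         }
      }
      version = 2
      proposals = aes128-sha256-curve25519
   }
}

secrets {
    token_ak_rsa {
       handle = 81010003 # INDEX OF AK KEY AT TPM WITHOUT 0x
    }
}
EOF
fi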


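######### CONFIGURE CERTIFICATES AND KEYS

echo "THIS SHOULD BE EXECUTED IN ANOTHER SECURE MACHINE"
mkdir -p ca
pushd ca

echo "Using hardcoded CA for demo purposes!!!!! Change for production!"
# This CA key is embedded in a script that is readable by anyone, and the
# host below installs its certificate as a trusted VPN CA: every certificate
# it signs must be treated as forgeable.  Generate a fresh CA and keep its key
# off this host before any real deployment.  The file is pre-created with
# mode 0600 so the key is at least not world-readable on disk (the original
# relied on the default umask).
install -m 0600 /dev/null ztpCaKey.pem
cat << 'EOF' > ztpCaKey.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOaJ+iH8tO7fHtY1RUvL+q+AD5ea1JTTRhAKwQM5I/dMoAoGCCqGSM49
AwEHoUQDQgAESGJj2tyNmuT1ogveMQ4zOTTOYKl6KoB3cUGlktg8afBDqYXEUSUv
cafPiZl6TbdRyXnI3/TJPuVi+uiilhhj4A==
-----END EC PRIVATE KEY-----
EOF

# NOTE(review): the certificate body must be the one matching ztpCaKey.pem
# above; the copy on this page is elided, so confirm against the source.
cat << 'EOF' > ztpCaCert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF

# Install the CA certificate for both the swanctl and the legacy ipsec layouts.
cp ztpCaCert.pem /etc/swanctl/x509ca/
cp ztpCaCert.pem /etc/ipsec.d/cacerts/
popd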

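# List the PCR banks (informational; also fails fast under set -e when the
# TPM or tpm2-abrmd is not reachable).
tpm2_pcrlist
# Persistent handles: 0x81010002 = endorsement key, 0x81010003 = attestation
# key — the handle referenced from strongswan.conf and swanctl.conf above.
# Algorithm ids (tpm2-tools 3.x spelling): 0x0001 RSA, 0x000B SHA256,
# 0x0014 RSASSA.
tpm2_getpubek -H 0x81010002 -g 0x0001 -f ek_rsa.tss.pub
tpm2_getpubak -E 0x81010002 -g 0x0001 -D 0x000B -s 0x0014 -k 0x81010003 -f ak_rsa.tss.pub -n ak_rsa.name
# Public half of the AK in PEM, as pki --issue expects it.
tpm2_readpublic -H 0x81010003 -o ak_rsa.pem.pub -f pem

# Issue the device certificate from the demo CA.  Only the AK's public half is
# signed; the private key never leaves the TPM.  --lifetime is in days
# (3651 ≈ 10 years).  CLUSTER_ID is quoted so the SAN is passed as one value.
pki --issue --cacert ca/ztpCaCert.pem --cakey ca/ztpCaKey.pem --type pub \
    --in ak_rsa.pem.pub --dn "C=BR, O=ZTP Demo, OU=RSA, CN=$CLUSTER_ID" \
    --san "$CLUSTER_ID" --lifetime 3651 > blackboxCert.der

cp blackboxCert.der /etc/swanctl/x509/
cp blackboxCert.der /etc/ipsec.d/certs/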


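######### CONFIGURE SELINUX

# AppArmor and SELinux cannot both be the active LSM, so AppArmor is removed
# first.  The block is skipped when the package is absent; otherwise the
# first stop/teardown command would abort the script under set -e.
if dpkg -s apparmor >/dev/null 2>&1; then
  /etc/init.d/apparmor stop
  service apparmor teardown
  update-rc.d -f apparmor remove
  apt-get purge apparmor -y
fi

apt-get update

# Install SELinux packages
apt-get install -y selinux-basics selinux-policy-default auditd

# Configure GRUB and create /.autorelabel (full relabel on next boot)
selinux-activate

# Enable SELinux on Ubuntu 18.04: selinux-activate leaves a "security=selinux"
# entry in GRUB_CMDLINE_LINUX; this appends selinux=1 right after it.  sed
# exits 0 even when nothing matched, so grep confirms the flag is present.
sed -i 's/selinux"/selinux selinux=1"/' /etc/default/grub
if ! grep -q 'selinux=1' /etc/default/grub; then
  printf 'selinux=1 was not added to GRUB_CMDLINE_LINUX in /etc/default/grub\n' >&2
  exit 1
fi

# Update the GRUB
update-grub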

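# Prepare files for database reference (for demo)
# NOTE(review): this uploads the host's sshd_config (which now names the
# trusted CA file) and a system library to transfer.sh, a public third-party
# file host; anyone holding the returned URL can download them.  Keep this
# step out of real deployments and use an internal, authenticated store.
# --fail makes a rejected upload abort instead of appending an error body to
# file_path.sh; printf replaces the non-portable "echo -n".
printf 'fill-database.sh ' >> file_path.sh
curl --fail -sS --upload-file /etc/ssh/sshd_config https://transfer.sh >> file_path.sh
printf ' ' >> file_path.sh
curl --fail -sS --upload-file /usr/lib/ipsec/plugins/libstrongswan-tpm.so https://transfer.sh >> file_path.sh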