blackbox with vault
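#!/bin/bash
# Provision a "blackbox" host: trust the Vault SSH CA and create the cluster
# user here; the sections that follow enable Secure Boot/IMA, build the TPM2
# tooling, build and configure strongSwan with TNC attestation, and switch
# the host from AppArmor to SELinux.
#
# Required environment: VAULT_ADDR, CLUSTER_ID, SERVER_IP, SERVER_DN.
# Must run as root.
set -euo pipefail
# `set -x` prints every expanded command line to stderr, so anything passed on
# a command line (tokens, secrets) ends up in whatever captures the output.
# Tracing is therefore opt-in: export TRACE=1 to get the original behaviour.
if [ -n "${TRACE:-}" ]; then set -x; fi

# Fail early on missing input. The expansions are quoted so a value containing
# spaces cannot break the test.
for required in VAULT_ADDR CLUSTER_ID SERVER_IP SERVER_DN; do
  if [ -z "${!required:-}" ]; then
    echo "Missing variable $required" >&2
    exit 1
  fi
done

apt-get update && apt-get install -y curl jq openssl unzip

# Get the CA public key to add to the ssh server.
# --fail makes curl exit non-zero on an HTTP error instead of printing the
# error body, which would otherwise pass the non-empty check below and be
# installed as the trusted CA. The endpoint needs no Vault token, so VAULT_ADDR
# should be an https:// URL; over plain http the CA key could be replaced in
# transit.
PUBLICKEY_CA=$(curl --fail --silent --show-error "$VAULT_ADDR/v1/ssh/public_key")
if [ -z "$PUBLICKEY_CA" ]; then
  echo "There is no CA Public Key registered for this CLUSTER" >&2
  exit 1
fi

# Add the CA Public Key as a Trusted CA in the SSH server.
# The directive is appended only if absent so a re-run does not accumulate
# duplicates, and the config is syntax-checked before sshd is restarted: a
# broken sshd_config would lock every remote user out.
printf '%s\n' "$PUBLICKEY_CA" > /etc/ssh/trusted-user-ca-keys.pem
chmod 0644 /etc/ssh/trusted-user-ca-keys.pem
if ! grep -q '^TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem' /etc/ssh/sshd_config; then
  printf '\nTrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem\n' >> /etc/ssh/sshd_config
fi
/usr/sbin/sshd -t
service sshd restart

# Create the user $CLUSTER_ID (skipped when it already exists, so the script
# can be re-run).
if ! id -u "$CLUSTER_ID" >/dev/null 2>&1; then
  useradd --user-group --create-home --home-dir "/home/$CLUSTER_ID" \
    --shell /bin/bash "$CLUSTER_ID"
fi
# Password-less sudo for the package managers only. NOTE: being able to
# install arbitrary packages as root is effectively full root; confirm that is
# the intended privilege level for the cluster user.
# The rule is appended once and the whole sudoers file is validated afterwards;
# a syntax error in /etc/sudoers disables sudo for everyone.
sudoers_rule="$CLUSTER_ID ALL= NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/bin/aptitude"
if ! grep -qF -- "$sudoers_rule" /etc/sudoers; then
  printf '%s\n' "$sudoers_rule" >> /etc/sudoers
fi
visudo -c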
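######### CONFIGURE SECUREBOOT AND IMA
# Enable Secure Boot
grub-install --uefi-secure-boot
# Enable IMA by adding the IMA parameters to the kernel command line.
# The previous sed matched only a literal GRUB_CMDLINE_LINUX="" and silently
# did nothing when the variable already had content; this version inserts the
# parameters before the closing quote whatever is there, and skips the edit on
# a re-run. ima_hash= takes an algorithm name (sha256), not a bit length.
if ! grep -q 'ima_policy=tcb' /etc/default/grub; then
  sed -i 's/^GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="\1 ima_policy=tcb ima_hash=sha256"/' /etc/default/grub
fi
# Update the GRUB
update-grub
# Create the ima directory to place custom IMA policy (-p: tolerate a re-run)
mkdir -p /etc/ima
# Create IMA policy file. The delimiter is quoted so the content is written
# literally; nothing in it is meant to be expanded by the shell.
# The obj_type=etc_t rule only takes effect once SELinux is active (configured
# later in this script).
cat << 'EOF' > /etc/ima/ima-policy
#!/bin/sh
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_measure fsmagic=0x858458f6
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
# MEASUREMENTS
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK uid=0
#SELinux specific rules
measure obj_type=etc_t func=FILE_CHECK mask=MAY_READ
EOF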
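######### INSTALL TPM TOOLS
# Upstream tags to build. They are cloned over https but the tag is not
# otherwise verified; for production pin a commit hash or check the tag
# signature, since whatever is at the tag ends up installed under /usr.
TPM2_TSS_BRANCH=1.3.0
TPM2_ABRMD_BRANCH=1.2.0
TPM2_TOOLS_BRANCH=3.0.2
# Build parallelism: defaults to the core count instead of a fixed 10.
JOBS=${JOBS:-$(nproc)}
# tpm2-abrmd runs as the unprivileged "tss" user; skip creation on a re-run.
id -u tss >/dev/null 2>&1 || useradd --system --user-group tss
apt update -y
apt install autoconf-archive libcmocka0 libcmocka-dev build-essential git pkg-config gcc g++ m4 libtool automake liburiparser-dev libgcrypt20-dev libssl-dev autoconf -y

# tpm2-tss: the TSS libraries everything else links against.
git clone --depth 1 --recursive -b "$TPM2_TSS_BRANCH" https://github.com/tpm2-software/tpm2-tss
pushd tpm2-tss
./bootstrap
./configure --prefix=/usr
make -j"$JOBS"
make install
ldconfig
popd

# tpm2-abrmd: the D-Bus access broker / resource manager daemon.
apt install libdbus-1-dev libghc-gio-dev -y
git clone --depth 1 --recursive -b "$TPM2_ABRMD_BRANCH" https://github.com/tpm2-software/tpm2-abrmd
pushd tpm2-abrmd
./bootstrap
./configure --with-udevrulesdir=/etc/udev/rules.d --with-dbuspolicydir=/etc/dbus-1/system.d --with-systemdsystemunitdir=/lib/systemd/system --datarootdir=/usr/share --prefix=/usr
make -j"$JOBS"
make install
# Pick up the new udev rules and D-Bus policy, then start the daemon.
udevadm control --reload-rules
udevadm trigger
ldconfig
pkill -HUP dbus-daemon
systemctl daemon-reload
systemctl enable tpm2-abrmd
systemctl start tpm2-abrmd
popd

# tpm2-tools: the tpm2_* command line utilities used later in this script.
apt install libcurl4-gnutls-dev pandoc python-yaml -y
git clone --depth 1 --recursive -b "$TPM2_TOOLS_BRANCH" https://github.com/tpm2-software/tpm2-tools
pushd tpm2-tools
# md2man is only needed to build the man pages. NOTE: both gem commands pull
# unpinned code from rubygems.org at build time.
apt install ruby ruby-dev -y
gem update --system
gem install md2man
./bootstrap
./configure --prefix=/usr
make -j"$JOBS"
make install
popd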
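######### INSTALL STRONGSWAN
STRONGSWAN_VERSION=5.6.3
apt update -y
apt install -y libtspi-dev libopencryptoki-dev libssl-dev libtool m4 automake pkg-config libgmp3-dev libcurl4-openssl-dev build-essential libsystemd0 libsystemd-dev
# Download over https: the original fetched over plain http, which lets an
# on-path party substitute the tarball that is then built and installed as
# root. --fail aborts on an HTTP error instead of saving an error page as the
# archive. TODO: also verify the release signature published alongside the
# tarball against the strongSwan release key before extracting.
curl --fail --silent --show-error --location -O "https://download.strongswan.org/strongswan-${STRONGSWAN_VERSION}.tar.bz2"
tar xjvf "strongswan-${STRONGSWAN_VERSION}.tar.bz2"
pushd "strongswan-${STRONGSWAN_VERSION}"
# Legacy algorithms (MD5/SHA-1, FIPS PRF) are disabled; crypto comes from the
# openssl plugin. The TNC/IMC/attestation/TPM plugins are what the remote
# attestation client below depends on.
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --disable-aes --disable-md5 --disable-sha1 --disable-sha2 --disable-fips-prf --enable-curl --enable-openssl --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tnc --enable-eap-ttls --enable-eap-dynamic --enable-tnccs-20 --enable-tnc-imc --enable-imc-os --enable-imc-attestation --enable-aikgen --enable-tss-tss2 --enable-tpm --enable-systemd
make -j"$(nproc)"
make install
popd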
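######### CONFIGURE STRONGSWAN
# strongswan.conf is appended to, so guard with a marker from the block itself
# to keep a re-run from adding the sections twice. The heredoc delimiter is
# quoted because nothing inside needs shell expansion.
# NOTE(review): device_pubkey points at /ak_rsa.pem.pub (filesystem root), but
# tpm2_readpublic later in this script writes ak_rsa.pem.pub into the current
# working directory, so this only resolves when the script runs from / —
# confirm the intended location. aik_cert is a bare file name; confirm where
# strongSwan resolves it relative to.
if ! grep -qs 'imc-attestation' /etc/strongswan.conf; then
cat << 'EOF' >> /etc/strongswan.conf
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
include strongswan.d/*.conf
charon {
plugins {
eap-ttls {
max_message_count = 0
}
eap-tnc {
max_message_count = 0
}
tnccs-20 {
max_batch_size = 32754
max_message_size = 32722
}
}
}
libtls {
suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
libimcv {
plugins {
imc-os {
device_pubkey = /ak_rsa.pem.pub
}
imc-attestation {
aik_handle = 81010003
aik_cert = blackboxCert.der
}
}
}
EOF
fi
#Configuring Integrity Measurement Collector on TNC client (each line added once)
grep -qsF 'imc-os.so' /etc/tnc_config || echo "IMC \"OS\" /usr/lib/ipsec/imcvs/imc-os.so" >> /etc/tnc_config
grep -qsF 'imc-attestation.so' /etc/tnc_config || echo "IMC \"Attestation\" /usr/lib/ipsec/imcvs/imc-attestation.so" >> /etc/tnc_config
# Configuring VPN connection (legacy ipsec.conf, overwritten on every run).
# The unquoted delimiter already expands $CLUSTER_ID/$SERVER_IP/$SERVER_DN in
# the shell; envsubst is kept for compatibility but has nothing left to do.
# NOTE: auto=add and auto=start both appear in "conn home"; the later value is
# the one expected to apply — confirm and drop the other.
cat << EOF | envsubst > /etc/ipsec.conf
config setup
charondebug="tnc 3, imc 3, pts 3"
conn %default
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-curve25519!
esp=aes128gcm128-ecp256,aes256gcm128-ecp384,aes128-sha256-curve25519!
keyexchange=ikev2
conn home
auto=add
left=%any
leftid=$CLUSTER_ID
leftauth=eap
leftfirewall=yes
leftsourceip=%config
right=$SERVER_IP
rightid=$SERVER_DN
rightauth=any
rightsendcert=never
rightsubnet=10.1.0.0/28
auto=start
ikelifetime=3m
margintime=1m
rekeyfuzz=0%
rekey=yes
EOF
#Adding client secrets
# NOTE: the EAP secret is the identity itself, i.e. a guessable password. For
# anything beyond a demo it should be issued per host (e.g. fetched from
# Vault) rather than derived from CLUSTER_ID. The file is made owner-only
# readable because a fresh redirect would otherwise create it world-readable.
echo "$CLUSTER_ID : EAP \"$CLUSTER_ID\"" > /etc/ipsec.secrets
chmod 0600 /etc/ipsec.secrets
# swanctl.conf is appended to; add the connection once.
# NOTE(review): certs = blackbox01KeyCert.der does not match the certificate
# this script issues later (blackboxCert.der, copied to /etc/swanctl/x509/) —
# confirm which name is intended.
if ! grep -qs 'token_ak_rsa' /etc/swanctl/swanctl.conf; then
cat <<EOF | envsubst >> /etc/swanctl/swanctl.conf
connections {
rsa {
local_addrs = %any
remote_addrs = $SERVER_IP
local {
auth = pubkey
certs = blackbox01KeyCert.der
}
vips = 0.0.0.0, ::
remote {
auth = pubkey
id = $SERVER_DN
}
children {
rsa {
remote_ts = 0.0.0.0/0,::/0
updown = /usr/libexec/ipsec/_updown iptables
esp_proposals = aes128-sha256-curve25519
}
}
version = 2
proposals = aes128-sha256-curve25519
}
}
secrets {
token_ak_rsa {
handle = 81010003 # INDEX OF AK KEY AT TPM WITHOUT 0x
}
}
EOF
fi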
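######### CONFIGURE CERTIFICATES AND KEYS
echo "THIS SHOULD BE EXECUTED IN ANOTHER SECURE MACHINE"
mkdir -p ca
pushd ca
echo "Using hardcoded CA for demo purposes!!!!! Change for production!"
# The CA private key below is embedded in this script, so it is effectively
# public: every certificate it signs is only meaningful inside a throwaway
# demo. The file is still restricted to the owner so it is not left
# world-readable on disk. Delimiters are quoted: the PEM text is literal.
cat << 'EOF' > ztpCaKey.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOaJ+iH8tO7fHtY1RUvL+q+AD5ea1JTTRhAKwQM5I/dMoAoGCCqGSM49
AwEHoUQDQgAESGJj2tyNmuT1ogveMQ4zOTTOYKl6KoB3cUGlktg8afBDqYXEUSUv
cafPiZl6TbdRyXnI3/TJPuVi+uiilhhj4A==
-----END EC PRIVATE KEY-----
EOF
chmod 0600 ztpCaKey.pem
cat << 'EOF' > ztpCaCert.pem
-----BEGIN CERTIFICATE-----
MIIBpDCCAUqgAwIBAgIIJSSzwvZfkkAwCgYIKoZIzj0EAwIwNjELMAkGA1UEBhMC
QlIxETAPBgNVBAoTCFpUUCBEZW1vMRQwEgYDVQQDEwtaVFAgRGVtbyBDQTAeFw0x
ODA4MDcyMDEwMzhaFw0yODA4MDYyMDEwMzhaMDYxCzAJBgNVBAYTAkJSMREwDwYD
VQQKEwhaVFAgRGVtbzEUMBIGA1UEAxMLWlRQIERlbW8gQ0EwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAARIYmPa3I2a5PWiC94xDjM5NM5gqXoqgHdxQaWS2Dxp8EOp
hcRRJS9xp8+JmXpNt1HJecjf9Mk+5WL66KKWGGPgo0IwQDAPBgNVHRMBAf8EBTAD
AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUOyPuVdxUYyw8vvJCOOdi7O/w
ggkwCgYIKoZIzj0EAwIDSAAwRQIhAPQYz3+POUMscFk8Q1mTTk4Ir6RTSiGpuk9y
p2At/NVYAiBy6aRgyRuDNRxl1cxMQYCaYzLHER/mQmk+RnC39pDhhw==
-----END CERTIFICATE-----
EOF
# Install the CA certificate for both the swanctl and the legacy ipsec stacks.
cp ztpCaCert.pem /etc/swanctl/x509ca/
cp ztpCaCert.pem /etc/ipsec.d/cacerts/
popd
# Informational: dump the current PCR values.
tpm2_pcrlist
# Create the endorsement key at persistent handle 0x81010002 and an
# attestation key at 0x81010003; the AK handle matches aik_handle/handle
# (81010003, without the 0x) in the strongSwan configuration above.
tpm2_getpubek -H 0x81010002 -g 0x0001 -f ek_rsa.tss.pub
tpm2_getpubak -E 0x81010002 -g 0x0001 -D 0x000B -s 0x0014 -k 0x81010003 -f ak_rsa.tss.pub -n ak_rsa.name
# Export the AK public key as PEM into the current directory.
tpm2_readpublic -H 0x81010003 -o ak_rsa.pem.pub -f pem
# Issue the AK certificate with the demo CA; identity comes from CLUSTER_ID.
pki --issue --cacert ca/ztpCaCert.pem --cakey ca/ztpCaKey.pem --type pub --in ak_rsa.pem.pub --dn "C=BR, O=ZTP Demo, OU=RSA, CN=$CLUSTER_ID" --san "$CLUSTER_ID" --lifetime 3651 > blackboxCert.der
cp blackboxCert.der /etc/swanctl/x509/
cp blackboxCert.der /etc/ipsec.d/certs/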
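######### CONFIGURE SELINUX
# Retire AppArmor before enabling SELinux. The stop/teardown/remove steps
# fail when AppArmor is not running or already removed, which under set -e
# would abort the whole script, so they are deliberately best-effort.
/etc/init.d/apparmor stop || true
service apparmor teardown || true
update-rc.d -f apparmor remove || true
apt-get purge apparmor -y
apt update -y
# Install SELinux packages
apt-get install -y selinux-basics selinux-policy-default auditd
# Configure GRUB and create ./autorelabel
selinux-activate
# Enable SELinux on Ubuntu 18.04: this relies on selinux-activate having put
# `security=selinux` into GRUB_CMDLINE_LINUX (presumably — verify on the target
# release) and appends selinux=1 next to it, once.
if ! grep -q 'selinux=1' /etc/default/grub; then
  sed -i 's/selinux"/selinux selinux=1"/' /etc/default/grub
fi
# Update the GRUB
update-grub
# Prepare files for database reference (for demo)
# NOTE: the two uploads send this host's sshd_config and the strongSwan TPM
# plugin to transfer.sh, a public third-party service, and store the returned
# download URLs in file_path.sh. Anyone holding a URL can fetch the file; keep
# this to the demo or replace it with a controlled upload target.
# printf is used instead of `echo -n`, whose behaviour is shell-dependent, and
# --fail stops a failed upload from writing an error page into file_path.sh.
printf 'fill-database.sh ' >> file_path.sh
curl --fail --upload-file /etc/ssh/sshd_config https://transfer.sh >> file_path.sh
printf ' ' >> file_path.sh
curl --fail --upload-file /usr/lib/ipsec/plugins/libstrongswan-tpm.so https://transfer.sh >> file_path.sh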