Merge pull request #5 from solidc0re/testing

v0.2.1-alpha

Author: solidc0re

solidcore-firstboot.sh

@@ -1065,6 +1065,74 @@ space_1
 conf_msg "Automatic update timers initiated"
 space_2
 
+
+# === FINAL CHECKS ===
+
+clear
+long_msg ">
+>
+>  Running some final checks..."
+sleep 2
+space_2
+
+# Check the current SELinux status and enable enforcing if required
+short_msg "[1 of 3] Checking SELinux..."
+space_1
+sleep 1
+current_status=$(sestatus | awk '/Current mode:/ {print $3}')
+desired_status="enforcing"
+
+if [ "$current_status" = "$desired_status" ]; then
+    conf_msg "SELinux already set to enforcing"
+else
+    setenforce 1
+    conf_msg "SELinux now set to enforcing"
+fi
+space_2
+
+# HTTP check for the repos
+short_msg "[2 of 3] Checking insecure URLs in the repo directory..."
+space_1
+sleep 1
+patterns=("^baseurl=http:" "^metalink=http:")
+for pattern in "${patterns[@]}"; do
+    output=$(grep -r "$pattern" /etc/yum.repos.d/)
+    if [ -n "$output" ]; then
+        short_msg "${bold}[WARNING]${normal} HTTP link found in the repository directory (/etc/yum.repos.d/)."
+        short_msg "Output:"
+        short_msg "$output"
+        short_msg "Please investigate. You may be able to manually edit the repo to use HTTPS. Failing that, contact the repo maintainer to report the security issue."
+        sleep 2
+    else
+        conf_msg "No insecure repos found in the repository directory"
+    fi
+done
+space_2
+
+# CPU vulnerability check
+short_msg "[3 of 3] Checking CPU Vulnerabilities..."
+space_1
+sleep 1
+
+short_msg "Vulnerability      | Status"
+short_msg "------------------ | --------------"
+
+vulnerabilities=$(grep . /sys/devices/system/cpu/vulnerabilities/*)
+
+while read -r line; do
+    # Extract vulnerability and status using awk
+    vulnerability=$(short_msg "$line" | awk -F ':' '{print $1}')
+    status=$(short_msg "$line" | awk -F ':' '{print $2}')
+
+    # Print the vulnerability and its status in a table format
+    printf "%-18s | %s\n" "$vulnerability" "$status"
+done <<< "$vulnerabilities"
+sleep 1
+space_1
+short_msg "Please take a note of the vulnerability if there is no mitigation in place and your device is listed as affected."
+sleep 3
+space_2
+
 # === TiDY UP & FINISH ===
 
 # Reboot if USB Guard installed, otherwise farewell

solidcore-install.sh

@@ -283,6 +283,7 @@ chmod +x /etc/solidcore/defaults.sh
 
 # Define an array of files to be backed up
 files_to_backup=(
+    "/etc/chrony.conf"
     "/etc/default/grub"
     "/etc/fstab"
     "/etc/machine-id"
@@ -293,6 +294,7 @@ files_to_backup=(
     "/etc/security/limits.conf"
     "/etc/security/pwquality.conf"
     "/etc/ssh/sshd_config"
+    "/etc/sysconfig/chronyd"
     "/etc/systemd/coredump.conf"
     "/etc/systemd/system/rpm-ostreed-automatic.timer.d/override.conf"
     "/var/lib/dbus/machine-id"
@@ -625,23 +627,31 @@ EOF
 systemctl restart NetworkManager
 
 
-# === HTTPS REPO CHECK ===
+# === CHRONY CONF ===
 
-# Define an array of patterns to search for
-patterns=("^baseurl=http:" "^metalink=http:")
+# Borrowed from GrapheneOS, keeping license intact
+license_url="https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/LICENSE"
+chrony_url="https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf"
 
-# Loop through the patterns and perform checks
-for pattern in "${patterns[@]}"; do
-    output=$(grep -r "$pattern" /etc/yum.repos.d/)
-    if [ -n "$output" ]; then
-        echo "Warning: HTTP link found in yum repository configuration."
-        echo "Output:"
-        echo "$output"
-        echo "Please investigate whether you can manually edit the repo to use HTTPS instead."
-    fi
-done
+mkdir -p ./tmp
+wget -q -O ./tmp/LICENSE "$license_url"
+sed 's/^/# /' ./tmp/LICENSE > ./tmp/LICENSE_temp
+wget -q -O ./tmp/chrony.conf "$chrony_url"
+
+systemctl stop chronyd.service
+rm -rf /etc/chrony.conf
+
+# Build new chrony.conf
+cat ./tmp/LICENSE_temp >> /etc/chrony.conf
+cat ./tmp/chrony.conf >> /etc/chrony.conf
+
+# Update chronyd
+sed -i 's/^OPTIONS=.*$/OPTIONS='"-F 1"'/' /etc/sysconfig/chronyd
 
-conf_msg "No insecure repos found in yum repository directory"
+# Clean up
+systemctl start chronyd.service
+rm -rf ./tmp
+conf_msg "Chrony configuration updated (thanks GrapheneOS!)"
 
 
 # === AUTOMATIC UPDATES ===

solidcore-uninstall.sh

@@ -132,7 +132,8 @@ if [[ "$uninstall_response" =~ ^[Yy]$ ]]; then
 
 	# Define an array of files to be restored
 	files_to_restore=(
-	    "/etc/default/grub"
+	    "/etc/chrony.conf"
+		"/etc/default/grub"
     	"/etc/fstab"
 		"/etc/machine-id"
 		"/etc/resolv.conf"
@@ -142,6 +143,7 @@ if [[ "$uninstall_response" =~ ^[Yy]$ ]]; then
     	"/etc/security/limits.conf"
 		"/etc/security/pwquality.conf"
     	"/etc/ssh/sshd_config"
+		"/etc/sysconfig/chronyd"
     	"/etc/systemd/coredump.conf"
     	"/etc/systemd/system/rpm-ostreed-automatic.timer.d/override.conf"
 	    "/var/lib/dbus/machine-id"
@@ -154,7 +156,7 @@ if [[ "$uninstall_response" =~ ^[Yy]$ ]]; then
     	if [ -e "$backup_file" ]; then
     	    if [ "$backup_file" == "/var/lib/dbus/machine-id" ]; then
 				# Restore the backup file
-    	    	cp "$backup_file" "$source_file"
+    	    	cp -f "$backup_file" "$source_file"
     	    	conf_msg "Backup restored for: $source_file"
     	    	# Remove the backup file
     	    	rm "$backup_file"