reworked dmcrypt for suricata

main
Ricard Illa 2022-10-19 11:21:27 +02:00
parent c6583f9d8c
commit 7f6720185f
10 changed files with 25 additions and 184 deletions


@ -36,6 +36,7 @@
become: true
roles:
- cryptoraid
tags: raid
- name: mounts
hosts:


@ -57,23 +57,13 @@ all:
rpi_cfg:
- "enable_uart=1"
- "otg_mode=1"
luks_yk_slot: 2
luks_yk_challenge: !vault |
$ANSIBLE_VAULT;1.1;AES256
34333431626366653132396433316337373134373832643066623838346535626639343130373536
3437363264343832346432373530316230623637333935310a643135323836306232366235333139
35323832333566653235386530643238633333356131373136333937373164373065313430633438
3731356134663033620a376230323761336534653064343135366465333438376539386238643931
31313735336563366366396536386262383430323161366263623639336661646465333436336264
3037623462653131643964383533646632343436613839623761
luks_dropbear_port: 2222
luks_timeout: 120
luks_targets:
- data0
- data1
luks_source_uuids:
- 202c924c-ee53-4321-9efd-1f776e939702
- a243ac31-094c-4fe2-bced-6e4311a16487
dmcrypt_targets:
- name: "WDC WDS400T1R0A"
target: "disk0"
source_uuid: "202c924c-ee53-4321-9efd-1f776e939702"
- name: "Samsung SSD 870"
target: "disk1"
source_uuid: "a243ac31-094c-4fe2-bced-6e4311a16487"
caladan:
ansible_host: caladan
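Review bot: The mapper names change from `data0`/`data1` (in the removed `luks_targets`) to `disk0`/`disk1` in the new `dmcrypt_targets` entries, so anything that still refers to `/dev/mapper/data0` or `/dev/mapper/data1` — the `mounts` play visible in the first file section is the obvious candidate — would need the same rename; its body is not in this diff, so please confirm. The new entries themselves are well-formed: device names and UUIDs are quoted strings, which avoids any implicit-typing surprise. One consequence worth recording on this commit: the vaulted `luks_yk_challenge` dropped here was also committed in cleartext in the deleted shell config (`export YK_CHALLENGE=...`), so that value stays recoverable from history and the YubiKey-derived LUKS passphrase should be treated as exposed and its keyslot rotated rather than relying on the file's deletion.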


@ -1 +0,0 @@
ssh-rsa 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 cardno:11 073 199


@ -1,17 +0,0 @@
#!/bin/sh
. /usr/local/etc/unlock-luks.conf
. /usr/local/share/unlock-luks-helpers.sh
[ -z "$SOURCE_UUIDS" ] && return 1
[ -z "$TARGETS" ] && return 1
touch "$LOCK_FILE"
# shellcheck disable=SC2064
trap "rm -f $LOCK_FILE" EXIT
printf "Enter LUKS password:"
passwd=$(read_password)
decrypt "${passwd}"
rm -f "$LOCK_FILE"


@ -1,48 +0,0 @@
#!/bin/sh
. /usr/local/etc/unlock-luks.conf
. /usr/local/share/unlock-luks-helpers.sh
REMOTE_UNLOCK=/usr/local/bin/remote-unlock.sh
DROPBEAR_PORT="${DROPBEAR_PORT:-22}"
TIMEOUT="${TIMEOUT:-60}"
YK_SLOT="${YK_SLOT:-2}"
[ -z "$YK_CHALLENGE" ] && return 1
[ -z "$SOURCE_UUIDS" ] && return 1
[ -z "$TARGETS" ] && return 1
loop() {
starttime=$(date +%s)
usedtime=0
while ! check_is_open && [ "$usedtime" -le "$TIMEOUT" ]; do
while [ -f "$LOCK_FILE" ]; do
sleep 1
done
yk_decrypt
sleep 1
endtime=$(date +%s)
usedtime=$((endtime - starttime))
done
}
dropbear \
-R -s -F \
-G root \
-p "${DROPBEAR_PORT}" \
-c "${REMOTE_UNLOCK}" &
DROPBEAR_PID="$!"
sleep 0.5
# shellcheck disable=SC2064
trap "kill $DROPBEAR_PID" EXIT
loop
kill "${DROPBEAR_PID}"
if check_is_open; then
printf "decryption succeeded\n"
else
printf "decryption failed\n"
fi


@ -1,8 +0,0 @@
#!/bin/sh
export SOURCE_UUIDS="202c924c-ee53-4321-9efd-1f776e939702 a243ac31-094c-4fe2-bced-6e4311a16487"
export TARGETS="data0 data1"
export TIMEOUT="60"
export YK_CHALLENGE="xWNQnvjBZav8UZzRKeQ7W1E0CV9E6Cnt"
export YK_SLOT="2"
export DROPBEAR_PORT=2222


@ -1,45 +0,0 @@
#!/bin/sh
. /usr/local/etc/unlock-luks.conf
export LOCK_FILE=/tmp/remote-unlock.lock
[ -z "$SOURCE_UUIDS" ] && return 1
[ -z "$TARGETS" ] && return 1
decrypt() {
passwd="$1"
i=1
for uuid in $SOURCE_UUIDS; do
target=$(printf "%s" "$TARGETS" | cut -d ' ' -f "${i}")
printf "%s" "$passwd" | cryptsetup luksOpen "/dev/disk/by-uuid/${uuid}" "${target}"
i=$((i + 1))
done
}
read_password() {
stty -echo
trap 'stty echo' EXIT
read -r passwd
stty echo
trap - EXIT
printf "%s" "${passwd}"
}
check_is_open() {
for target in $TARGETS; do
[ ! -b "/dev/mapper/${target}" ] && return 1
done
return 0
}
yk_decrypt() {
printf "attempting decryption with yubikey\n"
if ykinfo "-${YK_SLOT}" >&2; then
printf "yubikey available\n"
yk_pass=$(ykchalresp "-${YK_SLOT}" "${YK_CHALLENGE}" | tr -d '\n')
decrypt "$yk_pass"
else
printf "yubikey not present\n"
fi
}


@ -20,44 +20,14 @@
line: btrfs
insertafter: EOF
- name: create script directories
file:
path: "/usr/local/{{ item }}"
state: directory
mode: '0755'
loop:
- bin
- etc
- share
- name: add drive block to dmcrypt config
blockinfile:
insertbefore: leave this comment last
path: /etc/conf.d/dmcrypt
block: "{{ lookup('template', 'dmcrypt_block.j2') }}"
- name: copy unlock scripts
copy:
src: "bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
mode: '0755'
loop:
- remote-unlock.sh
- unlock-luks.sh
- name: copy helper unlock files
copy:
src: share/unlock-luks-helpers.sh
dest: /usr/local/share/unlock-luks-helpers.sh
mode: '0644'
- name: copy unlock config files
template:
src: unlock-luks.conf.j2
dest: /usr/local/etc/unlock-luks.conf
mode: '0644'
- name: create root's ssh directory
file:
path: "/root/.ssh"
state: directory
mode: '0755'
- name: copy authorized_keys
copy:
src: authorized_keys
dest: /root/.ssh/authorized_keys
- name: enable dmcrypt at boot
service:
name: dmcrypt
enabled: true
runlevel: boot
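Review bot: `insertbefore: leave this comment last` on the new `blockinfile` task is treated as a regular expression, and Ansible's documented behaviour when it matches nothing is to append the block at end of file, so a `/etc/conf.d/dmcrypt` that lacks that marker would get the block placed silently instead of the task failing. Anchoring the pattern to the marker line as it actually appears in that file (for example prefixing `^`) reduces accidental substring matches, and only an explicit pre-check or `failed_when` turns a missing marker into an error. The block's content comes from `lookup('template', 'dmcrypt_block.j2')`, which is rendered on the controller with this host's vars, so an undefined `dmcrypt_targets` fails at render time rather than on the host. The enclosing task list starts before this hunk.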


@ -0,0 +1,7 @@
{% for entry in dmcrypt_targets %}
# {{ entry.name }}
target='{{ entry.target }}'
source='/dev/disk/by-uuid/{{ entry.source_uuid }}'
{% endfor %}
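Review bot: `{{ entry.target }}` and `{{ entry.source_uuid }}` are substituted into shell-style assignments (`target='...'`, `source='...'`) with no escaping, so a value containing a single quote or a newline would break out of the quoting in the rendered `/etc/conf.d/dmcrypt`, which the `target=`/`source=` form suggests is read as shell assignments. Ansible's `quote` filter emits a correctly shell-quoted scalar, so `target={{ entry.target | quote }}` and `source={{ ('/dev/disk/by-uuid/' ~ entry.source_uuid) | quote }}` make the rendered block robust to such values; `entry.name` only lands in a comment, but a newline in it would likewise start a new, uncommented line. The values currently defined in host_vars are plain device names and UUIDs, so this is hardening of the template rather than a present bug.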


@ -1,8 +0,0 @@
#!/bin/sh
export SOURCE_UUIDS="{{ luks_source_uuids | join(" ") }}"
export TARGETS="{{ luks_targets | join(" ") }}"
export TIMEOUT="{{ luks_timeout }}"
export YK_CHALLENGE="{{ luks_yk_challenge }}"
export YK_SLOT="{{ luks_yk_slot }}"
export DROPBEAR_PORT="{{ luks_dropbear_port }}"