From 2770dfc96473d33fa18d28713039041e46880885 Mon Sep 17 00:00:00 2001 
From: matt Date: Sun, 8 Feb 2026 12:36:23 -0700 Subject: [PATCH] hardened malloc. networking + firewall. json based config. --- config/apply_initial_host_configuration.sh | 54 +++++ config/config.json | 28 +++ config/container_cmd.sh | 2 + config/filesystem_chroot_install.sh | 55 ++--- config/kernel_options.json | 210 +++++++++--------- .../settings/opensnitch/default-config.json | 37 +++ .../allow-always-list-usr-changelog.json | 26 +++ .../rules/allow-always-list-usr-dot.json | 33 +++ ...owser-apt-release-s3-brave-com-443-42.json | 47 ++++ ...rowser-apt-release-s3-brave-com-53-42.json | 47 ++++ ...rowser-apt-release-s3-brave-com-53-42.json | 47 ++++ ...lib-apt-methods-http-ubuntu-com-53-42.json | 47 ++++ ...lib-apt-methods-http-ubuntu-com-80-42.json | 47 ++++ ...-lib-snapd-snapd-api-snapcraft-io-443.json | 40 ++++ ...r-lib-snapd-snapd-api-snapcraft-io-53.json | 40 ++++ ...napd-snapd-dashboard-snapcraft-io-443.json | 40 ++++ ...snapd-snapd-dashboard-snapcraft-io-53.json | 40 ++++ ...-snapd-snapd-snapcraftcontent-com-443.json | 40 ++++ ...b-snapd-snapd-snapcraftcontent-com-53.json | 40 ++++ ...llow-always-list-usr-sbin-chronyd-123.json | 40 ++++ ...-usr-sbin-chronyd-4-ntp-ubuntu-com-53.json | 40 ++++ ...low-always-list-usr-sbin-chronyd-4460.json | 33 +++ ...n-chronyd-ntp-bootstrap-ubuntu-com-53.json | 40 ++++ ...er-connectivity-check-ubuntu-com-80-0.json | 47 ++++ ...com-brave-brave-224-0-0-251-5353-1000.json | 47 ++++ ...-com-brave-brave-239-255-255-250-1900.json | 40 ++++ ...st-usr-bin-python3-13-239-255-255-250.json | 33 +++ ...-colord-sane-239-255-255-250-3702-118.json | 47 ++++ ...sr-sbin-avahi-daemon-224-0-0-251-5353.json | 26 +++ ...-usr-sbin-chronyd-3-ntp-ubuntu-com-53.json | 40 ++++ .../rules/deny-always-simple-usr-geoclue.json | 18 ++ ...y-always-simple-usr-sbin-cups-browsed.json | 18 ++ config/settings/opensnitch/settings.conf | 46 ++++ config/settings/services/mem-alloc.service | 13 ++ config/settings/services/mem_alloc.sh | 11 + 
config/settings/skel/autorun.desktop | 6 + config/settings/skel/bash_profile | 5 + config/settings/skel/bashrc | 8 + config/settings/skel/gnome_settings.sh | 3 + config/settings/skel/profile | 14 ++ scripts/boot_image.sh | 2 +- scripts/bootstrap_filesystem.sh | 19 ++ scripts/build_filesystem.sh | 59 ++++- scripts/build_image.sh | 2 +- scripts/build_kernel.sh | 2 +- scripts/install_dependencies.sh | 2 +- 46 files changed, 1443 insertions(+), 138 deletions(-) create mode 100644 config/apply_initial_host_configuration.sh create mode 100644 config/config.json create mode 100755 config/settings/opensnitch/default-config.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-changelog.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-dot.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53.json create mode 100755 
config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-123.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4460.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-usr-bin-python3-13-239-255-255-250.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53.json create mode 100755 config/settings/opensnitch/rules/deny-always-simple-usr-geoclue.json create mode 100755 config/settings/opensnitch/rules/deny-always-simple-usr-sbin-cups-browsed.json create mode 100755 config/settings/opensnitch/settings.conf create mode 100644 config/settings/services/mem-alloc.service create mode 100755 config/settings/services/mem_alloc.sh create mode 100644 config/settings/skel/autorun.desktop create mode 100644 config/settings/skel/bash_profile create mode 100644 config/settings/skel/bashrc 
create mode 100644 config/settings/skel/gnome_settings.sh create mode 100644 config/settings/skel/profile create mode 100755 scripts/bootstrap_filesystem.sh
diff --git a/config/apply_initial_host_configuration.sh b/config/apply_initial_host_configuration.sh
new file mode 100644
index 0000000..c8cd056
--- /dev/null
+++ b/config/apply_initial_host_configuration.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+set -e
+set -x
+echo 'initial configuration'
+# Parse the JSON file
+while IFS="=" read -r key value; do
+ declare "$key=$value"
+done < <(jq -r 'to_entries|map("\(.key)=\(.value|tostring)")|.[]' config.json)
+
+echo "$hostname" > /etc/hostname
+echo "127.0.0.1 $hostname"> /etc/hosts
+
+echo "$timezone" > /etc/timezone
+ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
+
+# Set the root password
+echo "root:$root_password" | chpasswd
+
+#set additional profile options.
+jq --compact-output -r '.profile[]' config.json | while read -r line; do
+ echo "$line" >> /etc/profile
+done
+
+echo "export PATH=$PATH:/usr/local/go/bin" >> /etc/profile
+
+#set default shell to bash.
+sed -i 's|^SHELL=.*|SHELL=/bin/bash|' /etc/default/useradd
+
+user_mod() {
+ echo "$1"
+ username=$(echo "$1" | jq -r '.username')
+ password=$(echo "$1" | jq -r '.password')
+
+ # Create user
+ if getent passwd "$username" >/dev/null 2>&1; then
+ echo "User already exists"
+ else
+ useradd -m "$username"
+ fi
+
+ # Set password
+ echo "$username:$password" | chpasswd
+
+ # Add to sudo group
+ usermod -aG sudo "$username"
+}
+jq --compact-output -r '.users[]' config.json | while read -r line; do
+ user_mod "$line"
+done
+echo "Configuration applied."
+
+rm /config.json
+rm /apply_initial_host_configuration.sh
+rm /filesystem_chroot_install.sh
diff --git a/config/config.json b/config/config.json
new file mode 100644
index 0000000..e088640
--- /dev/null
+++ b/config/config.json
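Review bot: With `set -x` at the top of the script, the `echo "root:$root_password" | chpasswd` and `echo "$username:$password" | chpasswd` lines, plus `echo "$1"` in user_mod, write every password from config.json to stderr, so they end up in whatever captures the build output. Suppress the trace around those lines (`{ set +x; } 2>/dev/null` before, `set -x` after) or drop `set -x` together with the `echo "$1"` line. Separately, `/etc/localtime` is always linked to `/usr/share/zoneinfo/America/Los_Angeles` while `$timezone` (set to `America/Denver` in config.json) only reaches `/etc/timezone`; use `ln -sf "/usr/share/zoneinfo/$timezone" /etc/localtime`. The `echo "127.0.0.1 $hostname"> /etc/hosts` line also replaces the whole file, so `localhost` no longer resolves; write both entries.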
@@ -0,0 +1,28 @@
+{
+ "hostname": "linuxhost",
+ "timezone": "America/Denver",
+ "root_password": "password",
+ "locale":"en_US.UTF-8",
+ "users": [
+ {
+ "username": "user1",
+ "password": "password1"
+ },
+ {
+ "username": "user2",
+ "password": "password2"
+ }
+ ],
+ "packages": [
+ "htop",
+ "git",
+ "ffmpeg",
+ "vlc",
+ "pciutils",
+ "usbutils"
+ ],
+ "profile":[],
+ "allowed_dns":[],
+ "allowed_host":[]
+
+}
diff --git a/config/container_cmd.sh b/config/container_cmd.sh
index 8cb10dd..dcf270b 100755
--- a/config/container_cmd.sh
+++ b/config/container_cmd.sh
@@ -7,3 +7,5 @@ cat ./.config | python3 /update_kernel_make_config.py --file /linux/kernel_optio
 cat ./.config | python3 /update_kernel_make_config.py --file /linux/kernel_options.json > ./.config
 /usr/bin/make olddefconfig
 /usr/bin/make -j ${cores}
+mkdir -p /linux/modules
+/usr/bin/make modules_install INSTALL_MOD_PATH=/linux/modules
diff --git a/config/filesystem_chroot_install.sh b/config/filesystem_chroot_install.sh
index da7b1bf..45e39a7 100644
--- a/config/filesystem_chroot_install.sh
+++ b/config/filesystem_chroot_install.sh
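Review bot: `root_password`, `password1` and `password2` are committed as working values, and `apply_initial_host_configuration.sh` in this same patch feeds them straight to `chpasswd`, so an image built from an unedited checkout boots with these credentials for root and two sudo-capable accounts. Consider leaving the password fields empty in the committed file and having the apply script refuse to run when one is empty, e.g. `: "${root_password:?set root_password in config.json}"`. The `allowed_dns` and `allowed_host` arrays are not read by any script visible in this patch; a README line on what consumes them (or dropping them until something does) would avoid the impression that they are enforced.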
@@ -1,51 +1,54 @@
-
-#add sources list for noble.
+#add sources list for questing.
 set -e
+set -x
 echo "deb https://archive.ubuntu.com/ubuntu questing main restricted universe multiverse" > /etc/apt/sources.list
 echo "deb https://archive.ubuntu.com/ubuntu questing-updates main restricted universe multiverse" >> /etc/apt/sources.list
 echo "deb https://archive.ubuntu.com/ubuntu questing-backports main restricted universe multiverse" >> /etc/apt/sources.list
 echo "deb https://security.ubuntu.com/ubuntu questing-security main restricted universe multiverse" >> /etc/apt/sources.list
 apt update
 apt upgrade -y
-
-#set locale
-locale-gen "en_US.UTF-8"
-echo "LANG=en_US.UTF-8" > /etc/default/locale
+apt install -y jq bubblewrap curl make build-essential git libselinux1 iptables nftables libnetfilter-queue-dev
 #install base system packages
-apt install -y --install-recommends --install-suggests --reinstall systemd
-apt install -y --no-install-recommends gnome-core
-apt install -y git curl flatpak systemd-resolved ufw nano htop ipset lm-sensors net-tools iputils-ping fish python3-bpfcc python3-pip bpfcc-tools gnome-shell-extension-ubuntu-dock gnome-shell-extension-ubuntu-tiling-assistant ffmpeg vlc pciutils usbutils
+apt install -y --install-recommends --install-suggests systemd
+apt install -y vanilla-gnome-desktop vanilla-gnome-default-settings gdm3 gnome-shell-extension-appindicator gnome-shell-extension-ubuntu-dock gnome-shell-extension-ubuntu-tiling-assistant
+apt install -y rlwrap dnsutils systemd-resolved ufw nano htop ipset lm-sensors net-tools iputils-ping python3-pip keepassxc ufw opensnitch
-#install python systemwide
-pip install --break-system-packages dnslib psutil
+#install packages from config
+jq -r '.packages | .[]' config.json | while read -r item; do
+ apt install -y "$item"
+done
+
+#set locale
+locale=$(jq -r '.locale' config.json)
+echo "$locale"
+locale-gen "$locale"
+echo "LANG=$locale" > /etc/default/locale
 #add setuid for some applications
 chmod u+s 
/usr/bin/bwrap
 chmod u+s /usr/bin/ping
+#disable setup screen config
+mkdir -p ~/.config
+touch ~/.config/gnome-initial-setup-done
+
 #enable services
 systemctl enable systemd-resolved
 systemctl enable systemd-networkd
+systemctl enable mem-alloc
-#ui changes
-gsettings set org.gnome.desktop.interface color-scheme 'prefer-dark'
-
-
-#run echo "permit persist :sudo as root" >> /etc/doas.conf
-
-
-#create the default user
-useradd -m -s /bin/bash ubuntu
-usermod -a -G sudo ubuntu
-yes defaultpass | passwd ubuntu
-
-#install flatpak apps
-flatpak remote-add flathub https://dl.flathub.org/repo/flathub.flatpakrepo
-flatpak install --system --noninteractive flathub org.keepassxc.KeePassXC
+#firewall enable (inbound block)
+ufw enable
 #install brave browser
 curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
 curl -fsSLo /etc/apt/sources.list.d/brave-browser-release.sources https://brave-browser-apt-release.s3.brave.com/brave-browser.sources
 apt update
 apt install -y brave-browser
+
+#configure permissions for opensnitch firewall
+rsync -a /usr/src/opensnitchd/ /etc/opensnitchd/
+chown -R root:root /etc/opensnitchd/
+chmod 777 /etc/opensnitchd/settings.conf
+
diff --git a/config/kernel_options.json b/config/kernel_options.json
index b1ecea2..6252afe 100644
--- a/config/kernel_options.json
+++ b/config/kernel_options.json
@@ -1,4 +1,6 @@
 {
+ "CONFIG_IKCONFIG":"y",
+ "CONFIG_IKCONFIG_PROC":"y",
 "CONFIG_104_QUAD_8": "m",
 "CONFIG_60XX_WDT": "m",
 "CONFIG_64BIT": "y",
@@ -2908,6 +2910,8 @@
 "CONFIG_HDC100X": "m",
 "CONFIG_HDC2010": "m",
 "CONFIG_HDC3020": "m",
+ "CONFIG_BPF_SUPPORT_RAW_CT":"y",
+ "CONFIG_NFT_DNS":"y",
 "CONFIG_HDLC": "m",
 "CONFIG_HDLC_CISCO": "m",
 "CONFIG_HDLC_FR": "m",
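Review bot: `chmod 777 /etc/opensnitchd/settings.conf` makes the firewall daemon's settings file writable by every local account, directly after `chown -R root:root` tightened ownership, so any unprivileged process could rewrite policy that opensnitchd reads as root. Keep it root-owned and readable (`chmod 644 /etc/opensnitchd/settings.conf`); if a non-root component genuinely has to edit it, grant that one group write access (`chown root:<GROUP_PLACEHOLDER>`, `chmod 660`) rather than world access. `rsync` is not in any of the `apt install` lines added in this hunk, so under `set -e` the copy aborts the build unless the base filesystem already ships it — add `rsync` to the first install line or use `cp -a`. Minor: `ufw` is listed twice on the third `apt install -y` line, and `mkdir -p ~/.config` runs as root inside the chroot, so the gnome-initial-setup marker lands in /root only, not in the home directories of the users config.json creates.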
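Review bot: `CONFIG_BPF_SUPPORT_RAW_CT` and `CONFIG_NFT_DNS` do not look like upstream Kconfig symbols, and the same applies to `CONFIG_IP_FILTER` in the `@@ -3750` hunk, `CONFIG_NETFILTER_XT_TARGET_NFQ` in the `@@ -4961` hunk (the NFQUEUE target is the `CONFIG_NETFILTER_XT_TARGET_NFQUEUE` entry already present there) and `CONFIG_NFQ` in the `@@ -5418` hunk. `container_cmd.sh` runs `make olddefconfig` after this file is applied, and that step silently drops symbols the tree does not define, so an unknown key gives the impression that an option is enabled when nothing changed. Verify each name against the kernel tree's Kconfig, or diff the generated .config after olddefconfig, and remove or correct the ones that are not real. `CONFIG_IKCONFIG_PROC` in the first hunk also publishes the complete build configuration at /proc/config.gz; that is useful for debugging but worth a deliberate choice on a hardened image.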
@@ -3641,6 +3645,7 @@ "CONFIG_IO_URING": "y", "CONFIG_IO_WQ": "y", "CONFIG_IP5XXX_POWER": "m", + "CONFIG_IP6_NF_QUEUE": "m", "CONFIG_IP6_NF_FILTER": "m", "CONFIG_IP6_NF_IPTABLES": "m", "CONFIG_IP6_NF_IPTABLES_LEGACY": "m", @@ -3750,11 +3755,12 @@ "CONFIG_IP_ROUTE_MULTIPATH": "y", "CONFIG_IP_ROUTE_VERBOSE": "y", "CONFIG_IP_SCTP": "m", - "CONFIG_IP_SET": "m", + "CONFIG_IP_SET": "y", + "CONFIG_IP_FILTER": "m", "CONFIG_IP_SET_BITMAP_IP": "m", "CONFIG_IP_SET_BITMAP_IPMAC": "m", "CONFIG_IP_SET_BITMAP_PORT": "m", - "CONFIG_IP_SET_HASH_IP": "m", + "CONFIG_IP_SET_HASH_IP": "y", "CONFIG_IP_SET_HASH_IPMAC": "m", "CONFIG_IP_SET_HASH_IPMARK": "m", "CONFIG_IP_SET_HASH_IPPORT": "m", 
@@ -4961,97 +4967,99 @@ "CONFIG_NETFILTER": "y", "CONFIG_NETFILTER_ADVANCED": "y", "CONFIG_NETFILTER_BPF_LINK": "y", - "CONFIG_NETFILTER_CONNCOUNT": "m", + "CONFIG_NETFILTER_CONNCOUNT": "y", "CONFIG_NETFILTER_EGRESS": "y", "CONFIG_NETFILTER_FAMILY_ARP": "y", "CONFIG_NETFILTER_FAMILY_BRIDGE": "y", "CONFIG_NETFILTER_INGRESS": "y", - "CONFIG_NETFILTER_NETLINK": "m", - "CONFIG_NETFILTER_NETLINK_ACCT": "m", + "CONFIG_NETFILTER_NETLINK": "y", + "CONFIG_NETFILTER_NETLINK_ACCT": "y", "CONFIG_NETFILTER_NETLINK_GLUE_CT": "y", - "CONFIG_NETFILTER_NETLINK_HOOK": "m", - "CONFIG_NETFILTER_NETLINK_LOG": "m", - "CONFIG_NETFILTER_NETLINK_OSF": "m", - "CONFIG_NETFILTER_NETLINK_QUEUE": "m", + "CONFIG_NETFILTER_NETLINK_HOOK": "y", + "CONFIG_NETFILTER_NETLINK_LOG": "y", + "CONFIG_NETFILTER_NETLINK_OSF": "y", + "CONFIG_NETFILTER_NETLINK_QUEUE": "y", "CONFIG_NETFILTER_SKIP_EGRESS": "y", - "CONFIG_NETFILTER_SYNPROXY": "m", - "CONFIG_NETFILTER_XTABLES": "m", + "CONFIG_NETFILTER_SYNPROXY": "y", + "CONFIG_NETFILTER_XTABLES": "y", "CONFIG_NETFILTER_XTABLES_COMPAT": "y", - "CONFIG_NETFILTER_XT_CONNMARK": "m", - "CONFIG_NETFILTER_XT_MARK": "m", - "CONFIG_NETFILTER_XT_MATCH_ADDRTYPE": "m", - "CONFIG_NETFILTER_XT_MATCH_BPF": "m", - "CONFIG_NETFILTER_XT_MATCH_CGROUP": "m", + "CONFIG_NETFILTER_XT_CONNMARK": "y", + "CONFIG_NETFILTER_XT_MARK": "y", + "CONFIG_NETFILTER_XT_MATCH_ADDRTYPE": "y", + "CONFIG_NETFILTER_XT_MATCH_BPF": "y", + "CONFIG_NETFILTER_XT_MATCH_CGROUP": "y", "CONFIG_NETFILTER_XT_MATCH_CLUSTER": "m", - "CONFIG_NETFILTER_XT_MATCH_COMMENT": "m", - "CONFIG_NETFILTER_XT_MATCH_CONNBYTES": "m", - "CONFIG_NETFILTER_XT_MATCH_CONNLABEL": "m", - "CONFIG_NETFILTER_XT_MATCH_CONNLIMIT": "m", - "CONFIG_NETFILTER_XT_MATCH_CONNMARK": "m", - "CONFIG_NETFILTER_XT_MATCH_CONNTRACK": "m", + "CONFIG_NETFILTER_XT_MATCH_COMMENT": "y", + "CONFIG_NETFILTER_XT_MATCH_CONNBYTES": "y", + "CONFIG_NETFILTER_XT_MATCH_CONNLABEL": "y", + "CONFIG_NETFILTER_XT_MATCH_CONNLIMIT": "y", + "CONFIG_NETFILTER_XT_MATCH_CONNMARK": 
"y", + "CONFIG_NETFILTER_XT_MATCH_CONNTRACK": "y", "CONFIG_NETFILTER_XT_MATCH_CPU": "m", - "CONFIG_NETFILTER_XT_MATCH_DCCP": "m", - "CONFIG_NETFILTER_XT_MATCH_DEVGROUP": "m", - "CONFIG_NETFILTER_XT_MATCH_DSCP": "m", - "CONFIG_NETFILTER_XT_MATCH_ECN": "m", - "CONFIG_NETFILTER_XT_MATCH_ESP": "m", - "CONFIG_NETFILTER_XT_MATCH_HASHLIMIT": "m", - "CONFIG_NETFILTER_XT_MATCH_HELPER": "m", - "CONFIG_NETFILTER_XT_MATCH_HL": "m", - "CONFIG_NETFILTER_XT_MATCH_IPCOMP": "m", - "CONFIG_NETFILTER_XT_MATCH_IPRANGE": "m", - "CONFIG_NETFILTER_XT_MATCH_IPVS": "m", - "CONFIG_NETFILTER_XT_MATCH_L2TP": "m", - "CONFIG_NETFILTER_XT_MATCH_LENGTH": "m", - "CONFIG_NETFILTER_XT_MATCH_LIMIT": "m", - "CONFIG_NETFILTER_XT_MATCH_MAC": "m", - "CONFIG_NETFILTER_XT_MATCH_MARK": "m", - "CONFIG_NETFILTER_XT_MATCH_MULTIPORT": "m", - "CONFIG_NETFILTER_XT_MATCH_NFACCT": "m", - "CONFIG_NETFILTER_XT_MATCH_OSF": "m", - "CONFIG_NETFILTER_XT_MATCH_OWNER": "m", - "CONFIG_NETFILTER_XT_MATCH_PHYSDEV": "m", - "CONFIG_NETFILTER_XT_MATCH_PKTTYPE": "m", - "CONFIG_NETFILTER_XT_MATCH_POLICY": "m", - "CONFIG_NETFILTER_XT_MATCH_QUOTA": "m", - "CONFIG_NETFILTER_XT_MATCH_RATEEST": "m", - "CONFIG_NETFILTER_XT_MATCH_REALM": "m", - "CONFIG_NETFILTER_XT_MATCH_RECENT": "m", - "CONFIG_NETFILTER_XT_MATCH_SCTP": "m", - "CONFIG_NETFILTER_XT_MATCH_SOCKET": "m", - "CONFIG_NETFILTER_XT_MATCH_STATE": "m", - "CONFIG_NETFILTER_XT_MATCH_STATISTIC": "m", - "CONFIG_NETFILTER_XT_MATCH_STRING": "m", - "CONFIG_NETFILTER_XT_MATCH_TCPMSS": "m", - "CONFIG_NETFILTER_XT_MATCH_TIME": "m", - "CONFIG_NETFILTER_XT_MATCH_U32": "m", - "CONFIG_NETFILTER_XT_NAT": "m", - "CONFIG_NETFILTER_XT_SET": "m", - "CONFIG_NETFILTER_XT_TARGET_AUDIT": "m", - "CONFIG_NETFILTER_XT_TARGET_CHECKSUM": "m", - "CONFIG_NETFILTER_XT_TARGET_CLASSIFY": "m", - "CONFIG_NETFILTER_XT_TARGET_CONNMARK": "m", - "CONFIG_NETFILTER_XT_TARGET_CONNSECMARK": "m", - "CONFIG_NETFILTER_XT_TARGET_CT": "m", - "CONFIG_NETFILTER_XT_TARGET_DSCP": "m", - "CONFIG_NETFILTER_XT_TARGET_HL": "m", - 
"CONFIG_NETFILTER_XT_TARGET_HMARK": "m", - "CONFIG_NETFILTER_XT_TARGET_IDLETIMER": "m", - "CONFIG_NETFILTER_XT_TARGET_LED": "m", - "CONFIG_NETFILTER_XT_TARGET_LOG": "m", - "CONFIG_NETFILTER_XT_TARGET_MARK": "m", - "CONFIG_NETFILTER_XT_TARGET_MASQUERADE": "m", - "CONFIG_NETFILTER_XT_TARGET_NETMAP": "m", - "CONFIG_NETFILTER_XT_TARGET_NFLOG": "m", - "CONFIG_NETFILTER_XT_TARGET_NFQUEUE": "m", - "CONFIG_NETFILTER_XT_TARGET_RATEEST": "m", - "CONFIG_NETFILTER_XT_TARGET_REDIRECT": "m", - "CONFIG_NETFILTER_XT_TARGET_SECMARK": "m", - "CONFIG_NETFILTER_XT_TARGET_TCPMSS": "m", - "CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP": "m", - "CONFIG_NETFILTER_XT_TARGET_TEE": "m", - "CONFIG_NETFILTER_XT_TARGET_TPROXY": "m", - "CONFIG_NETFILTER_XT_TARGET_TRACE": "m", + "CONFIG_NETFILTER_XT_MATCH_DCCP": "y", + "CONFIG_NETFILTER_XT_MATCH_DEVGROUP": "y", + "CONFIG_NETFILTER_XT_MATCH_DSCP": "y", + "CONFIG_NETFILTER_XT_MATCH_ECN": "y", + "CONFIG_NETFILTER_XT_MATCH_ESP": "y", + "CONFIG_NETFILTER_XT_MATCH_HASHLIMIT": "y", + "CONFIG_NETFILTER_XT_MATCH_HELPER": "y", + "CONFIG_NETFILTER_XT_MATCH_HL": "y", + "CONFIG_NETFILTER_XT_MATCH_IPCOMP": "y", + "CONFIG_NETFILTER_XT_MATCH_IPRANGE": "y", + "CONFIG_NETFILTER_XT_MATCH_IPVS": "y", + "CONFIG_NETFILTER_XT_MATCH_L2TP": "y", + "CONFIG_NETFILTER_XT_MATCH_LENGTH": "y", + "CONFIG_NETFILTER_XT_MATCH_LIMIT": "y", + "CONFIG_NETFILTER_XT_MATCH_MAC": "y", + "CONFIG_NETFILTER_XT_MATCH_MARK": "y", + "CONFIG_NETFILTER_XT_MATCH_MULTIPORT": "y", + "CONFIG_NETFILTER_XT_MATCH_NFACCT": "y", + "CONFIG_NETFILTER_XT_MATCH_OSF": "y", + "CONFIG_NETFILTER_XT_MATCH_OWNER": "y", + "CONFIG_NETFILTER_XT_MATCH_PHYSDEV": "y", + "CONFIG_NETFILTER_XT_MATCH_PKTTYPE": "y", + "CONFIG_NETFILTER_XT_MATCH_POLICY": "y", + "CONFIG_NETFILTER_XT_MATCH_QUOTA": "y", + "CONFIG_NETFILTER_XT_MATCH_RATEEST": "y", + "CONFIG_NETFILTER_XT_MATCH_REALM": "y", + "CONFIG_NETFILTER_XT_MATCH_RECENT": "y", + "CONFIG_NETFILTER_XT_MATCH_SCTP": "y", + "CONFIG_NETFILTER_XT_MATCH_SOCKET": "y", + 
"CONFIG_NETFILTER_XT_MATCH_STATE": "y", + "CONFIG_NETFILTER_XT_MATCH_STATISTIC": "y", + "CONFIG_NETFILTER_XT_MATCH_STRING": "y", + "CONFIG_NETFILTER_XT_MATCH_TCPMSS": "y", + "CONFIG_NETFILTER_XT_MATCH_TIME": "y", + "CONFIG_NETFILTER_XT_MATCH_U32": "y", + "CONFIG_NETFILTER_XT_NAT": "y", + "CONFIG_NETFILTER_XT_SET": "y", + "CONFIG_NETFILTER_XT_TARGET_BPF": "y", + "CONFIG_NETFILTER_XT_TARGET_AUDIT": "y", + "CONFIG_NETFILTER_XT_TARGET_CHECKSUM": "y", + "CONFIG_NETFILTER_XT_TARGET_CLASSIFY": "y", + "CONFIG_NETFILTER_XT_TARGET_CONNMARK": "y", + "CONFIG_NETFILTER_XT_TARGET_CONNSECMARK": "y", + "CONFIG_NETFILTER_XT_TARGET_CT": "y", + "CONFIG_NETFILTER_XT_TARGET_DSCP": "y", + "CONFIG_NETFILTER_XT_TARGET_HL": "y", + "CONFIG_NETFILTER_XT_TARGET_HMARK": "y", + "CONFIG_NETFILTER_XT_TARGET_IDLETIMER": "y", + "CONFIG_NETFILTER_XT_TARGET_LED": "y", + "CONFIG_NETFILTER_XT_TARGET_LOG": "y", + "CONFIG_NETFILTER_XT_TARGET_MARK": "y", + "CONFIG_NETFILTER_XT_TARGET_MASQUERADE": "y", + "CONFIG_NETFILTER_XT_TARGET_NETMAP": "y", + "CONFIG_NETFILTER_XT_TARGET_NFLOG": "y", + "CONFIG_NETFILTER_XT_TARGET_NFQUEUE": "y", + "CONFIG_NETFILTER_XT_TARGET_NFQ": "y", + "CONFIG_NETFILTER_XT_TARGET_RATEEST": "y", + "CONFIG_NETFILTER_XT_TARGET_REDIRECT": "y", + "CONFIG_NETFILTER_XT_TARGET_SECMARK": "y", + "CONFIG_NETFILTER_XT_TARGET_TCPMSS": "y", + "CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP": "y", + "CONFIG_NETFILTER_XT_TARGET_TEE": "y", + "CONFIG_NETFILTER_XT_TARGET_TPROXY": "y", + "CONFIG_NETFILTER_XT_TARGET_TRACE": "y", "CONFIG_NETFS_DEBUG": "y", "CONFIG_NETFS_STATS": "y", "CONFIG_NETFS_SUPPORT": "m", 
@@ -5418,17 +5426,18 @@ "CONFIG_NFT_QUEUE": "m", "CONFIG_NFT_QUOTA": "m", "CONFIG_NFT_REDIR": "m", - "CONFIG_NFT_REJECT": "m", - "CONFIG_NFT_REJECT_INET": "m", - "CONFIG_NFT_REJECT_IPV4": "m", - "CONFIG_NFT_REJECT_IPV6": "m", - "CONFIG_NFT_REJECT_NETDEV": "m", + "CONFIG_NFT_REJECT": "y", + "CONFIG_NFT_REJECT_INET": "y", + "CONFIG_NFT_REJECT_IPV4": "y", + "CONFIG_NFT_REJECT_IPV6": "y", + "CONFIG_NFT_REJECT_NETDEV": "y", "CONFIG_NFT_SOCKET": "m", "CONFIG_NFT_SYNPROXY": "m", "CONFIG_NFT_TPROXY": "m", "CONFIG_NFT_TUNNEL": "m", "CONFIG_NFT_XFRM": "m", - "CONFIG_NF_CONNTRACK": "m", + "CONFIG_NFQ": "y", + "CONFIG_NF_CONNTRACK": "y", "CONFIG_NF_CONNTRACK_AMANDA": "m", "CONFIG_NF_CONNTRACK_BRIDGE": "m", "CONFIG_NF_CONNTRACK_BROADCAST": "m", @@ -5467,7 +5476,7 @@ "CONFIG_NF_LOG_IPV4": "m", "CONFIG_NF_LOG_IPV6": "m", "CONFIG_NF_LOG_SYSLOG": "m", - "CONFIG_NF_NAT": "m", + "CONFIG_NF_NAT": "y", "CONFIG_NF_NAT_AMANDA": "m", "CONFIG_NF_NAT_FTP": "m", "CONFIG_NF_NAT_H323": "m", @@ -5479,19 +5488,20 @@ "CONFIG_NF_NAT_SIP": "m", "CONFIG_NF_NAT_SNMP_BASIC": "m", "CONFIG_NF_NAT_TFTP": "m", - "CONFIG_NF_REJECT_IPV4": "m", - "CONFIG_NF_REJECT_IPV6": "m", - "CONFIG_NF_SOCKET_IPV4": "m", - "CONFIG_NF_SOCKET_IPV6": "m", - "CONFIG_NF_TABLES": "m", + "CONFIG_NF_TABLES_SET": "y", + "CONFIG_NF_REJECT_IPV4": "y", + "CONFIG_NF_REJECT_IPV6": "y", + "CONFIG_NF_SOCKET_IPV4": "y", + "CONFIG_NF_SOCKET_IPV6": "y", + "CONFIG_NF_TABLES": "y", "CONFIG_NF_TABLES_ARP": "y", - "CONFIG_NF_TABLES_BRIDGE": "m", + "CONFIG_NF_TABLES_BRIDGE": "y", "CONFIG_NF_TABLES_INET": "y", "CONFIG_NF_TABLES_IPV4": "y", "CONFIG_NF_TABLES_IPV6": "y", "CONFIG_NF_TABLES_NETDEV": "y", - "CONFIG_NF_TPROXY_IPV4": "m", - "CONFIG_NF_TPROXY_IPV6": "m", + "CONFIG_NF_TPROXY_IPV4": "y", + "CONFIG_NF_TPROXY_IPV6": "y", "CONFIG_NGBE": "m", "CONFIG_NI903X_WDT": "m", "CONFIG_NIC7018_WDT": "m", 
@@ -9677,4 +9687,4 @@ "CONFIG_ZSWAP_COMPRESSOR_DEFAULT_LZO": "y", "CONFIG_ZSWAP_SHRINKER_DEFAULT_ON": "y", "CONFIG_ZSWAP_ZPOOL_DEFAULT_ZBUD": "y" -} \ No newline at end of file +} diff --git a/config/settings/opensnitch/default-config.json b/config/settings/opensnitch/default-config.json new file mode 100755 index 0000000..f8675b4 --- /dev/null +++ b/config/settings/opensnitch/default-config.json @@ -0,0 +1,37 @@ +{ + "Server": { + "Address": "unix:///tmp/osui.sock", + "LogFile": "/var/log/opensnitchd.log", + "Authentication": { + "Type": "simple", + "TLSOptions": { + "CACert": "", + "ServerCert": "", + "ClientCert": "", + "ClientKey": "", + "SkipVerify": false, + "ClientAuthType": "no-client-cert" + } + } + }, + "DefaultAction": "deny", + "DefaultDuration": "once", + "InterceptUnknown": false, + "ProcMonitorMethod": "ebpf", + "LogLevel": 2, + "LogUTC": true, + "LogMicro": false, + "Firewall": "nftables", + "Rules": { + "Path": "/etc/opensnitchd/rules/" + }, + "Stats": { + "MaxEvents": 150, + "MaxStats": 25, + "Workers": 6 + }, + "Internal": { + "GCPercent": 100, + "FlushConnsOnStart": false + } +} diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-changelog.json b/config/settings/opensnitch/rules/allow-always-list-usr-changelog.json new file mode 100755 index 0000000..8fceed0 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-changelog.json @@ -0,0 +1,26 @@ +{ + "created": "2026-01-28T11:11:49-07:00", + "updated": "2026-01-28T11:11:49-07:00", + "name": "allow-always-list-usr-changelog", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "changelogs.ubuntu.com", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} 
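Review bot: `"InterceptUnknown": false` sits next to `"DefaultAction": "deny"`; if I read OpenSnitch's semantics correctly, a connection whose owning process cannot be resolved is then let through without consulting the rules, which weakens the deny default that the rest of this patch relies on. Setting `"InterceptUnknown": true` makes those connections subject to `DefaultAction` as well — confirm against the daemon version being packaged. The config is also committed with mode 100755; a data file does not need the execute bit.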
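Review bot: This rule allows any process, running as any user, to reach `changelogs.ubuntu.com` on any port, because its list holds only a `dest.host` operand; every other allow rule in this patch pins at least `process.path`, and the apt rules also pin `dest.port` and `user.id`. A host-only allow grants more than the rule name suggests, so add the operands it is meant for — presumably `"process.path": "/usr/lib/apt/methods/http"` plus the port and uid seen on the connection that prompted it (confirm from the daemon log). Matching the other rules' shape also keeps the rule set reviewable as one consistent policy.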
diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-dot.json b/config/settings/opensnitch/rules/allow-always-list-usr-dot.json new file mode 100755 index 0000000..e040700 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-dot.json @@ -0,0 +1,33 @@ +{ + "created": "2026-01-28T11:10:32-07:00", + "updated": "2026-01-28T11:10:32-07:00", + "name": "allow-always-list-usr-lib-systemd-systemd-resolved-853", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.port", + "data": "853", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/systemd/systemd-resolved", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42.json new file mode 100755 index 0000000..c6cd860 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42.json 
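Review bot: The file is named `allow-always-list-usr-dot.json` but its `name` field is `allow-always-list-usr-lib-systemd-systemd-resolved-853`; OpenSnitch saves rules as `<name>.json` and, as far as I recall, keys loaded rules by that field, so a rule the UI later creates for resolved on port 853 would carry the same name and collide with this one. Make the two agree, e.g. `"name": "allow-always-list-usr-dot"`. The rule also permits resolved to port 853 on any destination; if DNS-over-TLS is meant to go only to a configured resolver, add a `dest.host` or `dest.ip` operand for it so the allow is as narrow as the other rules in this set.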
@@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:12:09-07:00", + "updated": "2026-01-28T11:12:09-07:00", + "name": "allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "brave-browser-apt-release.s3.brave.com", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "443", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "42", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/apt/methods/http", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42.json new file mode 100755 index 0000000..458c31c --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42.json 
@@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:12:05-07:00", + "updated": "2026-01-28T11:12:05-07:00", + "name": "allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "brave-browser-apt-release.s3.brave.com", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "42", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/apt/methods/http", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42.json new file mode 100755 index 0000000..0a77ba2 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42.json 
@@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:13:04-07:00", + "updated": "2026-01-28T11:13:04-07:00", + "name": "allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "_https._tcp.brave-browser-apt-release.s3.brave.com", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "42", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/apt/methods/http", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42.json new file mode 100755 index 0000000..786b3ec --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42.json 
@@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:11:49-07:00", + "updated": "2026-01-28T11:11:49-07:00", + "name": "allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "^(|.*\\.)ubuntu\\.com$", + "type": "regexp", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "42", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/apt/methods/http", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42.json new file mode 100755 index 0000000..629b8cd --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42.json 
@@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:11:57-07:00", + "updated": "2026-01-28T11:11:57-07:00", + "name": "allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "^(|.*\\.)ubuntu\\.com$", + "type": "regexp", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "80", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "42", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/apt/methods/http", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443.json new file mode 100755 index 0000000..2967ecd --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443.json 
@@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:02:20-07:00", + "updated": "2026-02-07T11:02:20-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "api.snapcraft.io", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "443", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53.json new file mode 100755 index 0000000..6fff3e4 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53.json @@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:01:46-07:00", + "updated": "2026-02-07T11:01:46-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "api.snapcraft.io", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file 
diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443.json new file mode 100755 index 0000000..9264d0b --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443.json @@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:02:56-07:00", + "updated": "2026-02-07T11:02:56-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "dashboard.snapcraft.io", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "443", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53.json new file mode 100755 index 0000000..7ae9362 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53.json 
@@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:02:48-07:00", + "updated": "2026-02-07T11:02:48-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "dashboard.snapcraft.io", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443.json new file mode 100755 index 0000000..a495414 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443.json 
@@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:02:38-07:00", + "updated": "2026-02-07T11:02:38-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "^(|.*\\.)snapcraftcontent\\.com$", + "type": "regexp", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "443", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53.json new file mode 100755 index 0000000..f94b40a --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53.json 
@@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:02:28-07:00", + "updated": "2026-02-07T11:02:28-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "^(|.*\\.)snapcraftcontent\\.com$", + "type": "regexp", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-123.json b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-123.json new file mode 100755 index 0000000..894f832 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-123.json @@ -0,0 +1,40 @@ +{ + "created": "2026-01-28T11:09:37-07:00", + "updated": "2026-01-28T11:09:37-07:00", + "name": "allow-always-list-usr-sbin-chronyd-123", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.port", + "data": "123", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "102", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/sbin/chronyd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} 
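Review bot: The `user.id` operand pinned to `"102"` in the chronyd port-123 allow rule is a dynamically allocated system uid, so if the `_chrony` account receives a different id in the image built by the chroot install step (not visible here) this allow silently never matches and NTP falls through to the global default action. The sibling chronyd rules for ports 4460 and 53 in this same commit omit `user.id` and match on `process.path` alone; either do the same here, or generate the uid at image-build time instead of committing it. The same caveat applies to `"118"` in the colord-sane deny rule, though a non-matching deny only falls back to the default.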
diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53.json b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53.json new file mode 100755 index 0000000..1be74d9 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53.json @@ -0,0 +1,40 @@ +{ + "created": "2026-01-31T00:30:23-07:00", + "updated": "2026-01-31T00:30:23-07:00", + "name": "allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "^(|.*\\.)ubuntu\\.com$", + "type": "regexp", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/sbin/chronyd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4460.json b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4460.json new file mode 100755 index 0000000..23336e1 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4460.json 
@@ -0,0 +1,33 @@ +{ + "created": "2026-01-28T11:13:38-07:00", + "updated": "2026-01-28T11:13:38-07:00", + "name": "allow-always-list-usr-sbin-chronyd-4460", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.port", + "data": "4460", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/sbin/chronyd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53.json b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53.json new file mode 100755 index 0000000..d5072ce --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53.json @@ -0,0 +1,40 @@ +{ + "created": "2026-01-31T00:30:27-07:00", + "updated": "2026-01-31T00:30:27-07:00", + "name": "allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "ntp-bootstrap.ubuntu.com", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/sbin/chronyd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file 
diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0.json b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0.json new file mode 100755 index 0000000..753612f --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0.json @@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:12:41-07:00", + "updated": "2026-01-28T11:12:41-07:00", + "name": "allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "connectivity-check.ubuntu.com", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "80", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "0", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/sbin/NetworkManager", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000.json b/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000.json new file mode 100755 index 0000000..f87c346 --- /dev/null +++ b/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000.json 
@@ -0,0 +1,47 @@ +{ + "created": "2026-02-01T16:52:56-07:00", + "updated": "2026-02-01T16:52:56-07:00", + "name": "deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000", + "description": "", + "action": "deny", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.ip", + "data": "224.0.0.251", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "5353", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "1000", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/opt/brave.com/brave/brave", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900.json b/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900.json new file mode 100755 index 0000000..8435e63 --- /dev/null +++ b/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900.json 
@@ -0,0 +1,40 @@ +{ + "created": "2026-01-28T18:26:38-07:00", + "updated": "2026-01-28T18:26:38-07:00", + "name": "deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900", + "description": "", + "action": "deny", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.ip", + "data": "239.255.255.250", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "1900", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/opt/brave.com/brave/brave", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/deny-always-list-usr-bin-python3-13-239-255-255-250.json b/config/settings/opensnitch/rules/deny-always-list-usr-bin-python3-13-239-255-255-250.json new file mode 100755 index 0000000..3c55537 --- /dev/null +++ b/config/settings/opensnitch/rules/deny-always-list-usr-bin-python3-13-239-255-255-250.json @@ -0,0 +1,33 @@ +{ + "created": "2026-01-28T11:12:27-07:00", + "updated": "2026-01-28T11:12:27-07:00", + "name": "deny-always-list-usr-bin-python3-13-239-255-255-250", + "description": "", + "action": "deny", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.ip", + "data": "239.255.255.250", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/bin/python3.13", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file 
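Review bot: `"/usr/bin/python3.13"` as a `simple` `process.path` pins this deny to one interpreter minor version, so after a Python upgrade the rule stops matching and the SSDP traffic to 239.255.255.250 stays blocked only because the global default is deny. Use `"type": "regexp"` with `"data": "^/usr/bin/python3(\\.[0-9]+)?$"` so the intent survives an upgrade. Since the rule names only the multicast address, it also denies every port to that host for python, which is presumably intended — a one-line `"description"` would make that explicit.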
diff --git a/config/settings/opensnitch/rules/deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118.json b/config/settings/opensnitch/rules/deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118.json new file mode 100755 index 0000000..03d7a6a --- /dev/null +++ b/config/settings/opensnitch/rules/deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118.json @@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:31:29-07:00", + "updated": "2026-01-28T11:31:29-07:00", + "name": "deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118", + "description": "", + "action": "deny", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.ip", + "data": "239.255.255.250", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "3702", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "118", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/libexec/colord-sane", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353.json b/config/settings/opensnitch/rules/deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353.json new file mode 100755 index 0000000..76f1cab --- /dev/null +++ b/config/settings/opensnitch/rules/deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353.json 
@@ -0,0 +1,26 @@ +{ + "created": "2026-01-28T11:08:56-07:00", + "updated": "2026-01-28T11:08:56-07:00", + "name": "deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353", + "description": "", + "action": "deny", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "process.path", + "data": "/usr/sbin/avahi-daemon", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53.json b/config/settings/opensnitch/rules/deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53.json new file mode 100755 index 0000000..307e9fd --- /dev/null +++ b/config/settings/opensnitch/rules/deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53.json @@ -0,0 +1,40 @@ +{ + "created": "2026-01-28T11:33:02-07:00", + "updated": "2026-01-28T11:33:02-07:00", + "name": "deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53", + "description": "", + "action": "deny", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "^(|.*\\.)ubuntu\\.com$", + "type": "regexp", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/sbin/chronyd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/deny-always-simple-usr-geoclue.json b/config/settings/opensnitch/rules/deny-always-simple-usr-geoclue.json new file mode 100755 index 0000000..1d296e6 --- /dev/null +++ b/config/settings/opensnitch/rules/deny-always-simple-usr-geoclue.json 
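Review bot: The file name `deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353` implies a deny scoped to mDNS, but the operator list only contains `process.path`, so this denies all outbound traffic from avahi-daemon. Either rename it `deny-always-simple-usr-sbin-avahi-daemon` to match the other path-only denies (geoclue, cups-browsed) or add the `dest.ip` / `dest.port` operands the name promises; the `"name"` field inside the file should be changed to match whichever you pick.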
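Review bot: This deny rule for chronyd carries exactly the same operator list as `allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53` (regexp `^(|.*\.)ubuntu\.com$`, port 53, `/usr/sbin/chronyd`), so the two rules contradict each other and only one can ever take effect. Neither sets `precedence`, and as far as I recall opensnitchd evaluates non-precedence rules in name order, which would make the `allow-` rule win and leave this one dead; whichever way the daemon resolves it, a contradicting pair is a trap for the next person editing the rules. The allow is the newer of the two (`2026-01-31` vs `2026-01-28`), so this file looks like a leftover and should be removed; if the deny is what you want, set `"precedence": true` here and delete the allow.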
@@ -0,0 +1,18 @@ +{ + "created": "2026-01-28T14:32:45-07:00", + "updated": "2026-01-28T14:32:45-07:00", + "name": "deny-always-simple-usr-geoclue", + "description": "", + "action": "deny", + "duration": "always", + "operator": { + "operand": "process.path", + "data": "/usr/libexec/geoclue", + "type": "simple", + "list": [], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/deny-always-simple-usr-sbin-cups-browsed.json b/config/settings/opensnitch/rules/deny-always-simple-usr-sbin-cups-browsed.json new file mode 100755 index 0000000..d8108d3 --- /dev/null +++ b/config/settings/opensnitch/rules/deny-always-simple-usr-sbin-cups-browsed.json @@ -0,0 +1,18 @@ +{ + "created": "2026-01-28T14:32:45-07:00", + "updated": "2026-01-28T14:32:45-07:00", + "name": "deny-always-simple-usr-sbin-cups-browsed", + "description": "", + "action": "deny", + "duration": "always", + "operator": { + "operand": "process.path", + "data": "/usr/sbin/cups-browsed", + "type": "simple", + "list": [], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/settings.conf b/config/settings/opensnitch/settings.conf new file mode 100755 index 0000000..342da1c --- /dev/null +++ b/config/settings/opensnitch/settings.conf 
@@ -0,0 +1,46 @@ +[General] +statsDialog=1 + +[database] +file=:memory: +max_days=1 +purge_interval=5 +purge_oldest=true +type=0 + +[global] +default_action=0 +default_duration=6 +default_ignore_rules=false +default_ignore_temporary_rules=0 +default_popup_advanced=true +default_popup_advanced_dstip=true +default_popup_advanced_dstport=true +default_popup_advanced_uid=false +default_popup_position=0 +default_target=0 +default_timeout=30 +disable_popups=false + +[notifications] +enabled=true +type=0 + +[promptDialog] +geometry=@ByteArray(\x1\xd9\xd0\xcb\0\x3\0\0\0\0\x6\x93\0\0\x3\x86\0\0\b\x9a\0\0\x4\xde\0\0\x6\x93\0\0\x3\xab\0\0\b\x9a\0\0\x4\xde\0\0\0\0\0\0\0\0\xf\0\0\0\x6\x93\0\0\x3\xab\0\0\b\x9a\0\0\x4\xde) + +[statsDialog] +general_columns_state=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4o\0\0\0\a\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\a\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x1\x1\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xf5\0\0\0\x1\0\0\0\0\0\0\0\xe9\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64) +general_filter_text= +general_limit_results=0 +geometry=@ByteArray(\x1\xd9\xd0\xcb\0\x3\0\0\0\0\a\x84\0\0\x4&\0\0\f\b\0\0\a\xf7\0\0\a\x84\0\0\x4K\0\0\f\b\0\0\a\xf7\0\0\0\0\0\0\0\0\xf\0\0\0\a\x84\0\0\x4K\0\0\f\b\0\0\a\xf7) +last_tab=0 +nodes_columns_state=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x5\x88\0\0\0\n\0\x1\x1\x1\0\0\0\0\0\0\0\0\x1\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\n\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0>\0\0\0\x1\0\0\0\x3\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x2*\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64) 
+rules_columns_state=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\xff\xff\xff\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4\x46\0\0\0\n\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\n\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xc2\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64) +rules_tree_0_expanded=false +rules_tree_1_expanded=false +show_columns=0, 1, 2, 3, 4, 5, 6 +view_columns_state2=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\xff\xff\xff\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4\xaa\0\0\0\v\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\v\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xc2\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64) +view_columns_state4=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x3\xe2\0\0\0\x2\0\x1\x1\x1\0\0\0\0\0\0\0\0\x1\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\x2\0\0\x1\x64\0\0\0\x1\0\0\0\x3\0\0\x2~\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64) +view_details_columns_state0=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xc8\0\0\0\x2\0\x1\x1\x1\0\0\0\0\0\0\0\0\x1\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\x2\0\0\0\x64\0\0\0\x1\0\0\0\x3\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64) 
+view_details_columns_state2=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\xff\xff\xff\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4\x46\0\0\0\n\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\n\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xc2\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64) diff --git a/config/settings/services/mem-alloc.service b/config/settings/services/mem-alloc.service new file mode 100644 index 0000000..545514f --- /dev/null +++ b/config/settings/services/mem-alloc.service @@ -0,0 +1,13 @@ +[Unit] +Description=build and install memory hardened allocator +DefaultDependencies=no +After=sysinit.target local-fs.target +Before=basic.target + +[Service] +Type=oneshot +ExecStart=/usr/mem_alloc.sh +RemainAfterExit=yes + +[Install] +WantedBy=basic.target diff --git a/config/settings/services/mem_alloc.sh b/config/settings/services/mem_alloc.sh new file mode 100755 index 0000000..6d17180 --- /dev/null +++ b/config/settings/services/mem_alloc.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash +set -e +set -x +if [ -f '/usr/src/hardened_malloc/Makefile' ]; then + cd /usr/src/hardened_malloc/ + make -s VARIANT=default CONFIG_NATIVE=false +fi +if [ -f '/usr/src/hardened_malloc/out/libhardened_malloc.so' ]; then + echo '/usr/src/hardened_malloc/out/libhardened_malloc.so' | tee /etc/ld.so.preload +fi + diff --git a/config/settings/skel/autorun.desktop b/config/settings/skel/autorun.desktop new file mode 100644 index 0000000..24b95f8 --- /dev/null +++ b/config/settings/skel/autorun.desktop @@ -0,0 +1,6 @@ +[Desktop Entry] +Name=Enable GNOME Extensions +Exec=/usr/gnome_settings.sh +Type=Application +Hidden=false +X-GNOME-Autostart-enabled=true 
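Review bot: `file=:memory:` together with `max_days=1` under `[database]` means the GUI's connection and event history lives only in RAM and is gone at logout, so there is nothing to consult when a deny fires on something unexpected or after an incident. If that is a deliberate privacy trade-off, record it in the repository documentation (QSettings rewrites this file, so an inline comment would not survive); otherwise point `file=` at a path under the user's `.config/opensnitch/`. `default_action=0` with `default_timeout=30` presumably makes an unanswered prompt fail closed after 30 s, which is the right choice but worth documenting since the numeric codes are opaque. The `geometry=@ByteArray(...)` and `*_columns_state` entries are per-session window layout that the GUI overwrites on exit and do not belong in a system-wide template.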
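Review bot: The unit runs a compiler as root on every boot, before `basic.target`, with no `ConditionPathExists=`, so on an image where `/usr/src/hardened_malloc` was never copied in the unit still reports success while `mem_alloc.sh` silently does nothing and the system boots without the allocator it claims to install. Add `ConditionPathExists=/usr/src/hardened_malloc/Makefile` so the skipped state is visible in `systemctl status`, and consider building once during the chroot step of `build_filesystem.sh` rather than at boot, which also removes the need to ship a toolchain. `Type=oneshot` with `RemainAfterExit=yes` is the right shape for the ordering.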
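Review bot: `tee /etc/ld.so.preload` replaces the whole file rather than adding an entry, and because `ld.so.preload` is honoured even for setuid binaries, whatever lands there is loaded into every dynamically linked process on the system; the script never checks what the file held before, nor that the `.so` is root-owned and not group/world-writable, before committing to it. The hardened_malloc README also recommends raising `vm.max_map_count` since the allocator is mapping-heavy; I see no sysctl for that in this diff, so confirm it is set elsewhere or add a persistent `/etc/sysctl.d` drop-in. Rebuilding with `make` on every boot is unnecessary as well: guard it with `[ -f /usr/src/hardened_malloc/out/libhardened_malloc.so ] ||` and let only the preload step run each boot.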
diff --git a/config/settings/skel/bash_profile b/config/settings/skel/bash_profile
new file mode 100644
index 0000000..ceb89f0
--- /dev/null
+++ b/config/settings/skel/bash_profile
@@ -0,0 +1,5 @@
+# ~/.bash_profile
+chsh -s /bin/bash
+if [ -f ~/.bashrc ]; then
+ . ~/.bashrc
+fi
diff --git a/config/settings/skel/bashrc b/config/settings/skel/bashrc
new file mode 100644
index 0000000..5dfa5a3
--- /dev/null
+++ b/config/settings/skel/bashrc
@@ -0,0 +1,8 @@
+# ~/.bashrc
+
+# Custom aliases
+alias la='ls -la'
+
+
+# Set a custom prompt
+PS1="[\u@\h \W]\$ "
diff --git a/config/settings/skel/gnome_settings.sh b/config/settings/skel/gnome_settings.sh
new file mode 100644
index 0000000..548d63a
--- /dev/null
+++ b/config/settings/skel/gnome_settings.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+gnome-extensions enable ubuntu-appindicators@ubuntu.com
+gsettings set org.gnome.desktop.interface color-scheme prefer-dark
diff --git a/config/settings/skel/profile b/config/settings/skel/profile
new file mode 100644
index 0000000..3616d30
--- /dev/null
+++ b/config/settings/skel/profile
@@ -0,0 +1,14 @@
+# ~/.profile
+
+if [ -f ~/.bashrc ]; then
+ . ~/.bashrc
+fi
+
+if [ ! -f $HOME/.config/opensnitch/firstrun]; then
+ mkdir -p $HOME/.config/opensnitch/
+ cp /etc/opensnitchd/settings.conf $HOME/.config/opensnitch/settings.conf
+ touch $HOME/.config/opensnitch/firstrun
+fi
+
+
+
diff --git a/scripts/boot_image.sh b/scripts/boot_image.sh
index f31fc43..62bb85a 100755
--- a/scripts/boot_image.sh
+++ b/scripts/boot_image.sh
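Review bot: `chsh -s /bin/bash` in `~/.bash_profile` runs on every login shell, and for a non-root user `chsh` authenticates interactively, so each login either prompts for the password or fails noisily; it also makes a dotfile mutate `/etc/passwd` as a side effect, which is the wrong place for an account setting. Set the login shell where the account is created instead (`useradd -s /bin/bash`, `SHELL=/bin/bash` in `/etc/default/useradd`, or `DSHELL` in `adduser.conf`) and keep this file to the `.bashrc` sourcing. Note also that bash prefers `~/.bash_profile` over `~/.profile` for login shells, so with this file present the first-run logic in the new `~/.profile` is only reached through the display manager's session script, if it sources `.profile` at all.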
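Review bot: The test `[ ! -f $HOME/.config/opensnitch/firstrun]` is missing the space before `]`, so `[` takes the bracket as part of the filename, prints `missing ']'` on every login and returns non-zero; the `if` body therefore never runs and the OpenSnitch GUI settings are never seeded. The fix is `if [ ! -f "$HOME/.config/opensnitch/firstrun" ]; then` (quoting also protects a home path containing spaces). Separately, the copy reads `/etc/opensnitchd/settings.conf` while `build_filesystem.sh` in this same diff rsyncs the opensnitch settings to `/usr/src/opensnitchd/`; unless `apply_initial_host_configuration.sh` (not shown here) moves them, the `cp` fails and, since `.profile` runs without `set -e`, the `touch` still marks first-run done.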
@@ -4,5 +4,5 @@ cd .. disk="./outputs/boot_image.img" -qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd -drive if=none,format=raw,file=$disk,id=hd -device virtio-blk-pci,drive=hd -m 16G -smp 8 -vga none --display default,gl=off -usb -device virtio-tablet-pci -device virtio-keyboard-pci --device virtio-gpu-pci -usb -enable-kvm -machine type=pc-q35-3.1,accel=kvm,kernel_irqchip=on -netdev user,id=net0 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56 +qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd -drive if=none,format=raw,file=$disk,id=hd -device virtio-blk-pci,drive=hd -m 16G -smp 8 -vga none --display default,gl=off -usb -device virtio-tablet-pci -device virtio-keyboard-pci --device virtio-gpu-pci -usb -enable-kvm -machine type=q35,accel=kvm,kernel_irqchip=on -netdev user,id=net0 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56 #--display gtk,gl=off --device virtio-gpu diff --git a/scripts/bootstrap_filesystem.sh b/scripts/bootstrap_filesystem.sh new file mode 100755 index 0000000..d5d005f --- /dev/null +++ b/scripts/bootstrap_filesystem.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +if [ "$(id -u)" -ne 0 ]; then + echo "switching from $(id -un) to root" + exec sudo "$0" "$@" +fi +set -e +cd "$(dirname "$0")" +DIR="$(dirname "$0")" +cd .. +echo $PWD + +rm -rf './outputs/root' +if [ ! -d ./outputs/root/bin ]; then + rm -rf './outputs/root' + mkdir -p ./outputs/root/ + debootstrap questing ./outputs/root https://us.archive.ubuntu.com/ubuntu +fi + diff --git a/scripts/build_filesystem.sh b/scripts/build_filesystem.sh index c017244..9246fb1 100755 --- a/scripts/build_filesystem.sh +++ b/scripts/build_filesystem.sh 
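Review bot: The unconditional `rm -rf './outputs/root'` immediately before `if [ ! -d ./outputs/root/bin ]` makes the guard dead code: the directory is always gone by the time it is tested, so every run re-runs debootstrap and the inner `rm -rf` is a duplicate. Keep one or the other — drop the outer `rm` if the intent is to reuse an existing bootstrap, or drop the `if` if it is to always start clean. Since this step is the root of trust for the whole image, also pass `--keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg` to `debootstrap` explicitly rather than relying on its default keyring lookup, and quote `"$PWD"` in the `echo`.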
@@ -1,21 +1,26 @@ #!/bin/bash +set -e +set -x +#downloading graphene malloc +if [ ! -f ./dependencies/hardened_malloc/Makefile ]; then + cd "$(dirname "$0")" + DIR="$(dirname "$0")" + cd .. + cd ./dependencies/ + git clone https://github.com/GrapheneOS/hardened_malloc.git +fi + +#switching to root to perform chroot if [ "$(id -u)" -ne 0 ]; then echo "switching from $(id -un) to root" exec sudo "$0" "$@" fi -set -e + cd "$(dirname "$0")" DIR="$(dirname "$0")" cd .. echo $PWD - -rm -rf './outputs/root' -if [ ! -d ./outputs/root/bin ]; then - rm -rf './outputs/root' - mkdir -p ./outputs/root/ - debootstrap questing ./outputs/root https://us.archive.ubuntu.com/ubuntu -fi if mountpoint -q "./outputs/chroot/proc/"; then umount -lf "./outputs/chroot/proc/" fi 
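Review bot: The `git clone https://github.com/GrapheneOS/hardened_malloc.git` is unpinned and unverified, yet what it fetches is compiled as root at boot and injected into every process through `/etc/ld.so.preload` by `mem_alloc.sh`, so whoever controls that endpoint or repository controls the image. Pin a release and verify it: `git clone --depth 1 --branch <tag> https://github.com/GrapheneOS/hardened_malloc.git` followed by `git -C hardened_malloc verify-tag <tag>` against the GrapheneOS signing key, or at minimum record the expected commit hash in `config.json` and compare before copying. Note the clone runs as the invoking user before the `exec sudo` re-exec, so the checkout is user-writable when root later copies it into the image — acceptable for a local build, but worth a comment on the `if` guard.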
@@ -26,10 +31,48 @@ if mountpoint -q "./outputs/root/proc/"; then fi rsync -a ./outputs/root/ ./outputs/chroot/ mkdir -p ./outputs/chroot/proc + + mount --bind /proc ./outputs/chroot/proc cp ./config/filesystem_chroot_install.sh ./outputs/chroot/filesystem_chroot_install.sh +cp ./config/apply_initial_host_configuration.sh ./outputs/chroot/apply_initial_host_configuration.sh +cp ./config/config.json ./outputs/chroot/config.json + +#copy opensnitch rules. +echo "copying firewall rules" +rsync -a ./config/settings/opensnitch/ ./outputs/chroot/usr/src/opensnitchd/ + +#setup user skeleton +sudo mkdir -p ./outputs/chroot/etc/skel/.config +printf "yes" | tee ./outputs/chroot/etc/skel/.config/gnome-initial-setup-done +cp ./config/settings/skel/bash_profile ./outputs/chroot/etc/skel/.bash_profile +cp ./config/settings/skel/bashrc ./outputs/chroot/etc/skel/.bashrc +cp ./config/settings/skel/profile ./outputs/chroot/etc/skel/.profile + +cp ./config/settings/skel/gnome_settings.sh ./outputs/chroot/usr/gnome_settings.sh +chmod +x ./outputs/chroot/usr/gnome_settings.sh + +#installing hardened memory allocator if built +if [ -f ./dependencies/hardened_malloc/Makefile ]; then + rsync -a ./dependencies/hardened_malloc/ ./outputs/chroot/usr/src/hardened_malloc/ +fi + +cp ./config/settings/services/*.service ./outputs/chroot/etc/systemd/system/ +find ./config/settings/services/ -type f -name '*.sh' -exec chmod +x {} \; +cp ./config/settings/services/*.sh ./outputs/chroot/usr/ + +echo "installing system from within chroot" chmod +x ./outputs/chroot/filesystem_chroot_install.sh +chmod +x ./outputs/chroot/apply_initial_host_configuration.sh +mkdir -p ./outputs/chroot/lib/modules/ + +echo "installing kernel modules" +rsync -a ./dependencies/linux/modules/lib/modules/ ./outputs/chroot/lib/modules/ + +echo "installing filesystem" chroot ./outputs/chroot /bin/bash -c "/filesystem_chroot_install.sh" +chroot ./outputs/chroot /bin/bash -c "/apply_initial_host_configuration.sh" +cp 
./config/settings/skel/autorun.desktop ./outputs/chroot/etc/xdg/autostart/autorun.desktop
 cd $DIR
 cd ..
diff --git a/scripts/build_image.sh b/scripts/build_image.sh
index 8bccb11..184dd63 100755
--- a/scripts/build_image.sh
+++ b/scripts/build_image.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 if [ "$(id -u)" -ne 0 ]; then
 echo "switching from $(id -un) to root"
- exec sudo "$0" "$@"
+ exec sudo ionice -c 3 "$0" "$@"
 fi
 set -e
 cd "$(dirname "$0")"
diff --git a/scripts/build_kernel.sh b/scripts/build_kernel.sh
index 4cd4fe2..56b08d7 100755
--- a/scripts/build_kernel.sh
+++ b/scripts/build_kernel.sh
@@ -6,7 +6,7 @@ mkdir -p ./dependencies
 rootdir=$(dirname "$0")
 dir=./$(dirname "$0")
 cd dependencies
-[[ -d ./linux ]] || git clone --depth 5 https://github.com/gregkh/linux.git ./linux
+[[ -d ./linux ]] || git clone --depth 1 https://github.com/torvalds/linux.git ./linux
 cd "$(dirname "$0")"
 cd ..
 echo $PWD
diff --git a/scripts/install_dependencies.sh b/scripts/install_dependencies.sh
index d043847..77632d7 100755
--- a/scripts/install_dependencies.sh
+++ b/scripts/install_dependencies.sh
@@ -4,7 +4,7 @@ if [ "$(id -u)" -ne 0 ]; then
 exec sudo "$0" "$@"
 fi
 set -e
-list="kpartx podman debootstrap "
+list="kpartx podman debootstrap qemu-system"
 apt update
 for item in $list; do
 apt install -y $item
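Review bot: `mount --bind /proc ./outputs/chroot/proc` has no matching unmount on this path: the only umount is the `umount -lf` at the top of the script, which detaches lazily on the next invocation, so any failure in the added `chroot … /apply_initial_host_configuration.sh` step (fatal under `set -e`) leaves the host's /proc bound inside the output tree for whatever consumes it later. A `trap 'umount -lf ./outputs/chroot/proc' EXIT` registered right after the mount, or an explicit `umount ./outputs/chroot/proc` after the second `chroot` line, closes that. The staging files copied into the root of the chroot — `/filesystem_chroot_install.sh`, `/apply_initial_host_configuration.sh` and `/config.json` — are executed but never removed in this hunk, so unless the chroot scripts delete themselves they ship in the final image; `rm -f ./outputs/chroot/filesystem_chroot_install.sh ./outputs/chroot/apply_initial_host_configuration.sh ./outputs/chroot/config.json` after the chroot calls avoids that. Minor: `sudo mkdir -p` is redundant since the script has already re-exec'd as root, and `printf "yes" | tee …` can be `printf 'yes' > …` unless echoing the value to stdout is intended.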
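Review bot: Switching the clone to `--depth 1 https://github.com/torvalds/linux.git` builds whatever mainline master happens to be at clone time: no tag, no commit and no signature check, so the kernel is neither reproducible nor verified, and with the `[[ -d ./linux ]] ||` guard two build hosts cloned on different days ship different kernels. Pin to a signed release tag, e.g. `git clone --depth 1 --branch <vX.Y> https://github.com/torvalds/linux.git ./linux` followed by `git -C ./linux verify-tag <vX.Y>` (release tags are GPG-signed; the signing key still has to be in the build host's keyring). If tracking mainline rather than a stable series is deliberate, recording the exact commit in the repo and checking it out is the minimum.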
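Review bot: `list="kpartx podman debootstrap qemu-system"` adds the qemu-system metapackage but still omits tools the other scripts in this patch invoke: `git` and `rsync` in build_filesystem.sh, and whatever provides `/usr/share/ovmf/OVMF.fd` for the run script (the `ovmf` package on Ubuntu), so a fresh host fails later rather than here unless those arrive transitively. `qemu-system` also pulls in emulators for every architecture; `qemu-system-x86` is all the run script needs. Suggested: `list="kpartx podman debootstrap qemu-system-x86 ovmf git rsync"`. The unquoted `$list` in `for item in $list` is intentional word-splitting and fine for fixed package names.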
