From b0ac1458b7c11bd0c34e43187d66c12b46ddd599 Mon Sep 17 00:00:00 2001 From: Mauricio Vargas Date: Sun, 11 Jul 2021 12:23:45 -0400 Subject: [PATCH 1/6] jitsi, same as used at PUC --- .../files/etc/update-motd.d/99-one-click | 19 + .../files/root/i-agree-to-jitsi-license.sh | 18 + jitsi-20-04/scripts/01-packages.sh | 58 ++ jitsi-20-04/scripts/90-cleanup.sh | 52 ++ jitsi-20-04/scripts/99-img_check.sh | 682 ++++++++++++++++++ jitsi-20-04/template.json | 57 ++ 6 files changed, 886 insertions(+) create mode 100755 jitsi-20-04/files/etc/update-motd.d/99-one-click create mode 100755 jitsi-20-04/files/root/i-agree-to-jitsi-license.sh create mode 100644 jitsi-20-04/scripts/01-packages.sh create mode 100755 jitsi-20-04/scripts/90-cleanup.sh create mode 100755 jitsi-20-04/scripts/99-img_check.sh create mode 100644 jitsi-20-04/template.json diff --git a/jitsi-20-04/files/etc/update-motd.d/99-one-click b/jitsi-20-04/files/etc/update-motd.d/99-one-click new file mode 100755 index 0000000..ff16ccf --- /dev/null +++ b/jitsi-20-04/files/etc/update-motd.d/99-one-click 
@@ -0,0 +1,19 @@ +#!/bin/sh +# +# Configured as part of the DigitalOcean 1-Click Image build process + +myip=$(hostname -I | awk '{print$1}') +cat < /usr/share/keyrings/jitsi-keyring.gpg' + +# Create a sources.list.d file with the repository: +echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null + +# update apt +apt-get -y update +apt-get -y upgrade + +# requisites for jitsi +apt-get -y install ca-certificates-java coturn fontconfig-config fonts-dejavu-core fonts-lato java-common javascript-common\ + libavahi-client3 libavahi-common-data libavahi-common3 libcups2 libevent-core-2.1-7\ + libevent-extra-2.1-7 libevent-openssl-2.1-7 libevent-pthreads-2.1-7 libfontconfig1 libgd3 libgraphite2-3\ + libharfbuzz0b libhiredis0.14 libidn11 libjbig0 libjpeg-turbo8 libjpeg8 libjs-jquery liblcms2-2\ + libmysqlclient21 libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail\ + libnginx-mod-stream libnspr4 libnss3 libpcsclite1 libpq5 libruby2.7 libtiff5 libwebp6 libxpm4 lua-bitop\ + lua-event lua-expat lua-filesystem lua-sec lua-socket lua5.2 mysql-common nginx nginx-common nginx-core\ + openjdk-16-jre-headless prosody rake ruby ruby-hocon ruby-minitest ruby-net-telnet ruby-power-assert\ + ruby-test-unit ruby-xmlrpc ruby2.7 rubygems-integration sqlite3 ssl-cert unzip zip + +# apt-get -y install debconf-utils + +# echo "jitsi-videobridge2 jitsi-videobridge/jvb-hostname string example.digitalocean.com" | debconf-set-selections +# echo "jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)" | debconf-set-selections + +# install let's encrypt +apt-get -y install python3-certbot-nginx + +# install Digital Ocean agent +curl -sSL https://repos.insights.digitalocean.com/install.sh | bash + +# add some security +echo "y" | ufw enable +apt-get -y install 
fail2ban +systemctl start fail2ban +systemctl enable fail2ban +printf '[sshd]\nenabled = true\nport = 22\nfilter = sshd\nlogpath = /var/log/auth.log\nmaxretry = 5' | tee -a /etc/fail2ban/jail.local +printf '\n\n[http-auth]\nenabled = true\nport = http,https\nlogpath = /var/log/auth.log\nmaxretry = 5' | tee -a /etc/fail2ban/jail.local +systemctl restart fail2ban + +# open ports +ufw allow http +ufw allow https +ufw allow ssh +sudo ufw allow 10000/udp + +# Disable and remove the swapfile prior to snapshotting +swapoff /swapfile +rm -f /swapfile + diff --git a/jitsi-20-04/scripts/90-cleanup.sh b/jitsi-20-04/scripts/90-cleanup.sh new file mode 100755 index 0000000..eec2af7 --- /dev/null +++ b/jitsi-20-04/scripts/90-cleanup.sh 
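Review bot: The `[http-auth]` jail appended to `/etc/fail2ban/jail.local` names no `filter`, so fail2ban will look for a filter called `http-auth`, which is not a stock filter; the service will at least log a configuration error for that jail and, depending on the fail2ban version, may refuse to start, and the unchecked `systemctl restart fail2ban` on the next line means the build would not notice. Either drop that block or use a stock jail that matches what is installed here, e.g. `filter = nginx-http-auth` with `logpath = /var/log/nginx/error.log`, and verify with `fail2ban-client status` before the snapshot is taken. `curl -sSL https://repos.insights.digitalocean.com/install.sh | bash` executes a remote script without any verification; that may be acceptable for the vendor's own agent installer, but a comment saying so records the decision. The hunk header for this file is not visible in this view, so the top of the script could not be reviewed.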
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -o errexit
+
+# Ensure /tmp exists and has the proper permissions before
+# checking for security updates
+# https://github.com/digitalocean/marketplace-partners/issues/94
+if [[ ! -d /tmp ]]; then
+ mkdir /tmp
+fi
+chmod 1777 /tmp
+
+if [ -n "$(command -v yum)" ]; then
+ yum update -y
+ yum clean all
+elif [ -n "$(command -v apt-get)" ]; then
+ apt-get -y update
+ apt-get -y upgrade
+ apt-get -y autoremove
+ apt-get -y autoclean
+fi
+
+rm -rf /tmp/* /var/tmp/*
+history -c
+cat /dev/null > /root/.bash_history
+unset HISTFILE
+find /var/log -mtime -1 -type f -exec truncate -s 0 {} \;
+rm -rf /var/log/*.gz /var/log/*.[0-9] /var/log/*-????????
+rm -rf /var/lib/cloud/instances/*
+rm -f /root/.ssh/authorized_keys /etc/ssh/*key*
+touch /etc/ssh/revoked_keys
+chmod 600 /etc/ssh/revoked_keys
+
+# Securely erase the unused portion of the filesystem
+GREEN='\033[0;32m'
+NC='\033[0m'
+printf "\n${GREEN}Writing zeros to the remaining disk space to securely
+erase the unused portion of the file system.
+Depending on your disk size this may take several minutes.
+The secure erase will complete successfully when you see:${NC}
+ dd: writing to '/zerofile': No space left on device\n
+Beginning secure erase now\n"
+
+dd if=/dev/zero of=/zerofile &
+ PID=$!
+ while [ -d /proc/$PID ]
+ do
+ printf "."
+ sleep 5
+ done
+sync; rm /zerofile; sync
+cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/wtmp
diff --git a/jitsi-20-04/scripts/99-img_check.sh b/jitsi-20-04/scripts/99-img_check.sh
new file mode 100755
index 0000000..91f1080
--- /dev/null
+++ b/jitsi-20-04/scripts/99-img_check.sh
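Review bot: The background `dd` is tracked by polling `/proc/$PID` every five seconds; `wait "$PID" || true` reaps it directly (the `|| true` is needed because dd exits non-zero on ENOSPC and the file sets `errexit`), and adding `bs=1M` to the dd invocation makes the zero-fill considerably faster than the default 512-byte blocks. `rm -f /root/.ssh/authorized_keys /etc/ssh/*key*` removes the host keys, which only yields unique keys per droplet if something regenerates them on first boot — presumably cloud-init, but that is not visible here; a comment such as `# host keys are removed so each droplet generates its own on first boot` would record the intent. Note that `/etc/ssh/*key*` also matches `revoked_keys`, which is why the `touch` must stay after the `rm`.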
@@ -0,0 +1,682 @@ +#!/bin/bash +# +# DigitalOcean Marketplace Image Validation Tool +# © 2018 DigitalOcean LLC. +# This code is licensed under MIT license (see LICENSE.txt for details) +# +VERSION="v. 1.6" +RUNDATE=$( date ) + +# Script should be run with SUDO +if [ "$EUID" -ne 0 ] + then echo "[Error] - This script must be run with sudo or as the root user." + exit 1 +fi + +STATUS=0 +PASS=0 +WARN=0 +FAIL=0 + +# $1 == command to check for +# returns: 0 == true, 1 == false +cmdExists() { + if command -v "$1" > /dev/null 2>&1; then + return 0 + else + return 1 + fi +} + +function getDistro { + if [ -f /etc/os-release ]; then + # freedesktop.org and systemd + . /etc/os-release + OS=$NAME + VER=$VERSION_ID +elif type lsb_release >/dev/null 2>&1; then + # linuxbase.org + OS=$(lsb_release -si) + VER=$(lsb_release -sr) +elif [ -f /etc/lsb-release ]; then + # For some versions of Debian/Ubuntu without lsb_release command + . /etc/lsb-release + OS=$DISTRIB_ID + VER=$DISTRIB_RELEASE +elif [ -f /etc/debian_version ]; then + # Older Debian/Ubuntu/etc. + OS=Debian + VER=$(cat /etc/debian_version) +elif [ -f /etc/SuSe-release ]; then + # Older SuSE/etc. + : +elif [ -f /etc/redhat-release ]; then + # Older Red Hat, CentOS, etc. + VER=$( cat /etc/redhat-release | cut -d" " -f3 | cut -d "." -f1) + d=$( cat /etc/redhat-release | cut -d" " -f1 | cut -d "." -f1) + if [[ $d == "CentOS" ]]; then + OS="CentOS Linux" + fi +else + # Fall back to uname, e.g. "Linux ", also works for BSD, etc. 
+ OS=$(uname -s) + VER=$(uname -r) +fi +} +function loadPasswords { +SHADOW=$(cat /etc/shadow) +} + +function checkAgent { + # Check for the presence of the do-agent in the filesystem + if [ -d /var/opt/digitalocean/do-agent ];then + echo -en "\e[41m[FAIL]\e[0m DigitalOcean Monitoring Agent detected.\n" + ((FAIL++)) + STATUS=2 + if [[ $OS == "CentOS Linux" ]]; then + echo "The agent can be removed with 'sudo yum remove do-agent' " + elif [[ $OS == "Ubuntu" ]]; then + echo "The agent can be removed with 'sudo apt-get purge do-agent' " + fi + else + echo -en "\e[32m[PASS]\e[0m DigitalOcean Monitoring agent was not found\n" + ((PASS++)) + fi +} + +function checkLogs { + cp_ignore="/var/log/cpanel-install.log" + echo -en "\nChecking for log files in /var/log\n\n" + # Check if there are log archives or log files that have not been recently cleared. + for f in /var/log/*-????????; do + [[ -e $f ]] || break + if [ $f != $cp_ignore ]; then + echo -en "\e[93m[WARN]\e[0m Log archive ${f} found\n" + ((WARN++)) + if [[ $STATUS != 2 ]]; then + STATUS=1 + fi + fi + done + for f in /var/log/*.[0-9];do + [[ -e $f ]] || break + echo -en "\e[93m[WARN]\e[0m Log archive ${f} found\n" + ((WARN++)) + if [[ $STATUS != 2 ]]; then + STATUS=1 + fi + done + for f in /var/log/*.log; do + [[ -e $f ]] || break + if [[ "${f}" = '/var/log/lfd.log' && "$( cat "${f}" | egrep -v '/var/log/messages has been reset| Watching /var/log/messages' | wc -c)" -gt 50 ]]; then + if [ $f != $cp_ignore ]; then + echo -en "\e[93m[WARN]\e[0m un-cleared log file, ${f} found\n" + ((WARN++)) + if [[ $STATUS != 2 ]]; then + STATUS=1 + fi + fi + elif [[ "${f}" != '/var/log/lfd.log' && "$( cat "${f}" | wc -c)" -gt 50 ]]; then + if [ $f != $cp_ignore ]; then + echo -en "\e[93m[WARN]\e[0m un-cleared log file, ${f} found\n" + ((WARN++)) + if [[ $STATUS != 2 ]]; then + STATUS=1 + fi + fi + fi + done +} +function checkTMP { + # Check the /tmp directory to ensure it is empty. Warn on any files found. 
+ return 1 +} +function checkRoot { + user="root" + uhome="/root" + for usr in $SHADOW + do + IFS=':' read -r -a u <<< "$usr" + if [[ "${u[0]}" == "${user}" ]]; then + if [[ ${u[1]} == "!" ]] || [[ ${u[1]} == "!!" ]] || [[ ${u[1]} == "*" ]]; then + echo -en "\e[32m[PASS]\e[0m User ${user} has no password set.\n" + ((PASS++)) + else + echo -en "\e[41m[FAIL]\e[0m User ${user} has a password set on their account.\n" + ((FAIL++)) + STATUS=2 + fi + fi + done + if [ -d ${uhome}/ ]; then + if [ -d ${uhome}/.ssh/ ]; then + if ls ${uhome}/.ssh/*> /dev/null 2>&1; then + for key in ${uhome}/.ssh/* + do + if [ "${key}" == "${uhome}/.ssh/authorized_keys" ]; then + + if [ "$( cat "${key}" | wc -c)" -gt 50 ]; then + echo -en "\e[41m[FAIL]\e[0m User \e[1m${user}\e[0m has a populated authorized_keys file in \e[93m${key}\e[0m\n" + akey=$(cat ${key}) + echo "File Contents:" + echo $akey + echo "--------------" + ((FAIL++)) + STATUS=2 + fi + elif [ "${key}" == "${uhome}/.ssh/id_rsa" ]; then + if [ "$( cat "${key}" | wc -c)" -gt 0 ]; then + echo -en "\e[41m[FAIL]\e[0m User \e[1m${user}\e[0m has a private key file in \e[93m${key}\e[0m\n" + akey=$(cat ${key}) + echo "File Contents:" + echo $akey + echo "--------------" + ((FAIL++)) + STATUS=2 + else + echo -en "\e[93m[WARN]\e[0m User \e[1m${user}\e[0m has empty private key file in \e[93m${key}\e[0m\n" + ((WARN++)) + if [[ $STATUS != 2 ]]; then + STATUS=1 + fi + fi + elif [ "${key}" != "${uhome}/.ssh/known_hosts" ]; then + echo -en "\e[93m[WARN]\e[0m User \e[1m${user}\e[0m has a file in their .ssh directory at \e[93m${key}\e[0m\n" + ((WARN++)) + if [[ $STATUS != 2 ]]; then + STATUS=1 + fi + else + if [ "$( cat "${key}" | wc -c)" -gt 50 ]; then + echo -en "\e[93m[WARN]\e[0m User \e[1m${user}\e[0m has a populated known_hosts file in \e[93m${key}\e[0m\n" + ((WARN++)) + if [[ $STATUS != 2 ]]; then + STATUS=1 + fi + fi + fi + done + else + echo -en "\e[32m[ OK ]\e[0m User \e[1m${user}\e[0m has no SSH keys present\n" + fi + else + echo -en 
"\e[32m[ OK ]\e[0m User \e[1m${user}\e[0m does not have an .ssh directory\n" + fi + if [ -f /root/.bash_history ];then + + BH_S=$( cat /root/.bash_history | wc -c) + + if [[ $BH_S -lt 200 ]]; then + echo -en "\e[32m[PASS]\e[0m ${user}'s Bash History appears to have been cleared\n" + ((PASS++)) + else + echo -en "\e[41m[FAIL]\e[0m ${user}'s Bash History should be cleared to prevent sensitive information from leaking\n" + ((FAIL++)) + STATUS=2 + fi + + return 1; + else + echo -en "\e[32m[PASS]\e[0m The Root User's Bash History is not present\n" + ((PASS++)) + fi + else + echo -en "\e[32m[ OK ]\e[0m User \e[1m${user}\e[0m does not have a directory in /home\n" + fi + echo -en "\n\n" + return 1 +} + +function checkUsers { + # Check each user-created account + for user in $(awk -F: '$3 >= 1000 && $1 != "nobody" {print $1}' /etc/passwd;) + do + # Skip some other non-user system accounts + if [[ $user == "centos" ]]; then + : + elif [[ $user == "nfsnobody" ]]; then + : + else + echo -en "\nChecking user: ${user}...\n" + for usr in $SHADOW + do + IFS=':' read -r -a u <<< "$usr" + if [[ "${u[0]}" == "${user}" ]]; then + if [[ ${u[1]} == "!" ]] || [[ ${u[1]} == "!!" ]] || [[ ${u[1]} == "*" ]]; then + echo -en "\e[32m[PASS]\e[0m User ${user} has no password set.\n" + ((PASS++)) + else + echo -en "\e[41m[FAIL]\e[0m User ${user} has a password set on their account. 
Only system users are allowed on the image.\n" + ((FAIL++)) + STATUS=2 + fi + fi + done + #echo "User Found: ${user}" + uhome="/home/${user}" + if [ -d "${uhome}/" ]; then + if [ -d "${uhome}/.ssh/" ]; then + if ls "${uhome}/.ssh/*"> /dev/null 2>&1; then + for key in ${uhome}/.ssh/* + do + if [ "${key}" == "${uhome}/.ssh/authorized_keys" ]; then + if [ "$( cat "${key}" | wc -c)" -gt 50 ]; then + echo -en "\e[41m[FAIL]\e[0m User \e[1m${user}\e[0m has a populated authorized_keys file in \e[93m${key}\e[0m\n" + akey=$(cat ${key}) + echo "File Contents:" + echo $akey + echo "--------------" + ((FAIL++)) + STATUS=2 + fi + elif [ "${key}" == "${uhome}/.ssh/id_rsa" ]; then + if [ "$( cat "${key}" | wc -c)" -gt 0 ]; then + echo -en "\e[41m[FAIL]\e[0m User \e[1m${user}\e[0m has a private key file in \e[93m${key}\e[0m\n" + akey=$(cat ${key}) + echo "File Contents:" + echo $akey + echo "--------------" + ((FAIL++)) + STATUS=2 + else + echo -en "\e[93m[WARN]\e[0m User \e[1m${user}\e[0m has empty private key file in \e[93m${key}\e[0m\n" + ((WARN++)) + if [[ $STATUS != 2 ]]; then + STATUS=1 + fi + fi + elif [ "${key}" != "${uhome}/.ssh/known_hosts" ]; then + + echo -en "\e[93m[WARN]\e[0m User \e[1m${user}\e[0m has a file in their .ssh directory named \e[93m${key}\e[0m\n" + ((WARN++)) + if [[ $STATUS != 2 ]]; then + STATUS=1 + fi + + else + if [ "$( cat "${key}" | wc -c)" -gt 50 ]; then + echo -en "\e[93m[WARN]\e[0m User \e[1m${user}\e[0m has a known_hosts file in \e[93m${key}\e[0m\n" + ((WARN++)) + if [[ $STATUS != 2 ]]; then + STATUS=1 + fi + fi + fi + + + done + else + echo -en "\e[32m[ OK ]\e[0m User \e[1m${user}\e[0m has no SSH keys present\n" + fi + else + echo -en "\e[32m[ OK ]\e[0m User \e[1m${user}\e[0m does not have an .ssh directory\n" + fi + else + echo -en "\e[32m[ OK ]\e[0m User \e[1m${user}\e[0m does not have a directory in /home\n" + fi + + # Check for an uncleared .bash_history for this user + if [ -f "${uhome}/.bash_history" ]; then + BH_S=$( cat 
"${uhome}/.bash_history" | wc -c ) + + if [[ $BH_S -lt 200 ]]; then + echo -en "\e[32m[PASS]\e[0m ${user}'s Bash History appears to have been cleared\n" + ((PASS++)) + else + echo -en "\e[41m[FAIL]\e[0m ${user}'s Bash History should be cleared to prevent sensitive information from leaking\n" + ((FAIL++)) + STATUS=2 + + fi + echo -en "\n\n" + fi + fi + done +} +function checkFirewall { + + if [[ $OS == "Ubuntu" ]]; then + fw="ufw" + ufwa=$(ufw status |head -1| sed -e "s/^Status:\ //") + if [[ $ufwa == "active" ]]; then + FW_VER="\e[32m[PASS]\e[0m Firewall service (${fw}) is active\n" + ((PASS++)) + else + FW_VER="\e[93m[WARN]\e[0m No firewall is configured. Ensure ${fw} is installed and configured\n" + ((WARN++)) + fi + elif [[ $OS == "CentOS Linux" ]]; then + if [ -f /usr/lib/systemd/system/csf.service ]; then + fw="csf" + if [[ $(systemctl status $fw >/dev/null 2>&1) ]]; then + + FW_VER="\e[32m[PASS]\e[0m Firewall service (${fw}) is active\n" + ((PASS++)) + elif cmdExists "firewall-cmd"; then + if [[ $(systemctl is-active firewalld >/dev/null 2>&1 && echo 1 || echo 0) ]]; then + FW_VER="\e[32m[PASS]\e[0m Firewall service (${fw}) is active\n" + ((PASS++)) + else + FW_VER="\e[93m[WARN]\e[0m No firewall is configured. Ensure ${fw} is installed and configured\n" + ((WARN++)) + fi + else + FW_VER="\e[93m[WARN]\e[0m No firewall is configured. Ensure ${fw} is installed and configured\n" + ((WARN++)) + fi + else + fw="firewalld" + if [[ $(systemctl is-active firewalld >/dev/null 2>&1 && echo 1 || echo 0) ]]; then + FW_VER="\e[32m[PASS]\e[0m Firewall service (${fw}) is active\n" + ((PASS++)) + else + FW_VER="\e[93m[WARN]\e[0m No firewall is configured. 
Ensure ${fw} is installed and configured\n" + ((WARN++)) + fi + fi + elif [[ "$OS" =~ Debian.* ]]; then + # user could be using a number of different services for managing their firewall + # we will check some of the most common + if cmdExists 'ufw'; then + fw="ufw" + ufwa=$(ufw status |head -1| sed -e "s/^Status:\ //") + if [[ $ufwa == "active" ]]; then + FW_VER="\e[32m[PASS]\e[0m Firewall service (${fw}) is active\n" + ((PASS++)) + else + FW_VER="\e[93m[WARN]\e[0m No firewall is configured. Ensure ${fw} is installed and configured\n" + ((WARN++)) + fi + elif cmdExists "firewall-cmd"; then + fw="firewalld" + if [[ $(systemctl is-active --quiet $fw) ]]; then + FW_VER="\e[32m[PASS]\e[0m Firewall service (${fw}) is active\n" + ((PASS++)) + else + FW_VER="\e[93m[WARN]\e[0m No firewall is configured. Ensure ${fw} is installed and configured\n" + ((WARN++)) + fi + else + # user could be using vanilla iptables, check if kernel module is loaded + fw="iptables" + if [[ $(lsmod | grep -q '^ip_tables' 2>/dev/null) ]]; then + FW_VER="\e[32m[PASS]\e[0m Firewall service (${fw}) is active\n" + ((PASS++)) + else + FW_VER="\e[93m[WARN]\e[0m No firewall is configured. Ensure ${fw} is installed and configured\n" + ((WARN++)) + fi + fi + fi + +} +function checkUpdates { + if [[ $OS == "Ubuntu" ]] || [[ "$OS" =~ Debian.* ]]; then + # Ensure /tmp exists and has the proper permissions before + # checking for security updates + # https://github.com/digitalocean/marketplace-partners/issues/94 + if [[ ! 
-d /tmp ]]; then + mkdir /tmp + fi + chmod 1777 /tmp + + echo -en "\nUpdating apt package database to check for security updates, this may take a minute...\n\n" + apt-get -y update > /dev/null + + uc=$(apt-get --just-print upgrade | grep -i "security" | wc -l) + if [[ $uc -gt 0 ]]; then + update_count=$(( ${uc} / 2 )) + else + update_count=0 + fi + + if [[ $update_count -gt 0 ]]; then + echo -en "\e[41m[FAIL]\e[0m There are ${update_count} security updates available for this image that have not been installed.\n" + echo -en + echo -en "Here is a list of the security updates that are not installed:\n" + sleep 2 + apt-get --just-print upgrade | grep -i security | awk '{print $2}' | awk '!seen[$0]++' + echo -en + ((FAIL++)) + STATUS=2 + else + echo -en "\e[32m[PASS]\e[0m There are no pending security updates for this image.\n\n" + fi + elif [[ $OS == "CentOS Linux" ]]; then + echo -en "\nChecking for available security updates, this may take a minute...\n\n" + + update_count=$(yum check-update --security --quiet | wc -l) + if [[ $update_count -gt 0 ]]; then + echo -en "\e[41m[FAIL]\e[0m There are ${update_count} security updates available for this image that have not been installed.\n" + ((FAIL++)) + STATUS=2 + else + echo -en "\e[32m[PASS]\e[0m There are no pending security updates for this image.\n" + ((PASS++)) + fi + else + echo "Error encountered" + exit 1 + fi + + return 1; +} +function checkCloudInit { + + if hash cloud-init 2>/dev/null; then + CI="\e[32m[PASS]\e[0m Cloud-init is installed.\n" + ((PASS++)) + else + CI="\e[41m[FAIL]\e[0m No valid verison of cloud-init was found.\n" + ((FAIL++)) + STATUS=2 + fi + return 1 +} +function checkMongoDB { + # Check if MongoDB is installed + # If it is, verify the version is allowed (non-SSPL) + + if [[ $OS == "Ubuntu" ]] || [[ "$OS" =~ Debian.* ]]; then + + if [[ -f "/usr/bin/mongod" ]]; then + version=$(/usr/bin/mongod --version --quiet | grep "db version" | sed -e "s/^db\ version\ v//") + + if version_gt $version 
4.0.0; then + if version_gt $version 4.0.3; then + echo -en "\e[41m[FAIL]\e[0m An SSPL version of MongoDB is present, ${version}" + ((FAIL++)) + STATUS=2 + else + echo -en "\e[32m[PASS]\e[0m The version of MongoDB installed, ${version} is not under the SSPL" + ((PASS++)) + fi + else + if version_gt $version 3.6.8; then + echo -en "\e[41m[FAIL]\e[0m An SSPL version of MongoDB is present, ${version}" + ((FAIL++)) + STATUS=2 + else + echo -en "\e[32m[PASS]\e[0m The version of MongoDB installed, ${version} is not under the SSPL" + ((PASS++)) + fi + fi + + + else + echo -en "\e[32m[PASS]\e[0m MongoDB is not installed" + ((PASS++)) + fi + + elif [[ $OS == "CentOS Linux" ]]; then + + if [[ -f "/usr/bin/mongod" ]]; then + version=$(/usr/bin/mongod --version --quiet | grep "db version" | sed -e "s/^db\ version\ v//") + + + if version_gt $version 4.0.0; then + if version_gt $version 4.0.3; then + echo -en "\e[41m[FAIL]\e[0m An SSPL version of MongoDB is present" + ((FAIL++)) + STATUS=2 + else + echo -en "\e[32m[PASS]\e[0m The version of MongoDB installed is not under the SSPL" + ((PASS++)) + fi + else + if version_gt $version 3.6.8; then + echo -en "\e[41m[FAIL]\e[0m An SSPL version of MongoDB is present" + ((FAIL++)) + STATUS=2 + else + echo -en "\e[32m[PASS]\e[0m The version of MongoDB installed is not under the SSPL" + ((PASS++)) + fi + fi + + + + else + echo -en "\e[32m[PASS]\e[0m MongoDB is not installed" + ((PASS++)) + fi + + else + echo "ERROR: Unable to identify distribution" + ((FAIL++)) + STATUS 2 + return 1 + fi + + +} + +function version_gt() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"; } + + +clear +echo "DigitalOcean Marketplace Image Validation Tool ${VERSION}" +echo "Executed on: ${RUNDATE}" +echo "Checking local system for Marketplace compatibility..." 
+ +getDistro + +echo -en "\n\e[1mDistribution:\e[0m ${OS}\n" +echo -en "\e[1mVersion:\e[0m ${VER}\n\n" + +ost=0 +osv=0 + +if [[ $OS == "Ubuntu" ]]; then + ost=1 + if [[ $VER == "20.04" ]]; then + osv=1 + elif [[ $VER == "18.04" ]]; then + osv=1 + elif [[ $VER == "16.04" ]]; then + osv=1 + else + osv=0 + fi + +elif [[ "$OS" =~ Debian.* ]]; then + ost=1 + case "$VER" in + 9) + osv=1 + ;; + 10) + osv=1 + ;; + *) + osv=2 + ;; + esac + +elif [[ $OS == "CentOS Linux" ]]; then + ost=1 + if [[ $VER == "8" ]]; then + osv=1 + elif [[ $VER == "7" ]]; then + osv=1 + elif [[ $VER == "6" ]]; then + osv=1 + else + osv=2 + fi +else + ost=0 +fi + +if [[ $ost == 1 ]]; then + echo -en "\e[32m[PASS]\e[0m Supported Operating System Detected: ${OS}\n" + ((PASS++)) +else + echo -en "\e[41m[FAIL]\e[0m ${OS} is not a supported Operating System\n" + ((FAIL++)) + STATUS=2 +fi + +if [[ $osv == 1 ]]; then + echo -en "\e[32m[PASS]\e[0m Supported Release Detected: ${VER}\n" + ((PASS++)) +elif [[ $ost == 1 ]]; then + echo -en "\e[41m[FAIL]\e[0m ${OS} ${VER} is not a supported Operating System Version\n" + ((FAIL++)) + STATUS=2 +else + echo "Exiting..." + exit 1 +fi + +checkCloudInit + +echo -en "${CI}" + +checkFirewall + +echo -en "${FW_VER}" + +checkUpdates + +loadPasswords + +checkLogs + +echo -en "\n\nChecking all user-created accounts...\n" +checkUsers + +echo -en "\n\nChecking the root account...\n" +checkRoot + +checkAgent + +checkMongoDB + + +# Summary +echo -en "\n\n---------------------------------------------------------------------------------------------------\n" + +if [[ $STATUS == 0 ]]; then + echo -en "Scan Complete.\n\e[32mAll Tests Passed!\e[0m\n" +elif [[ $STATUS == 1 ]]; then + echo -en "Scan Complete. \n\e[93mSome non-critical tests failed. Please review these items.\e[0m\e[0m\n" +else + echo -en "Scan Complete. \n\e[41mOne or more tests failed. 
Please review these items and re-test.\e[0m\n" +fi +echo "---------------------------------------------------------------------------------------------------" +echo -en "\e[1m${PASS} Tests PASSED\e[0m\n" +echo -en "\e[1m${WARN} WARNINGS\e[0m\n" +echo -en "\e[1m${FAIL} Tests FAILED\e[0m\n" +echo -en "---------------------------------------------------------------------------------------------------\n" + +if [[ $STATUS == 0 ]]; then + echo -en "We did not detect any issues with this image. Please be sure to manually ensure that all software installed on the base system is functional, secure and properly configured (or facilities for configuration on first-boot have been created).\n\n" + exit 0 +elif [[ $STATUS == 1 ]]; then + echo -en "Please review all [WARN] items above and ensure they are intended or resolved. If you do not have a specific requirement, we recommend resolving these items before image submission\n\n" + exit 0 +else + echo -en "Some critical tests failed. These items must be resolved and this scan re-run before you submit your image to the DigitalOcean Marketplace.\n\n" + exit 1 +fi diff --git a/jitsi-20-04/template.json b/jitsi-20-04/template.json new file mode 100644 index 0000000..0f8f831 --- /dev/null +++ b/jitsi-20-04/template.json 
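Review bot: In checkUsers, `if ls "${uhome}/.ssh/*"> /dev/null 2>&1; then` quotes the glob, so `ls` looks for a file literally named `*`, always fails, and every non-root account is reported as having no SSH keys — a leftover `authorized_keys` or private key under /home would pass this check silently. The root variant in checkRoot uses the unquoted form and works; change the line to `if ls "${uhome}"/.ssh/* > /dev/null 2>&1; then`. In checkMongoDB's unknown-distribution branch, `STATUS 2` runs a command named STATUS instead of assigning and should be `STATUS=2`. This file is DigitalOcean's validation tool copied in, and part of the hunk appears truncated in this view, so the rest of it was not reviewed line by line.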
@@ -0,0 +1,57 @@ +{ + "variables": { + "token": "{{env `DIGITALOCEAN_TOKEN`}}", + "image_name": "marketplace-snapshot-{{timestamp}}", + "apt_packages": "nginx" + }, + "builders": [ + { + "type": "digitalocean", + "api_token": "{{user `token`}}", + "image": "ubuntu-20-04-x64", + "region": "sfo2", + "size": "s-1vcpu-1gb", + "ssh_username": "root", + "snapshot_name": "{{user `image_name`}}" + } + ], + "provisioners": [ + { + "type": "shell", + "inline": [ + "cloud-init status --wait" + ] + }, + { + "type": "file", + "source": "files/etc/", + "destination": "/etc/" + }, + { + "type": "file", + "source": "files/var/", + "destination": "/var/" + }, + { + "type": "file", + "source": "files/root/", + "destination": "/root/" + }, + { + "type": "shell", + "inline": [ + "apt -qqy update", + "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' full-upgrade", + "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install {{user `apt_packages`}}" + ] + }, + { + "type": "shell", + "scripts": [ + "scripts/01-packages.sh", + "scripts/90-cleanup.sh", + "scripts/99-img_check.sh" + ] + } + ] +} From 09a038e99fa780e695cdf4bf08491f239b7272fd Mon Sep 17 00:00:00 2001 From: Mauricio Vargas Date: Wed, 6 Oct 2021 14:37:07 -0400 Subject: [PATCH 2/6] trying to fix openssh --- jitsi-20-04/files/etc/update-motd.d/99-one-click | 2 +- .../files/root/i-agree-to-jitsi-license.sh | 12 ++++++++---- jitsi-20-04/scripts/01-packages.sh | 15 +++++++++------ jitsi-20-04/template.json | 5 ----- 4 files changed, 18 insertions(+), 16 deletions(-) diff --git a/jitsi-20-04/files/etc/update-motd.d/99-one-click b/jitsi-20-04/files/etc/update-motd.d/99-one-click index ff16ccf..b636d8b 100755 --- a/jitsi-20-04/files/etc/update-motd.d/99-one-click +++ b/jitsi-20-04/files/etc/update-motd.d/99-one-click 
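Review bot: The file provisioner with `"source": "files/var/"` points at a directory this commit does not create (the diffstat only adds files under `files/etc/` and `files/root/`), so Packer would fail at that step before any script runs; either add the directory or drop that provisioner block. The inline `apt -qqy ...` commands use `apt`, whose CLI is documented as not stable for scripting and prints a warning when used that way; `apt-get` with the same options is the conventional choice in provisioners and is what `scripts/01-packages.sh` already uses.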
@@ -7,7 +7,7 @@ cat < echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null # update apt -apt-get -y update -apt-get -y upgrade +apt-get -yq update # requisites for jitsi -apt-get -y install ca-certificates-java coturn fontconfig-config fonts-dejavu-core fonts-lato java-common javascript-common\ +apt-get -yq install ca-certificates-java coturn fontconfig-config fonts-dejavu-core fonts-lato java-common javascript-common\ libavahi-client3 libavahi-common-data libavahi-common3 libcups2 libevent-core-2.1-7\ libevent-extra-2.1-7 libevent-openssl-2.1-7 libevent-pthreads-2.1-7 libfontconfig1 libgd3 libgraphite2-3\ libharfbuzz0b libhiredis0.14 libidn11 libjbig0 libjpeg-turbo8 libjpeg8 libjs-jquery liblcms2-2\ @@ -32,14 +34,14 @@ apt-get -y install ca-certificates-java coturn fontconfig-config fonts-dejavu-co # echo "jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)" | debconf-set-selections # install let's encrypt -apt-get -y install python3-certbot-nginx +apt-get -yq install python3-certbot-nginx # install Digital Ocean agent curl -sSL https://repos.insights.digitalocean.com/install.sh | bash # add some security echo "y" | ufw enable -apt-get -y install fail2ban +apt-get -yq install fail2ban systemctl start fail2ban systemctl enable fail2ban printf '[sshd]\nenabled = true\nport = 22\nfilter = sshd\nlogpath = /var/log/auth.log\nmaxretry = 5' | tee -a /etc/fail2ban/jail.local @@ -50,7 +52,8 @@ systemctl restart fail2ban ufw allow http ufw allow https ufw allow ssh -sudo ufw allow 10000/udp +ufw allow 4443/tcp +ufw allow 10000/udp # Disable and remove the swapfile prior to snapshotting swapoff /swapfile diff --git a/jitsi-20-04/template.json b/jitsi-20-04/template.json index 0f8f831..2f95c20 100644 --- a/jitsi-20-04/template.json +++ b/jitsi-20-04/template.json 
@@ -27,11 +27,6 @@ "source": "files/etc/", "destination": "/etc/" }, - { - "type": "file", - "source": "files/var/", - "destination": "/var/" - }, { "type": "file", "source": "files/root/", From e7e45d942ae291c051c26bef344cb4ac91f822aa Mon Sep 17 00:00:00 2001 From: Mauricio Vargas Date: Wed, 6 Oct 2021 15:04:25 -0400 Subject: [PATCH 3/6] confdef --- jitsi-20-04/scripts/01-packages.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/jitsi-20-04/scripts/01-packages.sh b/jitsi-20-04/scripts/01-packages.sh index 268d2dc..cc1c958 100644 --- a/jitsi-20-04/scripts/01-packages.sh +++ b/jitsi-20-04/scripts/01-packages.sh @@ -2,6 +2,7 @@ # non-interactive install export DEBIAN_FRONTEND=noninteractive +apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" -o " # Add a swap file to prevent build time OOM errors fallocate -l 8G /swapfile @@ -15,10 +16,11 @@ curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null # update apt -apt-get -yq update +apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" update +apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" upgrade # requisites for jitsi -apt-get -yq install ca-certificates-java coturn fontconfig-config fonts-dejavu-core fonts-lato java-common javascript-common\ +apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" install ca-certificates-java coturn fontconfig-config fonts-dejavu-core fonts-lato java-common javascript-common\ libavahi-client3 libavahi-common-data libavahi-common3 libcups2 libevent-core-2.1-7\ libevent-extra-2.1-7 libevent-openssl-2.1-7 libevent-pthreads-2.1-7 libfontconfig1 libgd3 libgraphite2-3\ libharfbuzz0b libhiredis0.14 libidn11 libjbig0 libjpeg-turbo8 libjpeg8 libjs-jquery liblcms2-2\ 
@@ -34,14 +36,14 @@ apt-get -yq install ca-certificates-java coturn fontconfig-config fonts-dejavu-c # echo "jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)" | debconf-set-selections # install let's encrypt -apt-get -yq install python3-certbot-nginx +apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" install python3-certbot-nginx # install Digital Ocean agent curl -sSL https://repos.insights.digitalocean.com/install.sh | bash # add some security echo "y" | ufw enable -apt-get -yq install fail2ban +apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" install fail2ban systemctl start fail2ban systemctl enable fail2ban printf '[sshd]\nenabled = true\nport = 22\nfilter = sshd\nlogpath = /var/log/auth.log\nmaxretry = 5' | tee -a /etc/fail2ban/jail.local From 9f1ffc1dd3470da0f76e0f7b1ad0f0bd95a86980 Mon Sep 17 00:00:00 2001 From: Mauricio Vargas Date: Wed, 6 Oct 2021 15:43:56 -0400 Subject: [PATCH 4/6] 1st setup --- .../per-instance}/i-agree-to-jitsi-license.sh | 0 jitsi-20-04/scripts/01-packages.sh | 11 +++++------ jitsi-20-04/template.json | 15 +++------------ 3 files changed, 8 insertions(+), 18 deletions(-) rename jitsi-20-04/files/{root => var/lib/cloud/scripts/per-instance}/i-agree-to-jitsi-license.sh (100%) diff --git a/jitsi-20-04/files/root/i-agree-to-jitsi-license.sh b/jitsi-20-04/files/var/lib/cloud/scripts/per-instance/i-agree-to-jitsi-license.sh similarity index 100% rename from jitsi-20-04/files/root/i-agree-to-jitsi-license.sh rename to jitsi-20-04/files/var/lib/cloud/scripts/per-instance/i-agree-to-jitsi-license.sh diff --git a/jitsi-20-04/scripts/01-packages.sh b/jitsi-20-04/scripts/01-packages.sh index cc1c958..6435820 100644 --- a/jitsi-20-04/scripts/01-packages.sh +++ b/jitsi-20-04/scripts/01-packages.sh 
@@ -2,7 +2,6 @@ # non-interactive install export DEBIAN_FRONTEND=noninteractive -apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" -o " # Add a swap file to prevent build time OOM errors fallocate -l 8G /swapfile @@ -16,11 +15,11 @@ curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null # update apt -apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" update -apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" upgrade +apt-get -qqy -o Dpkg::Options::=--force-confdef update +apt-get -qqy -o Dpkg::Options::=--force-confdef upgrade # requisites for jitsi -apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" install ca-certificates-java coturn fontconfig-config fonts-dejavu-core fonts-lato java-common javascript-common\ +apt-get -qqy -o Dpkg::Options::=--force-confdef install ca-certificates-java coturn fontconfig-config fonts-dejavu-core fonts-lato java-common javascript-common\ libavahi-client3 libavahi-common-data libavahi-common3 libcups2 libevent-core-2.1-7\ libevent-extra-2.1-7 libevent-openssl-2.1-7 libevent-pthreads-2.1-7 libfontconfig1 libgd3 libgraphite2-3\ libharfbuzz0b libhiredis0.14 libidn11 libjbig0 libjpeg-turbo8 libjpeg8 libjs-jquery liblcms2-2\ 
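Review bot: The new `apt-get -qqy -o Dpkg::Options::=--force-confdef upgrade` (and the `install` line below it) passes only `--force-confdef`; dpkg documents that confdef alone still stops to ask when a modified conffile has no default action, so even with `DEBIAN_FRONTEND=noninteractive` a build can hang or fail on such a prompt. Pair it with `-o Dpkg::Options::=--force-confold`, as the inline commands this series removes from template.json did. The same option string is repeated on five `apt-get` calls across this hunk and the one at `@@ -36,14 +35,14 @@`; if the script runs under bash (its shebang is not visible here), defining it once, e.g. `APT_OPTS=(-qqy -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold)` and calling `apt-get "${APT_OPTS[@]}" upgrade`, keeps the calls consistent.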
@@ -36,14 +35,14 @@ apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" install ca-certificates-java
 # echo "jitsi-meet-web-config jitsi-meet/cert-choice select Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)" | debconf-set-selections
 # install let's encrypt
-apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" install python3-certbot-nginx
+apt-get -qqy -o Dpkg::Options::=--force-confdef install python3-certbot-nginx
 # install Digital Ocean agent
 curl -sSL https://repos.insights.digitalocean.com/install.sh | bash
 # add some security
 echo "y" | ufw enable
-apt-get -qqy -o Dpkg::Options::=\"--force-confdef\" install fail2ban
+apt-get -qqy -o Dpkg::Options::=--force-confdef install fail2ban
 systemctl start fail2ban
 systemctl enable fail2ban
 printf '[sshd]\nenabled = true\nport = 22\nfilter = sshd\nlogpath = /var/log/auth.log\nmaxretry = 5' | tee -a /etc/fail2ban/jail.local
diff --git a/jitsi-20-04/template.json b/jitsi-20-04/template.json
index 2f95c20..9ecc7a2 100644
--- a/jitsi-20-04/template.json
+++ b/jitsi-20-04/template.json
@@ -1,8 +1,7 @@
 {
 "variables": {
 "token": "{{env `DIGITALOCEAN_TOKEN`}}",
- "image_name": "marketplace-snapshot-{{timestamp}}",
- "apt_packages": "nginx"
+ "image_name": "marketplace-snapshot-{{timestamp}}"
 },
 "builders": [
 {
@@ -29,16 +28,8 @@
 },
 {
 "type": "file",
- "source": "files/root/",
- "destination": "/root/"
- },
- {
- "type": "shell",
- "inline": [
- "apt -qqy update",
- "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' full-upgrade",
- "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install {{user `apt_packages`}}"
- ]
+ "source": "files/var/",
+ "destination": "/var/"
 },
 {
 "type": "shell",
From 8d61aa5f171b6f3888a884e113b1dfd796b04458 Mon Sep 17 00:00:00 2001
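Review bot: Copying `files/var/` onto `/var/` installs the renamed `i-agree-to-jitsi-license.sh` under `/var/lib/cloud/scripts/per-instance/`, a directory that cloud-init, if present on the base image, executes unattended as root on the first boot of every new droplet, so the license acknowledgement the filename and the MOTD describe would never actually be given by the operator, and the script's interactive `select` prompt (visible in the removed lines of the next commit) would have no terminal to read from. If the intent is that the operator consciously runs it, keeping it under `/root/` as the following commit does is the right shape; if unattended execution is intended, the script must be made non-interactive and the MOTD text should stop presenting it as an opt-in step. A short comment in the provisioner list naming which of the two is meant would prevent the path from flip-flopping again.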
From: Mauricio Vargas
Date: Wed, 6 Oct 2021 17:41:32 -0400
Subject: [PATCH 5/6] jitsi ok
---
 jitsi-20-04/files/etc/update-motd.d/99-one-click | 3 ++-
 .../complete-jitsi-setup.sh} | 11 +++-------
 jitsi-20-04/template.json | 4 ++--
 3 files changed, 7 insertions(+), 11 deletions(-)
 rename jitsi-20-04/files/{var/lib/cloud/scripts/per-instance/i-agree-to-jitsi-license.sh => root/complete-jitsi-setup.sh} (56%)
diff --git a/jitsi-20-04/files/etc/update-motd.d/99-one-click b/jitsi-20-04/files/etc/update-motd.d/99-one-click
index b636d8b..bf31d56 100755
--- a/jitsi-20-04/files/etc/update-motd.d/99-one-click
+++ b/jitsi-20-04/files/etc/update-motd.d/99-one-click
@@ -12,7 +12,8 @@ https://github.com/pachadotdev/droplet-1-clicks/tree/master/jitsi-20-04
 I you want to use this image, you agree to the Apache License. See
 https://github.com/jitsi/jitsi/blob/master/LICENSE.
-Type 'bash i-agree-to-jitsi-license.sh' to complete Jitsi setup.
+Type 'bash complete-jitsi-setup.sh' to complete Jitsi setup if and only if you
+agree to the Jitsi License.
 ********************************************************************************
 To delete this message of the day: rm -rf $(readlink -f ${0})
diff --git a/jitsi-20-04/files/var/lib/cloud/scripts/per-instance/i-agree-to-jitsi-license.sh b/jitsi-20-04/files/root/complete-jitsi-setup.sh
similarity index 56%
rename from jitsi-20-04/files/var/lib/cloud/scripts/per-instance/i-agree-to-jitsi-license.sh
rename to jitsi-20-04/files/root/complete-jitsi-setup.sh
index cfc470c..64faf2a 100755
--- a/jitsi-20-04/files/var/lib/cloud/scripts/per-instance/i-agree-to-jitsi-license.sh
+++ b/jitsi-20-04/files/root/complete-jitsi-setup.sh
@@ -11,12 +11,7 @@ apt-get upgrade
 printf "\n-------------------------\nConfiguring Jitsi for your domain\n-------------------------\n"
-echo "Have you already pointed a domain to your droplet in DigitalOcean's dashboard?"
-select yn in "Yes" "No"; do
- case $yn in
- Yes ) apt-get -y install jicofo jitsi-meet jitsi-meet-prosody jitsi-meet-turnserver jitsi-meet-web jitsi-meet-web-config jitsi-videobridge2;
- bash /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh break;;
- No ) exit;;
- esac
-done
+apt-get -y install jicofo jitsi-meet jitsi-meet-prosody jitsi-meet-turnserver jitsi-meet-web jitsi-meet-web-config jitsi-videobridge2
+
+bash /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
diff --git a/jitsi-20-04/template.json b/jitsi-20-04/template.json
index 9ecc7a2..af30b01 100644
--- a/jitsi-20-04/template.json
+++ b/jitsi-20-04/template.json
@@ -28,8 +28,8 @@
 },
 {
 "type": "file",
- "source": "files/var/",
- "destination": "/var/"
+ "source": "files/root/",
+ "destination": "/root/"
 },
 {
 "type": "shell",
From 5786de239d50b933db735482b0a6431eb86b1eae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pach=C3=A1?=
Date: Thu, 24 Feb 2022 14:57:52 -0500
Subject: [PATCH 6/6] Update 99-one-click
---
 jitsi-20-04/files/etc/update-motd.d/99-one-click | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jitsi-20-04/files/etc/update-motd.d/99-one-click b/jitsi-20-04/files/etc/update-motd.d/99-one-click
index bf31d56..cb6e3ec 100755
--- a/jitsi-20-04/files/etc/update-motd.d/99-one-click
+++ b/jitsi-20-04/files/etc/update-motd.d/99-one-click
@@ -7,7 +7,7 @@ cat <
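Review bot: The new `apt-get -y install jicofo ...` line has no status check, so if the Jitsi repository is unreachable or the install aborts, `bash /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh` on the following added line runs anyway against a half-configured host; the prompt removed here was also the only step that confirmed a DNS record already points at the droplet before a certificate is requested, and a failed issuance attempt counts against the CA's rate limits. Consider `apt-get -y install jicofo jitsi-meet jitsi-meet-prosody jitsi-meet-turnserver jitsi-meet-web jitsi-meet-web-config jitsi-videobridge2 || exit 1` together with a comment above it such as `# Assumes the public DNS record for this host already resolves to the droplet; the certificate request below fails otherwise`, or `set -e` at the top of the script. The script's header is outside this hunk.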