2fd3e0e31d
Rename live-usb service files, hook scripts, and package lists from soosef to fieldwitness. Fix remaining VERISOO_ env vars in docker compose and kubernetes configs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
40 lines
1.2 KiB
Bash
Executable File
40 lines
1.2 KiB
Bash
Executable File
#!/bin/bash
|
|
# Security hardening for the live image.
|
|
set -euo pipefail
|
|
|
|
echo "=== Applying security hardening ==="
|
|
|
|
# Disable core dumps (Python doesn't zero memory — core dumps leak keys)
|
|
echo "* hard core 0" >> /etc/security/limits.conf
|
|
echo "fs.suid_dumpable = 0" >> /etc/sysctl.d/99-fieldwitness.conf
|
|
echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/99-fieldwitness.conf
|
|
|
|
# Disable swap (keys persist in swap pages)
|
|
systemctl mask swap.target || true
|
|
echo "vm.swappiness = 0" >> /etc/sysctl.d/99-fieldwitness.conf
|
|
|
|
# Enable UFW with deny-all + allow web UI
|
|
ufw default deny incoming
|
|
ufw default allow outgoing
|
|
ufw allow 5000/tcp comment "FieldWitness Web UI"
|
|
ufw allow 22/tcp comment "SSH"
|
|
ufw --force enable || true
|
|
|
|
# Disable unnecessary services
|
|
systemctl disable bluetooth.service 2>/dev/null || true
|
|
systemctl disable avahi-daemon.service 2>/dev/null || true
|
|
systemctl disable cups.service 2>/dev/null || true
|
|
|
|
# Enable FieldWitness service
|
|
systemctl enable fieldwitness.service
|
|
|
|
# Auto-login to openbox (so the browser opens without login prompt)
|
|
mkdir -p /etc/lightdm/lightdm.conf.d
|
|
cat > /etc/lightdm/lightdm.conf.d/50-autologin.conf << 'EOF'
|
|
[Seat:*]
|
|
autologin-user=fieldwitness
|
|
autologin-user-timeout=0
|
|
EOF
|
|
|
|
echo "=== Hardening complete ==="
|