wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-09-07 04:24:08 +02:00
Code Issues Projects Releases Wiki Activity

Merge branch 'master' into local_openssl_tasks

Browse source
This commit is contained in:
Jack Ivanov 2017-01-22 23:18:48 +03:00 committed by GitHub
commit a4113c9e88
12 changed files with 80 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.travis.yml
View file

@ -45,7 +45,7 @@ install:
script: script:
- ansible-playbook deploy.yml --syntax-check - ansible-playbook deploy.yml --syntax-check
- ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y" --skip-tags apparmor - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
after_script: after_script:
- ./tests/update-users.sh - ./tests/update-users.sh

51
README.md
View file

@ -33,7 +33,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua
macOS: `sudo easy_install pip && sudo pip install --ignore-install -r requirements.txt` macOS: `sudo easy_install pip && sudo pip install --ignore-install -r requirements.txt`
Linux (deb-based): `sudo easy_install pip && sudo apt-get update && sudo apt-get install build-essential libssl-dev libffi-dev python-dev && sudo pip install -r requirements.txt` Linux (deb-based): `sudo apt-get update && sudo apt-get install python-pip build-essential libssl-dev libffi-dev python-dev -y && sudo pip install -r requirements.txt`
Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/pre-install_redhat_centos_6.x.md) Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/pre-install_redhat_centos_6.x.md)
@ -125,54 +125,7 @@ OpenVPN does not have out-of-the-box client support on any major desktop or mobi
Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free-, Open-, and HardenedBSD. Follow along or contribute to our BSD support in [this issue](https://github.com/trailofbits/algo/issues/35). Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free-, Open-, and HardenedBSD. Follow along or contribute to our BSD support in [this issue](https://github.com/trailofbits/algo/issues/35).
## Troubleshooting ## [Troubleshooting](docs/Troubleshooting.md)
### Error: "You have not agreed to the Xcode license agreements"
On macOS, did you try to install the dependencies with pip and encounter the following error?
```
Downloading cffi-1.9.1.tar.gz (407kB): 407kB downloaded
Running setup.py (path:/private/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi
You have not agreed to the Xcode license agreements, please run 'xcodebuild -license' (for user-level acceptance) or 'sudo xcodebuild -license' (for system-wide acceptance) from within a Terminal window to review and agree to the Xcode license agreements.
No working compiler found, or bogus compiler options
passed to the compiler from Python's distutils module.
See the error messages above.
(If they are about -mno-fused-madd and you are on OS/X 10.8,
see http://stackoverflow.com/questions/22313407/ .)
----------------------------------------
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /private/tmp/pip_build_root/cffi
Storing debug log for failure in /Users/algore/Library/Logs/pip.log
```
The Xcode compiler is installed but requires you to accept its license agreement prior to using it. Run `xcodebuild -license` to agree and then retry installing the dependencies.
### Error: "fatal error: 'openssl/opensslv.h' file not found"
On macOS, did you try to install pycrypto and encounter the following error?
```
build/temp.macosx-10.12-intel-2.7/_openssl.c:434:10: fatal error: 'openssl/opensslv.h' file not found
#include <openssl/opensslv.h>
^
1 error generated.
error: command 'cc' failed with exit status 1
----------------------------------------
Cleaning up...
Command /usr/bin/python -c "import setuptools, tokenize;__file__='/private/tmp/pip_build_root/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-sREEE5-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /private/tmp/pip_build_root/cryptography
Storing debug log for failure in /Users/algore/Library/Logs/pip.log
```
You are running an old version of `pip` that cannot build the `pycrypto` dependency. Upgrade to a new version of `pip` by running `sudo pip install -U pip`.
### Little Snitch is broken when connected to the VPN ### Little Snitch is broken when connected to the VPN

2
ansible.cfg
View file

@ -3,7 +3,7 @@ inventory = inventory
pipelining = True pipelining = True
retry_files_enabled = False retry_files_enabled = False
host_key_checking = False host_key_checking = False
timeout = 30 timeout = 60
[paramiko_connection] [paramiko_connection]
record_host_keys = False record_host_keys = False

2
deploy.yml
View file

@ -7,7 +7,7 @@
pre_tasks: pre_tasks:
- name: Local pre-tasks - name: Local pre-tasks
include: playbooks/local.yml include: playbooks/local.yml
tags: [ 'cloud' ] tags: [ 'always' ]
roles: roles:
- { role: cloud-digitalocean, tags: ['digitalocean'] } - { role: cloud-digitalocean, tags: ['digitalocean'] }

50
docs/Troubleshooting.md Normal file
View file

@ -0,0 +1,50 @@
### Error: "You have not agreed to the Xcode license agreements"
On macOS, did you try to install the dependencies with pip and encounter the following error?
```
Downloading cffi-1.9.1.tar.gz (407kB): 407kB downloaded
Running setup.py (path:/private/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi
You have not agreed to the Xcode license agreements, please run 'xcodebuild -license' (for user-level acceptance) or 'sudo xcodebuild -license' (for system-wide acceptance) from within a Terminal window to review and agree to the Xcode license agreements.
No working compiler found, or bogus compiler options
passed to the compiler from Python's distutils module.
See the error messages above.
(If they are about -mno-fused-madd and you are on OS/X 10.8,
see http://stackoverflow.com/questions/22313407/ .)
----------------------------------------
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /private/tmp/pip_build_root/cffi
Storing debug log for failure in /Users/algore/Library/Logs/pip.log
```
The Xcode compiler is installed but requires you to accept its license agreement prior to using it. Run `xcodebuild -license` to agree and then retry installing the dependencies.
### Error: "fatal error: 'openssl/opensslv.h' file not found"
On macOS, did you try to install pycrypto and encounter the following error?
```
build/temp.macosx-10.12-intel-2.7/_openssl.c:434:10: fatal error: 'openssl/opensslv.h' file not found
#include <openssl/opensslv.h>
^
1 error generated.
error: command 'cc' failed with exit status 1
----------------------------------------
Cleaning up...
Command /usr/bin/python -c "import setuptools, tokenize;__file__='/private/tmp/pip_build_root/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-sREEE5-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /private/tmp/pip_build_root/cryptography
Storing debug log for failure in /Users/algore/Library/Logs/pip.log
```
You are running an old version of `pip` that cannot build the `pycrypto` dependency. Upgrade to a new version of `pip` by running `sudo pip install -U pip`.
### Various parts of the internet appear to be offline through the VPN
The issue may related to the MTU size, try to use `ping` with the don't fragment bit and various packet size in order to determine the MTU size for your network and set up this properly on the physical adapter.

7
playbooks/common.yml
View file

@ -5,3 +5,10 @@
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
tags: tags:
- update-alternatives - update-alternatives
- name: Ensure the algo ssh key exist on the server
authorized_key:
user: "{{ ansible_ssh_user }}"
state: present
key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
tags: [ 'always' ]

3
requirements.txt
View file

@ -1,4 +1,4 @@
ansible>=2.1 ansible>=2.1,<2.2.1
dopy==0.3.5 dopy==0.3.5
boto>=2.5 boto>=2.5
boto3 boto3
@ -6,3 +6,4 @@ azure==2.0.0rc5
apache-libcloud apache-libcloud
six six
pyopenssl pyopenssl
jinja2==2.8

9
roles/common/tasks/main.yml
View file

@ -94,3 +94,12 @@
sysctl: name=net.ipv6.conf.all.forwarding value=1 sysctl: name=net.ipv6.conf.all.forwarding value=1
tags: tags:
- always - always
- name: Check apparmor support
shell: apparmor_status
ignore_errors: yes
register: apparmor_status
- set_fact:
apparmor_enabled: true
when: '"profiles are in enforce mode" in apparmor_status.stdout'

2
roles/dns_adblocking/tasks/main.yml
View file

@ -6,6 +6,7 @@
- name: Dnsmasq profile for apparmor configured - name: Dnsmasq profile for apparmor configured
template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600 template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
when: apparmor_enabled is defined and apparmor_enabled == true
notify: notify:
- restart dnsmasq - restart dnsmasq
@ -14,6 +15,7 @@
- name: Enforce the dnsmasq AppArmor policy - name: Enforce the dnsmasq AppArmor policy
shell: aa-enforce usr.sbin.dnsmasq shell: aa-enforce usr.sbin.dnsmasq
when: apparmor_enabled is defined and apparmor_enabled == true
tags: ['apparmor'] tags: ['apparmor']
- name: Ensure that the dnsmasq service directory exist - name: Ensure that the dnsmasq service directory exist

2
roles/proxy/tasks/main.yml
View file

@ -14,11 +14,13 @@
- name: Privoxy profile for apparmor configured - name: Privoxy profile for apparmor configured
template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600 template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600
when: apparmor_enabled is defined and apparmor_enabled == true
notify: notify:
- restart privoxy - restart privoxy
- name: Enforce the privoxy AppArmor policy - name: Enforce the privoxy AppArmor policy
shell: aa-enforce usr.sbin.privoxy shell: aa-enforce usr.sbin.privoxy
when: apparmor_enabled is defined and apparmor_enabled == true
tags: ['apparmor'] tags: ['apparmor']
- name: Ensure that the privoxy service directory exist - name: Ensure that the privoxy service directory exist

1
roles/vpn/tasks/main.yml
View file

@ -21,6 +21,7 @@
- name: Enforcing ipsec with apparmor - name: Enforcing ipsec with apparmor
shell: aa-enforce "{{ item }}" shell: aa-enforce "{{ item }}"
when: apparmor_enabled is defined and apparmor_enabled == true
with_items: with_items:
- /usr/lib/ipsec/charon - /usr/lib/ipsec/charon
- /usr/lib/ipsec/lookip - /usr/lib/ipsec/lookip

2
roles/vpn/templates/client_ipsec.conf.j2
View file

@ -3,7 +3,7 @@ conn ikev2-{{ IP_subject_alt_name }}
rekey=no rekey=no
dpdaction=clear dpdaction=clear
keyexchange=ikev2 keyexchange=ikev2
compress=yes compress=no
dpddelay=35s dpddelay=35s
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}