diff options
Diffstat (limited to 'straper/db/public/users')
| -rw-r--r-- | straper/db/public/users/groups-sanitized.txt | 80 | ||||
| -rw-r--r-- | straper/db/public/users/login-users.txt | 3 | ||||
| -rw-r--r-- | straper/db/public/users/login.defs | 192 | ||||
| -rw-r--r-- | straper/db/public/users/passwd-sanitized.txt | 50 | ||||
| -rw-r--r-- | straper/db/public/users/shells | 11 | ||||
| -rw-r--r-- | straper/db/public/users/sshd_config | 133 |
6 files changed, 469 insertions, 0 deletions
diff --git a/straper/db/public/users/groups-sanitized.txt b/straper/db/public/users/groups-sanitized.txt new file mode 100644 index 0000000..55c01eb --- /dev/null +++ b/straper/db/public/users/groups-sanitized.txt @@ -0,0 +1,80 @@ +root:0 +daemon:1 +bin:2 +sys:3 +adm:4 +tty:5 +disk:6 +lp:7 +mail:8 +news:9 +uucp:10 +man:12 +proxy:13 +kmem:15 +dialout:20 +fax:21 +voice:22 +cdrom:24 +floppy:25 +tape:26 +sudo:27 +audio:29 +dip:30 +www-data:33 +backup:34 +operator:37 +list:38 +irc:39 +src:40 +shadow:42 +utmp:43 +video:44 +sasl:45 +plugdev:46 +staff:50 +games:60 +users:100 +nogroup:65534 +systemd-journal:999 +systemd-network:998 +crontab:997 +input:996 +sgx:995 +clock:994 +kvm:993 +render:992 +netdev:101 +messagebus:991 +systemd-timesync:990 +_ssh:102 +bluetooth:103 +lukasz:1000 +systemd-resolve:988 +polkitd:986 +borg:1001 +borgbrowse:1002 +docker:989 +tcpdump:104 +mysql:105 +plocate:106 +ssl-cert:107 +prosody:108 +uuidd:109 +prometheus:111 +grafana:112 +msmtp:110 +postfix:113 +postdrop:114 +vlock:115 +tss:116 +fwupd-refresh:985 +lufi:987 +ice:117 +mumble-server:118 +avahi:119 +unbound:120 +alloy:984 +debian-tor:121 +i2pd:122 +gopher:123 diff --git a/straper/db/public/users/login-users.txt b/straper/db/public/users/login-users.txt new file mode 100644 index 0000000..3636d59 --- /dev/null +++ b/straper/db/public/users/login-users.txt @@ -0,0 +1,3 @@ +root home=/root shell=/bin/bash +lukasz home=/home/lukasz shell=/usr/bin/zsh +borg home=/home/borg shell=/bin/bash diff --git a/straper/db/public/users/login.defs b/straper/db/public/users/login.defs new file mode 100644 index 0000000..91d3ec4 --- /dev/null +++ b/straper/db/public/users/login.defs @@ -0,0 +1,192 @@ +# +# /etc/login.defs - Configuration control definitions for the shadow package. +# + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable display of unknown usernames when login(1) failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format similar to "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions for terminals after login(1). +# These settings are ignored for remote and other logins. +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +#TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +ERASECHAR 0177 +KILLCHAR 025 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +HOME_MODE 0700 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd(8) +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 101 +#SYS_UID_MAX 999 +# Extra per user uids +SUB_UID_MIN 100000 +SUB_UID_MAX 600100000 +SUB_UID_COUNT 65536 + +# +# Min/max values for automatic gid selection in groupadd(8) +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 101 +#SYS_GID_MAX 999 +# Extra per user group ids +SUB_GID_MIN 100000 +SUB_GID_MAX 600100000 +SUB_GID_COUNT 65536 + +# +# Max number of login(1) retries if password is bad +# This will most likely be overriden by PAM, since the default pam_unix module +# has it's own built in of 3 retries. However, this is a safe fallback in case +# you are using an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login(1) +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn(1) - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# If set to MD5, MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password +# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +ENCRYPT_METHOD YESCRYPT + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# The pwck(8) utility emits a warning for any system account with a home +# directory that does not exist. Some system accounts intentionally do +# not have a home directory. Such accounts may have this string as +# their home directory in /etc/passwd to avoid a spurious warning. +# +NONEXISTENT /nonexistent + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel(8) will remove the user's group if it contains no more +# members, and useradd(8) will create by default a group with the name of the +# user. +# +# Other former uses of this variable are not used in PAM environments, such as +# Debian. +# +USERGROUPS_ENAB yes diff --git a/straper/db/public/users/passwd-sanitized.txt b/straper/db/public/users/passwd-sanitized.txt new file mode 100644 index 0000000..79fc10b --- /dev/null +++ b/straper/db/public/users/passwd-sanitized.txt @@ -0,0 +1,50 @@ +root:0:0:root:/root:/bin/bash +daemon:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:2:2:bin:/bin:/usr/sbin/nologin +sys:3:3:sys:/dev:/usr/sbin/nologin +sync:4:65534:sync:/bin:/bin/sync +games:5:60:games:/usr/games:/usr/sbin/nologin +man:6:12:man:/var/cache/man:/usr/sbin/nologin +lp:7:7:lp:/var/spool/lpd:/usr/sbin/nologin +mail:8:8:mail:/var/mail:/usr/sbin/nologin +news:9:9:news:/var/spool/news:/usr/sbin/nologin +uucp:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin +proxy:13:13:proxy:/bin:/usr/sbin/nologin +www-data:33:33:www-data:/var/www:/usr/sbin/nologin +backup:34:34:backup:/var/backups:/usr/sbin/nologin +list:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin +irc:39:39:ircd:/run/ircd:/usr/sbin/nologin +_apt:42:65534::/nonexistent:/usr/sbin/nologin +nobody:65534:65534:nobody:/nonexistent:/usr/sbin/nologin +systemd-network:998:998:systemd Network Management:/:/usr/sbin/nologin +dhcpcd:100:65534:DHCP Client Daemon:/usr/lib/dhcpcd:/bin/false +messagebus:991:991:System Message Bus:/nonexistent:/usr/sbin/nologin +systemd-timesync:990:990:systemd Time Synchronization:/:/usr/sbin/nologin +sshd:989:65534:sshd user:/run/sshd:/usr/sbin/nologin +lukasz:1000:1000:lukasz,,,:/home/lukasz:/usr/bin/zsh +systemd-resolve:988:988:systemd Resolver:/:/usr/sbin/nologin +dnsmasq:987:65534:dnsmasq:/var/lib/misc:/usr/sbin/nologin +polkitd:986:986:User for polkitd:/:/usr/sbin/nologin +borg:1001:1001::/home/borg:/bin/bash +tcpdump:101:104::/nonexistent:/usr/sbin/nologin +mysql:102:105:MariaDB Server:/nonexistent:/bin/false +prosody:103:108:Prosody XMPP Server:/var/lib/prosody:/usr/sbin/nologin +uuidd:104:109::/run/uuidd:/usr/sbin/nologin +usbmux:105:46:usbmux daemon:/var/lib/usbmux:/usr/sbin/nologin +prometheus:107:111:Prometheus daemon:/var/lib/prometheus:/usr/sbin/nologin +grafana:108:112::/usr/share/grafana:/bin/false +msmtp:106:110::/var/lib/msmtp:/usr/sbin/nologin +postfix:109:113:Postfix MTA:/var/spool/postfix:/usr/sbin/nologin +tss:110:116:TPM software stack:/var/lib/tpm:/bin/false +fwupd-refresh:985:985:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin +lufi:999:987::/srv/lufi:/usr/sbin/nologin +ice:111:117:Ice Service account:/var/lib/ice:/usr/sbin/nologin +mumble-server:112:118::/var/lib/mumble-server:/usr/sbin/nologin +avahi:113:119:Avahi mDNS daemon:/run/avahi-daemon:/usr/sbin/nologin +unbound:114:120::/var/lib/unbound:/usr/sbin/nologin +loki:115:65534::/nonexistent:/bin/false +promtail:116:65534::/nonexistent:/bin/false +alloy:997:984:alloy user:/var/lib/alloy:/sbin/nologin +debian-tor:117:121::/var/lib/tor:/bin/false +i2pd:118:122::/var/lib/i2pd:/usr/sbin/nologin +gopher:119:123::/var/gopher:/usr/sbin/nologin diff --git a/straper/db/public/users/shells b/straper/db/public/users/shells new file mode 100644 index 0000000..ee9995a --- /dev/null +++ b/straper/db/public/users/shells @@ -0,0 +1,11 @@ +# /etc/shells: valid login shells +/bin/sh +/usr/bin/sh +/bin/bash +/usr/bin/bash +/bin/rbash +/usr/bin/rbash +/usr/bin/dash +/usr/bin/tmux +/bin/zsh +/usr/bin/zsh diff --git a/straper/db/public/users/sshd_config b/straper/db/public/users/sshd_config new file mode 100644 index 0000000..e7bec65 --- /dev/null +++ b/straper/db/public/users/sshd_config @@ -0,0 +1,133 @@ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +Include /etc/ssh/sshd_config.d/*.conf + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to "no" here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to "yes" to enable keyboard-interactive authentication. Depending on +# the system's configuration, this may involve passwords, challenge-response, +# one-time passwords or some combination of these and other methods. +# Beware issues with some PAM modules and threads. +KbdInteractiveAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the KbdInteractiveAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via KbdInteractiveAuthentication may bypass +# the setting of "PermitRootLogin prohibit-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and KbdInteractiveAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale and color environment variables +AcceptEnv LANG LC_* COLORTERM NO_COLOR + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server +# === custom hardening === +Port 57385 +PermitRootLogin no +PasswordAuthentication no +PubkeyAuthentication yes +MaxAuthTries 3 +LoginGraceTime 30 +AllowUsers lukasz borg + |
