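# Copyright (C) 2011-2012 Tresys Technology, LLC
# Copyright (C) 2013 Cubic Corporation
#
# Authors: Spencer Shimko <sshimko@tresys.com>
# Spencer Shimko <spencer@quarksecurity.com>
#
# These values can be used to tweak the build to facilitate development and debugging.
# Every CONFIG_BUILD_* flag below is a y/n token unless stated otherwise; the values are
# checked once at parse time (see "STOP USER CONFIG") and a bad value aborts the build.
# CONFIG_BUILD_ENFORCING_MODE is used to put the system in permissive mode or enforcing mode after install.
# CONFIG_BUILD_REMEDIATE openscap (oscap) audits the system using SCAP content then remediates issues by
# modifying the system to resolve identified problems. CLIP uses oscap in
# %post of the kickstart. If this is set to "n" oscap is used to audit but
# not remediate. You can still remediate at run-time after deployment.
# CONFIG_BUILD_UNCONFINED_TOOR allows the toor user to run the unconfined (read->all powerful) toor_r:toor_t role.
# Normally the toor user is confined in the sysadm_r:sysadm_t role.
# CONFIG_BUILD_ENABLE_DHCP enable DHCP for all network interfaces
# CONFIG_BUILD_VPN_ENABLE_TOOR enable toor user for vpn variant
# CONFIG_BUILD_ENABLE_SSH_6 enable OpenSSH version 6 with modern crypto and the Secure Secure Shell configuration.
# This includes support for ED25519 and RSA keys and disables weak algorithms.
# See here for info on the configuration: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# CONFIG_BUILD_SELINUX_POL_TYPE Set this to mcs or mls depending on the policy you need to build
# Note: these variables and values will be inserted into /root/clip-info.txt for inspection at run-time.
CONFIG_BUILD_ENFORCING_MODE := y
CONFIG_BUILD_REMEDIATE := y
CONFIG_BUILD_UNCONFINED_TOOR := y
CONFIG_BUILD_ENABLE_DHCP := n
CONFIG_BUILD_VPN_ENABLE_TOOR := n
CONFIG_BUILD_ENABLE_SSH_6 := n
CONFIG_BUILD_SELINUX_POL_TYPE := mcs
# List of RPMs that are pre-rolled. These will be linked into our custom yum repo during the build process.
# Once referenced here you can start using them in the kickstart.
# NOTE: You could perform the same task by putting the packages in a directory, creating a yum repo, then adding the path
# to CONFIG_REPOS.
# PRE_ROLLED_PACKAGES := "/home/joeuser/lha-1.14i-19.2.2.el6.rf.x86_64.rpm"
# The ISO_VERSION field doesn't alter functionality at all. The variable name and value will appear in /root/clip-info.txt.
# This provides a way to figure out what version of your repo was used to generate the ISO once it is installed. E.g.
# Tester: "My install is busted."
# Developer: "What version do you have installed?"
# Tester: "I don't know. How do I figure that out?"
# Developer: "Run '# cat /root/clip-info.txt' and send me the output."
#
# The value is the abbreviated hash of HEAD (7 hex digits). `test -e .git` accepts both a
# plain .git directory and the .git *file* a `git worktree` checkout uses, while still refusing
# to pick up an unrelated repository that merely contains this tree. `git rev-parse --short=7`
# replaces the old `git log | head | awk substr(..,0,7)` pipeline, which actually yielded
# only 6 characters (awk positions start at 1) and depended on `git log`'s human-readable layout.
ISO_VERSION := $(strip $(shell test -e .git && git rev-parse --short=7 HEAD 2>/dev/null))
ifeq ($(strip $(ISO_VERSION)),)
# Not a git checkout (or git is unavailable): fall back to a fixed placeholder version.
ISO_VERSION := 0.1
endif
################################################
### STOP USER CONFIG
################################################
# The values below probably won't have to change.
#
# Validate the user-facing knobs before anything consumes them. The CONFIG_BUILD_* values are
# spliced verbatim (unquoted) into CONFIG_BUILD_BASH_VARS and from there into the kickstart %post,
# so a stray value would reach the shell as-is; failing here turns that into a parse-time error.
config_build_yn_flags := CONFIG_BUILD_ENFORCING_MODE CONFIG_BUILD_REMEDIATE CONFIG_BUILD_UNCONFINED_TOOR CONFIG_BUILD_ENABLE_DHCP CONFIG_BUILD_VPN_ENABLE_TOOR CONFIG_BUILD_ENABLE_SSH_6
$(foreach flag,$(config_build_yn_flags),$(if $(filter y n,$(strip $($(flag)))),,$(error $(flag) must be 'y' or 'n', got '$($(flag))')))
ifeq ($(filter mcs mls,$(strip $(CONFIG_BUILD_SELINUX_POL_TYPE))),)
$(error CONFIG_BUILD_SELINUX_POL_TYPE must be 'mcs' or 'mls', got '$(CONFIG_BUILD_SELINUX_POL_TYPE)')
endif
# This variable can be leveraged by sub-makes (eg in the packages/foo/Makefile).
# if files at this top-level should trigger a rebuild.
ADDTL_DEPS := $(CURDIR)/CONFIG_REPOS $(CURDIR)/CONFIG_BUILD $(CURDIR)/Makefile
# Translate the CONFIG_BUILD_* flags into BASH vars that we insert into things like a kickstart %post.
# Only the flags listed here are exported into the shell environment of the generated scripts;
# the remaining CONFIG_BUILD_* values are exported to sub-makes (see `export` below) but not to %post.
CONFIG_BUILD_BASH_VARS := export CONFIG_BUILD_ENFORCING_MODE=$(strip $(CONFIG_BUILD_ENFORCING_MODE)) CONFIG_BUILD_UNCONFINED_TOOR=$(strip $(CONFIG_BUILD_UNCONFINED_TOOR)) CONFIG_BUILD_REMEDIATE=$(strip $(CONFIG_BUILD_REMEDIATE)) ISO_VERSION=$(strip $(ISO_VERSION)) CONFIG_BUILD_ENABLE_DHCP=$(strip $(CONFIG_BUILD_ENABLE_DHCP))
# Typically we are rolling builds on the target arch. Changing this may have dire consequences.
# (read -> hasn't been tested at all and may result in broken builds and ultimately the end of the universe as we know it).
# NOTE(review): `uname -i` prints "unknown" on some distributions; `uname -m` is the portable
# alternative if that ever bites. Left as-is because downstream Makefiles may rely on the exact value.
TARGET_ARCH := $(shell uname -i)
# Quiet down the build output a bit.
QUIET := n
export TARGET_ARCH ADDTL_DEPS QUIET CONFIG_BUILD_BASH_VARS CONFIG_BUILD_ENFORCING_MODE CONFIG_BUILD_UNCONFINED_TOOR ISO_VERSION CONFIG_BUILD_REMEDIATE CONFIG_BUILD_ENABLE_DHCP CONFIG_BUILD_VPN_ENABLE_TOOR CONFIG_BUILD_SELINUX_POL_TYPE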