BLFS构建04-安全问题

make-ca-1.2

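# libtasn1: dependency of p11-kit. None of the downloads in this listing are
# verified; BLFS publishes md5sums for every package — check them before
# unpacking.
wget https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.13.tar.gz
tar -zxvf libtasn1-4.13.tar.gz
cd libtasn1-4.13
./configure --prefix=/usr --disable-static
make
make install
make -C doc/reference install-data-local

# p11-kit: dependency of make-ca
wget https://github.com/p11-glue/p11-kit/releases/download/0.23.15/p11-kit-0.23.15.tar.gz
tar -zxvf p11-kit-0.23.15.tar.gz
cd p11-kit-0.23.15
# Replace the tail of trust-extract-compat so that update-ca-certificates
# regenerates the trust store through make-ca instead of its own extractor
sed '20,$ d' -i trust/trust-extract-compat.in
cat >> trust/trust-extract-compat.in << "EOF"
# Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications

# Generate a new trust store
/usr/sbin/make-ca -f -g
EOF

./configure --prefix=/usr --sysconfdir=/etc --with-trust-paths=/etc/pki/anchors
make
make install
ln -s /usr/libexec/p11-kit/trust-extract-compat /usr/bin/update-ca-certificates

# make-ca itself
wget https://github.com/djlucas/make-ca/releases/download/v1.2/make-ca-1.2.tar.xz
tar xvf make-ca-1.2.tar.xz
cd make-ca-1.2
make install
# Download certdata.txt and generate the trust store. The original listing
# used the relative path "usr/sbin/make-ca", which only resolves from "/".
/usr/sbin/make-ca -g
# Expose the new bundle at the legacy location
ln -sfv /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.crt
install -vdm755 /etc/cron.weekly

# Refresh the store weekly
cat > /etc/cron.weekly/update-pki.sh << "EOF"
#!/bin/bash
/usr/sbin/make-ca -g
EOF
chmod 754 /etc/cron.weekly/update-pki.sh

# Add legacy CA certificates as local trust anchors. root.crt and class3.crt
# must already be in the working directory (fetch them on the host); the
# openssl calls only re-encode them with trust attributes.
install -vdm755 /etc/ssl/local
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning > /etc/ssl/local/CAcert_Class_1_root.pem
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning > /etc/ssl/local/CAcert_Class_3_root.pem
# Example of explicitly distrusting a CA. Every line of the command ends in
# "\"; the original listing lost the one after -fingerprint, which split the
# command in two and made the -addreject options run as a separate command.
openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
-text \
-fingerprint \
-setalias "Disabled Makebelieve CA Root" \
-addreject serverAuth \
-addreject emailProtection \
-addreject codeSigning \
> /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem
# Rebuild the store so the local anchors and rejections take effect
/usr/sbin/make-ca -r -f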

consolekit2-1.2.1

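# freetype2: dependency of fontconfig
wget https://downloads.sourceforge.net/freetype/freetype-2.9.1.tar.bz2
wget https://downloads.sourceforge.net/freetype/freetype-doc-2.9.1.tar.bz2
tar -jxvf freetype-2.9.1.tar.bz2
cd freetype-2.9.1
tar -xvf ../freetype-doc-2.9.1.tar.bz2 --strip-components=2 -C docs
# Enable the optional validation modules and sub-pixel rendering (BLFS)
sed -ri "s:.*(AUX_MODULES.*valid):\1:" modules.cfg
sed -r "s:.*(#.*SUBPIXEL_RENDERING) .*:\1:" -i include/freetype/config/ftoption.h
./configure --prefix=/usr --enable-freetype-config --disable-static
make
make install
install -v -m755 -d /usr/share/doc/freetype-2.9.1
cp -v -R docs/* /usr/share/doc/freetype-2.9.1
rm -v /usr/share/doc/freetype-2.9.1/freetype-config.1

# fontconfig: dependency of the Xorg libraries
wget https://www.freedesktop.org/software/fontconfig/release/fontconfig-2.13.1.tar.bz2
tar -jxvf fontconfig-2.13.1.tar.bz2
cd fontconfig-2.13.1
rm -f src/fcobjshash.h
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --disable-docs --docdir=/usr/share/doc/fontconfig-2.13.1
make
make install
install -v -dm755 /usr/share/{man/man{1,3,5},doc/fontconfig-2.13.1/fontconfig-devel}
install -v -m644 fc-*/*.1 /usr/share/man/man1
install -v -m644 doc/*.3 /usr/share/man/man3
install -v -m644 doc/fonts-conf.5 /usr/share/man/man5
install -v -m644 doc/fontconfig-devel/* /usr/share/doc/fontconfig-2.13.1/fontconfig-devel
install -v -m644 doc/*.{pdf,sgml,txt,html} /usr/share/doc/fontconfig-2.13.1
## Configuration files:
##   /etc/fonts/*, /etc/fonts/conf.d/* and /usr/share/fontconfig/conf.avail/*
## (in the original listing this was a bare line and would have been executed)

# Xorg build environment shared by every X package below
mkdir xc
cd xc
export XORG_PREFIX="/usr"
export XORG_CONFIG="--prefix=$XORG_PREFIX --sysconfdir=/etc --localstatedir=/var --disable-static"
# Unquoted delimiter on purpose: $XORG_PREFIX is expanded now, the escaped
# \$XORG_PREFIX is written literally for the login shell to expand
cat > /etc/profile.d/xorg.sh << EOF
XORG_PREFIX="$XORG_PREFIX"
XORG_CONFIG="--prefix=\$XORG_PREFIX --sysconfdir=/etc --localstatedir=/var --disable-static"
export XORG_PREFIX XORG_CONFIG
EOF

chmod 644 /etc/profile.d/xorg.sh

# pathappend is the helper defined by the LFS /etc/profile
cat >> /etc/profile.d/xorg.sh << "EOF"

pathappend $XORG_PREFIX/bin PATH
pathappend $XORG_PREFIX/lib/pkgconfig PKG_CONFIG_PATH
pathappend $XORG_PREFIX/share/pkgconfig PKG_CONFIG_PATH

pathappend $XORG_PREFIX/lib LIBRARY_PATH
pathappend $XORG_PREFIX/include C_INCLUDE_PATH
pathappend $XORG_PREFIX/include CPLUS_INCLUDE_PATH

ACLOCAL="aclocal -I $XORG_PREFIX/share/aclocal"

export PATH PKG_CONFIG_PATH ACLOCAL LIBRARY_PATH C_INCLUDE_PATH CPLUS_INCLUDE_PATH
EOF

echo "$XORG_PREFIX/lib" >> /etc/ld.so.conf
sed "s@/usr/X11R6@$XORG_PREFIX@g" -i /etc/man_db.conf
# Compatibility link for software that hard-codes /usr/share/X11. With
# XORG_PREFIX=/usr (as set above) the original unconditional link would have
# pointed /usr/share/X11 into itself, so only create it for another prefix.
if [ "$XORG_PREFIX" != "/usr" ]; then
  ln -svf $XORG_PREFIX/share/X11 /usr/share/X11
fi
# Legacy /usr/X11R6 location (harmless with /usr: it just points at /usr)
ln -svf $XORG_PREFIX /usr/X11R6

# util-macros: dependency of xorgproto
wget https://www.x.org/pub/individual/util/util-macros-1.19.2.tar.bz2
tar -jxvf util-macros-1.19.2.tar.bz2
cd util-macros-1.19.2
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make install

# xorgproto-2018.4: dependency of libXau (the original listing lost the
# "wget" in front of this URL, so the tarball was never fetched)
wget https://xorg.freedesktop.org/archive/individual/proto/xorgproto-2018.4.tar.bz2
tar -jxvf xorgproto-2018.4.tar.bz2
cd xorgproto-2018.4
mkdir build
cd build
meson --prefix=/usr .. && ninja
ninja install
install -vdm 755 $XORG_PREFIX/share/doc/xorgproto-2018.4
install -vm 644 ../[^m]*.txt ../PM_spec $XORG_PREFIX/share/doc/xorgproto-2018.4

# libXau: dependency of libxcb
wget https://www.x.org/pub/individual/lib/libXau-1.0.9.tar.bz2
tar -jxvf libXau-1.0.9.tar.bz2
cd libXau-1.0.9
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make install

# xcb-proto: dependency of libxcb
wget https://xcb.freedesktop.org/dist/xcb-proto-1.13.tar.bz2
tar -jxvf xcb-proto-1.13.tar.bz2
cd xcb-proto-1.13
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make install

# libxcb: dependency of the Xorg libraries
wget https://xcb.freedesktop.org/dist/libxcb-1.13.1.tar.bz2
tar -jxvf libxcb-1.13.1.tar.bz2
cd libxcb-1.13.1
# Drop the pthread-stubs requirement from configure (BLFS)
sed -i "s/pthread-stubs//" configure
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --disable-static --without-doxygen --docdir='${datadir}'/doc/libxcb-1.13.1
make
make install

# Xorg libraries: dependency of ConsoleKit. The md5 list below drives both
# the download and the integrity check.
cat > lib-7.md5 << "EOF"
c5ba432dd1514d858053ffe9f4737dd8 xtrans-1.3.5.tar.bz2
034fdd6cc5393974d88aec6f5bc96162 libX11-1.6.7.tar.bz2
52df7c4c1f0badd9f82ab124fb32eb97 libXext-1.3.3.tar.bz2
d79d9fe2aa55eb0f69b1a4351e1368f7 libFS-1.0.7.tar.bz2
addfb1e897ca8079531669c7c7711726 libICE-1.0.9.tar.bz2
87c7fad1c1813517979184c8ccd76628 libSM-1.2.3.tar.bz2
eeea9d5af3e6c143d0ea1721d27a5e49 libXScrnSaver-1.2.3.tar.bz2
8f5b5576fbabba29a05f3ca2226f74d3 libXt-1.1.5.tar.bz2
41d92ab627dfa06568076043f3e089e4 libXmu-1.1.2.tar.bz2
20f4627672edb2bd06a749f11aa97302 libXpm-3.5.12.tar.bz2
e5e06eb14a608b58746bdd1c0bd7b8e3 libXaw-1.0.13.tar.bz2
07e01e046a0215574f36a3aacb148be0 libXfixes-5.0.3.tar.bz2
f7a218dcbf6f0848599c6c36fc65c51a libXcomposite-0.4.4.tar.bz2
802179a76bded0b658f4e9ec5e1830a4 libXrender-0.9.10.tar.bz2
58fe3514e1e7135cf364101e714d1a14 libXcursor-1.1.15.tar.bz2
0cf292de2a9fa2e9a939aefde68fd34f libXdamage-1.1.4.tar.bz2
0920924c3a9ebc1265517bdd2f9fde50 libfontenc-1.1.3.tar.bz2
b7ca87dfafeb5205b28a1e91ac3efe85 libXfont2-2.0.3.tar.bz2
331b3a2a3a1a78b5b44cfbd43f86fcfe libXft-2.3.2.tar.bz2
1f0f2719c020655a60aee334ddd26d67 libXi-1.7.9.tar.bz2
0d5f826a197dae74da67af4a9ef35885 libXinerama-1.1.4.tar.bz2
28e486f1d491b757173dd85ba34ee884 libXrandr-1.5.1.tar.bz2
5d6d443d1abc8e1f6fc1c57fb27729bb libXres-1.2.0.tar.bz2
ef8c2c1d16a00bd95b9fdcef63b8a2ca libXtst-1.2.3.tar.bz2
210b6ef30dda2256d54763136faa37b9 libXv-1.0.11.tar.bz2
4cbe1c1def7a5e1b0ed5fce8e512f4c6 libXvMC-1.0.10.tar.bz2
d7dd9b9df336b7dd4028b6b56542ff2c libXxf86dga-1.1.4.tar.bz2
298b8fff82df17304dfdb5fe4066fe3a libXxf86vm-1.1.4.tar.bz2
d2f1f0ec68ac3932dd7f1d9aa0a7a11c libdmx-1.1.4.tar.bz2
8f436e151d5106a9cfaa71857a066d33 libpciaccess-0.14.tar.bz2
4a4cfeaf24dab1b991903455d6d7d404 libxkbfile-1.0.9.tar.bz2
42dda8016943dc12aff2c03a036e0937 libxshmfence-1.3.tar.bz2
EOF

# Fetch every tarball and check it against the list; do not continue past a
# failed md5sum -c (md5 is weak, but it is the only check BLFS ships here)
mkdir lib &&
cd lib &&
grep -v '^#' ../lib-7.md5 | awk '{print $2}' | wget -i- -c \
-B https://www.x.org/pub/individual/lib/ &&
md5sum -c ../lib-7.md5
## Start a shell that stops at the first failing command; the loop below is
## typed into that shell
bash -e
## Build and install every library from the list, in order (as root)
for package in $(grep -v '^#' ../lib-7.md5 | awk '{print $2}')
do
  packagedir=${package%.tar.bz2}
  tar -xf $package
  pushd $packagedir
  # Per-package configure tweaks (BLFS)
  case $packagedir in
    libICE* )
      ./configure $XORG_CONFIG ICE_LIBS=-lpthread
      ;;

    libXfont2-[0-9]* )
      ./configure $XORG_CONFIG --disable-devel-docs
      ;;

    libXt-[0-9]* )
      ./configure $XORG_CONFIG \
      --with-appdefaultdir=/etc/X11/app-defaults
      ;;

    * )
      ./configure $XORG_CONFIG
      ;;
  esac
  make
  #make check 2>&1 | tee ../$packagedir-make_check.log
  make install
  popd
  rm -rf $packagedir
  /sbin/ldconfig
done

# dbus-glib-0.110: dependency of ConsoleKit
wget https://dbus.freedesktop.org/releases/dbus-glib/dbus-glib-0.110.tar.gz
tar -zxvf dbus-glib-0.110.tar.gz
cd dbus-glib-0.110
# NOTE(review): the messagebus user/group and the configure options below
# (--with-console-auth-dir, --with-system-pid-file, --with-system-socket,
# --docdir=.../dbus-1.12.12) are the ones used for the dbus daemon itself,
# not for dbus-glib — confirm they were not pasted from the dbus-1.12.12
# instructions. The listing also ends here, without make / make install.
groupadd -g 18 messagebus
useradd -c "D-Bus Message Daemon User" -d /var/run/dbus -u 18 -g messagebus -s /bin/false messagebus
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --disable-doxygen-docs --disable-xml-docs --disable-static --docdir=/usr/share/doc/dbus-1.12.12 --with-console-auth-dir=/run/console --with-system-pid-file=/run/dbus/pid --with-system-socket=/run/dbus/system_bus_socket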

cracklib

# cracklib-2.9.6 plus its word list; the dictionary built at the end is the
# one referenced later by pam_cracklib / pam_pwquality (dictpath=/lib/cracklib/pw_dict)
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/c/cracklib-2.9.6.tar.gz \
  http://ftp.lfs-matrix.net/pub/blfs/8.4/c/cracklib-words-2.9.6.gz
tar -zxvf cracklib-2.9.6.tar.gz
cd cracklib-2.9.6
# BLFS-prescribed tweak to the packer utility, then configure with the
# dictionary location the PAM files below expect
sed -i '/skipping/d' util/packer.c &&
./configure --prefix=/usr --disable-static --with-default-dict=/lib/cracklib/pw_dict &&
make

# Install, move the runtime library to /lib and re-point the /usr/lib symlink
make install &&
mv -v /usr/lib/libcrack.so.* /lib &&
ln -sfv ../../lib/$(readlink /usr/lib/libcrack.so) /usr/lib/libcrack.so
# Word list: install, unpack, link as /usr/share/dict/words, and add the
# hostname as an extra word (presumably so it is rejected as a password)
install -v -m644 -D ../cracklib-words-2.9.6.gz /usr/share/dict/cracklib-words.gz &&
gunzip -v /usr/share/dict/cracklib-words.gz &&
ln -v -sf cracklib-words /usr/share/dict/words &&
echo $(hostname) >> /usr/share/dict/cracklib-extra-words &&
install -v -m755 -d /lib/cracklib &&
create-cracklib-dict /usr/share/dict/cracklib-words /usr/share/dict/cracklib-extra-words

gnupg

  • gnupg
# gnupg-2.2.13 (its libraries — libassuan, libgcrypt, libgpg-error, libksba,
# npth — are built in the next listing and must be installed first)
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/g/gnupg-2.2.13.tar.bz2
tar -jxvf gnupg-2.2.13.tar.bz2
cd gnupg-2.2.13
# Install gpg-zip as a regular sbin script instead of leaving it uninstalled
sed -i -e '/noinst_SCRIPTS = gpg-zip/c sbin_SCRIPTS += gpg-zip' tools/Makefile.in

./configure --prefix=/usr --docdir=/usr/share/doc/gnupg-2.2.13 --enable-symcryptrun
make

# Render the manual as a single HTML page and as plain text
makeinfo --html --no-split -o doc/gnupg_nochunks.html doc/gnupg.texi &&
makeinfo --plaintext -o doc/gnupg.txt doc/gnupg.texi
make install

# Documentation
install -v -m755 -d /usr/share/doc/gnupg-2.2.13/html &&
install -v -m644 doc/gnupg_nochunks.html /usr/share/doc/gnupg-2.2.13/html/gnupg.html &&
install -v -m644 doc/*.texi doc/gnupg.txt /usr/share/doc/gnupg-2.2.13
  • gnupg依赖libassuan,libgcrypt,libgpg-error,libksba和npth
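# libgpg-error goes first: libassuan, libgcrypt and libksba all link against
# it, so the original order (libassuan before libgpg-error) fails at configure
wget https://www.gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.35.tar.bz2
tar -jxvf libgpg-error-1.35.tar.bz2
cd libgpg-error-1.35
./configure --prefix=/usr
make
make install
install -v -m644 -D README /usr/share/doc/libgpg-error-1.35/README

# libassuan. The original listing downloaded the gnupg tarball here, so the
# tar of libassuan-2.5.3.tar.bz2 that follows could never succeed.
wget https://www.gnupg.org/ftp/gcrypt/libassuan/libassuan-2.5.3.tar.bz2
tar -jxvf libassuan-2.5.3.tar.bz2
cd libassuan-2.5.3
./configure --prefix=/usr
make
make install

# libgcrypt
wget https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.bz2
tar -jxvf libgcrypt-1.8.4.tar.bz2
cd libgcrypt-1.8.4
./configure --prefix=/usr
make
# Render the manual as a single HTML page and as plain text
makeinfo --html --no-split -o doc/gcrypt_nochunks.html doc/gcrypt.texi &&
makeinfo --plaintext -o doc/gcrypt.txt doc/gcrypt.texi

make install

install -v -dm755 /usr/share/doc/libgcrypt-1.8.4 &&
install -v -m644 README doc/{README.apichanges,fips*,libgcrypt*} \
/usr/share/doc/libgcrypt-1.8.4

# libksba
wget https://www.gnupg.org/ftp/gcrypt/libksba/libksba-1.3.5.tar.bz2
tar -jxvf libksba-1.3.5.tar.bz2
cd libksba-1.3.5
./configure --prefix=/usr
make
make install

# npth
wget https://www.gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2
tar -jxvf npth-1.6.tar.bz2
cd npth-1.6
./configure --prefix=/usr
make
make install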

gnutls

  • gnutls
# gnutls-3.6.6 (nettle, built in the next listing, must be installed first)
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/g/gnutls-3.6.6.tar.xz
tar xvf gnutls-3.6.6.tar.xz
cd gnutls-3.6.6

# "pkcs11:" makes the p11-kit trust store set up in the make-ca section the
# default CA source
./configure --prefix=/usr --with-included-unistring --with-default-trust-store-pkcs11="pkcs11:" --disable-guile
make
make install
make -C doc/reference install-data-local
  • gnutls依赖nettle
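# nettle-3.4.1: dependency of gnutls. The original listing had "wget wget",
# which also tries to fetch a file literally named "wget".
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/g/nettle-3.4.1.tar.gz
tar -zxvf nettle-3.4.1.tar.gz
cd nettle-3.4.1
./configure --prefix=/usr --disable-static
make
# The shared objects are installed non-executable; make them 755 (BLFS)
make install &&
chmod -v 755 /usr/lib/lib{hogweed,nettle}.so &&
install -v -m755 -d /usr/share/doc/nettle-3.4.1 &&
install -v -m644 nettle.html /usr/share/doc/nettle-3.4.1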

gpgme

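# gpgme-1.12.0 (the original listing had "wget wget")
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/g/gpgme-1.12.0.tar.bz2
tar -jxvf gpgme-1.12.0.tar.bz2
cd gpgme-1.12.0
# --disable-gpg-test skips the tests that need a running gpg-agent
./configure --prefix=/usr --disable-gpg-test
make
make install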

haveged

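# haveged-1.9.2 (the original listing had "wget wget")
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/h/haveged-1.9.2.tar.gz
tar -zxvf haveged-1.9.2.tar.gz
cd haveged-1.9.2
./configure --prefix=/usr
make
make install
mkdir -pv /usr/share/doc/haveged-1.9.2 &&
cp -v README /usr/share/doc/haveged-1.9.2
# Boot script (starts haveged at boot)
cd /sources/blfs-bootscripts-20180105/
make install-haveged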

iptables

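# iptables-1.8.2 (the original listing had "wget wget", which also tries to
# fetch a file literally named "wget")
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/i/iptables-1.8.2.tar.bz2
tar -jxvf iptables-1.8.2.tar.bz2
cd iptables-1.8.2

./configure --prefix=/usr \
--sbindir=/sbin \
--disable-nftables \
--enable-libipq \
--with-xtlibdir=/lib/xtables &&
make

# Install, then move the runtime libraries to /lib and re-point the /usr/lib
# development symlinks
make install &&
ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &&

for file in ip4tc ip6tc ipq iptc xtables
do
mv -v /usr/lib/lib${file}.so.* /lib &&
ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done

# Boot script
cd /sources/blfs-bootscripts-20180105/
make install-iptables

# Firewall rules (BLFS "personal firewall"). The boot script runs
# /etc/rc.d/rc.iptables, so the file has to exist before the service is
# started; the original listing started the service first. Note that the
# rules and sysctl settings are IPv4-only — ip6tables is left untouched.
cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh

# Begin rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables
EOF
chmod 700 /etc/rc.d/rc.iptables
# The last INPUT rule logs every packet that reaches it with no rate limit;
# on an exposed host that can flood the system log — consider adding
# "-m limit" to that rule.
/etc/rc.d/init.d/iptables start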

libcap

  • libcap
# libcap-2.26: only the PAM module is built here (libcap itself is
# presumably already installed from LFS). Needs Linux-PAM, next listing.
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/l/libcap-2.26.tar.xz
tar -xvf libcap-2.26.tar.xz
cd libcap-2.26
make -C pam_cap
# Module into the PAM securedir, its config into /etc/security
install -v -m755 pam_cap/pam_cap.so /lib/security && install -v -m644 pam_cap/capability.conf /etc/security
  • libcap依赖linux-pam
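# Linux-PAM-1.3.0 (the original listing had "wget wget" on the docs line)
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/l/Linux-PAM-1.3.0.tar.bz2
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/l/Linux-PAM-1.2.0-docs.tar.bz2
tar -jxvf Linux-PAM-1.3.0.tar.bz2
cd Linux-PAM-1.3.0
# NOTE(review): the docs tarball is versioned 1.2.0 while the sources are
# 1.3.0 — confirm this pairing is intended.
tar -xf ../Linux-PAM-1.2.0-docs.tar.bz2 --strip-components=1
./configure --prefix=/usr \
--sysconfdir=/etc \
--libdir=/usr/lib \
--disable-regenerate-docu \
--enable-securedir=/lib/security \
--docdir=/usr/share/doc/Linux-PAM-1.3.0 &&
make

# Temporary deny-everything fallback: nothing is permitted while the real
# service files below are still missing
install -v -m755 -d /etc/pam.d &&

cat > /etc/pam.d/other << "EOF"
auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so
EOF

# unix_chkpwd is the setuid helper pam_unix uses to check passwords on behalf
# of unprivileged callers (BLFS default mode 4755)
make install &&
chmod -v 4755 /sbin/unix_chkpwd &&

for file in pam pam_misc pamc
do
mv -v /usr/lib/lib${file}.so.* /lib &&
ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done

# Linux-PAM configuration. The system-* files are included by the
# per-service files written later (login, su, sudo, ...).
cat > /etc/pam.d/system-account << "EOF" &&
# Begin /etc/pam.d/system-account

account required pam_unix.so

# End /etc/pam.d/system-account
EOF

cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth

auth required pam_unix.so

# End /etc/pam.d/system-auth
EOF

cat > /etc/pam.d/system-session << "EOF"
# Begin /etc/pam.d/system-session

session required pam_unix.so

# End /etc/pam.d/system-session
EOF

# Password quality via pam_cracklib; the libpwquality section later replaces
# this file with a pam_pwquality version
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_cracklib)
password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
minlen=9 dcredit=1 ucredit=1 \
lcredit=1 ocredit=1 minclass=0 \
maxrepeat=0 maxsequence=0 \
maxclassrepeat=0 \
dictpath=/lib/cracklib/pw_dict
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_cracklib
# above (or any previous modules)
password required pam_unix.so sha512 shadow use_authtok

# End /etc/pam.d/system-password
EOF

# Replace the temporary "other" with the BLFS default: log the attempt
# (pam_warn) and then deny it. The original listing printed these lines bare,
# where the shell would have tried to run "auth", "account", ... as commands
# instead of writing the file.
cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so

# End /etc/pam.d/other
EOF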

liboauth

  • liboauth
# liboauth-1.0.3 with the BLFS patch that makes it build against OpenSSL 1.1
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/l/liboauth-1.0.3.tar.gz \
  http://www.linuxfromscratch.org/patches/blfs/8.4/liboauth-1.0.3-openssl-1.1.0-3.patch
tar -zxvf liboauth-1.0.3.tar.gz
cd liboauth-1.0.3
patch -Np1 -i ../liboauth-1.0.3-openssl-1.1.0-3.patch
./configure --disable-static --prefix=/usr &&
make
make install
# HTML API documentation
install -v -dm755 /usr/share/doc/liboauth-1.0.3 && cp -rv doc/html/* /usr/share/doc/liboauth-1.0.3
  • curl
# curl-7.64.0; --with-ca-path points it at the per-certificate directory
# populated by make-ca
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/c/curl-7.64.0.tar.xz
tar xvf curl-7.64.0.tar.xz
cd curl-7.64.0
./configure --prefix=/usr --with-ca-path=/etc/ssl/certs --enable-threaded-resolver --disable-static &&
make

make install &&

# Strip build leftovers and man-page sources from docs before installing them
rm -rf docs/examples/.deps &&
find docs \( -name Makefile\* -o -name \*.1 -o -name \*.3 \) -exec rm {} \; &&
install -v -d -m755 /usr/share/doc/curl-7.64.0 &&
cp -v -R docs/* /usr/share/doc/curl-7.64.0

libpwquality

# libpwquality-1.4.0: pam_pwquality replaces pam_cracklib in system-password
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/l/libpwquality-1.4.0.tar.bz2
tar -jxvf libpwquality-1.4.0.tar.bz2
cd libpwquality-1.4.0
./configure --prefix=/usr --with-python-binary=python3 --with-securedir=/lib/security --disable-static &&
make
make install
# Keep the pam_cracklib version as .orig and write the pam_pwquality one
mv /etc/pam.d/system-password{,.orig} &&
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_pwquality)
password required pam_pwquality.so authtok_type=UNIX retry=1 difok=1 \
minlen=8 dcredit=0 ucredit=0 \
lcredit=0 ocredit=0 minclass=1 \
maxrepeat=0 maxsequence=0 \
maxclassrepeat=0 geoscheck=0 \
dictcheck=1 usercheck=1 \
enforcing=1 badwords="" \
dictpath=/lib/cracklib/pw_dict
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_pwquality
# above (or any previous modules)
password required pam_unix.so sha512 shadow use_authtok

# End /etc/pam.d/system-password
EOF

krb5

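wget http://ftp.lfs-matrix.net/pub/blfs/8.4/k/krb5-1.17.tar.gz
tar -zxvf krb5-1.17.tar.gz
cd krb5-1.17

cd src &&

# Test-suite tweaks (BLFS)
sed -i -e 's@\^u}@^u cols 300}@' tests/dejagnu/config/default.exp &&
sed -i -e '/eq 0/{N;s/12 //}' plugins/kdb/db2/libdb2/test/run.test &&

./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/lib \
--with-system-et \
--with-system-ss \
--with-system-verto=no \
--enable-dns-for-realm &&
make
make install &&

# Make the installed shared libraries executable
for f in gssapi_krb5 gssrpc k5crypto kadm5clnt kadm5srv \
kdb5 kdb_ldap krad krb5 krb5support verto ; do

find /usr/lib -type f -name "lib$f*.so*" -exec chmod -v 755 {} \;
done &&

# Runtime libraries go to /lib; the development symlinks stay in /usr/lib
mv -v /usr/lib/libkrb5.so.3* /lib &&
mv -v /usr/lib/libk5crypto.so.3* /lib &&
mv -v /usr/lib/libkrb5support.so.0* /lib &&

ln -v -sf ../../lib/libkrb5.so.3.3 /usr/lib/libkrb5.so &&
ln -v -sf ../../lib/libk5crypto.so.3.1 /usr/lib/libk5crypto.so &&
ln -v -sf ../../lib/libkrb5support.so.0.1 /usr/lib/libkrb5support.so &&

# ksu moves to /bin and is set to plain 0755 (no setuid bit)
mv -v /usr/bin/ksu /bin &&
chmod -v 755 /bin/ksu &&

install -v -dm755 /usr/share/doc/krb5-1.17 &&
cp -vfr ../doc/* /usr/share/doc/krb5-1.17

# Configuration. Every <...> below is a placeholder for your realm/host
# names; dict_file points at the cracklib word list installed earlier.
cat > /etc/krb5.conf << "EOF"
# Begin /etc/krb5.conf

[libdefaults]
default_realm = <EXAMPLE.ORG>
encrypt = true

[realms]
<EXAMPLE.ORG> = {
kdc = <belgarath.example.org>
admin_server = <belgarath.example.org>
dict_file = /usr/share/dict/words
}

[domain_realm]
.<example.org> = <EXAMPLE.ORG>

[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH
default = SYSLOG:DEBUG:DAEMON

# End /etc/krb5.conf
EOF
# Create the KDC database; -s writes a stash file so the KDC can start without
# prompting. The master password entered here cannot be recovered — store it
# safely. Replace the <...> placeholders before running: left literal, the
# shell parses "<EXAMPLE.ORG>" as input/output redirections.
kdb5_util create -r <EXAMPLE.ORG> -s
# The indented lines are an interactive kadmin.local session, not shell
# commands (the original listing printed them bare, where "kadmin.local:"
# would be run as a command): start kadmin.local and type them at its prompt.
kadmin.local
#   kadmin.local: add_policy dict-only
#   kadmin.local: addprinc -policy dict-only <loginname>
#   kadmin.local: addprinc -randkey host/<belgarath.example.org>
#   kadmin.local: ktadd host/<belgarath.example.org>
/usr/sbin/krb5kdc
kinit <loginname>
klist
# Interactive ktutil session: list the keytab entries written by ktadd
ktutil
#   ktutil: rkt /etc/krb5.keytab
#   ktutil: l

# Boot script
cd /sources/blfs-bootscripts-20180105/
make install-krb5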

nss

  • nss
# nss-3.42.1 (nspr, built in the next listing, must be installed first)
wget https://archive.mozilla.org/pub/security/nss/releases/NSS_3_42_1_RTM/src/nss-3.42.1.tar.gz
wget http://www.linuxfromscratch.org/patches/blfs/8.4/nss-3.42.1-standalone-1.patch
tar -zxvf nss-3.42.1.tar.gz
cd nss-3.42.1

# Optional make variables, set only when the condition holds (empty otherwise)
use64=$([ $(uname -m) = x86_64 ] && echo USE_64=1)
sysqlite=$([ -f /usr/include/sqlite3.h ] && echo NSS_USE_SYSTEM_SQLITE=1)

# BLFS "standalone" patch (its name suggests it lets NSS build against the
# system NSPR without the rest of the Mozilla tree — confirm)
patch -Np1 -i ../nss-3.42.1-standalone-1.patch &&

cd nss &&

make -j1 BUILD_OPT=1 NSPR_INCLUDE_DIR=/usr/include/nspr USE_SYSTEM_ZLIB=1 ZLIB_LIBS=-lz NSS_ENABLE_WERROR=0 $use64 $sysqlite

# Manual install from the dist tree: libraries, headers, tools, pkg-config
cd ../dist &&
install -v -m755 Linux*/lib/*.so /usr/lib &&
install -v -m644 Linux*/lib/{*.chk,libcrmf.a} /usr/lib &&
install -v -m755 -d /usr/include/nss &&
cp -v -RL {public,private}/nss/* /usr/include/nss &&
chmod -v 644 /usr/include/nss/* &&
install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &&
install -v -m644 Linux*/lib/pkgconfig/nss.pc /usr/lib/pkgconfig

# nss configuration: nothing further was given in the original listing
  • nss依赖nspr
# nspr-4.20: dependency of nss
wget https://archive.mozilla.org/pub/nspr/releases/v4.20/src/nspr-4.20.tar.gz
tar -zxvf nspr-4.20.tar.gz
cd nspr-4.20

# Build the 64-bit variant only on x86_64 (empty otherwise)
bits=$([ $(uname -m) = x86_64 ] && echo --enable-64bit)

cd nspr &&
# Do not install the compile-time test programs or the static library (BLFS)
sed -ri 's#^(RELEASE_BINS =).*#\1#' pr/src/misc/Makefile.in &&
sed -i 's#$(LIBRARY) ##' config/rules.mk &&
./configure --prefix=/usr --with-pthreads --with-mozilla $bits &&
make

make install

polkit

  • polkit
# polkit-0.115 and its BLFS security patch. The listing stops here: the patch
# is downloaded but never applied, and polkit is neither built nor installed.
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/p/polkit-0.115.tar.gz \
  http://www.linuxfromscratch.org/patches/blfs/8.4/polkit-0.115-security_patch-3.patch

  • polkit依赖js52
# SpiderMonkey for polkit. The heading says js52, but the tarball fetched is
# mozjs-60.1.0 (the original "#zip" label was wrong — zip is built further
# down). The listing ends after cd, so no build/install step is given.
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/m/mozjs-60.1.0.tar.bz2 && tar -jxvf mozjs-60.1.0.tar.bz2
cd mozjs-60.1.0
  • js52依赖zip
# Info-ZIP 3.0: dependency of SpiderMonkey
wget https://downloads.sourceforge.net/infozip/zip30.tar.gz
tar -zxvf zip30.tar.gz
cd zip30
# No configure script; the Unix makefile carries the targets
make -f unix/Makefile generic_gcc
make -f unix/Makefile prefix=/usr MANDIR=/usr/share/man/man1 install

# ICU 63.1: dependency of SpiderMonkey (the tarball unpacks into "icu")
wget http://download.icu-project.org/files/icu4c/63.1/icu4c-63_1-src.tgz
tar -zxvf icu4c-63_1-src.tgz
cd icu/source &&
./configure --prefix=/usr &&
make
make install

shadow

  • 如果你已经安装了cracklib和linux-pam,需要重新安装shadow
# shadow-4.6, rebuilt so that login/su/passwd/... use the Linux-PAM files
# created above (BLFS instructions)
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/s/shadow-4.6.tar.xz
tar -xvf shadow-4.6.tar.xz
cd shadow-4.6

# Do not install the "groups" program or its man page (coreutils provides
# one), nor the getspnam(3) and passwd(5) pages shipped by other packages
sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&

find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &&
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &&

# Hash passwords with SHA-512 instead of DES and use /var/mail for spools
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
-e 's@/var/spool/mail@/var/mail@' etc/login.defs &&

# First regular UID/GID becomes 999 instead of 1000
sed -i 's/1000/999/' etc/useradd &&

./configure --sysconfdir=/etc --with-group-name-max-length=32 &&
make

# passwd must be available before /usr is mounted
make install &&
mv -v /usr/bin/passwd /bin

# Configuration: useradd should not create mail spools
sed -i 's/yes/no/' /etc/default/useradd

# /etc/login.defs: comment out the settings that the PAM modules configured
# below take over (the original is kept as login.defs.orig)
install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in FAIL_DELAY \
FAILLOG_ENAB \
LASTLOG_ENAB \
MAIL_CHECK_ENAB \
OBSCURE_CHECKS_ENAB \
PORTTIME_CHECKS_ENAB \
QUOTAS_ENAB \
CONSOLE MOTD_FILE \
FTMP_FILE NOLOGINS_FILE \
ENV_HZ PASS_MIN_LEN \
SU_WHEEL_ONLY \
CRACKLIB_DICTPATH \
PASS_CHANGE_TRIES \
PASS_ALWAYS_WARN \
CHFN_AUTH ENCRYPT_METHOD \
ENVIRON_FILE
do
sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
done

# /etc/pam.d/login: the console login stack; it includes the system-* files
# written in the Linux-PAM section
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth optional pam_faildelay.so delay=3000000

# Check to make sure that the user is allowed to login
auth requisite pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth required pam_securetty.so

# Additional group memberships - disabled by default
#auth optional pam_group.so

# include system auth settings
auth include system-auth

# check access for the user
account required pam_access.so

# include system account settings
account include system-account

# Set default environment variables for the user
session required pam_env.so

# Set resource limits for the user
session required pam_limits.so

# Display date of last login - Disabled by default
#session optional pam_lastlog.so

# Display the message of the day - Disabled by default
#session optional pam_motd.so

# Check user's mail - Disabled by default
#session optional pam_mail.so standard quiet

# include system session and password settings
session include system-session
password include system-password

# End /etc/pam.d/login
EOF

# /etc/pam.d/passwd: password changes go through system-password
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password include system-password

# End /etc/pam.d/passwd
EOF

# /etc/pam.d/su: root always allowed; everyone else must be in wheel AND
# authenticate (the password-less wheel line stays commented out)
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

# always allow root
auth sufficient pam_rootok.so

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth sufficient pam_wheel.so trust use_uid

# include system auth settings
auth include system-auth

# limit su to users in the wheel group
auth required pam_wheel.so use_uid

# include system account settings
account include system-account

# Set default environment variables for the service user
session required pam_env.so

# include system session settings
session include system-session

# End /etc/pam.d/su
EOF

# /etc/pam.d/chage; also the template for the account-management tools below
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

# always allow root
auth sufficient pam_rootok.so

# include system auth, account, and session settings
auth include system-auth
account include system-account
session include system-session

# Always permit for authentication updates
password required pam_permit.so

# End /etc/pam.d/chage
EOF

# Remaining shadow programs: copy the chage file and rename the service
# inside it
for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
groupmems groupmod newusers useradd userdel usermod
do
install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done

# Login access control is now done by pam_access; the old file is set aside
[ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}
# Resource limits are now done by pam_limits; the old file is set aside
[ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}

stunnel

# stunnel-5.50
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/s/stunnel-5.50.tar.gz
tar -zxvf stunnel-5.50.tar.gz
cd stunnel-5.50

# Unprivileged account the daemon drops to (setuid/setgid in the config below)
groupadd -g 51 stunnel &&
useradd -c "stunnel Daemon" -d /var/lib/stunnel -g stunnel -s /bin/false -u 51 stunnel

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --disable-systemd &&
make
make docdir=/usr/share/doc/stunnel-5.50 install
# The chroot directory and the run/ subdirectory that receives the pid file
install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run && chown stunnel:stunnel /var/lib/stunnel

# The config references /etc/stunnel/stunnel.pem, which nothing in this
# listing creates: generate or install that certificate/key file, readable
# by root only, before the boot script starts stunnel.
cat >/etc/stunnel/stunnel.conf << "EOF"
; File: /etc/stunnel/stunnel.conf

; Note: The pid and output locations are relative to the chroot location.

pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert = /etc/stunnel/stunnel.pem

;debug = 7
;output = stunnel.log

;[https]
;accept = 443
;connect = 80
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

EOF

# Boot script
cd /sources/blfs-bootscripts-20180105/
make install-stunnel

sudo

# sudo-1.8.27
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/s/sudo-1.8.27.tar.gz
tar -zxvf sudo-1.8.27.tar.gz
cd sudo-1.8.27
./configure --prefix=/usr --libexecdir=/usr/lib --docdir=/usr/share/doc/sudo-1.8.27 \
  --with-secure-path --with-env-editor --with-all-insults \
  --with-passprompt="[sudo] password for %p: " &&
make
# The helper library is installed under /usr/lib/sudo; restore its soname link
make install && ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0

# sudo configuration: fixed PATH for sudo-run commands, and members of wheel
# may run anything (with their own password)
cat > /etc/sudoers.d/sudo << "EOF"
Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
%wheel ALL=(ALL) ALL
EOF

# PAM stack for sudo, built from the system-* files
cat > /etc/pam.d/sudo << "EOF"
# Begin /etc/pam.d/sudo

# include the default auth settings
auth include system-auth

# include the default account settings
account include system-account

# Set default environment variables for the service user
session required pam_env.so

# include system session defaults
session include system-session

# End /etc/pam.d/sudo
EOF
chmod 644 /etc/pam.d/sudo

tripwire

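# tripwire-2.4.3.7 (file integrity checker)
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/t/tripwire-open-source-2.4.3.7.tar.gz
tar -zxvf tripwire-open-source-2.4.3.7.tar.gz
cd tripwire-open-source-2.4.3.7

# Installer settings: allow overwriting, database under /var, man pages and
# docs under /usr/share
sed -e '/^CLOBBER/s/false/true/' \
-e 's|TWDB="${prefix}|TWDB="/var|' \
-e '/TWMAN/ s|${prefix}|/usr/share|' \
-e '/TWDOCS/s|${prefix}/doc/tripwire|/usr/share/doc/tripwire-2.4.3.7|' \
-i installer/install.cfg &&

# Do not install internal headers
find . -name Makefile.am | xargs \
sed -i 's/^[[:alpha:]_]*_HEADERS.*=/noinst_HEADERS =/' &&

sed '/dist/d' -i man/man?/Makefile.am &&
autoreconf -fi &&

./configure --prefix=/usr --sysconfdir=/etc/tripwire &&
make

# The original listing jumped from make straight to twadmin, which needs the
# installed binaries and the site key (presumably generated by the installer
# run during make install — it prompts for the site and local passphrases).
make install

# Sign the policy file and take the initial baseline
twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
/etc/tripwire/twpol.txt &&
tripwire --init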

volume_key

  • volume_key
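# volume_key-0.3.12 (needs cryptsetup and json-c, built in the listings that
# follow, to be installed first). The tarball unpacks into
# volume_key-volume_key-0.3.12.
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/v/volume_key-0.3.12.tar.gz
tar -zxvf volume_key-0.3.12.tar.gz
cd volume_key-volume_key-0.3.12/
autoreconf -fiv &&
./configure --prefix=/usr --without-python &&
make
# The original listing stopped after make; install like every other package
make install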

  • volume_key依赖cryptsetup
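# cryptsetup-2.0.6: dependency of volume_key. Every other listing on this
# page runs as root, so the stray "sudo" on the download was dropped for
# consistency (make install below needs root anyway).
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/c/cryptsetup-2.0.6.tar.xz
tar -xvf cryptsetup-2.0.6.tar.xz
cd cryptsetup-2.0.6
./configure --prefix=/usr \
--with-crypto_backend=openssl &&
make

make install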
  • cryptsetup的依赖json-c
# json-c-0.13.1: dependency of cryptsetup
wget http://ftp.lfs-matrix.net/pub/blfs/8.4/j/json-c-0.13.1.tar.gz
tar -zxvf json-c-0.13.1.tar.gz
cd json-c-0.13.1

./configure --disable-static --prefix=/usr && make
make install

文章作者: rack-leen
文章链接: http://yoursite.com/2019/06/12/BLFS/BLFS%E6%9E%84%E5%BB%BA04-%E5%AE%89%E5%85%A8%E9%97%AE%E9%A2%98/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 rack-leen's blog