Avoid nfs altogether

e634287f · Bob Mottram · 33b7625b · e634287f · e634287f · e634287f
Commit e634287f authored 7 years ago by Bob Mottram
--- a/src/freedombone-image-customise
+++ b/src/freedombone-image-customise
@@ -1039,7 +1039,6 @@ function image_setup_utils {
    chroot "$rootdir" apt-get -yq dist-upgrade
    chroot "$rootdir" apt-get -yq install ca-certificates
    chroot "$rootdir" apt-get -yq install apt-utils
-    chroot "$rootdir" apt-get -yq install nfs-kernel-server

    if [[ $ARCHITECTURE == 'amd64' ]]; then
        chroot "$rootdir" apt-get -yq install linux-image-amd64
@@ -1206,7 +1205,7 @@ function image_setup_utils {
    chroot "$rootdir" apt-get -yq install tripwire

    # filesystem optimisations
-    sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' $rootdir/etc/fstab
+    #sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' $rootdir/etc/fstab
 }

 function image_install_nodejs {

--- a/src/freedombone-tests
+++ b/src/freedombone-tests
@@ -844,26 +844,6 @@ function test_stig {
    output "V-38641" $? ${SETLANG}
    ################

-    ##RHEL-06-000269
-    ##Remote file systems must be mounted with the nodev option.
-    if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
-        bash $STIG_TESTS_DIR/check-nfs.sh nodev >/dev/null 2>&1 &
-
-        stig_spinner $!
-        output "V-38652" $? ${SETLANG}
-    fi
-    ################
-
-    ##RHEL-06-000270
-    ##Remote file systems must be mounted with the nosuid option.
-    if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
-        bash $STIG_TESTS_DIR/check-nfs.sh nosuid >/dev/null 2>&1 &
-
-        stig_spinner $!
-        output "V-38654" $? ${SETLANG}
-    fi
-    ################
-
    ##RHEL-06-000271
    ##The noexec option must be added to removable media partitions.
    if [ "$(grep -Hv ^0$ /sys/block/*/removable | sed s/removable:.*$/device\\/uevent/ | xargs grep -H ^DRIVER=sd | sed s/device.uevent.*$/size/ | xargs grep -Hv ^0$ | cut -d / -f 4 | wc -l)" -gt 0 ];then
@@ -946,15 +926,6 @@ function test_stig {
    output "V-38675" $? ${SETLANG}
    ################

-    ##RHEL-06-000309
-    ##The NFS server must not have the insecure file locking option enabled.
-
-    bash $STIG_TESTS_DIR/check-nfs-insecure.sh > /dev/null 2>&1 &
-
-    stig_spinner $!
-    output "V-38677" $? ${SETLANG}
-    ################
-
    ##RHEL-06-000319
    ##The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.

@@ -1046,15 +1017,6 @@ function test_stig {
    output "V-38462" $? ${SETLANG}
    ################

-    ##RHEL-06-000515
-    ##The NFS server must not have the all_squash option enabled.
-
-    bash $STIG_TESTS_DIR/check-nfs-all-squash.sh > /dev/null 2>&1 &
-
-    stig_spinner $!
-    output "V-38460" $? ${SETLANG}
-    ################
-
    ##RHEL-06-000523
    ##The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.


--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -381,15 +381,6 @@ function create_completion_file {
    fi
 }

-function disable_nfs_insecure_locks {
-    apt-get -yq install nfs-kernel-server
-    if grep 'insecure_locks' /etc/exports; then
-        sed -i 's|,insecure_locks||g' /etc/exports
-        sed -i 's|insecure_locks,||g' /etc/exports
-        exportfs -a
-    fi
-}
-
 function remove_management_engine_interface {
    # see https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt
    # Disabling this interface doesn't cure the problems of ME, but it
@@ -488,9 +479,6 @@ function disable_ctrl_alt_del {
 }

 function lockdown_permissions {
-    if [ -d /etc/fs/nfs ]; then
-        remove_nfs
-    fi
    if [ -d /root/.npm ]; then
        find /root/.npm -name package.json -exec chmod 700 {} \;
    fi
@@ -625,11 +613,6 @@ function create_usb_canary {
    mark_completed $FUNCNAME
 }

-function remove_nfs {
-    apt-get -yq remove nfs-kernel-server
-    apt-get -yq remove nfs-common
-}
-
 function setup_firewall {
    function_check create_completion_file
    create_completion_file
@@ -700,9 +683,6 @@ function setup_utils {
    function_check proc_filesystem_settings
    proc_filesystem_settings

-    function_check remove_nfs
-    remove_nfs
-
    function_check optimise_filesystem
    optimise_filesystem

@@ -730,9 +710,6 @@ function setup_utils {
    function_check remove_bluetooth
    remove_bluetooth

-    function_check disable_nfs_insecure_locks
-    disable_nfs_insecure_locks
-
    function_check set_login_umask
    set_login_umask