diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..92d3100
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,118 @@
+venv/
+
+# ---> Python
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
diff --git a/Entities/Core.md b/Entities/Core.md
deleted file mode 100644
index 18ed91a..0000000
--- a/Entities/Core.md
+++ /dev/null
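Review bot: `venv/` is ignored twice in this hunk — once as the hand-added first line and again under `# Environments` — so the top entry is redundant and will drift from the template block below it. Drop the leading `+venv/` and its trailing blank line and rely on the `# Environments` group, which already covers `venv/`, `.venv`, `env/` and `.env`. The remainder of the file appears to be a stock Python ignore template, which is fine for a repository that otherwise only holds wiki markdown, but it is worth a one-line header comment stating what tooling it is there for.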
@@ -1,45 +0,0 @@
-The Core is the central VM on which the AniNIX's primary services are built. It is both a production platform and software repository location.
-
-# Etymology
-The Core is so named because all the rest of the AniNIX is built around it.
-
-# Capacity and Components
-The AniNIX is a [[ShadowArch]][[Category:ArchLinux]] installation. It receives the following resources from [[Forge2]]:
-* 4 Cores
-* 8GB RAM
-* Virtualized GPU
-* 2TB storage
-* USB device assignment
-* Virtual bridged network interface
-* Bluetooth adapter passthrough
-* CD/DVD drive
-* BluRay drive
-
-# Hosted Services and Entities
-{{Reference|Aether}}{{Reference|Cerberus}}{{Reference|Foundation}}{{Reference|Grimoire}}{{Reference|Heartbeat}}{{Reference|IRC}}{{Reference|TheRaven}}{{Reference|Singularity}}{{Reference|Sora}}{{Reference|SSH}}{{Reference|WebServer}}{{Reference|Wiki}}{{Reference|WolfPack}}{{Reference|Yggdrasil}}
-
-# Connections
-{{Reference|Shadowfeed}}{{Reference|Eyes}}{{Reference|Windows}}{{Reference|DarkNet}}
-
-# Additional Reference
-## Storage stack
-The AniNIX uses the following storage stack, from user-accessed files to bits on disk. Bootability is from an unencrypted [https://wiki.archlinux.org/index.php/EXT4 EXT4 boot sector] and MBR [https://wiki.archlinux.org/index.php/GRUB GRUB] bootloader.
-* Files
-* [https://wiki.archlinux.org/index.php/XFS XFS Filesystem]
-* LUKS volume
-* LVM physical volume
-* 2TB Physical disk
-
-The output of "lsblk -o NAME,KNAME,SIZE,FSTYPE,TYPE,MOUNTPOINT,LABEL,PARTLABEL" gives the following layout. Additional shares mounted to accomodate users are not shown.
-NAME                     KNAME  SIZE FSTYPE      TYPE  MOUNTPOINT                  LABEL     PARTLABEL
-sda                      sda    1.8T             disk
-├─sda1                   sda1   500M ext4        part  /boot                       COREBOOT
-└─sda2                   sda2   1.8T LVM2_member part
-  ├─corestorage-coreswap dm-0    10G crypto_LUKS lvm
-  │ └─coreswap           dm-3    10G swap        crypt [SWAP]
-  └─corestorage-core     dm-1   1.8T crypto_LUKS lvm
-    └─sysroot            dm-2   1.8T xfs         crypt /
-sr0                      sr0   1024M             rom    
-}}
-
-[[Category:LDAP]]
\ No newline at end of file
diff --git a/Entities/DarkNet.d/Free_Internet_Practices.md b/Entities/DarkNet.d/Free_Internet_Practices.md
deleted file mode 100644
index 69eedd5..0000000
--- a/Entities/DarkNet.d/Free_Internet_Practices.md
+++ /dev/null
@@ -1,26 +0,0 @@
-In the wake of the catastropic [http://money.cnn.com/2017/12/14/technology/fcc-net-neutrality-vote/index.html FCC vote to kill Net Neutrality], [[DarkNet|privacy VPN]] machines may become more prevalent to allow unfettered and uncensored access to the Internet. In the meantime, some less-drastic measures can be taken to help allow access to fettered, deprioritized, slow-laned, or censored traffic.
-
-Please visit the #freenet channel on [https://aninix.net/irc/ AniNIX::IRC] with questions or suggestions.
-
-# Recommendations
-These settings are mostly for good encryption to prevent eavesdropping and good compression of traffic to better tolerate throttled links.
-* Install Google Chrome.
- * Turn on [https://chrome.google.com/webstore/detail/data-saver/pfmgfdlgomnbgkofeojodiodmgpgmkac?hl=en-US Data Saver] in your [chrome://extensions extensions].
- * Android users may find this inside Chrome under the triple-dot icon at the top right.
-* Conduct a security review of Chrome as a best practice against ISP eavesdropping and deep packet inspection (which can be used for throttling or controlling your traffic).
- * Check under [chrome://settings Chrome's settings] > "Advanced" > "Privacy and Security" to make sure the settings meet your need. We strongly encourage the "Protect you and your device from dangerous sites" and 'Send a "Do Not Track" request with your browsing traffic' options.
- * Visit [https://myaccount.google.com/security?pli=1 myaccount.google.com/security] to run an account audit.
- * Set up Google Authenticator or other two-factor solutions.
-* Disable automatically downloading updates and instead patch machines weekly or when they're being shutdown. **Note: we strongly encourage patching! Make sure that you regularly check for patches.**
- * Windows users can do this by following [[Forge2#Windows Update|these instructions]] under the Windows Update header.
- * Linux users should make sure to download patches at night and perhaps share package files from a central package cache.
- * Android users can do this from the Google Play store under Settings > Auto-update apps.
-* Coordinate large downloads to occur during minimum usage hours. This is dependent on sysadmin analytics.
-* Install Tor Browser to access censored content.
- * Windows users can download from [https://www.torproject.org/download/download.html.en Tor].
- * Android users can install [https://play.google.com/store/apps/details?id=info.guardianproject.orfox Orfox] and [https://play.google.com/store/apps/details?id=org.torproject.android Orbot].
-* Set "Compression yes" in ~/.ssh/config. Older clients may need to additionally add "CompressionLevel 8".
-
-# Fight Back
-* We still have a widget added to the WebServer root to allow you to continue to petition Congress against the FCC's decision.
-* [https://techcrunch.com/2017/12/14/new-york-attorney-general-announces-a-multi-state-lawsuit-challenging-the-net-neutrality-vote/ Several states are suing.] Stay informed through [https://www.eff.org/ EFF] and [https://battleforthenet.com/ BattleForTheNet], and contribute where you can.
\ No newline at end of file
diff --git a/Entities/DarkNet.md b/Entities/DarkNet.md
deleted file mode 100644
index 8704dbf..0000000
--- a/Entities/DarkNet.md
+++ /dev/null
@@ -1,26 +0,0 @@
-The DarkNet VM is the privacy protection of the AniNIX. The AniNIX does not believe in security by obscurity or in censorship; as such, everyone should have a voice.
-
-# Etymology
-The DarkNet is named for an anonymous network whose access is controlled only by the admins and whose usage is known only to them. It's entirely closed and anonymous.
-
-# Capacity and Components
-* [[ShadowArch]]
-* 1 core
-* 1024M of RAM
-* 150G of storage
-* Virtualized NIC
-
-# Hosted Services and Entities
-The DarkNet uses a small package list but runs more than the standard ShadowArch install. Also included are the xfce4, xorg-server, tor-browser-en(AUR), transmission-gtk, transmission-cli, and openvpn packages.
-## Abilities
-* Encrypted storage by default to a passphrase known only to admins.
-* Tor proxy service, integrated with both text lynx and GUI tor-browser-en browsers.
- * Lynx is aliased to "torsocks lynx" globally
-* Anonymous VPN via OpenVPN (details available on request)
-
-## Hosted
-{{Reference|WolfPack}}{{Reference|VirusScan}}
-
-# Connections
-{{Reference|Core}}
-}}
\ No newline at end of file
diff --git a/Entities/Forge2.md b/Entities/Forge2.md
deleted file mode 100644
index c027662..0000000
--- a/Entities/Forge2.md
+++ /dev/null
@@ -1,88 +0,0 @@
-The Forge2 is the primary hardware platform on which the AniNIX runs.
-
-# Etymology
-The Forge2 the second Forge build, the original having been two towers instead of one.
-
-It is so named because the exterior is solid black with soft red LED's internally -- this creates an appearance similar to a furnace.
-
-The Forge builds are also so named because projects are created, developed, and tested in these frames.
-
-# Capacity and Components
-* 6-core hyperthreaded core i7 at 3.4GHz, water-cooled by Corsair H100i two-fan cooler
-* 24 GB RAM
-* 13.2 TB onboard storage. One hotswap slot open.
- * 60 GB solid state boot drive for Windows 10 Pro Hypervisor (Hyper-V)
- * 1 1TB drive dedicated to additional user space and VM's
- * 1 2TB drive dedicated to Windows data formatted as NTFS
- * 1 2TB drive dedicated to Windows Backup formatted as NTFS
- * 2 2TB drive dedicated to [[Core|AniNIX::Core]] -- see Core for the filesystem hierarchy there.
- * One hotswap bay for [[Aether|AniNIX::Aether]] backups.
- * 1 150GB drive for the [[DarkNet]] VM
-* USB 2.0 & 3.0 and eSATA slots
-* 2 10GB NIC's -- one for VM's and one for Windows
-* Bluetooth Adapter
-* Hyper-V virtualization under Windows 10 Pro[[Category:Microsoft]]
-* 1200W Corsair power supply
-* EVGA x79 Dark motherboard with PCI-e SATA extender
-* SLI'ed GTX 760 GPU's with 4GB onboard cache each
-* Corsair K70 Keyboard w/ red LED and Corsair M65 mouse.
-* CyberPower UPS
-[[Category:Corsair]]
-[[Category:EVGA]]
-[[Category:Intel]]
-[[Category:Seagate]]
-[[Category:Kingston]]
-
-# Hosted Services and Entities
-{{Reference|Core}}{{Reference|Windows}}{{Reference|DarkNet}}
-
-# Connections
-{{Reference|Infrastructure}}{{Reference|Shadowfeed}}{{Reference|Core}}{{Reference|Windows}}
-
-# Additional Reference
-## Gallery
-A gallery will be added.
[[Category:TODO]]
-}}
-# Hypervisor Notes
-Hyper-V integrates VM's with Windows, allowing VM's to be started at Windows boot, providing direct disk access, and managing assignment of cores, memory, and disk.
-
-ShadowArch guests with a GUI should include xf86-video-fbdev and set GRUB_CMDLINE_LINUX_DEFAULT="quiet video=hyperv_fb:1920x1080" to get maximum screen resolution.
-
-Hyper-V comes with a few limitations. PCI and USB devices can't be passed through without 3rd-party software, but this was considered acceptable.
-
-Hyper-V guests require significant configuration to prevent performance problems. Dynamic memory should be disabled to prevent a guest from overrunning the host. Data Exchange, Backup, and Guest Services should all be disabled from integration services. Disable checkpoints. Automatic start action should either be on startup or disabled, and automatic stop action should always be poweroff.
-
-Hyper-V itself also requires configuration of the Windows host. The default High Performance power profile turns off monitors when not in use but does not put the entire frame to sleep -- this is the desired behavior.
-
-## Antivirus
-Make sure Hyper-V, if using [[VirusScan|antivirus]] follows the [[VirusScan#Hyper-V|Hyper-V considerations]].
-
-Presently, this still caused drops in virtual disks, crashing several VM's, so we are suspending antivirus on the hypervisor, along with most general-purpose browsing. Read the following for other user experiences.
-1. https://www.cnet.com/how-to/i-dont-use-anti-virus-software-am-i-nuts/
-1. https://www.reddit.com/r/windows/comments/41b0k0/is_antivirus_software_still_necessary_for_windows/
-
-## Windows Update
-The Windows Update service, if it deems the system too out of date or in need of critical fixes, may forcibly restart the system. We recommend keeping the Windows Update service disabled on hypervisors until patching is desired. This can be done in services.msc.
-
-We recommend addtionally setting the "gpedit.msc > Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update \ Configure Automatic Updates" option if you have a Pro or Enterprise license.
-
-## Sleep Mode
-Sleep mode, even immediately interrupted, has been observed to break network connectivity and VM uptime. When running as a Hypervisor, it is advisable to disable sleep and hibernate modes. Change these from Group Policy under Administrative Templates>System>Power Management>Sleep Settings. Enable "Turn Off Hybrid Sleep" and disable "Allow Standby States (S1-S3) when sleeping".
-
-## Previous Hypervisors
-### VirtualBox
-Oracle VirtualBox is a free hypervisor that can run on almost any OS. This makes deployment and device driver management entirely on the stock OS, which was Windows in our case thus alleviating driver problems. Management is also easy, particularly with an admin account, so it's easy to assign cores, memory, and such to a VM. VirtualBox can assign raw disk access with VBoxManage. Use Windows Disk Manager (diskmgmt.msc) to identify the disk. In the case below, 7 is the disk number.
-
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" internalcommands createrawvmdk -filename "C:\Users\Admin\VirtualBox VMs\raw7.vmdk" -rawdisk \\.\PhysicalDrive7
-
-VirtualBox was dropped due to buggy integration with the running OS and the inability to start VM's at OS Boot.
-### ArchLInux/KVM-enabled KVM
-The Forge2 frame has a 60GB SSD installed for KVM-enabled QEMU virtualization inside a minimal ArchLinux host. This implementation allows passing any host resources to the guest, including USB and PCI devices which is an advantage over other Hypervisors.
-
-While Intel VT-d provided by the motherboard ostensibly supports this passthrough, it had hardware caps on the x79 that the AniNIX could not afford (4 hard drives, 1 CD drive) without disabling KVM, and the network bridging created problems for VPN clients.
-
-# Alternatives
-You could in theory put the hardware for an AniNIX network clone in the Cloud. There are steps to set up ArchLinux in [http://codito.in/archlinux-on-azure/ Microsoft Azure] and [https://bbs.archlinux.org/viewtopic.php?id=186707 Google Cloud]. This may be advantageous for sites that have uptime concerns, low local resources, or physical security concerns.
-
-From a cost perspective, power and network for a Forge2 and [[Shadowfeed|AniNIX::Shadowfeed]] costs roughly $100 per month with a $6000 buy-in. Equivalent cloud solutions would need to supply at least one full backup image with highly available power and network, along with [[Forge2#Capacity and Components|equivalent capacity]].
-
-You should look at [[Aether|AniNIX::Aether]] notes on cloud computing if you consider this as an option.
\ No newline at end of file
diff --git a/Entities/Forge3.md b/Entities/Forge3.md
deleted file mode 100644
index 6b3d5e2..0000000
--- a/Entities/Forge3.md
+++ /dev/null
@@ -1,50 +0,0 @@
-AniNIX::Forge3 will be a successor to [[Forge2|AniNIX::Forge2]] and [[Infrastructure|AniNIX::Infrastructure]]. [[AniNIX::Core]] will be turned into hardware rather than VM, and a new systemd+qemu [[ShadowArch]] install will take the role of [[Hypervisor]] from [[Windows]]. Options being evaluated are below.
-
-**This is not yet live.**
-
-# New Rack Layout
-* Forge2 bottom shelf, relegated to Windows [[Games]] and typically powered off.
- * Requires 27.2 x 9.9 x 25.5 inchs
-* Middle shelf: 2 PSU's in lateral
-* Next shelf: soundproof-wrapped 2 x [https://unixsurplus.com/collections/supermicro-servers/products/supermicro-1u-x8dtu-f-dual-intel-xeon-e5645-hex-core-2-4ghz-1u-server?variant=23868756487 SuperMicro X8DTU-F servers] -- one as [[Core]] and one as [[Hypervisor]]/Dev.
- * Requires 32" x 19" x 4"
- * Hypervisor will virtualize [[Darknet]], [[Sharingan]], [[Aether]], [[Maat]], [[Cerberus]], and [[DedSec]] VM's.
-* Top shelf:
- * [[Shadowfeed]]
- * [[Geth/Nazara]]
- * [[Print]]
- * Dev switch
-
-## Network
-WAN link runs from modem to Shadowfeed WAN. Shadowfeed LAN are
-1. Nazara
-1. PRD ether
-1. PRD IPMI
-1. Switch WAN
-
-Switch LAN are
-1. Dev ether
-1. Dev IPMI
-1. Dev table ether
-1. Windows
-
-## USB
-Each PSU has a USB that should be able to connect to Nazara. This will allow Nazara to monitor active power state into Nagios.
-
-## Power
-UPS 1 sockets are provided from one wall outlet, max load 1200W and average load 300W.
-1. HA
- 1. PRD PSU (500W)
- 1. Dev PSU (500W)
-1. Surge only
- 1. Dev table strip
- 1. Laptop charger (100W)
-
-UPS 2 sockets are provided from a second wall outlet, max load 1300W and average load 100W, on a 25' 12-gauge outdoor extension cable.
-1. HA
- 1. Shadowfeed
- 1. Nazara
- 1. Switch
- 1. Desk light (typically off)
-1. Non-HA
- 1. Windows (1200W)
\ No newline at end of file
diff --git a/Entities/Games.md b/Entities/Games.md
deleted file mode 100644
index ad6367e..0000000
--- a/Entities/Games.md
+++ /dev/null
@@ -1,52 +0,0 @@
-The Games are a list of PC or emulated games available for users to play.
-
-# Etymology
-Let's not play games -- this service is self-named.
-
-# Relevant Files and Software
-[[Category:TODO]]
-## AAA Titles
-* The [https://assassinscreed.wikia.com/ Assassin's Creed] series
-* Dishonored
-* Deus Ex: Human Revolution
-## Indie games
-* Hacknet_
-## MMO's
-* [http://swtor.com/ Star Wars: The Old Republic] -- AniNIX members are presently playing for the Empire faction and working with the [http://mandocabure.proboards.com/ Mando Cabure] guild. Ping an admin on IRC or Discord to join the gaming.
-
# This game can be installed on ShadowArch with the following:
-pacman -S wine-staging wine-mono
-winecfg
-winetricks d3dx9 vcrun2008 msls31 winhttp
-1.  Download launcher from swtor.com
-wine ./SWTOR_launcher.exe
-timeout 60 wine ~/.wine/drive_c/Program\ Files\ \(x86\)/Electronic\ Arts/BioWare/Star\ Wars\ -\ The\ Old\ Republic/launcher.exe
-vim ~/.wine/drive_c/Program\ Files\ \(x86\)/Electronic\ Arts/BioWare/Star\ Wars\ -\ The\ Old\ Republic/launcher.settings
-1.  Change bitraider_disable to true and download mode to SSN.
-wine ~/.wine/drive_c/Program\ Files\ \(x86\)/Electronic\ Arts/BioWare/Star\ Wars\ -\ The\ Old\ Republic/launcher.exe
-
-
-* [http://www.crypticstudios.com/startrek Star Trek Online]
-## Independent Games
-: These are excellent for a [[Games/Team-building_Exercise|team-building exercise]].
-* [http://artemis.eochu.net Artemis Bridge Simulator]
-* [https://unvanquished.net Unvanquished]
-## Emulators
-* Desmune
-* VisualBoy Advance
-* ScummVM
-
-# Available Clients
-We are investigating NVidia SHIELD technology for the AAA titles.
-
-The [[Games#Independent Titles|independent titles]] have game clients that can be downloaded and the AniNIX made to be the hosting server.
-
-# Additional Reference
-## Recovery
-Recovering games used to be a tired process of maintaining product keys. Today, this is less an impact. Instead, one should buy games through services that allow reinstallation of the same. [https://steampowered.com Steam] and [https://uplay.ubi.com/ Uplay] both support this functionality. SWTOR and MMO's like it do not install unique content directly to the local machine, so they are easily reinstalled.
-
-Independent games or freeware should be preserved through keeping copies of the installers.
-
-## Streaming
-Linux [[Tachikoma]] or [[DedSec]] hosts can stream from a Games install using Steam in-home streaming. Wireless AC connections are recommended, and [https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711 firewall rules] need to be made.
-}}
-[[Category:Internal_Service]]
\ No newline at end of file
diff --git a/Entities/Geth_Armature.md b/Entities/Geth_Armature.md
deleted file mode 100644
index c7d02e9..0000000
--- a/Entities/Geth_Armature.md
+++ /dev/null
@@ -1,24 +0,0 @@
-The Geth Armature is a robotic body that allows the Geth to interact with the real world.
-
-# Uses
-1. Physical patrolling
-1. Lock inspection
-1. Invalid care, for those unable to move on their own.
-1. Hardware inspection, in the case of an [[Sharingan|AniNIX::Sharingan]] alert.
-1. Potentially firing off other Geth-controlled units, such as carrying an IR module into range of a Roomba.
-
-# Hardware
-We're coding for [http://www.swiftstreamrc.com/product/robo-buddy/ RoboBuddy from SwiftStream], but the process to be documented will be very similar for any mobile IP camera. Key requirements:
-* Articulation on the camera
-* Onboard lights
-* Durability of frame
-* Self-recharging
-* Good resolution
-
-# Softare
-In development! [[Category:TODO]]
-
-# Etymology
-While many Geth mobile units were modeled after their Quarian creators, larger security units were more utilitarian. The collapsible, giraffe-like Armature were the heavy armor that could be deployed into hostile territory to protect their holdings. Similarly, ours protects our locations.
-
-[[Category:Entity]]
\ No newline at end of file
diff --git a/Entities/Holocron.md b/Entities/Holocron.md
deleted file mode 100644
index bc75d83..0000000
--- a/Entities/Holocron.md
+++ /dev/null
@@ -1,82 +0,0 @@
-WARNING: Holocrons should not hold copies of sensitive information.
-The Holocron is a mobile USB designed to take over any computer hardware and run as an element of the AniNIX.
-
-# Etymology
-Named for the [http://starwars.wikia.com/wiki/Holocron_of_Heresies Sith Holocron] from the Star Wars universe, the Holocron is a method for AniNIX admins to craft and record all their personal code and knowledge, including [[Aether|AniNIX::Aether]] backups, [[Foundation|Git]] repo checkouts, etc. It should be secured and difficult to crack to protect the secrets within, just as its namesake -- the better the traps, the better the knowledge it can hold.
-
-# Capacity and Components
-Holocrons have no defined capacity since they are not bound to any set of hardware. The portable storage space is bound to the drive on which it's written.
-
-# Hosted Services and Entities
-No services or entities are hosted.
-
-# Connections
-Holocron can dial to any host desired. It should have VPN, SSH, remote-desktop, browser, code version control, and file transfer clients available.
-
-# Additional Reference
-Implementation details for Holocron are below.
-
-## Host drive
-We currently recommend a [https://www.pcnation.com/web/details/ZY1268/Corsair-Flash-Survivor-Stealth-64GB-USB-3-0-Flash-Drive-CMFSS3B-64GB-00843591066389?mkwid=s_dc&pcrid=64230955823&pkw=&pmt=&plc=&gclid=Cj0KEQjwo_y4BRD0nMnfoqqnxtEBEiQAWdA124R1SSj-sqFREK5wSAXJca5AVpUXJuKfbi3IuD_Sn2IaArOC8P8HAQ Corsair Survivor Stealth] for Holocrons. This offers 64GB of flash storage with the following layout, in a form that is both impact- and water-resistant, making it a resilient tool.[[Category:Corsair]]
-
-
-NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
-fd0             2:0    1    4K  0 disk
-sda             8:0    0    1G  0 disk
-sdb             8:16   1 59.6G  0 disk
-|-sdb1          8:17   1   40G  0 part  /mnt/xplatfrm
-|-sdb2          8:18   1  9.3G  0 part  /boot
-`-sdb3          8:19   1  9.3G  0 part
-  `-spartacus 254:0    0  9.3G  0 crypt /
-sr0            11:0    1  544K  0 rom
-
-
-WARNING: Do not store sensitive information on Holocrons!
Though a Holocron has its root encrypted, /boot is not and the device is portable. Physical access is death! The storage can be cloned and cracked with sufficient computing resources. The encryption is a delay but not a hard-stop protecting your information. If you have access to an encrypted machine like [[Core|AniNIX::Core]] there is no reason to keep sensitive information on this, a client device. If you have nothing else, this encryption is better than none.
-
-The Israelis and such have been working out ways to listen with directional mics to crack encryption, and I have no guarantee they didn't use some similar hardware assault to crack the encryption. The algorithm might be smart enough, but the hard
ware may give rise to a more direct way. Moreover, with the hardware being mobile, the firmware and bootloader could be assaulted to broadcast key signatures from memory, or someone could record you entering the decryption password. Some example vectors are below:
-* [http://www.tau.ac.il/~tromer/acoustic/ Accoustic attacks on RSA]
-* [https://dx.eng.uiowa.edu/dave/lukstext.php A sample LUKS crack]
-* [http://www.prnewswire.com/news-releases/passware-first-to-enable-computer-forensics-to-crack-linux-disk-encryption-luks-300004871.html Another potential LUKS crack]
-
-## Installation
-1. Install [[ShadowArch]] to the / partition. Remember to remove the first four lines so that your mount options are used with your storage layout.
-1. Create a folder /boot/iso in the / partition.
-1. Edit /etc/grub.d/40_custom:
- 1. See [https://wiki.archlinux.org/index.php/Multiboot_USB_drive Arch's multiboot] for individual GRUB entries.
- 1. Also see [https://releng.archlinux.org/pxeboot/ Arch's netboot] for a GRUB entry to use for netboot.
-1. Load ISOs and pack for travel.
-
-
-Example 40_custom file:
-
-1. !/bin/bash
-exec tail -n +3 $0
-probe -u $root --set=rootuuid
-set imgdevpath="/dev/disk/by-uuid/$rootuuid"
-menuentry 'ArchLinux ISO' {
-	set isofile='/iso/archlinux.iso'
-	loopback loop $isofile
-	linux (loop)/arch/boot/x86_64/vmlinuz archisodevice=/dev/loop0 img_dev=$imgdevpath img_loop=$isofile earlymodules=loop
-	initrd (loop)/arch/boot/x86_64/archiso.img
-}
-menuentry "Kali Linux ISO" {
-	set isofile='/iso/kali-linux.iso'
-	loopback loop $isofile
-	linux (loop)/live/vmlinuz boot=live findiso=$isofile noconfig=sudo username=root hostname=kali earlymodules=loop
-	initrd (loop)/live/initrd.img
-}
-menuentry "CentOS ISO" {
-	set isofile='/boot/iso/CentOS.iso'
-	loopback loop $isofile
-	linux (loop)/isolinux/vmlinuz noeject inst.stage2=hd:/dev/sdb2:/$isofile
-	initrd (loop)/isolinux/initrd.img
-}
-
-
-## Recommended uses
-* ArchLinux ISO: This ISO can be used to have a clean point from which to start -- its signature and size can be compared against [https://archlinux.org/download the ArchLinux page] for integrity.
-* Kali Linux ISO: This ISO is a hack suite, porting the latest tools with the user.
-* CentOS ISO: This allows a user to access an enterprise network using a trusted OS with a known signature.
-* ArchLinux local install: This is a portable workspace for the carrier -- packages installed here will be persistent, and allow the user to boot their own toolset without any or much network traffic.
-* Cross-platform storage: This allows Spartacus to perform as a usual flash-drive.
-}}
\ No newline at end of file
diff --git a/Entities/Infrastructure.md b/Entities/Infrastructure.md
deleted file mode 100644
index 45025cd..0000000
--- a/Entities/Infrastructure.md
+++ /dev/null
@@ -1,26 +0,0 @@
-The Infrastructure is a conglomerate of machines with mostly proprietary firmware providing power and connectivity to the AniNIX.
-
-# Etymology
-This should be self-explanatory -- the Infrastructure describes the lowest-level connection between the digital world of the AniNIX and the physical world. The Infrastructure passes raw resources from the physical world for the AniNIX to manipulate.
-
-# Capacity and Components
-The capacity of the Infrastructure is limited by the following areas:
-* Power: 1500VA / 900W with surge protection on all sockets and battery power on three sockets for roughly 20 minutes of operation under the usual AniNIX load. [[Category:HasBattery]] Power is provided by Madison Gas & Electric [[Category:MG&E]] via a CyberPower UPS [[Category:CyberPower]]
-* Network: Charter Communications modem providing, ostensibly, a 500MB/s upload and 6Gb/s download speed. SpeedTest.com results fluctuate. [[Category:Charter]]
-
-# Hosted Services and Entities
-{{Reference|Shadowfeed}}{{Reference|Forge2}}
-
-# Connections
-{{Reference|Windows}}
-
-# Additional Reference
-For hosts seeking insight into the Infrastructure, they can install the PowerPanel software from CyberPower. ArchLinux contains a copy of it in the AUR: [https://aur.archlinux.org/packages/powerpanel/ linked here]
-
-The following files are then critical for configuration, after the USB device is connected to the monitoring host:
-* /etc/pwrstatd.conf
-* /etc/powerpanel/pwrstatd-email.sh
-* /etc/powerpanel/pwrstatd-lowbatt.sh
-* /etc/powerpanel/pwrstatd-powerfail.sh
-* /usr/lib/systemd/system/pwrstatd.service
-}}
\ No newline at end of file
diff --git a/Entities/Nazara.md b/Entities/Nazara.md
deleted file mode 100644
index 9b7eca7..0000000
--- a/Entities/Nazara.md
+++ /dev/null
@@ -1,17 +0,0 @@
-A Nazara host is a gateway to accessing other hosts. It is a safeguard against admin error.
-
-# Etymology
-
-Nazara hosts are named because they are the first line of defense against administrative error -- they prevent admins from being locked out of correcting their changes.
-
-# Capacity and Components
-A Nazara host needs minimal CPU or memory.
-
-# Hosted Services and Entities
-Nothing is hosted by a Nazara.
-
-# Connections
-Any host should be able to connect to a Nazara with [SSH](../Services/SSH.md) and X11, and it should be able to dial to any service provider.
-
-# Additional Reference
-Nazara hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.
diff --git a/Entities/Print.md b/Entities/Print.md
deleted file mode 100644
index f38a265..0000000
--- a/Entities/Print.md
+++ /dev/null
@@ -1,10 +0,0 @@
-Print is the printer/scanner of the AniNIX, aimed at offering the option to convert materials from digital to physical and vice-versa.
-
-# Etymology=This entity is self-named.
-
-# Capacity and Components=A [[Category:Brother]]Brother MFC-J430W will fill this role nicely, with color printing, scanning, and (unused) faxing abilities. It can be easily installed from [https://aninix.net/foundation/ConfigPackages/ ConfigPackages].
-
-# Hosted Services and Entities=There are no hosted aspects.
-
-# Connections={{Reference|Core}}
-}}
\ No newline at end of file
diff --git a/Entities/Roomba.md b/Entities/Roomba.md
deleted file mode 100644
index 4e27523..0000000
--- a/Entities/Roomba.md
+++ /dev/null
@@ -1 +0,0 @@
-[[Category:TODO]]Roomba is a cleaning bot for the AniNIX
\ No newline at end of file
diff --git a/Entities/Rufus.md b/Entities/Rufus.md
deleted file mode 100644
index fc7905f..0000000
--- a/Entities/Rufus.md
+++ /dev/null
@@ -1,42 +0,0 @@
-Rufus is an overlay to make use of unused clock cycles on AniNIX hardware. It allows the AniNIX to take what would otherwise be wasted power and network presence and put it to either profit or charity.
-
-# Etymology=Rufus is named after the naked mole rat from the Kim Possible TV series; a ubiquitious companion to the protagonists, Rufus' species is also capable of great feats of digging, given their traditionally subterranean habitat. The Rufus system is equally useful at mining resources for the AniNIX, keeping it online.
-
-# Capacity and Components=Capacity depends on the number of rigs available. A "rig" may simply be a [[Geth/Hub|AniNIX::Geth hub]], a running VM, or a full-featured rig.
-
-Our full-featured rigs are built from cheap consumer-grade parts.[https://www.youtube.com/watch?v=3YMxGGXme8g Motherboard Ethereum mining presentation], accessed 2/5/18]. We have a list of our current desired parts at [https://secure.newegg.com/Wishlist/SharedWishlistDetail?ID=vcB3403ONPRZhXHgzQNC%2fg%3d%3d Newegg].
-
-# Hosted Services and Entities
-## Ethereum
-[https://ethereum.org Ethereum]https://wiki.archlinux.org/index.php/Ethereum is a decentralized currency and contract blockchain.
-
-Install and upgrade python3. From that, we can install [http://raspnode.com/diyEthereumPyeth.html PyEthApp] to mine the currency.
-
-pip3 install pyethapp
-
-
-Multiple miners can be supported in a single network, but port 30303 must be forwarded to the first node. Other nodes in the cluster will connect their ethminer to that node.
-
-Funds can be transferred to an Ethereum wallet by TODO.[[Category:TODO]][[Category:Coinbase]]
-
-## Bitcoin
-Bitcoinhttps://wiki.archlinux.org/index.php/Bitcoin is another decentralized blockchain currency -- in fact, it was the first and most popular.
-
-Mining is done by connecting GPU's or [https://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=Raspberry+pi+ASIC+bitcoin ASIC miners] to your host. From there, install bfgminer and benchmark the attached ASIC's. This can be done by standalone block mining or pool mining, where a group of miners agree to mine for the same block through shared and decentralized work.
-
-When satisfied with the operation of the benchmarking, bfgminer can be run with all hardware and a Coinbase address to receive the funds.
-
-## Folding@Home
-[https://foldingathome.org/ Folding@Home]https://wiki.archlinux.org/index.php/Folding@home is a Stanford project for protein folding research, helping researchers solve disease problems. This is our premiere project for our [https://aninix.net/pages/charity.php charity work].
-
-Install the [https://aur.archlinux.org/packages/foldingathome/ Folding@Home package] from Stanford. This will allow you to receive units of work from Stanford and process them.
-
-## BOINC
-[http://boinc.berkeley.edu/ BOINC] is a Berkley project for supporting underfunded research projects by allowing open computing resources.
-
-Install the [https://www.archlinux.org/packages/?name=boinc-nox boinc-nox]https://wiki.archlinux.org/index.php/BOINC package from Berkley. Enabling the service will use your compute resources for the needy projects.
-
-# Connections=Rufus runs on any available hardware. 
-
-# Additional Reference=[https://aninix.net/irc/ Contact an admin] for current ROI -- example math can be seen in [https://www.youtube.com/watch?v=8eXI_7O4Svc this presentation]. Also, [https://www.youtube.com/watch?v=U_LK0t_qaPo this presentation] offers an overview of how Ethereum the protocol works.}}
-# References
\ No newline at end of file
diff --git a/Entities/Shadowfeed.md b/Entities/Shadowfeed.md
deleted file mode 100644
index eb0e8ee..0000000
--- a/Entities/Shadowfeed.md
+++ /dev/null
@@ -1,51 +0,0 @@
-The Shadowfeed is the networking gateway between the AniNIX and the outside world -- it broadcasts the AniNIX signal and allows the network to communicate.
-
-# Etymology
-The Shadowfeed is named after a resistance communications network in the Star Wars universe. The [http://starwars.wikia.com/wiki/CIS_Shadowfeed Shadowfeed] was a disseminated network routed through existing communications technology, allowing a separatist movement to broadcast its message.
-
-# Capacity and Components
-The Shadowfeed is an Netgear R7000 Nighthawk router hardware flashed with DD-WRT firmware.[[Category:DD-WRT]][[Category:Netgear]] It can hold numerous clients wirelessly, and it supports wired USB 2.0 and 3.0 hard-drives to create simple NAS storage. There are five physical slots, one occupied by wired connection to the Forge2 frame, one by a connection to the Verizon wireless tower, and one to the Infrastructure. One remaining slot is free with a 100ft Cat5e cable and the other reserved for hotswap in case of port failure or LAN need.
-
-Note: the best place we've found to grab firmware updates is [https://ddwrt-kong.clonevince.fr/ this upload site for Kong's builds]. Ensure that you are on build 33525 or later to avoid being vulnerable to [https://aircrack-ng.blogspot.com/2017/10/krack-wpa-vulnerability-key.html KRACK]. Follow the instructions [https://dd-wrt.com/wiki/index.php/Installation from the DD-WRT Wiki] to flash your router with new firmware or to patch. Make sure to watch for the peacocking notes! Use the dork "kong dd-wrt build " -- if you use Chromecasts for [[Geth|AniNIX::Geth]], make sure to look for explicit validation of the devices, or run your own extensive regressions. 
-
-# Hosted Services and Entities
-Nothing is hosted by the Shadowfeed, but it is manageable by either SSH or an onboard webserver.[[Category:Lighttpd]]
-
-# Connections
-The Shadowfeed has a number of hosts and entities that connect to it -- unknown entities are routed to a guest network, while known hosts are allowed inside the DMZ where they can access internal services. Direct AniNIX network members are listed below.
-{{Reference|Core}}{{Reference|Windows}}{{Reference|DarkNet}}{{Reference|Print}}{{Reference|Bastion}}{{Reference|Tricorder}}{{Reference|Geth}}{{Reference|Forge2}}{{Reference|Infrastructure}}
-
-# Additional Reference
-## Add NAT Rule
-
-iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 3389 -j DNAT --to 10.0.1.2 [ -s SourceIP ]
-iptables -I FORWARD -p tcp -d 10.0.1.2 --dport 3389 -j ACCEPT
-iptables -t nat -I PREROUTING -p udp -d $(nvram get wan_ipaddr) --dport 3389 -j DNAT --to 10.0.1.2 [ -s SourceIP ]
-iptables -I FORWARD -p udp -d 10.0.1.2 --dport 3389 -j ACCEPT
-
-## Direct config alteration -nvram show will get all the current options, whereas nvram get variable will return a variable. - -nvram set or unset change variables. - -nvram commit pushes the change. - -## Guest Wifi -[https://dd-wrt.com/wiki/index.php/Guest_Network See here.] - -## Sample Startup Script -The following will insert firewall lines into your sample startup script to harden your network edge. This allows [[WebServer|web]], [[SSH]], [[IRC]], [[Geth|AniNIX::Geth]], and [[Nazara|bastion]] access through the firewall, dropping all others. It also sets up the block chain for [[Cerberus|AniNIX::Cerberus]]. - -
-iptables -N severe
-iptables -I INPUT 2 -i vlan2 -j DROP
-iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 22 -j ACCEPT
-iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 80 -j ACCEPT
-iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 443 -j ACCEPT
-iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 6641 -j ACCEPT
-iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 6697 -j ACCEPT
-iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 9022 -j ACCEPT
-iptables -I INPUT 2 -j severe
-iptables -I FORWARD -j severe
-
-}}
\ No newline at end of file
diff --git a/Entities/Tachikoma.md b/Entities/Tachikoma.md
deleted file mode 100644
index 1e43348..0000000
--- a/Entities/Tachikoma.md
+++ /dev/null
@@ -1,10 +0,0 @@
-|Tachikoma|Tachikoma are individual user or service machines.|
-word
-These are named after [https://www.youtube.com/watch?v=lNY53tZ2geg Tachikoma from Ghost in the Shell]. These AI-powered tanks offered personal transportation, concealment,
-
-# Capacity and Components
-Capacity is indeterminate -- depends on the hardware being used.
-
-# Hosted Services and Entities=No services should be hosted for Tachikoma, despite [[SSH|an SSH server for remote access]].
-
-# Connections=Varies by purpose}}
\ No newline at end of file
diff --git a/Entities/Tricorder.md b/Entities/Tricorder.md
deleted file mode 100644
index facbaf7..0000000
--- a/Entities/Tricorder.md
+++ /dev/null
@@ -1,48 +0,0 @@
-Omnitool is a mobile smartphone client of the network.
-
-# Etymology
-The Tricorder is named after the fictional and ubiquitous devices from the Star Trek universe. Because the Tricorder is useful in a number of situations, hand-held in the same way, and is almost always handled by an Admin save during sleep, the name was apt.
-
-Besides, we like the subtlety, craftiness, and paranoia of the Romulans.
-
-# Capacity and Components
-This is a Verizon Wireless Droid Turbo smartphone running the Android OS. [[Category:USCellular]][[Category:Google]]
-* 48 hours of usability
-* 5.2" Gorilla Glass 4 Display with 1920x1080 resolution
-* 32 GB of onboard storage, encrypted with Android PIN
-* Microphone
-* 16MP Camera
-* CDMA, GSM, WCDMA, UMTS, LTE Network-capable with US Cellular SIM
-
-# Hosted Services and Entities
-The Tricorder can host a couple remote-management tools.
-* Apps can be remotely installed with [https://play.google.com/ Google Play Store].
-* Location identification, remote locking, and remote wiping can be achieved with [https://google.com/android/devicemanager Google Device Manager].
-* SMS, notifications, and call response can be remotely controlled with a vivoactive HR or [https://aninix.net/wiki/Subscriptions#Pushbullet Pushbullet].
-
-# Connections
-This device has clients for the following entities.
-{{Reference|Singularity}}{{Reference|Yggdrasil}}{{Reference|Eyes}}{{Reference|SSH}}
-This device physically can connect to the following.
-{{Reference|Infrastructure}}{{Reference|Shadowfeed}}{{Reference|Forge2}}
-This device can also extend Bluetooth and WiFi technology to the following devices, to extend the AniNIX's reach. 
-* Drones, such as the Parrot AR.Drone 2.0, over WiFi
-* Smart devices, like the Garmin vivoactive HR smartwatch or smart scales, over bluetooth
-* Car and other stereos over Bluetooth (this is particularly useful for playing back audio from Yggdrasil)
-* Bluetooth-capable devices for file transfer
-* WiFi-capable devices via ad-hoc WiFi network
-
-# Additional Reference
-* [https://www.lg.com/us/cell-phones/lg-US701-Black-us-cellular Reference page]
-* [https://memory-alpha.wikia.com/wiki/Romulan_tricorder Star Trek Wiki page]
-## Recovery Path
-Please encrypt your Tricorder for privacy reasons. For those concerned, here is your recovery path, should the device be rendered inoperable or inaccessible.
-* The Google Play Store records all applications installed on the phone.
-* Music, pictures, and video should be replicated from [[Yggdrasil|AniNIX::Yggdrasil]]. Please use an [[SSH|SFTP]] client to regularly store your necessary files on your AniNIX account, or upload your files to a trusted storage service. For insecure files, [https://drive.google.com Google Drive] is sufficient and free.
-* Customizations will be lost but should be easily recreated.
-* SSH Keys should be recreated. Remove any existing public keys from servers the device had access to.
-* Android devices can be remotely wiped, locked, or pinged from Android Device Manager.
-
-Most severe problems with an Android device can be fixed with a factory reset, patching, app re-installation from the Play Store, and pulling down any desired files. While this is a cumbersome process, for non-rooted, encrypted devices, this is often the easiest route.
-}}
-{{Mobile}}
\ No newline at end of file
diff --git a/Entities/Windows.md b/Entities/Windows.md
deleted file mode 100644
index cfdc340..0000000
--- a/Entities/Windows.md
+++ /dev/null
@@ -1,49 +0,0 @@
-: Warning: Windows may reformat non-Windows partitions with no warning during boot. We recommend keeping strong backups and controlling when Windows Update runs. See [http://www.omgubuntu.co.uk/2016/08/windows-10-anniversary-update-delete-partition OMGUbuntu's article] for end user experiences.
-Windows is a ubiquitous desktop environment for home computing, still compromising the majority of the market. The AniNIX hosts a virtualized Windows host to access the tools and software developed for that OS.
-
-# Etymology
-The Windows host is named for the OS it runs.
-
-# Capacity and Components
-Windows' components are provided by Microsoft. [[Category:Microsoft]] The Windows host is granted networking, USB assignments, the GTX 760 pair, 2TB of storage, 8 GB RAM, and 4 cores from [[Forge2]].
-
-# Hosted Services and Entities
-{{Reference|Games}}{{Reference|VirusScan}}
-## Customization
-There is a desktop theme available to skin the Windows desktop environment in the same fashion as [[ShadowArch]], the WebServer and the Wiki. Download it from [https://aninix.net/aninix.deskthemepack this link].
-## Standard Packages
-Available from [https://aninix.net/wolfpack WolfPack's repo]:
-* SeaMonkey Browser
- * Chrome Browser can be used in place of SeaMonkey or in addition to support Chromecasts.
-* PuTTY Terminal Emulator
-* WinSCP File Transfer
-* Launchy to emulate Linux Alt+F2 running
-* VNC viewer
-* Xming X11 server
-* DaemonTools Lite for mounting ISO's.
-
-## Hypervisor Role
-A Hypervisor should also be deployed.
-* A Windows 10 Pro license offers Hyper-V, which allows enterprise-style VM availability
-* VMWare Workstation or VirtualBox are also alternatives. 
-
-## Work Role Packages
-* WebEx
-* AnyConnect
-* One productivity suite from:
- * LibreOffice
- * Microsoft Office
-* Notepad++
-
-# Connections
-{{Reference|Forge2}}{{Reference|Shadowfeed}}{{Reference|Infrastructure}}
-
-# Additional Reference
-Remember the following things when dealing with Windows:
-* Windows updates and upgrades stand a very good chance of being destructive to other systems and itself. Never upgrade without a backup, and everything installed on Windows should have an independent recovery plan. See [[Games#Recovery]] for an example.
-* Windows tries to send data to Microsoft. Check account settings to opt out.
-* Always disable autorun to help slow malware.
-
-## Unified Credentials
-Install [https://pgina.org/ pGina] for LDAP authentication, including with [[Sora|AniNIX::Sora]].[[Category:LDAP]]
-}}
\ No newline at end of file
diff --git a/Layouts/.Internet/Shadowfeed/10.0.1.0/Core/Darknet b/Layouts/.Internet/Shadowfeed/10.0.1.0/Core/Darknet
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/.Internet/Shadowfeed/10.0.1.0/Core/Geth-Hub-N b/Layouts/.Internet/Shadowfeed/10.0.1.0/Core/Geth-Hub-N
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/.Internet/Shadowfeed/10.0.1.0/Core/Maat b/Layouts/.Internet/Shadowfeed/10.0.1.0/Core/Maat
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/.Internet/Shadowfeed/10.0.1.0/Core/MaatBuilder b/Layouts/.Internet/Shadowfeed/10.0.1.0/Core/MaatBuilder
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/.Internet/Shadowfeed/10.0.1.0/Core/Sharingan b/Layouts/.Internet/Shadowfeed/10.0.1.0/Core/Sharingan
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/.Internet/Shadowfeed/10.0.1.0/Nazara b/Layouts/.Internet/Shadowfeed/10.0.1.0/Nazara
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/.Internet/Shadowfeed/10.0.2.0/Chamberlain b/Layouts/.Internet/Shadowfeed/10.0.2.0/Chamberlain
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/.Internet/Shadowfeed/10.0.2.0/Nest b/Layouts/.Internet/Shadowfeed/10.0.2.0/Nest
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/.Internet/Shadowfeed/10.0.2.0/iRobot b/Layouts/.Internet/Shadowfeed/10.0.2.0/iRobot
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/.Internet/Shadowfeed/10.0.3.0/Games b/Layouts/.Internet/Shadowfeed/10.0.3.0/Games
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/.Internet/Shadowfeed/10.0.3.0/Tachikoma b/Layouts/.Internet/Shadowfeed/10.0.3.0/Tachikoma
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/.Internet/Shadowfeed/10.0.3.0/Tricorder b/Layouts/.Internet/Shadowfeed/10.0.3.0/Tricorder
new file mode 100644
index 0000000..e69de29
diff --git a/Layouts/Diagrams.md b/Layouts/Diagrams.md
new file mode 100644
index 0000000..0babb04
--- /dev/null
+++ b/Layouts/Diagrams.md
@@ -0,0 +1,39 @@
+Access layout looks something like the below:
+```
+Internet
+└── Shadowfeed
+ ├<> 10.0.1.0
+ │   ├── Core
+ ^   │   ├── Darknet
+ │   │   ├── Geth-Hub-N
+ │   │   ├── Maat
+ │   │   ├── MaatBuilder
+ │   │   └── Sharingan
+ │   └── Nazara
+ ├── 10.0.2.0
+ │   ├── Chamberlain
+ ^   ├── iRobot
+ │   └── Nest
+ └── 10.0.3.0
+ ├── Games
+ ├── Tachikoma
+ └── Tricorder
+```
+
+For more details on what runs on what host, look to [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate), particularly the `playbooks/deploy.yml` file, and the network traffic captured in [AniNIX/Sharingan](https://sharingan.aninix.net/).
+
+The general idea here is thus:
+* 10.0.1.0/24 is the service subnet, with NAT access from Shadowfeed creating a pseudo-secured DMZ for other AniNIX-controlled machines.
+ * SSH and HTTPS access is then filtered through the NAT controls -- typically, traffic passes through Core to ensure the right security headers get set and only the approved applications get accessed.
+ * This also assists in letting Core's network IDS and IPS capture threat data for Sharingan.
+ * It also assists in that
+* 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any host not themselves in 10.0.0.0/8.
+* 10.0.3.0/24 is the user subnet -- machines here can access the external world and 10.0.1.0/24 but not 10.0.2.0/24.
+
+Ideally, only the following external ports are open:
+* 22/tcp/ssh to Core, for read-write access
+* 443/tcp/https to Core, for read-only access
+* 6697/tcp/ircs to Core, for communication access
+* Some external NAT port for bastion access to Nazara.
+
+This ideal isn't currently met, due to some application limitations, but we're working on it.
diff --git a/Layouts/Entities.md b/Layouts/Entities.md
new file mode 100644
index 0000000..b02bc16
--- /dev/null
+++ b/Layouts/Entities.md
@@ -0,0 +1,611 @@
+This is a high-level overview of the hosts used by the AniNIX. A truer source-of-truth is in [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate), but we include this for conversation and dialog.
+
+# Core
+
+The Core is the central VM on which the AniNIX's primary services are built. It is both a production platform and software repository location.
+
+## Etymology
+The Core is so named because all the rest of the AniNIX is built around it.
+
+## Capacity and Components
+The AniNIX is a [AniNIX/ShadowArch](/AniNIX/ShadowArch) installation. It receives the following resources from [[Forge2]]:
+* 4 Cores
+* 8GB RAM
+* Virtualized GPU
+* 2TB storage
+* USB device assignment
+* Virtual bridged network interface
+* Bluetooth adapter passthrough
+* CD/DVD drive
+* BluRay drive
+
+## Hosted Services and Entities
+{{Reference|Aether}}{{Reference|Cerberus}}{{Reference|Foundation}}{{Reference|Grimoire}}{{Reference|Heartbeat}}{{Reference|IRC}}{{Reference|TheRaven}}{{Reference|Singularity}}{{Reference|Sora}}{{Reference|SSH}}{{Reference|WebServer}}{{Reference|Wiki}}{{Reference|WolfPack}}{{Reference|Yggdrasil}}
+
+## Connections
+{{Reference|Shadowfeed}}{{Reference|Eyes}}{{Reference|Windows}}{{Reference|DarkNet}}
+
+## Additional Reference
+### Storage stack
+The AniNIX uses the following storage stack, from user-accessed files to bits on disk. Bootability is from an unencrypted [https://wiki.archlinux.org/index.php/EXT4 EXT4 boot sector] and MBR [https://wiki.archlinux.org/index.php/GRUB GRUB] bootloader.
+* Files
+* [https://wiki.archlinux.org/index.php/XFS XFS Filesystem]
+* LUKS volume
+* LVM physical volume
+* 2TB Physical disk
+
+The output of "lsblk -o NAME,KNAME,SIZE,FSTYPE,TYPE,MOUNTPOINT,LABEL,PARTLABEL" gives the following layout. Additional shares mounted to accomodate users are not shown.
+NAME                     KNAME  SIZE FSTYPE      TYPE  MOUNTPOINT                  LABEL     PARTLABEL
+sda                      sda    1.8T             disk
+├─sda1                   sda1   500M ext4        part  /boot                       COREBOOT
+└─sda2                   sda2   1.8T LVM2_member part
+  ├─corestorage-coreswap dm-0    10G crypto_LUKS lvm
+  │ └─coreswap           dm-3    10G swap        crypt [SWAP]
+  └─corestorage-core     dm-1   1.8T crypto_LUKS lvm
+    └─sysroot            dm-2   1.8T xfs         crypt /
+sr0                      sr0   1024M             rom    
+}}
+
+[[Category:LDAP]]The DarkNet VM is the privacy protection of the AniNIX. The AniNIX does not believe in security by obscurity or in censorship; as such, everyone should have a voice.
+
+## Etymology
+The DarkNet is named for an anonymous network whose access is controlled only by the admins and whose usage is known only to them. It's entirely closed and anonymous.
+
+## Capacity and Components
+* [[ShadowArch]]
+* 1 core
+* 1024M of RAM
+* 150G of storage
+* Virtualized NIC
+
+## Hosted Services and Entities
+The DarkNet uses a small package list but runs more than the standard ShadowArch install. Also included are the xfce4, xorg-server, tor-browser-en(AUR), transmission-gtk, transmission-cli, and openvpn packages.
+### Abilities
+* Encrypted storage by default to a passphrase known only to admins.
+* Tor proxy service, integrated with both text lynx and GUI tor-browser-en browsers.
+ * Lynx is aliased to "torsocks lynx" globally
+* Anonymous VPN via OpenVPN (details available on request)
+
+### Hosted
+{{Reference|WolfPack}}{{Reference|VirusScan}}
+
+## Connections
+{{Reference|Core}}
+}}The Forge2 is the primary hardware platform on which the AniNIX runs.
+
+## Etymology
+The Forge2 the second Forge build, the original having been two towers instead of one.
+
+It is so named because the exterior is solid black with soft red LED's internally -- this creates an appearance similar to a furnace.
+
+The Forge builds are also so named because projects are created, developed, and tested in these frames.
+
+## Capacity and Components
+* 6-core hyperthreaded core i7 at 3.4GHz, water-cooled by Corsair H100i two-fan cooler
+* 24 GB RAM
+* 13.2 TB onboard storage. One hotswap slot open. 
+ * 60 GB solid state boot drive for Windows 10 Pro Hypervisor (Hyper-V)
+ * 1 1TB drive dedicated to additional user space and VM's
+ * 1 2TB drive dedicated to Windows data formatted as NTFS
+ * 1 2TB drive dedicated to Windows Backup formatted as NTFS
+ * 2 2TB drive dedicated to [[Core|AniNIX::Core]] -- see Core for the filesystem hierarchy there.
+ * One hotswap bay for [[Aether|AniNIX::Aether]] backups.
+ * 1 150GB drive for the [[DarkNet]] VM
+* USB 2.0 & 3.0 and eSATA slots
+* 2 10GB NIC's -- one for VM's and one for Windows
+* Bluetooth Adapter
+* Hyper-V virtualization under Windows 10 Pro[[Category:Microsoft]]
+* 1200W Corsair power supply
+* EVGA x79 Dark motherboard with PCI-e SATA extender
+* SLI'ed GTX 760 GPU's with 4GB onboard cache each
+* Corsair K70 Keyboard w/ red LED and Corsair M65 mouse.
+* CyberPower UPS
+[[Category:Corsair]]
+[[Category:EVGA]]
+[[Category:Intel]]
+[[Category:Seagate]]
+[[Category:Kingston]]
+
+## Hosted Services and Entities
+{{Reference|Core}}{{Reference|Windows}}{{Reference|DarkNet}}
+
+## Connections
+{{Reference|Infrastructure}}{{Reference|Shadowfeed}}{{Reference|Core}}{{Reference|Windows}}
+
+## Additional Reference
+### Gallery
+A gallery will be added. [[Category:TODO]]
+}}
+## Hypervisor Notes
+Hyper-V integrates VM's with Windows, allowing VM's to be started at Windows boot, providing direct disk access, and managing assignment of cores, memory, and disk.
+
+ShadowArch guests with a GUI should include xf86-video-fbdev and set GRUB_CMDLINE_LINUX_DEFAULT="quiet video=hyperv_fb:1920x1080" to get maximum screen resolution.
+
+Hyper-V comes with a few limitations. PCI and USB devices can't be passed through without 3rd-party software, but this was considered acceptable.
+
+Hyper-V guests require significant configuration to prevent performance problems. Dynamic memory should be disabled to prevent a guest from overrunning the host. 
Data Exchange, Backup, and Guest Services should all be disabled from integration services. Disable checkpoints. Automatic start action should either be on startup or disabled, and automatic stop action should always be poweroff.
+
+Hyper-V itself also requires configuration of the Windows host. The default High Performance power profile turns off monitors when not in use but does not put the entire frame to sleep -- this is the desired behavior.
+
+### Antivirus
+Make sure Hyper-V, if using [[VirusScan|antivirus]] follows the [[VirusScan##Hyper-V|Hyper-V considerations]].
+
+Presently, this still caused drops in virtual disks, crashing several VM's, so we are suspending antivirus on the hypervisor, along with most general-purpose browsing. Read the following for other user experiences.
+1. https://www.cnet.com/how-to/i-dont-use-anti-virus-software-am-i-nuts/
+1. https://www.reddit.com/r/windows/comments/41b0k0/is_antivirus_software_still_necessary_for_windows/
+
+### Windows Update
+The Windows Update service, if it deems the system too out of date or in need of critical fixes, may forcibly restart the system. We recommend keeping the Windows Update service disabled on hypervisors until patching is desired. This can be done in services.msc.
+
+We recommend addtionally setting the "gpedit.msc > Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update \ Configure Automatic Updates" option if you have a Pro or Enterprise license.
+
+### Sleep Mode
+Sleep mode, even immediately interrupted, has been observed to break network connectivity and VM uptime. When running as a Hypervisor, it is advisable to disable sleep and hibernate modes. Change these from Group Policy under Administrative Templates>System>Power Management>Sleep Settings. Enable "Turn Off Hybrid Sleep" and disable "Allow Standby States (S1-S3) when sleeping".
+
+### Previous Hypervisors
+#### VirtualBox
+Oracle VirtualBox is a free hypervisor that can run on almost any OS. 
This makes deployment and device driver management entirely on the stock OS, which was Windows in our case thus alleviating driver problems. Management is also easy, particularly with an admin account, so it's easy to assign cores, memory, and such to a VM. VirtualBox can assign raw disk access with VBoxManage. Use Windows Disk Manager (diskmgmt.msc) to identify the disk. In the case below, 7 is the disk number.
+
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" internalcommands createrawvmdk -filename "C:\Users\Admin\VirtualBox VMs\raw7.vmdk" -rawdisk \\.\PhysicalDrive7
+
+VirtualBox was dropped due to buggy integration with the running OS and the inability to start VM's at OS Boot.
+#### ArchLInux/KVM-enabled KVM
+The Forge2 frame has a 60GB SSD installed for KVM-enabled QEMU virtualization inside a minimal ArchLinux host. This implementation allows passing any host resources to the guest, including USB and PCI devices which is an advantage over other Hypervisors.
+
+While Intel VT-d provided by the motherboard ostensibly supports this passthrough, it had hardware caps on the x79 that the AniNIX could not afford (4 hard drives, 1 CD drive) without disabling KVM, and the network bridging created problems for VPN clients.
+
+## Alternatives
+You could in theory put the hardware for an AniNIX network clone in the Cloud. There are steps to set up ArchLinux in [http://codito.in/archlinux-on-azure/ Microsoft Azure] and [https://bbs.archlinux.org/viewtopic.php?id=186707 Google Cloud]. This may be advantageous for sites that have uptime concerns, low local resources, or physical security concerns.
+
+From a cost perspective, power and network for a Forge2 and [[Shadowfeed|AniNIX::Shadowfeed]] costs roughly $100 per month with a $6000 buy-in. Equivalent cloud solutions would need to supply at least one full backup image with highly available power and network, along with [[Forge2##Capacity and Components|equivalent capacity]].
+
+You should look at [[Aether|AniNIX::Aether]] notes on cloud computing if you consider this as an option.AniNIX::Forge3 will be a successor to [[Forge2|AniNIX::Forge2]] and [[Infrastructure|AniNIX::Infrastructure]]. [[AniNIX::Core]] will be turned into hardware rather than VM, and a new systemd+qemu [[ShadowArch]] install will take the role of [[Hypervisor]] from [[Windows]]. Options being evaluated are below.
+
+**This is not yet live.**
+
+## New Rack Layout
+* Forge2 bottom shelf, relegated to Windows [[Games]] and typically powered off. 
+ * Requires 27.2 x 9.9 x 25.5 inchs
+* Middle shelf: 2 PSU's in lateral
+* Next shelf: soundproof-wrapped 2 x [https://unixsurplus.com/collections/supermicro-servers/products/supermicro-1u-x8dtu-f-dual-intel-xeon-e5645-hex-core-2-4ghz-1u-server?variant=23868756487 SuperMicro X8DTU-F servers] -- one as [[Core]] and one as [[Hypervisor]]/Dev.
+ * Requires 32" x 19" x 4"
+ * Hypervisor will virtualize [[Darknet]], [[Sharingan]], [[Aether]], [[Maat]], [[Cerberus]], and [[DedSec]] VM's.
+* Top shelf:
+ * [[Shadowfeed]]
+ * [[Geth/Nazara]]
+ * [[Print]]
+ * Dev switch
+
+### Network
+WAN link runs from modem to Shadowfeed WAN. Shadowfeed LAN are
+1. Nazara
+1. PRD ether
+1. PRD IPMI
+1. Switch WAN
+
+Switch LAN are
+1. Dev ether
+1. Dev IPMI
+1. Dev table ether
+1. Windows
+
+### USB
+Each PSU has a USB that should be able to connect to Nazara. This will allow Nazara to monitor active power state into Nagios.
+
+### Power
+UPS 1 sockets are provided from one wall outlet, max load 1200W and average load 300W.
+1. HA
+ 1. PRD PSU (500W)
+ 1. Dev PSU (500W)
+1. Surge only
+ 1. Dev table strip
+ 1. Laptop charger (100W)
+
+UPS 2 sockets are provided from a second wall outlet, max load 1300W and average load 100W, on a 25' 12-gauge outdoor extension cable.
+1. HA
+ 1. Shadowfeed
+ 1. Nazara
+ 1. Switch
+ 1. Desk light (typically off)
+1. Non-HA
+ 1. Windows (1200W)The Games are a list of PC or emulated games available for users to play.
+
+## Etymology
+Let's not play games -- this service is self-named.
+
+## Relevant Files and Software
+[[Category:TODO]]
+### AAA Titles
+* The [https://assassinscreed.wikia.com/ Assassin's Creed] series
+* Dishonored
+* Deus Ex: Human Revolution
+### Indie games
+* Hacknet_
+### MMO's
+* [http://swtor.com/ Star Wars: The Old Republic] -- AniNIX members are presently playing for the Empire faction and working with the [http://mandocabure.proboards.com/ Mando Cabure] guild. Ping an admin on IRC or Discord to join the gaming.
+
## This game can be installed on ShadowArch with the following:
+pacman -S wine-staging wine-mono
+winecfg
+winetricks d3dx9 vcrun2008 msls31 winhttp
+1.  Download launcher from swtor.com
+wine ./SWTOR_launcher.exe
+timeout 60 wine ~/.wine/drive_c/Program\ Files\ \(x86\)/Electronic\ Arts/BioWare/Star\ Wars\ -\ The\ Old\ Republic/launcher.exe
+vim ~/.wine/drive_c/Program\ Files\ \(x86\)/Electronic\ Arts/BioWare/Star\ Wars\ -\ The\ Old\ Republic/launcher.settings
+1.  Change bitraider_disable to true and download mode to SSN.
+wine ~/.wine/drive_c/Program\ Files\ \(x86\)/Electronic\ Arts/BioWare/Star\ Wars\ -\ The\ Old\ Republic/launcher.exe
+
+
+* [http://www.crypticstudios.com/startrek Star Trek Online]
+### Independent Games
+: These are excellent for a [[Games/Team-building_Exercise|team-building exercise]].
+* [http://artemis.eochu.net Artemis Bridge Simulator]
+* [https://unvanquished.net Unvanquished]
+### Emulators
+* Desmune
+* VisualBoy Advance
+* ScummVM
+
+## Available Clients
+We are investigating NVidia SHIELD technology for the AAA titles.
+
+The [[Games##Independent Titles|independent titles]] have game clients that can be downloaded and the AniNIX made to be the hosting server.
+
+## Additional Reference
+### Recovery
+Recovering games used to be a tired process of maintaining product keys. Today, this is less an impact. Instead, one should buy games through services that allow reinstallation of the same. [https://steampowered.com Steam] and [https://uplay.ubi.com/ Uplay] both support this functionality. SWTOR and MMO's like it do not install unique content directly to the local machine, so they are easily reinstalled.
+
+Independent games or freeware should be preserved through keeping copies of the installers.
+
+### Streaming
+Linux [[Tachikoma]] or [[DedSec]] hosts can stream from a Games install using Steam in-home streaming. Wireless AC connections are recommended, and [https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711 firewall rules] need to be made.
+}}
+[[Category:Internal_Service]]The Geth Armature is a robotic body that allows the Geth to interact with the real world.
+
+## Uses
+1. Physical patrolling
+1. Lock inspection
+1. Invalid care, for those unable to move on their own.
+1. Hardware inspection, in the case of an [[Sharingan|AniNIX::Sharingan]] alert.
+1. Potentially firing off other Geth-controlled units, such as carrying an IR module into range of a Roomba.
+
+## Hardware
+We're coding for [http://www.swiftstreamrc.com/product/robo-buddy/ RoboBuddy from SwiftStream], but the process to be documented will be very similar for any mobile IP camera. 
Key requirements:
+* Articulation on the camera
+* Onboard lights
+* Durability of frame
+* Self-recharging
+* Good resolution
+
+## Softare
+In development! [[Category:TODO]]
+
+## Etymology
+While many Geth mobile units were modeled after their Quarian creators, larger security units were more utilitarian. The collapsible, giraffe-like Armature were the heavy armor that could be deployed into hostile territory to protect their holdings. Similarly, ours protects our locations.
+
+[[Category:Entity]]WARNING: Holocrons should not hold copies of sensitive information.
+The Holocron is a mobile USB designed to take over any computer hardware and run as an element of the AniNIX.
+
+## Etymology
+Named for the [http://starwars.wikia.com/wiki/Holocron_of_Heresies Sith Holocron] from the Star Wars universe, the Holocron is a method for AniNIX admins to craft and record all their personal code and knowledge, including [[Aether|AniNIX::Aether]] backups, [[Foundation|Git]] repo checkouts, etc. It should be secured and difficult to crack to protect the secrets within, just as its namesake -- the better the traps, the better the knowledge it can hold.
+
+## Capacity and Components
+Holocrons have no defined capacity since they are not bound to any set of hardware. The portable storage space is bound to the drive on which it's written.
+
+## Hosted Services and Entities
+No services or entities are hosted.
+
+## Connections
+Holocron can dial to any host desired. It should have VPN, SSH, remote-desktop, browser, code version control, and file transfer clients available.
+
+## Additional Reference
+Implementation details for Holocron are below.
+
+### Host drive
+We currently recommend a [https://www.pcnation.com/web/details/ZY1268/Corsair-Flash-Survivor-Stealth-64GB-USB-3-0-Flash-Drive-CMFSS3B-64GB-00843591066389?mkwid=s_dc&pcrid=64230955823&pkw=&pmt=&plc=&gclid=Cj0KEQjwo_y4BRD0nMnfoqqnxtEBEiQAWdA124R1SSj-sqFREK5wSAXJca5AVpUXJuKfbi3IuD_Sn2IaArOC8P8HAQ Corsair Survivor Stealth] for Holocrons. This offers 64GB of flash storage with the following layout, in a form that is both impact- and water-resistant, making it a resilient tool.[[Category:Corsair]]
+
+
+NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
+fd0             2:0    1    4K  0 disk
+sda             8:0    0    1G  0 disk
+sdb             8:16   1 59.6G  0 disk
+|-sdb1          8:17   1   40G  0 part  /mnt/xplatfrm
+|-sdb2          8:18   1  9.3G  0 part  /boot
+`-sdb3          8:19   1  9.3G  0 part
+  `-spartacus 254:0    0  9.3G  0 crypt /
+sr0            11:0    1  544K  0 rom
+
+
+WARNING: Do not store sensitive information on Holocrons!
Though a Holocron has its root encrypted, /boot is not and the device is portable. Physical access is death! The storage can be cloned and cracked with sufficient computing resources. The encryption is a delay but not a hard-stop protecting your information. If you have access to an encrypted machine like [[Core|AniNIX::Core]] there is no reason to keep sensitive information on this, a client device. If you have nothing else, this encryption is better than none.
+
+The Israelis and such have been working out ways to listen with directional mics to crack encryption, and I have no guarantee they didn't use some similar hardware assault to crack the encryption. The algorithm might be smart enough, but the hardware may give rise to a more direct way. Moreover, with the hardware being mobile, the firmware and bootloader could be assaulted to broadcast key signatures from memory, or someone could record you entering the decryption password. Some example vectors are below:
+* [http://www.tau.ac.il/~tromer/acoustic/ Accoustic attacks on RSA]
+* [https://dx.eng.uiowa.edu/dave/lukstext.php A sample LUKS crack]
+* [http://www.prnewswire.com/news-releases/passware-first-to-enable-computer-forensics-to-crack-linux-disk-encryption-luks-300004871.html Another potential LUKS crack]
+
+### Installation
+1. Install [[ShadowArch]] to the / partition. Remember to remove the first four lines so that your mount options are used with your storage layout.
+1. Create a folder /boot/iso in the / partition.
+1. Edit /etc/grub.d/40_custom:
+ 1. See [https://wiki.archlinux.org/index.php/Multiboot_USB_drive Arch's multiboot] for individual GRUB entries.
+ 1. Also see [https://releng.archlinux.org/pxeboot/ Arch's netboot] for a GRUB entry to use for netboot.
+1. Load ISOs and pack for travel.
+
+
+Example 40_custom file:
+
+1. !/bin/bash
+exec tail -n +3 $0
+probe -u $root --set=rootuuid
+set imgdevpath="/dev/disk/by-uuid/$rootuuid"
+menuentry 'ArchLinux ISO' {
+	set isofile='/iso/archlinux.iso'
+	loopback loop $isofile
+	linux (loop)/arch/boot/x86_64/vmlinuz archisodevice=/dev/loop0 img_dev=$imgdevpath img_loop=$isofile earlymodules=loop
+	initrd (loop)/arch/boot/x86_64/archiso.img
+}
+menuentry "Kali Linux ISO" {
+	set isofile='/iso/kali-linux.iso'
+	loopback loop $isofile
+	linux (loop)/live/vmlinuz boot=live findiso=$isofile noconfig=sudo username=root hostname=kali earlymodules=loop
+	initrd (loop)/live/initrd.img
+}
+menuentry "CentOS ISO" {
+	set isofile='/boot/iso/CentOS.iso'
+	loopback loop $isofile
+	linux (loop)/isolinux/vmlinuz noeject inst.stage2=hd:/dev/sdb2:/$isofile
+	initrd (loop)/isolinux/initrd.img
+}
+
+
+### Recommended uses
+* ArchLinux ISO: This ISO can be used to have a clean point from which to start -- its signature and size can be compared against [https://archlinux.org/download the ArchLinux page] for integrity.
+* Kali Linux ISO: This ISO is a hack suite, porting the latest tools with the user.
+* CentOS ISO: This allows a user to access an enterprise network using a trusted OS with a known signature.
+* ArchLinux local install: This is a portable workspace for the carrier -- packages installed here will be persistent, and allow the user to boot their own toolset without any or much network traffic.
+* Cross-platform storage: This allows Spartacus to perform as a usual flash-drive.
+}}The Infrastructure is a conglomerate of machines with mostly proprietary firmware providing power and connectivity to the AniNIX.
+
+## Etymology
+This should be self-explanatory -- the Infrastructure describes the lowest-level connection between the digital world of the AniNIX and the physical world. The Infrastructure passes raw resources from the physical world for the AniNIX to manipulate.
+
+## Capacity and Components
+The capacity of the Infrastructure is limited by the following areas:
+* Power: 1500VA / 900W with surge protection on all sockets and battery power on three sockets for roughly 20 minutes of operation under the usual AniNIX load. [[Category:HasBattery]] Power is provided by Madison Gas & Electric [[Category:MG&E]] via a CyberPower UPS [[Category:CyberPower]]
+* Network: Charter Communications modem providing, ostensibly, a 500MB/s upload and 6Gb/s download speed. SpeedTest.com results fluctuate. [[Category:Charter]]
+
+## Hosted Services and Entities
+{{Reference|Shadowfeed}}{{Reference|Forge2}}
+
+## Connections
+{{Reference|Windows}}
+
+## Additional Reference
+For hosts seeking insight into the Infrastructure, they can install the PowerPanel software from CyberPower.
ArchLinux contains a copy of it in the AUR: [https://aur.archlinux.org/packages/powerpanel/ linked here]
+
+The following files are then critical for configuration, after the USB device is connected to the monitoring host:
+* /etc/pwrstatd.conf
+* /etc/powerpanel/pwrstatd-email.sh
+* /etc/powerpanel/pwrstatd-lowbatt.sh
+* /etc/powerpanel/pwrstatd-powerfail.sh
+* /usr/lib/systemd/system/pwrstatd.service
+}}A Nazara host is a gateway to accessing other hosts. It is a safeguard against admin error.
+
+## Etymology
+
+Nazara hosts are named because they are the first line of defense against administrative error -- they prevent admins from being locked out of correcting their changes.
+
+## Capacity and Components
+A Nazara host needs minimal CPU or memory.
+
+## Hosted Services and Entities
+Nothing is hosted by a Nazara.
+
+## Connections
+Any host should be able to connect to a Nazara with [SSH](../Services/SSH.md) and X11, and it should be able to dial to any service provider.
+
+## Additional Reference
+Nazara hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.
+Print is the printer/scanner of the AniNIX, aimed at offering the option to convert materials from digital to physical and vice-versa.
+
+## Etymology=This entity is self-named.
+
+## Capacity and Components=A [[Category:Brother]]Brother MFC-J430W will fill this role nicely, with color printing, scanning, and (unused) faxing abilities. It can be easily installed from [https://aninix.net/foundation/ConfigPackages/ ConfigPackages].
+
+## Hosted Services and Entities=There are no hosted aspects.
+
+## Connections={{Reference|Core}}
+}}[[Category:TODO]]Roomba is a cleaning bot for the AniNIXRufus is an overlay to make use of unused clock cycles on AniNIX hardware.
It allows the AniNIX to take what would otherwise be wasted power and network presence and put it to either profit or charity.
+
+## Etymology=Rufus is named after the naked mole rat from the Kim Possible TV series; a ubiquitious companion to the protagonists, Rufus' species is also capable of great feats of digging, given their traditionally subterranean habitat. The Rufus system is equally useful at mining resources for the AniNIX, keeping it online.
+
+## Capacity and Components=Capacity depends on the number of rigs available. A "rig" may simply be a [[Geth/Hub|AniNIX::Geth hub]], a running VM, or a full-featured rig.
+
+Our full-featured rigs are built from cheap consumer-grade parts.[https://www.youtube.com/watch?v=3YMxGGXme8g Motherboard Ethereum mining presentation], accessed 2/5/18]. We have a list of our current desired parts at [https://secure.newegg.com/Wishlist/SharedWishlistDetail?ID=vcB3403ONPRZhXHgzQNC%2fg%3d%3d Newegg].
+
+## Hosted Services and Entities
+### Ethereum
+[https://ethereum.org Ethereum]https://wiki.archlinux.org/index.php/Ethereum is a decentralized currency and contract blockchain.
+
+Install and upgrade python3. From that, we can install [http://raspnode.com/diyEthereumPyeth.html PyEthApp] to mine the currency.
+
+pip3 install pyethapp
+
+
+Multiple miners can be supported in a single network, but port 30303 must be forwarded to the first node. Other nodes in the cluster will connect their ethminer to that node.
+
+Funds can be transferred to an Ethereum wallet by TODO.[[Category:TODO]][[Category:Coinbase]]
+
+### Bitcoin
+Bitcoinhttps://wiki.archlinux.org/index.php/Bitcoin is another decentralized blockchain currency -- in fact, it was the first and most popular.
+
+Mining is done by connecting GPU's or [https://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=Raspberry+pi+ASIC+bitcoin ASIC miners] to your host. From there, install bfgminer and benchmark the attached ASIC's. This can be done by standalone block mining or pool mining, where a group of miners agree to mine for the same block through shared and decentralized work.
+
+When satisfied with the operation of the benchmarking, bfgminer can be run with all hardware and a Coinbase address to receive the funds.
+
+### Folding@Home
+[https://foldingathome.org/ Folding@Home]https://wiki.archlinux.org/index.php/Folding@home is a Stanford project for protein folding research, helping researchers solve disease problems. This is our premiere project for our [https://aninix.net/pages/charity.php charity work].
+
+Install the [https://aur.archlinux.org/packages/foldingathome/ Folding@Home package] from Stanford. This will allow you to receive units of work from Stanford and process them.
+
+### BOINC
+[http://boinc.berkeley.edu/ BOINC] is a Berkley project for supporting underfunded research projects by allowing open computing resources.
+
+Install the [https://www.archlinux.org/packages/?name=boinc-nox boinc-nox]https://wiki.archlinux.org/index.php/BOINC package from Berkley. Enabling the service will use your compute resources for the needy projects.
+
+## Connections=Rufus runs on any available hardware.
+
+## Additional Reference=[https://aninix.net/irc/ Contact an admin] for current ROI -- example math can be seen in [https://www.youtube.com/watch?v=8eXI_7O4Svc this presentation]. Also, [https://www.youtube.com/watch?v=U_LK0t_qaPo this presentation] offers an overview of how Ethereum the protocol works.}}
+## ReferencesThe Shadowfeed is the networking gateway between the AniNIX and the outside world -- it broadcasts the AniNIX signal and allows the network to communicate.
+
+## Etymology
+The Shadowfeed is named after a resistance communications network in the Star Wars universe. The [http://starwars.wikia.com/wiki/CIS_Shadowfeed Shadowfeed] was a disseminated network routed through existing communications technology, allowing a separatist movement to broadcast its message.
+
+## Capacity and Components
+The Shadowfeed is an Netgear R7000 Nighthawk router hardware flashed with DD-WRT firmware.[[Category:DD-WRT]][[Category:Netgear]] It can hold numerous clients wirelessly, and it supports wired USB 2.0 and 3.0 hard-drives to create simple NAS storage. There are five physical slots, one occupied by wired connection to the Forge2 frame, one by a connection to the Verizon wireless tower, and one to the Infrastructure. One remaining slot is free with a 100ft Cat5e cable and the other reserved for hotswap in case of port failure or LAN need.
+
+Note: the best place we've found to grab firmware updates is [https://ddwrt-kong.clonevince.fr/ this upload site for Kong's builds]. Ensure that you are on build 33525 or later to avoid being vulnerable to [https://aircrack-ng.blogspot.com/2017/10/krack-wpa-vulnerability-key.html KRACK]. Follow the instructions [https://dd-wrt.com/wiki/index.php/Installation from the DD-WRT Wiki] to flash your router with new firmware or to patch. Make sure to watch for the peacocking notes!
Use the dork "kong dd-wrt build " -- if you use Chromecasts for [[Geth|AniNIX::Geth]], make sure to look for explicit validation of the devices, or run your own extensive regressions.
+
+## Hosted Services and Entities
+Nothing is hosted by the Shadowfeed, but it is manageable by either SSH or an onboard webserver.[[Category:Lighttpd]]
+
+## Connections
+The Shadowfeed has a number of hosts and entities that connect to it -- unknown entities are routed to a guest network, while known hosts are allowed inside the DMZ where they can access internal services. Direct AniNIX network members are listed below.
+{{Reference|Core}}{{Reference|Windows}}{{Reference|DarkNet}}{{Reference|Print}}{{Reference|Bastion}}{{Reference|Tricorder}}{{Reference|Geth}}{{Reference|Forge2}}{{Reference|Infrastructure}}
+
+## Additional Reference
+### Add NAT Rule
+
+iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 3389 -j DNAT --to 10.0.1.2 [ -s SourceIP ]
+iptables -I FORWARD -p tcp -d 10.0.1.2 --dport 3389 -j ACCEPT
+iptables -t nat -I PREROUTING -p udp -d $(nvram get wan_ipaddr) --dport 3389 -j DNAT --to 10.0.1.2 [ -s SourceIP ]
+iptables -I FORWARD -p udp -d 10.0.1.2 --dport 3389 -j ACCEPT
+
+### Direct config alteration
+nvram show will get all the current options, whereas nvram get variable will return a variable.
+
+nvram set or unset change variables.
+
+nvram commit pushes the change.
+
+### Guest Wifi
+[https://dd-wrt.com/wiki/index.php/Guest_Network See here.]
+
+### Sample Startup Script
+The following will insert firewall lines into your sample startup script to harden your network edge. This allows [[WebServer|web]], [[SSH]], [[IRC]], [[Geth|AniNIX::Geth]], and [[Nazara|bastion]] access through the firewall, dropping all others. It also sets up the block chain for [[Cerberus|AniNIX::Cerberus]].
+
+
+iptables -N severe
+iptables -I INPUT 2 -i vlan2 -j DROP
+iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 22 -j ACCEPT
+iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 80 -j ACCEPT
+iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 443 -j ACCEPT
+iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 6641 -j ACCEPT
+iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 6697 -j ACCEPT
+iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 9022 -j ACCEPT
+iptables -I INPUT 2 -j severe
+iptables -I FORWARD -j severe
+
+}}|Tachikoma|Tachikoma are individual user or service machines.|
+word
+These are named after [https://www.youtube.com/watch?v=lNY53tZ2geg Tachikoma from Ghost in the Shell]. These AI-powered tanks offered personal transportation, concealment,
+
+## Capacity and Components
+Capacity is indeterminate -- depends on the hardware being used.
+
+## Hosted Services and Entities=No services should be hosted for Tachikoma, despite [[SSH|an SSH server for remote access]].
+
+## Connections=Varies by purpose}}Omnitool is a mobile smartphone client of the network.
+
+## Etymology
+The Tricorder is named after the fictional and ubiquitous devices from the Star Trek universe. Because the Tricorder is useful in a number of situations, hand-held in the same way, and is almost always handled by an Admin save during sleep, the name was apt.
+
+Besides, we like the subtlety, craftiness, and paranoia of the Romulans.
+
+## Capacity and Components
+This is a Verizon Wireless Droid Turbo smartphone running the Android OS. [[Category:USCellular]][[Category:Google]]
+* 48 hours of usability
+* 5.2" Gorilla Glass 4 Display with 1920x1080 resolution
+* 32 GB of onboard storage, encrypted with Android PIN
+* Microphone
+* 16MP Camera
+* CDMA, GSM, WCDMA, UMTS, LTE Network-capable with US Cellular SIM
+
+## Hosted Services and Entities
+The Tricorder can host a couple remote-management tools.
+* Apps can be remotely installed with [https://play.google.com/ Google Play Store].
+* Location identification, remote locking, and remote wiping can be achieved with [https://google.com/android/devicemanager Google Device Manager].
+* SMS, notifications, and call response can be remotely controlled with a vivoactive HR or [https://aninix.net/wiki/Subscriptions##Pushbullet Pushbullet].
+
+## Connections
+This device has clients for the following entities.
+{{Reference|Singularity}}{{Reference|Yggdrasil}}{{Reference|Eyes}}{{Reference|SSH}}
+This device physically can connect to the following.
+{{Reference|Infrastructure}}{{Reference|Shadowfeed}}{{Reference|Forge2}}
+This device can also extend Bluetooth and WiFi technology to the following devices, to extend the AniNIX's reach.
+* Drones, such as the Parrot AR.Drone 2.0, over WiFi
+* Smart devices, like the Garmin vivoactive HR smartwatch or smart scales, over bluetooth
+* Car and other stereos over Bluetooth (this is particularly useful for playing back audio from Yggdrasil)
+* Bluetooth-capable devices for file transfer
+* WiFi-capable devices via ad-hoc WiFi network
+
+## Additional Reference
+* [https://www.lg.com/us/cell-phones/lg-US701-Black-us-cellular Reference page]
+* [https://memory-alpha.wikia.com/wiki/Romulan_tricorder Star Trek Wiki page]
+### Recovery Path
+Please encrypt your Tricorder for privacy reasons. For those concerned, here is your recovery path, should the device be rendered inoperable or inaccessible.
+* The Google Play Store records all applications installed on the phone.
+* Music, pictures, and video should be replicated from [[Yggdrasil|AniNIX::Yggdrasil]]. Please use an [[SSH|SFTP]] client to regularly store your necessary files on your AniNIX account, or upload your files to a trusted storage service. For insecure files, [https://drive.google.com Google Drive] is sufficient and free.
+* Customizations will be lost but should be easily recreated.
+* SSH Keys should be recreated. Remove any existing public keys from servers the device had access to.
+* Android devices can be remotely wiped, locked, or pinged from Android Device Manager.
+
+Most severe problems with an Android device can be fixed with a factory reset, patching, app re-installation from the Play Store, and pulling down any desired files. While this is a cumbersome process, for non-rooted, encrypted devices, this is often the easiest route.
+}}
+{{Mobile}}: Warning: Windows may reformat non-Windows partitions with no warning during boot.
We recommend keeping strong backups and controlling when Windows Update runs. See [http://www.omgubuntu.co.uk/2016/08/windows-10-anniversary-update-delete-partition OMGUbuntu's article] for end user experiences.
+Windows is a ubiquitous desktop environment for home computing, still compromising the majority of the market. The AniNIX hosts a virtualized Windows host to access the tools and software developed for that OS.
+
+## Etymology
+The Windows host is named for the OS it runs.
+
+## Capacity and Components
+Windows' components are provided by Microsoft. [[Category:Microsoft]] The Windows host is granted networking, USB assignments, the GTX 760 pair, 2TB of storage, 8 GB RAM, and 4 cores from [[Forge2]].
+
+## Hosted Services and Entities
+{{Reference|Games}}{{Reference|VirusScan}}
+### Customization
+There is a desktop theme available to skin the Windows desktop environment in the same fashion as [[ShadowArch]], the WebServer and the Wiki. Download it from [https://aninix.net/aninix.deskthemepack this link].
+### Standard Packages
+Available from [https://aninix.net/wolfpack WolfPack's repo]:
+* SeaMonkey Browser
+ * Chrome Browser can be used in place of SeaMonkey or in addition to support Chromecasts.
+* PuTTY Terminal Emulator
+* WinSCP File Transfer
+* Launchy to emulate Linux Alt+F2 running
+* VNC viewer
+* Xming X11 server
+* DaemonTools Lite for mounting ISO's.
+
+### Hypervisor Role
+A Hypervisor should also be deployed.
+* A Windows 10 Pro license offers Hyper-V, which allows enterprise-style VM availability
+* VMWare Workstation or VirtualBox are also alternatives.
+
+### Work Role Packages
+* WebEx
+* AnyConnect
+* One productivity suite from:
+ * LibreOffice
+ * Microsoft Office
+* Notepad++
+
+## Connections
+{{Reference|Forge2}}{{Reference|Shadowfeed}}{{Reference|Infrastructure}}
+
+## Additional Reference
+Remember the following things when dealing with Windows:
+* Windows updates and upgrades stand a very good chance of being destructive to other systems and itself. Never upgrade without a backup, and everything installed on Windows should have an independent recovery plan. See [[Games##Recovery]] for an example.
+* Windows tries to send data to Microsoft. Check account settings to opt out.
+* Always disable autorun to help slow malware.
+
+### Unified Credentials
+Install [https://pgina.org/ pGina] for LDAP authentication, including with [[Sora|AniNIX::Sora]].[[Category:LDAP]]
+}}
diff --git a/Layouts/Security_Layout.md b/Layouts/Security_Layout.md
deleted file mode 100644
index 75a700e..0000000
--- a/Layouts/Security_Layout.md
+++ /dev/null
@@ -1,68 +0,0 @@
-This offers a detail of the security hierarchy of the AniNIX, which is layered in the following sections.
-
-# Physical security
-Physical security includes storing the [[Forge2]] in a locked second-floor building. [[Cerberus]] offers reporting on events in this location. Admins co-locate with this location and are trained in combat and close quarters defense. Physical intrusions will be rebuffed to the fullest extent of the law.
-
-# Network/Software protection
-{{Organizer|Firewall|
-{{Organizer|Shadowfeed|
-{{Organizer|Trusted DMZ|
-{{Reference|DarkNet}}
-{{Organizer|Core|
-{{Organizer|Cerberus|
-{{Organizer|Firewall|
-Most of the services in the AniNIX are monitored by network-level intrusion detection
-## Open-access Services
-{{Reference|WebServer}}{{Reference|TheRaven}}{{Reference|Foundation}}{{Reference|Heartbeat}}
-## Password-Restricted Services
-{{Reference|IRC}}{{Reference|Wiki}}{{Reference|Yggdrasil}}
-## Remote Access
-{{Organizer|Cerberus|
-The SSH service supports password and key authentication.
-{{Reference|SSH}}
-|Cerberus}}
-}}
-|Cerberus}}
-|Core}}
-{{Organizer|Windows|
-{{Organizer|Firewall|
-{{Reference|Games}}
-}}
-|Windows}}
-}}
-{{Organizer|Guest DMZ|
-Any visitors to the AniNIX premises are given access to the outside Internet via the Shadowfeed, but this access is isolated away from AniNIX systems.
-}}
-|Shadowfeed}}
-}}
-
-# Filesystem security
-{{Organizer|Forge2|
-{{Organizer|Cerberus|
-{{Organizer|VirusScan|
-The Hypervisor content lives here.
-|VirusScan}}
-|Cerberus}}
-{{Organizer|Core|
-{{Organizer|LUKS-on-LVM Volume|
-{{Organizer|Cerberus|
-{{Organizer|VirusScan|
-Most of the data lives inside these layers.
-|VirusScan}}
-|Cerberus}}
-}}
-|Core}}
-{{Organizer|Windows|
-{{Organizer|VirusScan|
-The Windows data lives here.
-|VirusScan}}
-|Windows}}
-|Forge2}}
-
-# Backups
-[[Windows]] and [[Core]] are backed up locally on mirrored, non-RAID disks.
They are also backed up to a 4TB hard drive from the [[Forge2]] to an off site safety deposit box in a bank, making it very difficult to destroy all copies of these hosts.
-
-Should all backups be lost, the [[Aether]] project also backs up Core's critical configuration files and a list of files in [[Yggdrasil]] to an anonymous list of servers. [[Grimoire]]'s databases are independently archived to a password-based tarball and stored in cloud storage.
-
-[[Category:Security]]
-[[Category:Layout]]
\ No newline at end of file
diff --git a/Layouts/Service_and_Host_Layout.md b/Layouts/Service_and_Host_Layout.md
deleted file mode 100644
index 49fcc65..0000000
--- a/Layouts/Service_and_Host_Layout.md
+++ /dev/null
@@ -1,19 +0,0 @@
-{{Reference|Holocron}}
-{{Organizer|Infrastructure|
-{{Organizer|Shadowfeed|
-{{Reference|Tricorder}}{{Reference|Geth}}{{Reference|Bastion}}{{Reference|Print}}{{Reference|TeamRed}}{{Reference|TeamGreen}}{{Reference|TeamBlue}}
-{{Organizer|Forge2|
-{{Organizer|Windows|
-{{Reference|Games}}
-|Windows}}
-{{Organizer|Core|
-{{Reference|Aether}}{{Reference|Cerberus}}{{Reference|Foundation}}{{Reference|Geth}}{{Reference|Grimoire}}{{Reference|Heartbeat}}{{Reference|IRC}}{{Reference|TheRaven}}{{Reference|Singularity}}{{Reference|Sora}}{{Reference|SSH}}{{Reference|WebServer}}{{Reference|Wiki}}{{Reference|WolfPack}}{{Reference|VirusScan}}{{Reference|Yggdrasil}}
-|Core}}
-{{Organizer|DarkNet|
-{{Reference|VirusScan}}{{Reference|WolfPack}}
-|DarkNet}}
-|Forge2}}
-|Shadowfeed}}
-|Infrastructure}}
-
-[[Category:Layout]]
\ No newline at end of file
diff --git a/Operation/Archive/RCAs_2016-2018.md b/Operation/Archive/RCAs_2016-2018.md
deleted file mode 100644
index debe3bd..0000000
--- a/Operation/Archive/RCAs_2016-2018.md
+++ /dev/null
@@ -1,66 +0,0 @@ -{{DowntimeRCA|Windows Update Failure|cause -As background, [[Windows|AniNIX::Windows]] was installed originally as Windows 7 Home. It was later upgraded to Windows 10 Home and then Windows 10 Pro to add functionality for Hyper-V and Remote Desktop (though only to targeted IP's -- this service is considered a convenience and a vulnerability). - -The AniNIX was brought down after a Windows update on 8/24/2016. The AniNIX had had other downtimes recently on calls with Microsoft as the Windows cdrom.sys driver was not recognizing drives that were ostensibly plug-and-play. Many fixes, including reordering SATA slots, registry updates, calls with drive manufacturers for drivers, adding/removing the hardware in Device Manager, etc. had been tried and not succeeded. This issue was on hold at the time of the update. - -When Windows started again, it would only flash a "CRITICAL_PROCESS_DIED" error message. Booting with [[Holocron|AniNIX::Holocron]] showed no memory issues or other hardware problems. Using a Windows installation medium (on USB), we were not able to restore to a system restore point before the update or correct the issue with the installation. We were also not able to access the prior system images taken with the Windows backup utility. - -Discussions with Microsoft indicate that the upgrades fro Windows 7 to Windows 10 Pro had suffered silent failures that were not logged to the user. While the operating system would limp along in functionality, it was unable to be repaired and required a reinstall. -|length=~24 hours -|resolution - -At this point, the [[Forge2|AniNIX::Forge2]] frame was disconnected and all SATA lines except for the 60GB SSD were severed. Windows 10 Pro was re-installed to this disk, and display drivers were re-installed. The standard and Hypervisor packages were re-installed. [[Games]] were left to be rebuilt over time. 
-
-The frame was then brought down again and other drives reconnected, with the exception of the original Windows 10 drive. This drive will be left disconnected and system images abandoned short-term as a form of backup. Instead, backups will be taken of all installers used during the recovery process along with the Windows 10 Pro product key and registry.
-|commits
-}}
-
-{{DowntimeRCA|Windows Virtual Disk Failure|cause
-On 9/17/2016, the [[Forge2#Hypervisor_Notes|AniNIX::Forge2]] Hypervisor logged error messages about a reset being sent to the RAID1 device, an [[Windows]] warning-level event with an id of 129 and source storahci. From then on, every five seconds, error messages were logged about disks: "An error was detected on device \Device\Harddisk1\DR1 during a paging operation." with an error ID of 51 and source of disk. Also every five seconds, NTFS error of id 140 was logged with the error message "The system failed to flush data to the transaction log. Corruption may occur in VolumeId: F:, DeviceName: \Device\HarddiskVolume1. (A device which does not exist was specified.)".
-
-These error messages occurred silently for several hours. Finally, on trying to access a mounted virtual disk inside [[Core|AniNIX::Core]] on 9/18/2016, ArchLinux displayed a cascade of block update failures and required a reboot. All virtual machines on the Forge2 were to be rebooted, but none came up as Hyper-V could not detect the disks. The entire frame was restarted, VM definitions repaired manually, and services restored.
-
-This issue recurred a few days later and perhaps once a week after.
-|length=6 hours over a series of downtimes
-|resolution=Hyper-V resource files and executables were excluded from antivirus scanning. When the antivirus didn't respect this, we dropped antivirus from the Hyper-V host.
-|commits=[https://aninix.net/mediawiki/index.php?title=Forge2&type=revision&diff=722&oldid=712 Wiki change]
-}}
-
-{{DowntimeRCA|Windows Update Service Reboots|cause
-The Windows Update Service, if it does not see a reboot recently, will reboot the host to install updates. This causes downtimes on the [[Core]] VM and other service VM's; remote recovery has also been made difficult by BIOS randomly changing the boot device.
-
-Thanks to Mathisen from ##windows on Freenode, we found a GPO we're testing. Set the "gpedit.msc > Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update \ Configure Automatic Updates" option to Enabled and "Notify to download / Notify to install". This should stop automatic reboots but requires a Pro or Enterprise license.
-|length=2 hours from unattended host
-|resolution=Apply Group Policy.
-|commits
-https://aninix.net/mediawiki/index.php?title=Forge2&type=revision&diff=767&oldid=722
-}}
-
-{{DowntimeRCA|Charter ISP Outage|cause
-At 0043 CST on 11/18/2016, the Charter Residential modem lost connectivity with the wider Internet. Service was not restored until 6:45 a.m., and the admin was physically away from the system. At 1045 CST same-day, a direct check of the IP address luckily showed that the AniNIX had recovered its original IP before the outage.
-|resolution
-Admins have changed ISP contracting to be notified immediately of outages and resumption of service.
-
-The upcoming changes to the [[Cerberus|AniNIX::Cerberus]] project will include detection of changes in WAN IP and will notify admins of changes so that the remote DNS can be updated. Admins will also investigate dynamic DNS services.[[Category:TODO]].
-|length=6 hours of technical downtime, extended to 10 hours of practical downtime by a lack of reporting tools on ISP outages.
-|commits -* [https://aninix.net/mediawiki/index.php?title=Incident_Response&type=revision&diff=769&oldid=741 Wiki]}} - -{{DowntimeRCA|Windows Sleep Hangs Core VM|cause=Admin Error -- accidentally clicked sleep during RDP disconnect -|length=8 hours -|resolution=I was able to access the [[Shadowfeed|AniNIX::Shadowfeed]] and [[Forge2|AniNIX::Forge2]] entities by port forwarding through [[Bastion|AniNIX::Bastion]] from my [[Tricorder|AniNIX::Tricorder]], as I was offsite. I was able to restart [[Core|AniNIX::Core]] and supply passphrases to unlock the storage. - -This downtime was exacerbated as I did not check [[Heartbeat|AniNIX::Heartbeat]] after resuming the hypervisor. - -We've added notes for removing sleep options on servers and remote Heartbeat monitoring in response to this incident. -|commits=* [https://aninix.net/mediawiki/index.php?title=Forge2&curid=64&diff=984&oldid=932 Wiki for Forge2 notes] -* [https://aninix.net/mediawiki/index.php?title=Heartbeat&curid=83&diff=985&oldid=980 Wiki for Heartbeat notes] -}} - -{{DowntimeRCA|Windows Wake Hangs Hypervisor|cause=Code issue|length=30 minutes|resolution=All services were restarted.|commits=None yet. I plan to move Bastion to its own host, and to ensure Forge2 runs VMware ESXi rather than Hyper-V. This will take time and planning.}} - -{{DowntimeRCA|Alliant Energy Outage|cause=Power company|length=9 hours|resolution=AniNIX staff noticed connections drop to AniNIX services on 2018-09-18 12:05 CDT. At this point, power had already been out for 22 minutes and UPS power was exhausted, resulting in a shutdown of AniNIX hardware. Alliant notified AniNIX on-site admins 40 minutes later of the outage, and power was restored by 16:00. Unfortunately, AniNIX staff were not able to resume service operation until 21:15.|commits=We will add monitoring either through [[Nazara|AniNIX::Nazara]] or [[Forge2|AniNIX::Forge2]] of the UPS, but this will not prevent an outage. 
The [[Forge3|rebuild]] may improve uptime capacity, but until a generator is on-premise, this outage is unpreventable. That generator cost will take significant time to defray.}}
-
-{{DowntimeRCA|Charter ISP Outage|cause=ISP|length=4 hours|resolution=AniNIX on-site admin detected the outage at 2018-10-04 00:05 CDT and restarted modem hardware on-site several times. When this didn't work, the admin contacted the ISP and reported the outage. ISP acknowledged the outage and field techs were sent to repair the outage in the area. Service was restored at 04:10 CDT|commits=None. Our Zapier/Freshping alerting service worked appropriately, and [[Sharingan|AniNIX::Sharingan]] sent out notifications as designed when service resumed.}}
-
-[[Category:RCA Archive]]
\ No newline at end of file
diff --git a/Operation/Design_Scope.md b/Operation/Design_Scope.md
deleted file mode 100644
index be50346..0000000
--- a/Operation/Design_Scope.md
+++ /dev/null
@@ -1,34 +0,0 @@
-I'm defining scope for the various [[:Category:Service|services]] and special-use [[:Category:Entity|entities]]. Use this as a reference for [[Design Principles|design review]]. [[Category:Layout]] - -# Infrastructure -* [[SSH]] for read-write access to servers -* [[WebServer]] for server read-only and application access -* [[Grimoire]] for data storage -* [[Shadowfeed]] for networking -* [[Infrastructure]] for providing resources like power, cooling, and connectivity to the outside world. -* [[Tricorder]] and [[ShadowArch]] for end-user environments. - -# Maintenance -* [[Aether]] for backups -* [[Heartbeat]] for monitoring -* [[Maat]] for regular regressions - -# Security -* [[Sora]] for authentication -* [[Cerberus]] for intrusion detection/prevention -* [[VirusScan]] for malware -* [[DedSec]] for penetration testing -* [[DarkNet]] for privacy -* [[Cerberus]] for testing patches - -# Content -* [[Yggdrasil]] for media -* [[Wiki]] for documentation -* [[Singularity]] for news -* [[IRC]] for communication -* [[Foundation]] for code - -# Special Interest -* [[Geth]] for real-world interaction and automation -* [[TheRaven]] for artificial intelligence -* [[Holocron]] for portable toolsets.
\ No newline at end of file
diff --git a/Operation/How_to_Get_Involved.md b/Operation/How_to_Get_Involved.md
deleted file mode 100644
index 43160fa..0000000
--- a/Operation/How_to_Get_Involved.md
+++ /dev/null
@@ -1,22 +0,0 @@ -The AniNIX is currently recruiting user involvement. As such, we're providing some example background here for new persons, broken down by background. Unless a technical means is provided, your best method of passing along your feedback is [https://aninix.net/irc/ the IRC web client] or [[IRC|your own IRC client]]. Thank you to everyone who is contributing now! -[[Category:Operation]] - -# Everyone -Everyone should be willing to report issues with AniNIX software, documentation, or provided services -- connect to [[IRC|AniNIX::IRC]] to report these issues. Also sign into this service if you have an idea for new functionality, enhancements or other improvements the AniNIX should be considering! - -# Administrative, Legal, or Business Staff -Administrative, legal, or business staff are especially encouraged to review the mission statement, design principles, and development best practices in [[:Category:Operation]]. This is the "business" and "legal" model on which the AniNIX runs and is currently vague in non-technical aspects. - -# Artists -Graphic designers are encouraged to review [https://aninix.net/style.css the CSS stylesheet] and [[Special:NewFiles]] to help provide artistic direction. The current aim is a near-terminal like look with white-and-black icons surrounded by red hexagon. Review [[Design_Principles#Graphical_Design|our design principles for graphics]] to understand our motivations and aims. We welcome criticism and debate on these points. - -# Educators -Educators will be exceptionally helpful in reviewing documentation. Anything on this Wiki could be reviewed for clarity and understanding. If concepts aren't adequately explained we need to know so that we can link to wider documentation or clarify. - -Of particular interest to educators is [[:Category:Class]]. These are offerings from the AniNIX personnel are used in demos and for teaching, and we could always use review and comments on our methodology. 
- -# Physical Activity Professionals -The [[Martial_Arts/Cardio|cardio]] page could always use new exercises or providers to follow. - -# Technical Personnel -These folks are the core of the AniNIX contributing community. This wiki and [https://aninix.net/foundation the Foundation git repo] need review and comments. Submit [[QANs]] as you see the need.
\ No newline at end of file
diff --git a/Operation/Incident_Reports.md b/Operation/Incident_Reports.md
index 727d086..c917bd8 100644
--- a/Operation/Incident_Reports.md
+++ b/Operation/Incident_Reports.md
@@ -1,26 +1,3 @@ -These are cybersecurity incidents that the AniNIX has had to remedy due to some failure in our detection and prevention systems. - -**Note**: We explicitly exclude routine incidents, such as IP's banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping. - -# January 2018 Spambot Detection -An attacker used a default password to pull down a Perl SMTP spambot and email list to spam fake Bank of America emails to users, attempting to phish them into clicking an xplotica link. - -* When: 11-29-2017 through 1-4-2018 -* Who: IRL identity unknown; last source IP 196.52.32.4 (Netherlands residential) -* What: Spambot -* * Vector: Attacker used a default password to access a monitoring user account; spambot and target lists were downloaded from a GoDaddy webhost (now nonfunctional). - -Detection was provided by the ISP and [https://www.abusix.com/ Abusix]. The Postfix service was shut down, and forensic analysis performed starting with the /var/spool/mail folder and tmux session capture. - -# Impact -This has negatively impacted the AniNIX's reputation as an SMTP source -- we are following up with Abusix and Google to restore our reputation. - -Current forensic investigation does not indicate a compromise to any AniNIX privileged information. - -## Our Response -* Monitoring user password has been rotated on all systems. -* Automatic password rotation for service accounts will be added to the service deploy automation. -* Sharingan needs updates to better monitor lastlog output and the sshd "Accepted" regex in journald. Postfix will be evaluated for appropriate MTA settings and restored to service later. - -Contact an admin for access to incident files. +These are cybersecurity and availability incidents that the AniNIX has had to remedy due to some failure in our detection and prevention systems within the last two years. 
+**Note**: We explicitly exclude routine incidents, such as IP's banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping. We are also not including maintenance outages or short-term (<8 hours) ISP events.
diff --git a/Operation/Incident_Response.md b/Operation/Incident_Response.md
index 0dc30f9..dffcf0a 100644
--- a/Operation/Incident_Response.md
+++ b/Operation/Incident_Response.md
@@ -1,45 +1,35 @@ # CERT Grab-bag -CERT, or Computing Emergency Response Team, is an acronym for first-responders to cybersecurity and computing incidents. +[CERT][1], or Computing Emergency Response Team, is an acronym for first-responders to cybersecurity and computing incidents. The FBI maintains a cyber incident reporting service -- should the incident be of a sufficiently malicious nature, it should be reported to the authorities. See [https://www.fbi.gov/file-repository/law-enforcement-cyber-incident-reporting.pdf/view this whitepaper] for a breakdown of how to report. CERT individuals should keep a copy of the following things at all times in a grab-bag: * The above whitepaper for FBI contacts -* The [https://aninix.net/mediawiki/index.php?title=Template:Incident_Report&printable=yes AniNIX CERT Form] -* Copies of [[Category:Layouts|AniNIX layouts]] +* An up-to-date Git clone of this Wiki +* Laptop and mobile phone +* Any phyical-security tools +* Kali Linux and ArchLinux ISOs in ready-to-boot format * Scratch paper and thumb drives for evidentiary capture, along with chain of custody labels -[https://www.youtube.com/watch?v=PhROeWMPBqU Skillset via YouTube], accessed 1/4/18 # Incident vs. Disaster -An incident is an unplanned event affecting a service or agency, where a disaster reflects multiple services or agencies.[https://www.linkedin.com/learning/introduction-to-ethical-hacking/information-security LinkedIn Intro to Ethical Hacking Course] by Lisa Bock A catastrophe is defined as one-step worse -- a destruction of AniNIX software and hardware necessitating rebuilding the same and likely a relocation of any operations and facilities. +An incident is an unplanned event affecting a service or agency, where a disaster reflects multiple services or agencies. A catastrophe is defined as one-step worse -- a destruction of AniNIX software and hardware necessitating rebuilding the same and likely a relocation of any operations and facilities. 
# Required Follow-ups : See TOGAF, COBIT, and ITIL standards for design methods for incident response. Also available is documentation from [https://duckduckgo.com/?q=NIST+Creating+security+plans+for+federal+information+systems&ia=web NIST] on how to formulate security plans. -If any disruption of service is caused, an [[RCAs|root-cause analysis (RCA)]] will be filed and users will be notified via [[Singularity|RSS]] and [[IRC]]. Alternatively, cybersecurity incidents will be documented as [[Incident Reports]] and deep-dives can be requested of AniNIX staff. +If any significant disruption of service is caused (more than 8 hours), an [Incident Report](./Incident_Reports.md) will be filed and users will be notified via [RSS](https://singularity.aninix.net), [IRC](https://irc.aninix.net), and all relevant social media. -As the AniNIX learns of better configuration processes or usage methodology, this Wiki will be updated, which will automatically notify users subscribed to [[Special:RecentChanges]] via RSS. +As the AniNIX learns of better configuration processes or usage methodology, this Wiki will be updated, which will automatically notify users via IRC. -Critical patches to AniNIX software and scripts should be added to [[Foundation|AniNIX::Foundation]] immediately with a proper commit message and notifications sent. +Critical patches to AniNIX software and scripts should be added to [AniNIX/Foundation](https://foundation.aninix.net/) immediately with a proper commit message -- with the right webhooks set, this will send a notification via IRC. # Service-level incident response -The AniNIX maintains onsite [[Security_Layout#Backups|backups]] -- the affected service will be stopped, repaired from best-effort backups, and restarted. Unaffected services will not be disrupted. +The AniNIX maintains onsite backups -- the affected service will be stopped, repaired from best-effort backups, and restarted. Unaffected services will not be disrupted. 
# Software Disaster Recovery Should a collective failure of software occur, all services will be stopped until the damage can be repaired. The AniNIX has onsite backups to this end. ## ISP events -In the event of an ISP event, a redundant method of providing access is available, but some services will be significantly limited or disabled to limit bandwidth usage. If ISP's are unavailable, admins should send the following: - -:Hello, all, - -:Internet access to the network is currently unavailable. To meet with an admin or check on the status, please visit the AniNIX Discord Channel. We will let you know when services are back. - -::**Attach Discord static invite here** - -:Thank you for your patience. -:AniNIX Admins - -Admins should also keep a list of [[Sora|registered users]]' emails in a local location -- we recommend storing them in an [[Tricorder|AniNIX::Tricorder]] along with the last known good IP of the AniNIX. +In the event of an ISP event, a redundant method of providing access is available, but some services will be significantly limited or disabled to limit bandwidth usage. If ISP's are unavailable, admins should notify @everyone on Discord and stay available until access is restored. # Hardware Incident Response In the event of the failure of a redundant or unnecessary hardware component, an admin will: 
@@ -56,12 +46,13 @@ Should hardware critically fail, the AniNIX does not currently have a support ag If necessary, restoration from the safety-deposit backup will be utilized. # Complete Disaster Recovery -In the event of a complete disaster, the first line of defense is a hard-drive stored in a safety deposit box with a complete backup of the [[Core|AniNIX::Core]] VM, which includes the source code to rebuild all other machines. +In the event of a complete disaster, the first line of defense is a hard-drive stored in a safety deposit box with a complete backup of the AniNIX/Core VM, which includes the source code to rebuild all other machines. # Catastrophic Loss Or Attack -Should all else have been compromised, a large number of [[Aether|AniNIX::Aether]] nodes will allow rebuilding the system from source code, though there will be a massive loss of data. Some of this will be recoverable over time through file lists stored in the Aether packages, but other data will be lost. This is the last-ditch recovery method. +Should all else have been compromised, a large number of [AniNIX/Aether](/AniNIX/Aether) nodes will allow rebuilding the system from source code, though there will be a massive loss of data. Some of this will be recoverable over time through file lists stored in the Aether packages, but other data will be lost. This is the last-ditch recovery method. AniNIX admins maintain "bug-out" bags for massive environmental, political, or criminal disturbances, with copies of the Aether package on encrypted storage. They are trained to safely self-evacuate and rebuild the network in a safe location. This recovery method will take a long time to effect; users should watch the aninix.net domain name for a return of some IRC daemon with which to use to communicate with admins. As soon as possible, admins will reach out to the userbase to announce when services will be restored, the reason for loss of service, and the extent of data loss. 
-# References -[[Category:Operation]]
\ No newline at end of file
+
+[1]: https://www.youtube.com/watch?v=PhROeWMPBqU "Skillset via YouTube, accessed 1/4/18"
+[2]: https://www.linkedin.com/learning/introduction-to-ethical-hacking/information-security "LinkedIn 'Intro to Ethical Hacking Course' by Lisa Bock"
diff --git a/Operation/Manual_of_Style.md b/Operation/Manual_of_Style.md
index 3c9ca62..a84a9f5 100644
--- a/Operation/Manual_of_Style.md
+++ b/Operation/Manual_of_Style.md
@@ -2,85 +2,24 @@ This is intended to give contributors a baseline for editing. # Proper naming Services on this network are properly titled in the below format. This should always be used the first time a service is referenced. -
AniNIX::{ServiceName}[/{Area}][ \\ {Title}]
+``` +AniNIX/{ServiceName}[ | {Area}] +``` # Grammar -Grammar is a writer's toolbox. You can't build good sentences without knowing how to use your tools. Since a wiki article should be as clear as possible for all those reading it, editors should keep their edits as grammatically correct as is possible, in order to ensure clear communication of the information being provided.[http://assassinscreed.wikia.com/wiki/Assassin's_Creed_Wiki:Manual_of_Style Assassin's Creed Wiki MoS] - -## Capitalization -Words should be capitalized at the start of each sentence, and when they are denoting a name or title, in line with current grammatical precedent, for example: - -::"The Aether project should be used to back up critical servers." - -## Titles of works -Titles of works should be italicized to make clear that they are names; the titles of articles, chapters, and other short works should not be italicized, but are enclosed in double quotation marks. +Grammar is a writer's toolbox. You can't build good sentences without knowing how to use your tools. Since a wiki article should be as clear as possible for all those reading it, editors should keep their edits as grammatically correct as is possible, in order to ensure clear communication of the information being provided. Follow proper English language standards. # Writing Style -:*“I believe the road to hell is paved with adverbs”* -- Stephen King +_Be concise._ Professionals are already taxed for time to maximize their utility; they need clear, direct language to understand what needs to be done. In this simplicity of purpose beauty is found, not in flowerly, lengthy prose. -We now come to the meat of an article: the words themselves. When you're editing wikis, you're both academic and artist. You have to be accurate, but you also have to be interesting. Neither one can dominate; you have to skillfully balance both. 
+_Contain your scope._ Avoid letting your scope creep beyond what is meaningful to the task at hand; documentation should be like the tools being described: narrowly defined, and deeply explored. -**Keep your writing concise.** Don't use two words where one will do. Keeping your writing simple will make it easy to understand and easy to expand on. Use complete sentences whenever possible. When you write, use grammar as a toolbox: know the rules, but only break them on purpose. +_Be impersonal._ Avoid making statements that indicate personal preference as an authority; rather, indicate why what's being done is the best available. -**Check your spelling and grammar.** Do not use 'u' in place of 'you' or '2' in place of 'to'. Write the way you would for a class paper or a newspaper article. - -**Keep all of the topics you cover within the scope of the article.** What that means is, you don't need to give a detailed history of all AI on the page about [[TheRaven|AniNIX::TheRaven]]. Consider the article's title as your point of origin and write from that perspective. Make use of the wiki's ability to link to more detailed articles or external sources for more information. - -**Write from an impersonal perspective.** Do not use "I." For example, do not write, "In the years that followed, Ezio began a quest to rediscover the lost history of the Order, As far as I know." Avoid drawing attention to the author (yourself) as much as possible. - -**Be bold.** If you know something is wrong, correct it. If you think you could word something better, write it. If an article has a glaring deficiency, fill it. Even if your first attempt isn't golden, you can fix it later or someone else will come along and fix it for you. Don't be afraid to screw up. - - -**Use present tense.** These services, enttitles and policies are active, living, and fluid -- because they're changing now, we use present tense to describe current state. 
+_Use present tense._ These services, enttitles and policies are active, living, and fluid -- because they're changing now, we use present tense to describe current state. # Images -Images make an article memorable and pretty. They can speak where words fail. At the same time, misplaced or untidy images can detract from an article. When choosing images, keep in mind placement, size, and the appropriateness of the image to the section. Let images flow with the text instead of break it up. - -Large images such as screenshots should use the "thumb" (example:[[Image:CoolImage.png|thumb]]) option which displays large images as thumbnails. Images should generally be right aligned to enhance readability by allowing a smooth flow of text down the left margin - the "thumb" option does this by default. If an infobox is not being used in an article, a right aligned picture in the lead section is encouraged. - -Images should be kept to a minimal number -- three or fewer inline images per article. High-quality images should be stored in [[Yggdrasil|AniNIX::Yggdrasil]]. - -### Galleries -When an article has many images, or can be improved by having more, and having inline images can detract from its readability, the use of a section is encouraged. See the [[#Useful_Snippits|Useful Snippets]] for how to implement that. - -Galleries should be five images or less. More images than that or exceptionally high-quality images should be in [[Yggdrasil]]. +We generally will not use images in these projects -- very little is represented better as images than as code snippets for a deep infrastructure system like the AniNIX. If you do need images, generally speaking it is best to contact an AniNIX admin to distribute the image via some CDN outside of Foundation, rather than committing it directly. Repos that are mirrored out to GitHub may be an exception. # Useful Snippets -## Tables -
-{|class="wikitable"
-|-
-| Cell 1 || Cell2
-|-
-|}
-
-## Transclusion -This will include an entire other page in yours. -
{{:Wiki}}
-## Links -Internal:
[[Wiki]]
-External:
[https://aninix.net/root.php WebServer]
-## Styling -
-*Bold*
-**Italic**
-
- -## Images -
-[[File:Image|thumb|250px|right|Some caption]]
-
- -## Gallery -
-
-Image:Example.jpg|Caption
-Image:Example.jpg|Caption
-
-
- -## If/then -
{{#if:{{{add|}}}|==Additional Reference
-{{{add}}}|}}
- -[[Category:Operation]] \ No newline at end of file +See [the upstream syntax notes](https://daringfireball.net/projects/markdown/syntax) for examples. diff --git a/Operation/Mission_Statement.md b/Operation/Mission_Statement.md deleted file mode 100644 index 957801a..0000000 --- a/Operation/Mission_Statement.md +++ /dev/null @@ -1,6 +0,0 @@ -The mission statement of the AniNIX is simple: -1. Provide an example suite of services and serve a small userbase -1. Provide documentation and source code to allow anyone to replicate the system. -1. Contribute actively to the global community by involvement in the open-source community and charity work. - -[[Category:Operation]] \ No newline at end of file diff --git a/Operation/Provisioning.md b/Operation/Provisioning.md index 46bcb6e..e965099 100644 --- a/Operation/Provisioning.md +++ b/Operation/Provisioning.md 
@@ -3,66 +3,50 @@ Provisioning is the process by which new users, services, and hosts are added to # Users ## Notes on Administrative and Daemon Users -These users should always be created as local users. Daemon users should be given /sbin/nologin or /bin/false as their login shell to prevent them from doing bad things -- systemd service files will appropriately set UID/GID on processes and shells aren't needed. These daemon users should always have local credentials to be immune to failures in remote services like [[Sora]] +These users should always be created as local users. Daemon users should be given /sbin/nologin or /bin/false as their login shell to prevent them from doing bad things -- systemd service files will appropriately set UID/GID on processes and shells aren't needed. These daemon users should always have local credentials to be immune to failures in remote services like [AniNIX/Sora](/AniNIX/Ubiqtorate/src/branch/main/roles/Sora). * Many services, like IRC, TheRaven, Heartbeat, Sora, and others will use a daemon user at the OS level. These should be local passwords. * At the OS, the admin will be the root user. * SSH should have one deprivileged user that is local. * IRC will have netadmins provisioned with local passwords; these netadmins will need a corresponding LDAP account only for IRCServices. Failure to log in with IRCServices is more acceptable than losing control of the daemon itself. The IRC modules can be unloaded and registration enabled if a local account is needed. -* Wiki can only be either LDAP-enabled or local; as we want unified credentials, loss of edit privileges for everyone is acceotable in the case that LDAP has failed. - * The following snippet can be used to lock down a specific wiki so only administrators (sysop) can edit. -
-$wgGroupPermissions['*']['edit'] = false;
-$wgGroupPermissions['*']['read'] = false;
-$wgGroupPermissions['user']['read'] = false;
-$wgGroupPermissions['user']['edit'] = false;
-$wgGroupPermissions['sysop']['read'] = true;
-$wgGroupPermissions['sysop']['edit'] = true;
-
+ +## Template User Notification +``` +Hello, , + +You have a new set of credentials to the AniNIX! Your new user ID is and your initial password is . Please reset your password at https://password.aninix.net/ + +You now have access to all the public services of the AniNIX! Your credentials will work across the board. Please make sure to review our operational documentation (https://foundation.aninix.net/AniNIX/Wiki), particularly the User Ethics page, to understand what the AniNIX is and how to properly contribute. + +If you have any questions, please stop by our IRC network (https://irc.aninix.net) and sign in to NickServ. We'd be happy to talk with you anytime -- admins are indicated with the '^', '~', or '@' sign in the #lobby channel. Again, welcome to the network! + +~AniNIX Admins +``` ## Groups Most groups will be local to a given host; ssh-allow and git permissions will be local, for example. LDAP should at least have an ldapuser group to act as the primary group for LDAP users. +# Service Authorization via AniNIX/Sora +This project should be the central credential store for end-users on the AniNIX. Below are some notes to help with the setup. Code for provisioning this access should be in the template configs in [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate) -## [[Sora]] -This project should be the central credential store for end-users on the AniNIX. Below are some notes to help with the setup. +## ShadowArch +OS Accounts can be added with PAM/NSLCD authentication being enabled. See [the Arch Wiki](https://wiki.archlinux.org/index.php/LDAP_authentication) and [this link](https://eng.ucmerced.edu/soe/computing/services/ssh-based-service/ldap-ssh-access) for more basic steps to set this up. _Note:_ Make sure SSH services are secured with a required group of ssh-allow before enabling this. -### [[ShadowArch|OS]] -OS Accounts can be added with PAM/NSLCD authentication being enabled. 
See [https://wiki.archlinux.org/index.php/LDAP_authentication the Arch Wiki] for basic steps to set this up. - -Note: Make sure [[SSH]] services are secured with a required group of ssh-allow before enabling this. See [https://eng.ucmerced.edu/soe/computing/services/ssh-based-service/ldap-ssh-access this link] for how to enable SSH access. - -### [[IRC]] +## IRC All LDAP accounts are enabled for IRC NickServ access -- the LDAP uid will be the owning nickname. Group membership is allowed, but admins may drop nicks if another user is being created with the uid. -### [[Wiki]] -Wiki's have LDAP groups attached to them; those who will be editors on a given Wiki will be given the Wiki's group to log in with. +## Foundation +Foundation allows user creation from LDAP -- we then disable registration in the config. Users can form their own organizations and create repos with admin oversight. -### [[Singularity]] -[[Category:TODO]] We are working to integrate the ttrss-ldap-auth-git package from the ArchLinux AUR. +## Singularity +We are working to integrate the ttrss-ldap-auth-git package from the ArchLinux AUR. -## [[Yggdrasil]] -Yggdrasil currently relies on Plex.tv for account management. Users seeking access to this project will need a Plex.tv account for streaming access. File access can be given with an SFTP jailed account in Sora. - -## Template User Notification -Hello, , - -You have a new set of credentials to the AniNIX! Your new user ID is and your initial password is . Please [[SSH#Available_Clients|SSH]] to @aninix.net and change your password as soon as possible. - -You now have access to all the [[:Category:Public_Service|public services]] of the AniNIX! Your credentials will work across the board. Please make sure to review [[:Category:Operation|our operational documentation]], particularly the User Ethics page, to understand what the AniNIX is and how to properly contribute. 
- -If you have any questions, please stop by [https://aninix.net/irc our IRC network] and sign in to NickServ. We'd be happy to talk with you anytime -- admins are indicated with the '@' or '~' sign in the #lobby channel. Again, welcome to the network! +## Yggdrasil +Yggdrasil uses the Emby LDAP plugin set up inside the application to provide LDAP access. # Services -Services should be provisioned from the [[Foundation]] -- this ensures that standards are followed and a best-attempt is made at security practices. Configure the service post-install to fit your need. +Services should be provisioned from the Foundation and Ubiqtorate -- this ensures that standards are followed and a best-attempt is made at security practices. Configure the service post-install to fit your need. # Hosts -Hosts should be provisioned on an as-needed basis. A default AniNIX network includes the following: -* [[Shadowfeed]] -* [[Core]] -* [[DarkNet]] -* [[Bastion]] - -[[Category:Operation]] -[[Category:Security]]
\ No newline at end of file
+Hosts should be provisioned on an as-needed basis. A default AniNIX network is exemplified in [this inventory](/AniNIX/Ubiqtorate/src/branch/main/examples/msn0.yml).
diff --git a/Operation/RCAs.md b/Operation/RCAs.md
deleted file mode 100644
index 5b518c7..0000000
--- a/Operation/RCAs.md
+++ /dev/null
@@ -1,4 +0,0 @@
-These are some recent unplanned downtimes on the AniNIX, starting from 8/24/2016. We provide this list and root-cause analyses (RCA's) so that other networks can learn from them or suggest better practices for us to follow. Past years' RCA's are recorded in [[:Category:RCA Archive]]. -[[Category:Operation]] - -{{DowntimeRCA|Charter ISP Outage|cause=ISP|length=4.5 hours|resolution=AniNIX off-site admin detected the outage at 2019-06-18 16:08 CDT. Phone calls to the ISP confirmed a physical outage. ISP acknowledged the outage and field techs were sent to repair the outage in the area. Service was restored at 20:16 CDT.|commits=Our Zapier/Freshping alerting service worked appropriately, and [[Sharingan|AniNIX::Sharingan]] sent out notifications as designed when service resumed. However, admin staff had run out of coffee -- coffee will be purchased to prevent further outages, as the tech stops working when the coffee runs out.}}
\ No newline at end of file
diff --git a/Operation/README.md b/Operation/README.md
index ebf4d27..a1646f6 100644
--- a/Operation/README.md
+++ b/Operation/README.md
@@ -1,36 +1,19 @@ -To get started with the AniNIX stack, some familiarity with key concepts and technologies is encouraged. +The AniNIX is currently recruiting user involvement. As such, we're providing some example background here for new persons, broken down by background. Thank you to everyone who is contributing now! -# The AniNIX -Contributing users should be familiar with the following pages, though these are only a selection of [[:Category:Operation|our operational policies]]. -* [[User Ethics]] for the integrity required of contributors and users -* [[Design Principles]] -- how to design projects -* [[Development Best Practices]] for safe project work -* [[QANs]] for requesting bug fixes, and [[Bug Bounties]] for ongoing research projects. +# Everyone +Everyone should be willing to report issues with AniNIX software, documentation, or provided services -- connect to [IRC](https://irc.aninix.net/) or any of our social media to report these issues. Also sign into this service if you have an idea for new functionality, enhancements or other improvements the AniNIX should be considering! -# Basic Applications -RSS (Really Simple Syndication) is a format of [https://en.wikipedia.org/wiki/XML XML] files presented over Internet HTTP links. It requires a reader like [[AniNIX::Singularity]], but many sites will have an orange icon with a dot and three curves to indicate their RSS feed -- we have one on our [https://aninix.net/ Root] page. +# Administrative, Legal, or Business Staff +Administrative, legal, or business staff are especially encouraged to review the mission statement, design principles, and development best practices in [Policies](/AniNIX/Wiki/src/branch/main/Policies) and [Policies](/AniNIX/Wiki/src/branch/main/Policies). This is the "business" and "legal" model on which the AniNIX runs and is currently vague in non-technical aspects. -IRC or Internet Relay Chat is our primary means of communication. 
IRC clients connect to an IRC server -- the server also hosts services, such as a channel registry (ChanServ) and nickname reservation (NickServ). Our [[IRC|IRC Wiki page]] has details on clients to connect to our IRC, as well as links to tutorials and a channel mode listing. +# Artists +Graphic designers are encouraged to review our stylesheets and any repo icons to help provide artistic direction. The current aim is a near-terminal like look with white-and-black icons surrounded by red hexagon. Review our (Design Principles](./Design_Principles.md) to understand our motivations and aims. We welcome criticism and debate on these points. -[[Wiki]] is a Web application for community-driven content. Wikipedia maintains a [https://en.wikipedia.org/wiki/Help:Getting_started Getting Started] guide that's excellent reading for new users of the application. +# Educators +Educators will be exceptionally helpful in reviewing documentation. Anything on this Wiki and any other repo's Markdown files could be reviewed for clarity and understanding. If concepts aren't adequately explained we need to know so that we can link to wider documentation or clarify. -Git through [[Foundation|AniNIX::Foundation]] is a complicated system. While known as the "stupid content tracker", there are books written on Git for its many features. New users should start with the [https://linux.die.net/man/1/git git] man page and [https://linux.die.net/man/7/gittutorial turorial]. +# Physical Activity Professionals +[AniNIX Martial Arts](/martialarts) is always looking for input on how we teach, exercises we use, and other technique suggestions. Feel free to stop by any time. -The shell is the user's primary method of interacting with the OS -- this is done with a local or remote terminal emulator. TLDP has a very [http://tldp.org/LDP/Bash-Beginners-Guide/html/ valuable guide] that new persons should read. 
- -# Code Development -One of my favorite places for learning code development is [https://www.codingame.com/start Codingame], where students are given challenges to solve in their programming language of choice. Compiled code on the AniNIX generally is written in C# or C, and we'd recommend new users choose one of these if they want to contribute to new projects. - -Users should also see [https://www.w3schools.com/ W3Schools] for front-end development through the HTML/CSS/PHP/JavaScript stack for a [[WebServer]]. HTML is used to create the structure of the page, CSS the format of colors etc., PHP for server-side code, and Javascript for client-side code. - -# The Operating System -To get started on the operating system, Google: -* [http://google.com/search?q=Unix+Basics Unix Basics] -* [http://google.com/search?q=OSI+Model OSI Model] and IPv4 Routing -* [https://wiki.archlinux.org/index.php/General_recommendations ArchLinux General Recommendations] - -# Learning about Security -* Users should try to go through [https://ssd.eff.org/ Surveillance Self-defense] from the Electronic Frontier Foundation. - * Younger users can use [[:Category:Google|Google]]'s [https://beinternetawesome.withgoogle.com/en_us Be Internet Awesome]. - -[[Category:Operation]]
\ No newline at end of file
+# Technical Personnel +These folks are the core of the AniNIX contributing community. This wiki and [https://aninix.net/foundation the Foundation git repo] need review and comments. Submit [issues](/issues) as you see the need.
diff --git a/Operation/Social_Media.md b/Operation/Social_Media.md
deleted file mode 100644
index 747d784..0000000
--- a/Operation/Social_Media.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The AniNIX does want to be accessible to end-users, and social media is a global phenomenon that most people are aware of. However, we feel a general distrust for global social media -- self-hosting is optimal for retaining privacy and unifying credentials across services in a way that the AniNIX can protect its end-users.
-
-Currently, our approach to social media is to identify platforms where we may have an interest in promoting the network, and to establish accounts in those areas with a single post linking back to the AniNIX equivalent. Please see [https://aninix.net/pages/social.php our social index] for accounts and platforms on which we have a presence today.
-
-[[Category:Operation]]
\ No newline at end of file
diff --git a/Operation/TeamBlue.md b/Operation/TeamBlue.md
deleted file mode 100644
index d0108cb..0000000
--- a/Operation/TeamBlue.md
+++ /dev/null
@@ -1,33 +0,0 @@
-{{Entity|TeamBlue|
-TeamBlue acts as the defensive side of penetration testing and is the primary testground for [[Cerberus|AniNIX::Cerberus]] and all of [[:Category:Security|our security best-practices]].
-|word=Blue teams are colored after police and friendly forces in penetration testing exercises.
-|cap=1 core, 2GB RAM, 30GB hard-drive.
-|host=TeamBlue should have the extras from Cerberus installed.
-{{Reference|Cerberus}}{{Reference|VirusScan}}
-|conn=This box is expected to be attacked by TeamRed. We may add CFEngine for compliance and patching control, and use this machine to test patches before pushing them to Core, Bastion, DarkNet, and Team VM's.
-{{Reference|Core}}{{Reference|Sora}}
-|add
-Watch [https://wiki.archlinux.org/index.php/List_of_applications/Security ArchLinux's Security application list] for tools specific to your use case.
-
-# Security Essentials
-Alien Vault recommends the following five security essentials for a "blue" security team.[https://www.alienvault.com/forms/webcast-thank-you/how-to-simplify-pci-dss-compliance-with-unified-security-management How to Simplify PCI-DSS Compliance with Unified Security Management], accessed 9/7/2017
-## Asset Discovery
-This can be coordinated through a nmap script like below, or through [[Geth|AniNIX::Geth]]'s [https://home-assistant.io/components/discovery/ discovery].module.
-## Vulnerability Assessment
-We're looking at a couple candidates for this: [[Category:TODO]]
-* lynis
-* OpenSCAP
-## Intrusion Detection
-This functionality is provided by [[Cerberus|AniNIX::Cerberus]]. We're considering Tripwire and OSSEC to replace AIDE inside Cerberus.
-## Behaviorial Monitoring
-We use [[Heartbeat|AniNIX::Heartbeat]] to set each system's baseline and audit logs for user behavior.
-## Log Management
-We're evaluating using [[AniNIX::Bastion]] as a rsyslog host.
-## Encryption
-### At rest
-We use dmcrypt to encrypt files by default at the storage layer via [[ShadowArch|AniNIX::ShadowArch]]
-### In motion
-We use [[:Category:SSL|SSL]] for encrypting data in motion.
-}}
-# References
-[[Category:Security]]
\ No newline at end of file
diff --git a/Operation/TeamGreen.md b/Operation/TeamGreen.md
deleted file mode 100644
index aa7fe9a..0000000
--- a/Operation/TeamGreen.md
+++ /dev/null
@@ -1,9 +0,0 @@
-{{Entity|TeamGreen|
-TeamGreen runs regular QA regressions and reports results on the [[Foundation|AniNIX::Foundation]] repositories.
-|word=Similar to [[TeamRed]] and [[TeamBlue]], this box is named for ensuring the quality of AniNIX code.
-|cap=1 core, 1GB memory, 30GB hard-drive.
-|host=TeamGreen should host a set of Docker images generated from the ConfigPackages/TeamGreen repo. We are considering using Jenkins to monitor the repo and update regressions, but there are security concerns with that application. TeamGreen code should be written in Python3 using doctest, py.test, hypothesis, and Radon.
-|conn
-{{Reference|Foundation}}
-|add
-1. See [https://www.digitalocean.com/community/tutorials/docker-explained-using-dockerfiles-to-automate-building-of-images this article] on how to build Docker images for projects.}}
\ No newline at end of file
diff --git a/Operation/TeamRed.md b/Operation/TeamRed.md
deleted file mode 100644
index fa5ecfe..0000000
--- a/Operation/TeamRed.md
+++ /dev/null
@@ -1,8 +0,0 @@
-{{Entity|TeamRed|
-This host acts a penetration testing box.
-|word=Most high-level organizations have adopted active penetration testing policies. Usually the offensive sector is known as a "red team" as opposed to the defensive "blue team".[http://www.csoonline.com/article/2122440/disaster-recovery/emergency-preparedness-red-team-versus-blue-team-how-to-run-an-effective-simulation.html CSO] accessed 6/21/17
-|cap=1 core, 2GB RAM, 30GB drive
-|host=No real services are hosted by this machine. It is an array of tools based on either [https://www.kali.org/ Kali Linux] or the [[ShadowArch]] -k flag. It may make extensive usefulness of the [https://aninix.net/foundation/ExploitChecks ExploitChecks] in AniNIX::Foundation.
-|conn=This machine targets [[TeamBlue]].
-|add=}}
-[[Category:Security]]
\ No newline at end of file
diff --git a/Operation/User_Ethics.md b/Operation/User_Ethics.md
deleted file mode 100644
index 350748b..0000000
--- a/Operation/User_Ethics.md
+++ /dev/null
@@ -1,42 +0,0 @@ -AniNIX users should follow good ethical principles when using the network. AniNIX resources should be used in accordance with these principles -- activity outside the network is not ours to dictate. - -# Our Mission Statement -{{:Mission Statement}} - -# Open Source -> Main article on [https://opensource.com/open-source-way OpenSource.com] -Open-source means that are willing to provide access to as much information as possible, sharing our experience, work, and assets with the world. (We cannot disclose security tokens and other privileged information for our own self-preservation.) We intend for anyone to take the AniNIX model and inspect it, modify, or enhance it by looking at our documentation and source code. We believe this yields the benefits of control, training, security, and stability to our users, as the more people inspect something the fewer errors are likely to be present. - -# The Hacker Ethic -> Main article on [https://en.wikipedia.org/wiki/Hacker_ethic Wikipedia] - -When you give people the means to be creative for themselves and to share their work, they can create beautiful communities of industry and passion. With proper moderation against malice, the human collective evolves, and the AniNIX seeks to include this. - -The AniNIX subscribes to the Hacker Ethic and should build itself to support the same. In order, these are the ideals development in the AniNIX should encourage: -* World improvement: The world is not a friendly place to your average person. Compute power can be leveraged to improving people's lives, not just in the pursuit of personal power or profit at the expense of others. Projects within the AniNIX should serve the betterment of the wider world in some fashion or at least some portion of the userbase. We do not use our resources to profiteer from others, particularly their lack of access. -* Openness and sharing, particularly open-source: We are world citizens, with equal human rights. 
Sharing, collaboration, and openness improve the lives of everyone and let us grow as a planet. AniNIX projects and source should be openly available; security keys and credentials may be obfuscated to protect the network. -* Decentralization: True democracy is the voice of the people -- the rule of the majority. Too much centralization results in an easy target that can be destroyed by those seeking their own power and profit and to silence opposition. When everyone in the masses has a voice that can't be silenced, they carry immense weight for revolutionizing and improving life. -* Equal, free access to computing: The Internet is the last bastion of human free speech and stream-of-consciousness, and open access for everyone gives everyone a voice. Computers allow free educational materials and community-building, and learning to use them promotes intellectualism and self-education. No one should be barred based on race, gender identity, gender expression, sexual orientation, ability, age, cultural identity, IQ, religion, socioeconomic status, etc. -- the sole grounds for blocking access is to prevent specific, malicious actions, such as identity theft, human trafficking, etc. - -## AniNIX Application -* The AniNIX provides a number of [[Category:Charity|free-to-access offerings]] in the interest of giving back and we support a number of [https://aninix.net/pages/charity.php charitable organizations] to support the aim of world improvement. -* The Wiki and [[Foundation|AniNIX::Foundation]] offer all the documentation and code necessary to replicate AniNIX services. -* The Wiki and Foundation combination allow replication of the complete AniNIX suite, allowing for multiple instantiations and decentralized access. -* The AniNIX makes as many of its applications Web-accessible as possible to reduce the barrier to entry -- even a public library terminal should have sufficient resources. 
We also provide the [[ShadowArch]] installer and [[Holocron|AniNIX::Holocron]] project to give everyone access to their own secure computing environment for minimal cost. - -# Good-faith Contributions -All contributions to the AniNIX should be done in good faith -- users will not be punished for bad work submitted in an honest fashion. However, in the interest of promoting good faith, they should also be respectful of criticism and advice on how to improve their work. The AniNIX seeks to improve steadily and welcomes debate and discussion. - -If you have concerns or suggestions, please use the talk page of a topic to discuss them. - -# Respect to Peers -Please respect your peers in all communication. The AniNIX administrators reserve the right to terminate services at any time to any user found to be disruptive or damaging to the network. We seek a collaborative, not elitist, environment, and all viewpoints should be welcome in a debate. - -# Handling of Malware -The AniNIX, being security-minded, handles malware. Please make sure you only transfer malware in secured, inert formats to other users and clearly label it as such so that they know to analyze it. - -The use of malware to attack, harm, or malign the network will not be tolerated. Ensure all testing is done in isolated networks with protected machines to prevent accidental assaults. - -Be sure to read [https://www.law.cornell.edu/uscode/text/18/1030 18 US Code 1030] (thanks to Cornell for providing a copy), particularly section a5A, before distributing or publishing malware source. - -[[Category:Operation]] \ No newline at end of file diff --git a/Operation/Design_Principles.md b/Policies/Design_Principles.md similarity index 100% rename from Operation/Design_Principles.md rename to Policies/Design_Principles.md 
diff --git a/Operation/Development_Best_Practices.md b/Policies/Development_Best_Practices.md
similarity index 100%
rename from Operation/Development_Best_Practices.md
rename to Policies/Development_Best_Practices.md
diff --git a/Policies/User_Ethics.md b/Policies/User_Ethics.md
new file mode 100644
index 0000000..8f66fb7
--- /dev/null
+++ b/Policies/User_Ethics.md
@@ -0,0 +1,46 @@ +AniNIX users should follow good ethical principles when using the network. AniNIX resources should be used in accordance with these principles -- activity outside the network is not ours to dictate. + +# Our Mission Statement +The mission statement of the AniNIX is simple: +1. Provide an example suite of services and serve a small userbase +1. Provide documentation and source code to allow anyone to replicate the system. +1. Contribute actively to the global community by involvement in the open-source community and charity work. + +# Open Source +[Open-source][1] means that are willing to provide access to as much information as possible, sharing our experience, work, and assets with the world. (We cannot disclose security tokens and other privileged information for our own self-preservation.) We intend for anyone to take the AniNIX model and inspect it, modify, or enhance it by looking at our documentation and source code. We believe this yields the benefits of control, training, security, and stability to our users, as the more people inspect something the fewer errors are likely to be present. + +# The Hacker Ethic +When you give people the means to be creative for themselves and to share their work, they can create beautiful communities of industry and passion. With proper moderation against malice, the human collective evolves, and the AniNIX seeks to include this. + +The AniNIX subscribes to the [Hacker Ethic][2] and should build itself to support the same. In order, these are the ideals development in the AniNIX should encourage: +* _World improvement_: The world is not a friendly place to your average person. Compute power can be leveraged to improving people's lives, not just in the pursuit of personal power or profit at the expense of others. Projects within the AniNIX should serve the betterment of the wider world in some fashion or at least some portion of the userbase. 
We do not use our resources to profiteer from others, particularly their lack of access. +* _Openness and sharing, particularly open-source_: We are world citizens, with equal human rights. Sharing, collaboration, and openness improve the lives of everyone and let us grow as a planet. AniNIX projects and source should be openly available; security keys and credentials may be obfuscated to protect the network. +* _Decentralization_: True democracy is the voice of the people -- the rule of the majority. Too much centralization results in an easy target that can be destroyed by those seeking their own power and profit and to silence opposition. When everyone in the masses has a voice that can't be silenced, they carry immense weight for revolutionizing and improving life. +* _Equal, free access to computing_: The Internet is the last bastion of human free speech and stream-of-consciousness, and open access for everyone gives everyone a voice. Computers allow free educational materials and community-building, and learning to use them promotes intellectualism and self-education. No one should be barred based on race, gender identity, gender expression, sexual orientation, ability, age, cultural identity, IQ, religion, socioeconomic status, etc. -- the sole grounds for blocking access is to prevent specific, malicious actions, such as identity theft, human trafficking, etc. + +## AniNIX Application +* The AniNIX provides a number of free-to-access offerings in the interest of giving back and we support a number of charitable organizations for the aim of world improvement. + * We actively fold for [Folding@Home](https://stats.foldingathome.org/team/250807). + * We support [DAREBEE](https://darebee.com). + * We support [Wikipedia](https://wikipedia.org). +* The [AniNIX/Foundation](https://foundation.aninix.net) offers all the documentation and code necessary to replicate AniNIX services. 
+* The AniNIX makes as many of its applications Web-accessible and offline-accessible as possible to reduce the barrier to entry -- even a public library terminal should have sufficient resources. + +# Good-faith Contributions +All contributions to the AniNIX should be done in good faith -- users will not be punished for bad work submitted in an honest fashion. However, in the interest of promoting good faith, they should also be respectful of criticism and advice on how to improve their work. The AniNIX seeks to improve steadily and welcomes debate and discussion. + +If you have concerns or suggestions, please use the talk page of a topic to discuss them. + +# Respect to Peers +Please respect your peers in all communication. The AniNIX administrators reserve the right to terminate services at any time to any user found to be disruptive or damaging to the network. We seek a collaborative, not elitist, environment, and all viewpoints should be welcome in a debate. + +# Handling of Malware +The AniNIX, being security-minded, handles malware. Please make sure you only transfer malware in secured, inert formats to other users and clearly label it as such so that they know to analyze it. + +The use of malware to attack, harm, or malign the network will not be tolerated. Ensure all testing is done in isolated networks with protected machines to prevent accidental assaults. + +Be sure to read [18 US Code 1030](https://www.law.cornell.edu/uscode/text/18/1030) (thanks to Cornell for providing a copy), particularly section a5A, before distributing or publishing malware source. + + +[1]: https://opensource.com/open-source-way "OpenSource.com" +[2]: https://en.wikipedia.org/wiki/Hacker_ethic "Wikipedia" diff --git a/Providers/Category:Anope.md b/Providers/Category:Anope.md deleted file mode 100644 index 7681d9a..0000000 --- a/Providers/Category:Anope.md +++ /dev/null @@ -1,2 +0,0 @@ -[https://www.anope.org/ Homepage] -[[Category:Provider]] \ No newline at end of file 
diff --git a/Providers/Category:ArchLinux.md b/Providers/Category:ArchLinux.md
deleted file mode 100644
index 635b1df..0000000
--- a/Providers/Category:ArchLinux.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[https://www.archlinux.org/ Homepage]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Avast.md b/Providers/Category:Avast.md
deleted file mode 100644
index c236739..0000000
--- a/Providers/Category:Avast.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[Https://avast.com/ Homepage]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Brother.md b/Providers/Category:Brother.md
deleted file mode 100644
index ef7517b..0000000
--- a/Providers/Category:Brother.md
+++ /dev/null
@@ -1,3 +0,0 @@
-http://brother.com/
-
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Canonical.md b/Providers/Category:Canonical.md
deleted file mode 100644
index 194d287..0000000
--- a/Providers/Category:Canonical.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[http://www.canonical.com/ Homepage]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Charter.md b/Providers/Category:Charter.md
deleted file mode 100644
index 3f904f2..0000000
--- a/Providers/Category:Charter.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[https://charter.com/ Homepage]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Corsair.md b/Providers/Category:Corsair.md
deleted file mode 100644
index f5e8444..0000000
--- a/Providers/Category:Corsair.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[Http://corsair.com Homepage]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:CyberPower.md b/Providers/Category:CyberPower.md
deleted file mode 100644
index 814dad7..0000000
--- a/Providers/Category:CyberPower.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[https://cyberpowersystems.com Homepage]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:DAREBEE.md b/Providers/Category:DAREBEE.md
deleted file mode 100644
index a00ad78..0000000
--- a/Providers/Category:DAREBEE.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[https://darebee.com DAREBEE] is a free site that offers body-weight and little-equipment workouts -- this is an excellent application of the open-source principle in a non-computing format. Feel free to watch this site for new workouts, either for one-offs or 30-day programs.
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:DD-WRT.md b/Providers/Category:DD-WRT.md
deleted file mode 100644
index ea5d0d7..0000000
--- a/Providers/Category:DD-WRT.md
+++ /dev/null
@@ -1,4 +0,0 @@
-DD-WRT is a partially open-source firmware for routers -- it contains both open-source components and proprietary drivers for hardware.
-
-[http://dd-wrt.com Homepage] and [http://dd-wrt.com/wiki a Wiki] are available to help users configure their own hardware.
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:EVGA.md b/Providers/Category:EVGA.md
deleted file mode 100644
index 8fdaa2f..0000000
--- a/Providers/Category:EVGA.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[Https://evga.com Homepage]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Emby.md b/Providers/Category:Emby.md
deleted file mode 100644
index 6b624bb..0000000
--- a/Providers/Category:Emby.md
+++ /dev/null
@@ -1,3 +0,0 @@
-[[Category:Provider]]
-
-[https://emby.media/ Provider homepage]
\ No newline at end of file
diff --git a/Providers/Category:Foscam.md b/Providers/Category:Foscam.md
deleted file mode 100644
index 82796f2..0000000
--- a/Providers/Category:Foscam.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[http://foscam.us/ Home page]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Google.md b/Providers/Category:Google.md
deleted file mode 100644
index 447dab5..0000000
--- a/Providers/Category:Google.md
+++ /dev/null
@@ -1,4 +0,0 @@
-Google is a provider with which the AniNIX has a love-hate relationship. It provides convenient, Linux-friendly devices in their Androids and Chromecasts, and they provide a number of highly useful Web services. However, they have been caught with [https://thehackernews.com/2017/11/android-location-tracking.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29 privacy violations], and their reach is so extensive as to be a risk to any privacy-minded operation. Users should make choose carefully before using this provider and understand the risks.
-
-[https://google.com Homepage]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Intel.md b/Providers/Category:Intel.md
deleted file mode 100644
index 546d85b..0000000
--- a/Providers/Category:Intel.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[Http://Intel.com Homepage]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Kingston.md b/Providers/Category:Kingston.md
deleted file mode 100644
index 3f21bfa..0000000
--- a/Providers/Category:Kingston.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[[Http://Kingston.com/ Homepage]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:MG%26E.md b/Providers/Category:MG%26E.md
deleted file mode 100644
index c6684f2..0000000
--- a/Providers/Category:MG%26E.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[http://mge.com/ Homepage]
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Nagios.md b/Providers/Category:Nagios.md
deleted file mode 100644
index 8785e48..0000000
--- a/Providers/Category:Nagios.md
+++ /dev/null
@@ -1,3 +0,0 @@
-Nagios is a monitoring software company.
-
-[https://nagios.org Nagios homepage] [[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Netgear.md b/Providers/Category:Netgear.md
deleted file mode 100644
index ea1204d..0000000
--- a/Providers/Category:Netgear.md
+++ /dev/null
@@ -1,5 +0,0 @@
-Netgear is a wireless hardware provider.
-
-[http://netgear.com/ Homepage] is here.
-
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/Category:Oracle.md b/Providers/Category:Oracle.md
deleted file mode 100644
index edbf79d..0000000
--- a/Providers/Category:Oracle.md
+++ /dev/null
@@ -1 +0,0 @@
-[[Category:Provider]]
\ No newline at end of file
diff --git a/Providers/README.md b/Providers/README.md
deleted file mode 100644
index 6ed49ca..0000000
--- a/Providers/README.md
+++ /dev/null
@@ -1,30 +0,0 @@
-[https://www.anope.org/ Homepage]
-[[Category:Provider]][https://www.archlinux.org/ Homepage]
-[[Category:Provider]][Https://avast.com/ Homepage]
-[[Category:Provider]]http://brother.com/
-
-[[Category:Provider]][http://www.canonical.com/ Homepage]
-[[Category:Provider]][https://charter.com/ Homepage]
-[[Category:Provider]][Http://corsair.com Homepage]
-[[Category:Provider]][https://cyberpowersystems.com Homepage]
-[[Category:Provider]][https://darebee.com DAREBEE] is a free site that offers body-weight and little-equipment workouts -- this is an excellent application of the open-source principle in a non-computing format. Feel free to watch this site for new workouts, either for one-offs or 30-day programs.
-[[Category:Provider]]DD-WRT is a partially open-source firmware for routers -- it contains both open-source components and proprietary drivers for hardware.
-
-[http://dd-wrt.com Homepage] and [http://dd-wrt.com/wiki a Wiki] are available to help users configure their own hardware.
-[[Category:Provider]][[Category:Provider]]
-
-[https://emby.media/ Provider homepage][Https://evga.com Homepage]
-[[Category:Provider]][http://foscam.us/ Home page]
-[[Category:Provider]]Google is a provider with which the AniNIX has a love-hate relationship. It provides convenient, Linux-friendly devices in their Androids and Chromecasts, and they provide a number of highly useful Web services. However, they have been caught with [https://thehackernews.com/2017/11/android-location-tracking.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29 privacy violations], and their reach is so extensive as to be a risk to any privacy-minded operation. Users should make choose carefully before using this provider and understand the risks.
-
-[https://google.com Homepage]
-[[Category:Provider]][Http://Intel.com Homepage]
-[[Category:Provider]][[Http://Kingston.com/ Homepage]
-[[Category:Provider]][http://mge.com/ Homepage]
-[[Category:Provider]]Nagios is a monitoring software company.
-
-[https://nagios.org Nagios homepage] [[Category:Provider]]Netgear is a wireless hardware provider.
-
-[http://netgear.com/ Homepage] is here.
-
-[[Category:Provider]][[Category:Provider]]
diff --git a/README.md b/README.md
index 9263dfc..978762c 100644
--- a/README.md
+++ b/README.md
@@ -1,26 +1,25 @@ -Welcome to the AniNIX's Wiki. This is the documentation source for the AniNIX network. The implementation details are disclosed here to act as a reference for others and to join the open-source community. +Welcome to the AniNIX's Wiki. This is the starting documentation source for the AniNIX network. The implementation details are disclosed here to act as a reference for others and to join the open-source community. Any comments, concerns, or suggestions should be submitted as issues. # Sections This wiki is divided into sections. -* Classes: some classes being taught by AniNIX staff -* Entities: a list of hosts, VM's, and hardware used by the network -* Operation: a list of policies and procedures for contributing to the AniNIX. -* Providers: a list of software, hardware, and service providers - -Information on individual services will be under `roles` in [AniNIX/Ubiqtorate](../Ubiqtorate). +* _Technology_Table.md_: This is a good place to start understanding how the AniNIX works -- here we map problems to solutions via tools. +* _Layouts.md_: High-level view of our software, hardware, and hardening layouts, with links to other repos. +* _Policy_: A breakdown of our policies around the AniNIX. +* _Operation_: a list of operational procedures for contributing to and operating the AniNIX. +* _Providers.md_: a list of software, hardware, and service providers # Etymology -Wiki, in an [interesting article](http://www.todayifoundout.com/index.php/2010/10/where-the-word-wiki-comes-from/), is cited to mean "quick". This Wiki and many like it are a quick, easily editable and Web-accessible database for presenting information to a wider audience. - The AniNIX is an open-source, closed-membership network of services available to those known to its admins. Its name is a combination of [animus](http://www.merriam-webster.com/dictionary/animus), meaning governing spirit, and Linux, the platform on which it is built. 
+Wiki, in an [interesting article](http://www.todayifoundout.com/index.php/2010/10/where-the-word-wiki-comes-from/), is cited to mean "quick". This Wiki and many like it are a quick, easily editable and Web-accessible database for presenting information to a wider audience. + # Relevant Files and Software This Wiki is simply a stream of Markdown files that Foundation will interpret. This makes it similarly simple to edit, fork, branch, and backup. # Available Clients -Any browser or Git client will sufice. +Any browser or Git client will suffice. # Equivalents or Competition Some real-world equivalents include [Wikipedia](https://en.wikipedia.org/), [FANDOM (formerly Wikia)](https://fandom.com), and the oft-referenced [ArchLinux Wiki](https://wiki.archlinux.org/). diff --git a/Technology_Table.md b/Technology_Table.md new file mode 100644 index 0000000..2235a1e --- /dev/null +++ b/Technology_Table.md 
@@ -0,0 +1,99 @@ +We want, as much as possible, to focus on one tool solving one problem, with as many tools as possible to cover our surface. Also, we strive to keep our tools self-hosted for reasons in our [design principles](./Policies/Design Principles.md). These lists are not 100% comprehensive -- generic, common parts like Ethernet cables or system libraries aren't listed as they're easily replaced by competent staff. + +See our design principles for our selected development languages as well. + +# Self-written solutions +_NOTE_: These solutions are chosen very, very carefully. We write them either for educational reasons or because they fill a very specific role unique to the AniNIX. All of these are candidates to be replaced with upstream tools. + +| Problem | Tool | +| --------------------- | --------------------------------------------------- | +| Backups | [AniNIX/Aether](/AniNIX/Aether) | +| CI/CD Pipeline | [AniNIX/Maat](/AniNIX/Maat) | +| Cryptography | [AniNIX/CryptoWorkbench](/AniNIX/CryptoWorkbench) | +| IRCbot | [AniNIX/TheRaven](/AniNIX/TheRaven) | +| Language reference | [AniNIX/HelloWorld](/AniNIX/HelloWorld) | +| Secure code standards | [AniNIX/Inquisitorius](/AniNIX/Inquisitorius) | +| Standard functions | [AniNIX/Uniglot](/AniNIX/Uniglot) | +| Web crawler | [AniNIX/WolfPack](/AniNIX/WolfPack) | + +# On-site Hardware +| Problem | Tool | Provider Reference | +| --------------------- | ---------------------- | -------------------------- | +| Server | Supermicro X-series | https://unixsurplus.com | +| Automation Node | Raspberry Pi | https://raspberrypi.org | +| Smartphone | LG G8 | https://www.lg.com/us | +| Router | Netgear R7000 | https://www.netgear.com | +| Personal hardware | HP Omen | https://www.omen.com/ | +| UPS | CyberPower | https://cyberpowersystems.com/ | +| Keyboards | Corsair K70 | https://www.corsair.com/ | +| NVR Cameras | OOSSXX | http://oossxx.com/ | +| HVAC w/ alarms | Nest Thermostat/Protect| https://store.google.com | +| 
Remote access | Chamberlain MyQ | https://www.chamberlain.com/ | +| Housekeeping | iRobot Roomba and Brava| http://irobot.com/ | +| Paper handling | Brother printing | http://brother.com/ | + +# Self-hosted solutions + +## Platforms +| Problem | Tool | Provider Reference | +| --------------------- | ---------------------- | -------------------------- | +| Main OS | [AniNIX/ShadowArch](/AniNIX/ShadowArch) | http://archlinux.org/ | +| Embedded OS | Raspbian |https://www.raspberrypi.org/| +| Mobile OS | Android | https://www.android.com/ | +| Read-only access | [AniNIX/WebServer](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer) | http://openresty.org/en/ | +| Read-write access | [SSH](/AniNIX/Ubiqtorate/src/branch/main/roles/SSH) | https://www.openssh.com | +| Network configuration | Netctl | https://wiki.archlinux.org/index.php/netctl | +| Service management | systemd | https://wiki.archlinux.org/index.php/systemd | +| Terminal management | tmux | https://tmux.github.io/ | +| Window management | XFCE4 | http://www.xfce.org | +| Office suite | LibreOffice | https://www.libreoffice.org| +| Browser | Google Chrome | https://www.google.com/chrome/ | +| News tracking | [AniNIX/Singularity](/AniNIX/Ubiqtorate/src/branch/main/roles/Singularity) | https://tt-rss.org/ | +| Media CDN | [AniNIX/Yggdrasil](/AniNIX/Ubiqtorate/src/branch/main/roles/Yggdrasil) | https://emby.media/ | + +## DevOps +| Problem | Tool | Provider Reference | +| --------------------- | ---------------------- | -------------------------- | +| Work tracking | [AniNIX/Foundation](/AniNIX/Ubiqtorate/src/branch/main/roles/Foundation) | https://gitea.io/ | +| Revision control | Git | https://git-scm.com/ | +| Documentation | [This Wiki](/AniNIX/Wiki) | https://daringfireball.net/projects/markdown/ | +| Infra-as-Code | [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate) | https://docs.ansible.com/ | +| Hypervisor | [AniNIX/MaatHypervisor](/AniNIX/Ubiqtorate/src/branch/main/roles/MaatHypervisor) | https://wiki.qemu.org/ 
| +| Network lookup | [AniNIX/Nazara](/AniNIX/Ubiqtorate/src/branch/main/roles/Nazara) | https://pi-hole.net | +| Routing management | [AniNIX/Shadowfeed](/AniNIX/Ubiqtorate/src/branch/main/roles/Shadowfeed) | https://dd-wrt.com/ | +| Communication | [AniNIX/IRC](/AniNIX/Ubiqtorate/src/branch/main/roles/IRC) | https://www.anope.org/, + +## Security +In the AAA model, authorization is delegated to each individual application consuming the authentication and auditing. + +| Problem | Tool | Provider Reference | +| --------------------- | ---------------------- | -------------------------- | +| Penetration testing | Kali Linux | https://www.kali.org/ | +| Vulnerability scanning| OpenVAS | https://www.openvas.org/ | +| SIEM | [AniNIX/Sharingan](/AniNIX/Ubiqtorate/src/branch/main/roles/Sharingan) | https://www.graylog.org/ | +| Authentication | [AniNIX/Sora](/AniNIX/Ubiqtorate/src/branch/main/roles/Sora) | https://www.openldap.org/ | +| Auditing | syslog-ng | https://www.syslog-ng.com/ | +| Identity verification | GPG | https://www.gnupg.org/ | +| VPN | Nord | http://nordvpn.com/ | +| Network encryption | [SSL](/AniNIX/Ubiqtorate/src/branch/main/roles/SSL) | https://letsencrypt.org/ | +| Network IPS | sshguard | https://www.sshguard.net/ | +| Network IDS | suricata | http://suricata-ids.org/ | +| OSINT | oinkmaster | http://oinkmaster.sourceforge.net/ | +| Host IDS | clamav | https://www.clamav.net/ | +| Disk encryption | LUKS-on-LVM | https://gitlab.com/cryptsetup/cryptsetup/ | +| Warrant protection | [AniNIX/WarrantCanary](/AniNIX/WarrantCanary) | +| Physical security | [AniNIX Martial Arts](/martialarts) | https://ushapkidofederation.files.wordpress.com/ | + +# Purchased / Managed Solutions +| Problem | Tool | Provider Reference | +| --------------------- | ---------------------- | -------------------------- | +| Backup communications | Discord | https://discordapp.com | +| Power | Alliant Energy | https://www.alliantenergy.com/ | +| Internet | Charter ISP | 
https://www.spectrum.com/ |
+| Backup Internet | US Cellular | http://uscellular.com/ |
+| Code publishing | GitHub | https://github.com/ |
+| Cloud office suite | Google Suite | https://workspace.google.com/ |
+| Payment | Stripe | https://stripe.com/ |
+| Banking | Chase | https://www.chase.com/ |
+| Workout options | DAREBEE | https://darebee.com |
+| Team-building | [Imperial Intelligence](/swtor/Imperial_Intelligence) | http://swtor.com/ |
diff --git a/tests/test_doc_coverage.py b/tests/test_doc_coverage.py
new file mode 100644
index 0000000..6fba874
--- /dev/null
+++ b/tests/test_doc_coverage.py
@@ -0,0 +1,21 @@
+import pytest
+import requests
+
+def test_ensure_all_repos_represented():
+ """
+ Make sure that the 'Technology_Table.md' covers all our repos.
+ """
+ testresult = True
+ r = requests.get('https://foundation.aninix.net/')
+ body = r.content.__str__()
+ repos = [url for url in body.split('"') if url.startswith('/AniNIX') and not url.find('?') != -1 ]
+ with open('Technology_Table.md') as techtable_file:
+ techtable = techtable_file.read()
+ for repo in repos:
+ try:
+ testresult == testresult and (techtable.index(repo) != -1)
+ except ValueError as e:
+ print(repo)
+ print(e)
+ testresult = False
+ assert testresult
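Review bot: The line `testresult == testresult and (techtable.index(repo) != -1)` in test_ensure_all_repos_represented compares and discards its result instead of assigning, so `testresult` is never updated on the success path; it only works today because `str.index` raises `ValueError` on a miss and the `except` branch sets `testresult = False`. The fetch is also unguarded: `requests.get(...)` has no `timeout=` and is never followed by `r.raise_for_status()`, so a hung host blocks the suite and an error page with no `/AniNIX` links yields an empty `repos`, an empty loop, and a vacuous pass that hides a broken check. `r.content.__str__()` stringifies the bytes repr (`b'...'`) rather than decoding the body, and `r.text` is what was intended; `import pytest` is also unused. I would replace the try/except loop with a plain membership test, assert that at least one repo link was actually found, and report every missing repo in the assertion message.
```python
def test_ensure_all_repos_represented():
    # … unchanged: docstring …
    r = requests.get('https://foundation.aninix.net/', timeout=30)
    r.raise_for_status()
    body = r.text
    repos = [url for url in body.split('"') if url.startswith('/AniNIX') and '?' not in url]
    assert repos, 'no /AniNIX repo links found; refusing to pass vacuously'
    with open('Technology_Table.md') as techtable_file:
        techtable = techtable_file.read()
    missing = [repo for repo in repos if repo not in techtable]
    assert not missing, f'repos absent from Technology_Table.md: {missing}'
```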