Merge pull request #9 from OS2borgerPC/7-tilføj-anbefalede-sikkerhedsscripts-fra-pc-image-iso-byg

7 tilføj anbefalede sikkerhedsscripts fra pc image iso byg

Author: agnetemoos

Diff for: allow_superuser_to_manage_cups.md

@@ -0,0 +1,24 @@
+---
+title: "Tillad superuser at redigere indstillinger"
+parent: "Anbefalede sikkerhedsscripts"
+source: scripts/allow_superuser_to_manage_cups.sh
+parameters:
+compatibility:  
+  - "22.04"
+  - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+Beskrivelse
+
+Dette script er indbygget i image 5.2.0 og fremover.
+
+Specifikt giver kørsel af dette script superuser tilladelse til at kunne redigere diverse printerindstillinger, 
+såsom at tilføje printere, eksempelvis fra en browser via CUPS' webinterface, der er tilgængelig på følgende adresse fra selve maskinen:
+http://localhost:631
+
+
+## Parametre
+Ingen
+

Diff for: apt_get_config_set_dpkg_lock_timeout.md

@@ -0,0 +1,21 @@
+---
+title: "xxxx"
+parent: "Anbefalede sikkerhedsscripts"
+source: scripts/apt_get_config_set_dpkg_lock_timeout.sh
+parameters:
+  - name: "Aktiver?"
+    type: "boolean"
+    default: null
+    mandatory: false
+compatibility:  
+  - "22.04"
+  - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+Todo!
+
+## Parametre
+1. Sæt hak for at aktivere.
+

Diff for: apt_get_config_set_fix_broken.md

@@ -0,0 +1,23 @@
+---
+title: "xxxx"
+parent: "Anbefalede sikkerhedsscripts"
+source: scripts/apt_get_config_set_fix_broken.sh
+parameters:
+  - name: "Aktiver?"
+    type: "boolean"
+    default: null
+    mandatory: false
+compatibility:  
+  - "22.04"
+  - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+Dette script installerer numlockx og slår numlock til når computeren når til loginsiden.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1. Sæt hak for at aktivere.
+

Diff for: dconf_disable_gnome_remote_desktop.md

@@ -0,0 +1,25 @@
+---
+title: "Bloker for GNOME Remote Desktop (Fjernskrivebord)"
+parent: "Anbefalede sikkerhedsscripts"
+source: scripts/dconf_disable_gnome_remote_desktop.sh
+parameters:
+  - name: "Blokér for GNOME Remote Desktop?"
+    type: "boolean"
+    default: null
+    mandatory: false
+compatibility:  
+  - "22.04"
+  - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+Dette script blokerer for GNOME Remote Desktop.
+Inden kørsel af dette script, kan GNOME Remote Desktop aktiveres, hvis Indstillinger ikke er blokeret. 
+Indstillinger er dog blokeret for Borger i alle OS2borgerPC images siden 3.1.0.
+
+Scriptet er ikke relevant for OS2borgerPC Kiosk.
+
+## Parametre
+1. Sæt hak for at blokere for Remote Desktop i Gnome, fjern for at tillade.
+

Diff for: dconf_disable_lock_menu.md

@@ -0,0 +1,23 @@
+---
+title: "Desktop: Fjern lås fra menuen"
+parent: "Anbefalede sikkerhedsscripts"
+source: scripts/dconf_disable_lock_menu.sh
+parameters:
+compatibility:  
+  - "22.04"
+  - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+Dette script er i kategorien "Udfases", da fjernelsen af lås fra menu allerede er indbygget i image 5.0.0 og senere,
+og også fordi låsning pt. giver nogle problemer ift. rydning af hjemmemappen.
+
+Fjerner muligheden for at "låse" computeren fra menuen oppe til højre, 
+og den relaterede genvejstast CTRL-l fjernes også.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+Ingen
+

Diff for: dconf_disable_user_switching.md

@@ -0,0 +1,23 @@
+---
+title: "Desktop - Fjern brugerskifte fra menuen"
+parent: "Anbefalede sikkerhedsscripts"
+source: scripts/dconf_disable_user_switching.sh
+parameters:
+compatibility:  
+  - "22.04"
+  - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+DDette script er i kategorien "Udfases", da fjernelsen af brugerskifte allerede er indbygget i image 5.0.0 og senere,
+og også fordi brugerskifte pt. giver nogle problemer ift. rydning af hjemmemappen.
+
+Fjerner muligheden for at skifte bruger fra menuen oppe til højre.
+Brugerskifte kan derved kun ske ved logud.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+Ingen
+

Diff for: lightdm_fix_boot_error.md

@@ -0,0 +1,27 @@
+---
+title: "Fix Light Display Manager Opstarts-fejl"
+parent: "Anbefalede sikkerhedsscripts"
+source: scripts/lightdm_fix_boot_error.sh
+parameters:
+  - name: "Aktivér fix?"
+    type: "boolean"
+    default: null
+    mandatory: false
+compatibility:  
+  - "22.04"
+  - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+Scriptet fikser en opstartsfejl i OS2borgerPC, relateret til Light Display Manager (LightDM).
+Fejlen opleves ved, at maskinen ikke kan boote, og ender i terminalen, typisk kort efter installationen.
+
+Typisk ses en eller flere af disse fejlbeskeder i terminalen:
+
+"Failed to start Detect the available GPUs and deal with any system changes"
+"Failed to start Light Display Manager"
+"Bluetooth: hci0: Malformed MSFT vendor event: 0x02" 
+
+## Parametre
+1. Sæt hak for at aktivere fikset. Udelad hak for at deaktivere fikset.

Diff for: lightdm_greeter_setup_scripts.md

@@ -0,0 +1,29 @@
+---
+title: "Login - Slå scriptkørsel ved login til"
+parent: "Anbefalede sikkerhedsscripts"
+source: scripts/lightdm_greeter_setup_scripts.sh
+parameters:
+  - name: "Slet alle tidligere gemte login scripts fra computeren"
+    type: "boolean"
+    default: null
+    mandatory: false
+compatibility:  
+  - "22.04"
+  - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+Dette script er i kategorien "Udfases" da det er indbygget i image 5.0.0 og senere.
+
+Slår kørslen af scripts ved loginskærmen til 
+
+Dette script er en forudsætning for at NumLock aktiveres allerede fra loginskærmen med scriptet:
+Desktop - Sæt NumLock-tilstand
+
+OBS: Kræver genstart før de nye indstillinger træder i kraft.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1. Sæt hak for at fjerne alle tidligere gemte login scripts fra computeren, eller lad stå tomt for at lade dem være.

Diff for: remove_new_release_message.md

@@ -0,0 +1,20 @@
+---
+title: "Desktop - Fjern besked om opdatering / opgradering"
+parent: "Anbefalede sikkerhedsscripts"
+source: scripts/remove_new_release_message.sh
+parameters:
+compatibility:  
+  - "22.04"
+  - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+Dette script er i kategorien "Udfases" da det er indbygget i image 5.0.0 og nyere.
+
+Dette script fjerner popup om ny LTS-version.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+Ingen.

Diff for: scripts/allow_superuser_to_manage_cups.sh

@@ -0,0 +1,3 @@
+#! /usr/bin/env sh
+
+usermod -aG lpadmin superuser

Diff for: scripts/apt_get_config_set_dpkg_lock_timeout.sh

@@ -0,0 +1,17 @@
+#! /usr/bin/env bash
+
+# This script is used to add or remove the setting dpkg lock timeout "300" from the apt-get configuration
+# It takes a single boolean parameter: whether to add the setting or remove it
+
+ACTIVATE=$1
+
+APT_CONFIG_FILE=/etc/apt/apt.conf.d/local
+
+# Always start by trying to remove the line to prevent duplicate entries
+sed --in-place '/Dpkg::Lock/d' $APT_CONFIG_FILE
+
+if [ "$ACTIVATE" = "True" ]; then
+  cat << EOF >> $APT_CONFIG_FILE
+Dpkg::Lock {Timeout "300";};
+EOF
+fi

Diff for: scripts/apt_get_config_set_fix_broken.sh

@@ -0,0 +1,17 @@
+#! /usr/bin/env bash
+
+# This script is used to add or remove the setting fix-broken "true" from the apt-get configuration
+# It takes a single boolean parameter: whether to add the setting or remove it
+
+ACTIVATE=$1
+
+APT_CONFIG_FILE=/etc/apt/apt.conf.d/local
+
+# Always start by trying to remove the line to prevent duplicate entries
+sed --in-place '/Fix-Broken/d' $APT_CONFIG_FILE
+
+if [ "$ACTIVATE" = "True" ]; then
+  cat << EOF >> $APT_CONFIG_FILE
+Apt:Get {Fix-Broken "true";};
+EOF
+fi

Diff for: scripts/dconf_disable_gnome_remote_desktop.sh

@@ -0,0 +1,41 @@
+#! /usr/bin/env sh
+
+set -x
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+  echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+  exit 1
+fi
+
+# Change these three to set a different policy to another value
+POLICY_FILE="/etc/dconf/db/os2borgerpc.d/00-remote-desktop"
+POLICY_LOCK_FILE="/etc/dconf/db/os2borgerpc.d/locks/00-remote-desktop"
+
+ACTIVATE=$1
+
+if [ "$ACTIVATE" = 'True' ]; then
+	# Disable GNOME Remote Desktop VNC + RDP (and also lock to "View Only" which should be superfluous when they can't be
+	# enabled, but...)
+	cat > "$POLICY_FILE" <<-END
+		[org/gnome/desktop/remote-desktop/rdp]
+		enable=false
+		view-only=true
+		[org/gnome/desktop/remote-desktop/vnc]
+		enable=false
+		view-only=true
+	END
+
+	# Tell the system that the values of the dconf keys we've just set can no
+	# longer be overridden by the user
+	cat > "$POLICY_LOCK_FILE" <<-END
+		/org/gnome/desktop/remote-desktop/rdp/enable
+		/org/gnome/desktop/remote-desktop/vnc/enable
+		/org/gnome/desktop/remote-desktop/rdp/view-only
+		/org/gnome/desktop/remote-desktop/vnc/view-only
+	END
+else
+	rm --force "$POLICY_FILE" "$POLICY_LOCK_FILE"
+fi
+
+# Incorporate all of the text files we've just created into the system's dconf databases
+dconf update

Diff for: scripts/dconf_disable_lock_menu.sh

@@ -0,0 +1,32 @@
+#! /usr/bin/env sh
+
+# Removes lock screen from the menu - also removes the related keybind as an intended side effect
+
+set -x
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+  echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+  exit 1
+fi
+
+# Change these three to set a different policy to another value
+POLICY_PATH="org/gnome/desktop/lockdown"
+POLICY="disable-lock-screen"
+POLICY_VALUE="true"
+
+POLICY_FILE="/etc/dconf/db/os2borgerpc.d/00-$POLICY"
+POLICY_LOCK_FILE="/etc/dconf/db/os2borgerpc.d/locks/00-$POLICY"
+
+
+cat > "$POLICY_FILE" <<-END
+	[$POLICY_PATH]
+	$POLICY=$POLICY_VALUE
+END
+# Tell the system that the values of the dconf keys we've just set can no
+# longer be overridden by the user
+cat > "$POLICY_LOCK_FILE" <<-END
+	/$POLICY_PATH/$POLICY
+END
+
+# Incorporate all of the text files we've just created into the system's dconf databases
+dconf update

Diff for: scripts/dconf_disable_user_switching.sh

@@ -0,0 +1,31 @@
+#! /usr/bin/env sh
+
+# Removes user switching from the menu
+
+set -x
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+  echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+  exit 1
+fi
+
+# Change these three to set a different policy to another value
+POLICY_PATH="org/gnome/desktop/lockdown"
+POLICY="disable-user-switching"
+POLICY_VALUE="true"
+
+POLICY_FILE="/etc/dconf/db/os2borgerpc.d/00-$POLICY"
+POLICY_LOCK_FILE="/etc/dconf/db/os2borgerpc.d/locks/00-$POLICY"
+
+cat > "$POLICY_FILE" <<-END
+	[$POLICY_PATH]
+	$POLICY=$POLICY_VALUE
+END
+# Tell the system that the values of the dconf keys we've just set can no
+# longer be overridden by the user
+cat > "$POLICY_LOCK_FILE" <<-END
+	/$POLICY_PATH/$POLICY
+END
+
+# Incorporate all of the text files we've just created into the system's dconf databases
+dconf update

Diff for: scripts/lightdm_fix_boot_error.sh

@@ -0,0 +1,23 @@
+#! /usr/bin/env sh
+
+set -x
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+  echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+  exit 1
+fi
+
+ACTIVATE="$1"
+
+CONF="/etc/lightdm/lightdm.conf.d/login-check-graphical.conf"
+
+if [ "$ACTIVATE" = "True" ]; then
+
+cat << EOF > $CONF
+[LightDM]
+logind-check-graphical=true
+EOF
+
+else
+  rm --force $CONF
+fi