makefile and debian

Makefile

@@ -0,0 +1,7 @@
+VERSION := $(shell cat version)
+
+install: install-vm
+
+install-vm:
+	bash ./install
+	bash ./configure-sudo-prompt --force

README.md

@@ -16,10 +16,11 @@ Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-
 
 ### Installing
 
-1. In a template VM, install the service files
+1. In a template VM, install and configure
    ```
    cd Qubes-VM-hardening
    sudo bash install
+   sudo bash configure-sudo-prompt
    ```
 
 2. Activate by specifying one of the following Qubes services for your VM(s)...

debian/changelog

@@ -0,0 +1,5 @@
+qubes-vm-hardening (0.9.3-1) unstable; urgency=medium
+
+  * Initial release
+
+ -- Christopher Laprise <tasket@protonmail.com>  Mon, 2 Sep 2018 08:01:15 -0400

debian/compat

@@ -0,0 +1 @@
+10

debian/control

@@ -0,0 +1,18 @@
+Source: Qubes-VM-hardening
+Section: admin
+Priority: optional
+Maintainer: Christopher Laprise <tasket@protonmail.com>
+Build-Depends: debhelper (>= 10)
+Standards-Version: 4.1.2
+Homepage: https://www.qubes-os.org
+
+Package: qubes-vm-hardening
+Architecture: all
+Depends: ${misc:Depends} qubes-core-agent
+Description: Prevent malware persistence in Qubes virtual machines.
+ Reconfigures Qubes VM templates to block casual sudo access,
+ protects user startup scripts, and includes a service that can
+ quarantine, whitelist and check file hashes at startup before
+ the /rw volume comes online.
+ 
+ See https://www.github.com/tasket/Qubes-VM-hardening for more info.

debian/copyright

@@ -0,0 +1,18 @@
+Files: debian/*
+Copyright: 2018-2019 Christopher Laprise <tasket@protonmail.com>
+License: GPL-3
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".

debian/install

@@ -0,0 +1 @@
+

debian/postinst

@@ -0,0 +1,48 @@
+#!/bin/sh
+# postinst script for qubes-tunnel
+#
+# see: dh_installdeb(1)
+
+
+
+###   TODO:
+###   Fix postinst and install files in 'debian' folder.
+
+
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    configure)
+        systemctl daemon-reload
+        systemctl enable vm-boot-protect.service
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0

debian/rules

@@ -0,0 +1,25 @@
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+#export DH_VERBOSE = 1
+
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+#export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# see ENVIRONMENT in dpkg-buildflags(1)
+# package maintainers to append CFLAGS
+#export DEB_CFLAGS_MAINT_APPEND  = -Wall -pedantic
+# package maintainers to append LDFLAGS
+#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
+
+
+%:
+	dh $@
+
+
+# dh_make generated override targets
+# This is example for Cmake (See https://bugs.debian.org/641051 )
+#override_dh_auto_configure:
+#	dh_auto_configure -- #	-DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH)
+

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

install

@@ -41,6 +41,6 @@ awk '($1~"^/rw/" || $2~"^/rw$") && ($4!~"nosuid" || $4!~"nodev") {$4=$4",nosuid,
 
 echo -e "\nvm-boot-protect installed!\n"
 
-bash ./configure-sudo-prompt
+#bash ./configure-sudo-prompt
 exit 0