diff --git a/usr/share/archboot/base/etc/syslog-ng.conf b/usr/share/archboot/base/etc/syslog-ng.conf
index 453eb48a1..d15891d55 100644
--- a/usr/share/archboot/base/etc/syslog-ng.conf
+++ b/usr/share/archboot/base/etc/syslog-ng.conf
@@ -1,9 +1,11 @@
+@version: 3.0
 #
 # /etc/syslog-ng.conf
 #
 options {
- sync (0);
+ stats_freq (0);
+ flush_lines (0);
 time_reopen (10);
 log_fifo_size (1000);
 long_hostnames(off);
@@ -21,24 +23,24 @@ source src { file("/proc/kmsg"); };
-destination authlog { file("/var/log/auth.log"); };
-destination syslog { file("/var/log/syslog.log"); };
-destination cron { file("/var/log/crond.log"); };
-destination daemon { file("/var/log/daemon.log"); };
-destination kernel { file("/var/log/kernel.log"); };
-destination lpr { file("/var/log/lpr.log"); };
-destination user { file("/var/log/user.log"); };
-destination uucp { file("/var/log/uucp.log"); };
-destination mail { file("/var/log/mail.log"); };
-destination news { file("/var/log/news.log"); };
-destination ppp { file("/var/log/ppp.log"); };
-#destination debug { file("/var/log/debug.log"); };
-destination messages { file("/var/log/messages.log"); };
-destination errors { file("/var/log/errors.log"); };
-destination everything { file("/var/log/everything.log"); };
-destination iptables { file("/var/log/iptables.log"); };
-destination acpid { file("/var/log/acpid.log"); };
-destination console { usertty("root"); };
+destination d_authlog { file("/var/log/auth.log"); };
+destination d_syslog { file("/var/log/syslog.log"); };
+destination d_cron { file("/var/log/crond.log"); };
+destination d_daemon { file("/var/log/daemon.log"); };
+destination d_kernel { file("/var/log/kernel.log"); };
+destination d_lpr { file("/var/log/lpr.log"); };
+destination d_user { file("/var/log/user.log"); };
+destination d_uucp { file("/var/log/uucp.log"); };
+destination d_mail { file("/var/log/mail.log"); };
+destination d_news { file("/var/log/news.log"); };
+destination d_ppp { file("/var/log/ppp.log"); };
+destination d_debug { file("/var/log/debug.log"); };
+destination d_messages { file("/var/log/messages.log"); };
+destination d_errors { file("/var/log/errors.log"); };
+destination d_everything { file("/var/log/everything.log"); };
+destination d_iptables { file("/var/log/iptables.log"); };
+destination d_acpid { file("/var/log/acpid.log"); };
+destination d_console { usertty("root"); };
 # Log everything to vc12
 destination console_all { file("/dev/vc/12"); };
@@ -56,7 +58,7 @@ filter f_user { facility(user); };
 filter f_uucp { facility(cron); };
 filter f_news { facility(news); };
 filter f_ppp { facility(local2); };
-#filter f_debug { not facility(auth, authpriv, news, mail); };
+filter f_debug { not facility(auth, authpriv, news, mail); };
 filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news, cron) and not program(syslog-ng) and not filter(f_iptables); };
 filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };
 filter f_emergency { level(emerg); };
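Review bot: `destination d_debug` is defined here and `filter f_debug` is uncommented in the hunk at -56,7, but the only log path that uses them, `#log { source(src); filter(f_debug); destination(d_debug); };` in the hunk at -65,27, stays commented out, so both are dead definitions. Either keep the destination and filter commented together with the path, or uncomment the path if /var/log/debug.log is wanted; note that `f_debug` selects every facility except auth, authpriv, news and mail at all levels, so that file would grow quickly. The `file()` destinations also set no `perm()`/`owner()` options, so the global defaults decide who can read /var/log/auth.log; confirm those defaults are not world-readable on the boot medium.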
@@ -65,27 +67,27 @@ filter f_notice { level(notice); };
 filter f_warn { level(warn); };
 filter f_crit { level(crit); };
 filter f_err { level(err); };
-filter f_iptables { match("IN=.*OUT="); };
-filter f_acpid { match("acpid"); };
+filter f_iptables { match("IN=" value("MESSAGE")) and match("OUT=" value("MESSAGE")); };
+filter f_acpid { program("acpid"); };
-log { source(src); filter(f_acpid); destination(acpid); flags(final); };
-log { source(src); filter(f_authpriv); destination(authlog); };
-log { source(src); filter(f_syslog); destination(syslog); };
-log { source(src); filter(f_cron); destination(cron); };
-log { source(src); filter(f_daemon); destination(daemon); };
-log { source(src); filter(f_kernel); destination(kernel); };
-log { source(src); filter(f_lpr); destination(lpr); };
-log { source(src); filter(f_mail); destination(mail); };
-log { source(src); filter(f_news); destination(news); };
-log { source(src); filter(f_ppp); destination(ppp); };
-log { source(src); filter(f_user); destination(user); };
-log { source(src); filter(f_uucp); destination(uucp); };
-#log { source(src); filter(f_debug); destination(debug); };
-log { source(src); filter(f_messages); destination(messages); };
-log { source(src); filter(f_err); destination(errors); };
-log { source(src); filter(f_emergency); destination(console); };
-log { source(src); filter(f_everything); destination(everything); };
-log { source(src); filter(f_iptables); destination(iptables); };
+log { source(src); filter(f_acpid); destination(d_acpid); };
+log { source(src); filter(f_authpriv); destination(d_authlog); };
+log { source(src); filter(f_syslog); destination(d_syslog); };
+log { source(src); filter(f_cron); destination(d_cron); };
+log { source(src); filter(f_daemon); destination(d_daemon); };
+log { source(src); filter(f_kernel); destination(d_kernel); };
+log { source(src); filter(f_lpr); destination(d_lpr); };
+log { source(src); filter(f_mail); destination(d_mail); };
+log { source(src); filter(f_news); destination(d_news); };
+log { source(src); filter(f_ppp); destination(d_ppp); };
+log { source(src); filter(f_user); destination(d_user); };
+log { source(src); filter(f_uucp); destination(d_uucp); };
+#log { source(src); filter(f_debug); destination(d_debug); };
+log { source(src); filter(f_messages); destination(d_messages); };
+log { source(src); filter(f_err); destination(d_errors); };
+log { source(src); filter(f_emergency); destination(d_console); };
+log { source(src); filter(f_everything); destination(d_everything); };
+log { source(src); filter(f_iptables); destination(d_iptables); };
 # Log everything to vc12
 log { source(src); destination(console_all); };
diff --git a/usr/share/archboot/wireless/etc/wpa_supplicant.conf b/usr/share/archboot/wireless/etc/wpa_supplicant.conf
index ec8b0eeb3..43e81a16d 100644
--- a/usr/share/archboot/wireless/etc/wpa_supplicant.conf
+++ b/usr/share/archboot/wireless/etc/wpa_supplicant.conf
@@ -135,6 +135,11 @@ fast_reauth=1
 # in most cases.
 #driver_param="field=value"
+# Country code
+# The ISO/IEC alpha2 country code for the country in which this device is
+# currently operating.
+#country=US
+
 # Maximum lifetime for PMKSA in seconds; default 43200
 #dot11RSNAConfigPMKLifetime=43200
 # Threshold for reauthentication (percentage of PMK lifetime); default 70
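Review bot: The rewritten `f_iptables` filter matches `IN=` and `OUT=` as unanchored substrings of MESSAGE, so any message containing tokens such as `LOGIN=` or `TIMEOUT=` also satisfies it, and because `f_messages` (hunk at -56,7) excludes `filter(f_iptables)`, such messages would be diverted to iptables.log and missing from messages.log. Anchoring both tokens on a boundary, e.g. `filter f_iptables { match("(^|[[:space:]])IN=" value("MESSAGE")) and match("[[:space:]]OUT=" value("MESSAGE")); };`, keeps the netfilter `IN=... OUT=...` form while rejecting those false positives (assuming the default POSIX regex matcher is in effect). Separately, `flags(final)` was dropped from the acpid path, so acpid messages now also continue into the later paths (d_daemon, d_messages, d_everything, console_all); if that duplication is not intended, keep it on the new line as `log { source(src); filter(f_acpid); destination(d_acpid); flags(final); };`.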
@@ -142,6 +147,57 @@ fast_reauth=1
 # Timeout for security association negotiation in seconds; default 60
 #dot11RSNAConfigSATimeout=60
+# Wi-Fi Protected Setup (WPS) parameters
+
+# Universally Unique IDentifier (UUID; see RFC 4122) of the device
+# If not configured, UUID will be generated based on the local MAC address.
+#uuid=12345678-9abc-def0-1234-56789abcdef0
+
+# Device Name
+# User-friendly description of device; up to 32 octets encoded in UTF-8
+#device_name=Wireless Client
+
+# Manufacturer
+# The manufacturer of the device (up to 64 ASCII characters)
+#manufacturer=Company
+
+# Model Name
+# Model of the device (up to 32 ASCII characters)
+#model_name=cmodel
+
+# Model Number
+# Additional device description (up to 32 ASCII characters)
+#model_number=123
+
+# Serial Number
+# Serial number of the device (up to 32 characters)
+#serial_number=12345
+
+# Primary Device Type
+# Used format: --
+# categ = Category as an integer value
+# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
+# default WPS OUI
+# subcateg = OUI-specific Sub Category as an integer value
+# Examples:
+# 1-0050F204-1 (Computer / PC)
+# 1-0050F204-2 (Computer / Server)
+# 5-0050F204-1 (Storage / NAS)
+# 6-0050F204-1 (Network Infrastructure / AP)
+#device_type=1-0050F204-1
+
+# OS Version
+# 4-octet operating system version number (hex string)
+#os_version=01020300
+
+# Credential processing
+# 0 = process received credentials internally (default)
+# 1 = do not process received credentials; just pass them over ctrl_iface to
+# external program(s)
+# 2 = process received credentials internally and pass them over ctrl_iface
+# to external program(s)
+#wps_cred_processing=0
+
 # network block
 #
 # Each network (usually AP's sharing the same SSID) is configured as a separate
@@ -206,11 +262,12 @@ fast_reauth=1
 #
 # key_mgmt: list of accepted authenticated key management protocols
 # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
-# WPA-EAP = WPA using EAP authentication (this can use an external
-# program, e.g., Xsupplicant, for IEEE 802.1X EAP Authentication
+# WPA-EAP = WPA using EAP authentication
 # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
 # generated WEP keys
 # NONE = WPA is not used; plaintext or static WEP could be used
+# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
+# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
 # If not set, this defaults to: WPA-PSK WPA-EAP
 #
 # auth_alg: list of allowed IEEE 802.11 authentication algorithms
@@ -274,6 +331,9 @@ fast_reauth=1
 # 1 = enabled
 #peerkey=1
 #
+# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
+# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
+#
 # Following fields are only used with internal EAP implementation.
 # eap: space-separated list of accepted EAP methods
 # MD5 = EAP-MD5 (unsecure and does not generate keying material ->
@@ -292,10 +352,19 @@ fast_reauth=1
 # If not set, all compiled in methods are allowed.
 #
 # identity: Identity string for EAP
+# This field is also used to configure user NAI for
+# EAP-PSK/PAX/SAKE/GPSK.
 # anonymous_identity: Anonymous identity string for EAP (to be used as the
 # unencrypted identity with EAP types that support different tunnelled
 # identity, e.g., EAP-TTLS)
-# password: Password string for EAP
+# password: Password string for EAP. This field can include either the
+# plaintext password (using ASCII or hex string) or a NtPasswordHash
+# (16-byte MD4 hash of password) in hash:<32 hex digits> format.
+# NtPasswordHash can only be used when the password is for MSCHAPv2 or
+# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
+# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
+# PSK) is also configured using this field. For EAP-GPSK, this is a
+# variable length PSK.
 # ca_cert: File path to CA certificate file (PEM/DER). This file can have one
 # or more trusted CA certificates. If ca_cert and ca_path are not
 # included, server certificate will not be verified. This is insecure and
@@ -376,6 +445,15 @@ fast_reauth=1
 # fragmented.
 # sim_min_num_chal=3 can be used to configure EAP-SIM to require three
 # challenges (by default, it accepts 2 or 3)
+# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
+# protected result indication.
+# 'crypto_binding' option can be used to control PEAPv0 cryptobinding
+# behavior:
+# * 0 = do not use cryptobinding (default)
+# * 1 = use cryptobinding if server supports it
+# * 2 = require cryptobinding
+# EAP-WSC (WPS) uses following options: pin= or
+# pbc=1.
 # phase2: Phase2 (inner authentication with TLS tunnel) parameters
 # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
 # "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
@@ -402,22 +480,6 @@ fast_reauth=1
 # interface used for EAPOL. The default value is suitable for most
 # cases.
 #
-# EAP-PSK variables:
-# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
-# nai: user NAI
-#
-# EAP-PAX variables:
-# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
-#
-# EAP-SAKE variables:
-# eappsk: 32-byte (256-bit, 64 hex digits) pre-shared key in hex format
-# (this is concatenation of Root-Secret-A and Root-Secret-B)
-# nai: user NAI (PEERID)
-#
-# EAP-GPSK variables:
-# eappsk: Pre-shared key in hex format (at least 128 bits, i.e., 32 hex digits)
-# nai: user NAI (ID_Client)
-#
 # EAP-FAST variables:
 # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
 # to create this file and write updates to it when PAC is being
@@ -425,8 +487,18 @@ fast_reauth=1
 # working directory may change when wpa_supplicant is run in the
 # background. Alternatively, a named configuration blob can be used by
 # setting this to blob://
-# phase1: fast_provisioning=1 option enables in-line provisioning of EAP-FAST
-# credentials (PAC)
+# phase1: fast_provisioning option can be used to enable in-line provisioning
+# of EAP-FAST credentials (PAC):
+# 0 = disabled,
+# 1 = allow unauthenticated provisioning,
+# 2 = allow authenticated provisioning,
+# 3 = allow both unauthenticated and authenticated provisioning
+# fast_max_pac_list_len= option can be used to set the maximum
+# number of PAC entries to store in a PAC list (default: 10)
+# fast_pac_format=binary option can be used to select binary format for
+# storing PAC entries in order to save some space (the default
+# text format uses about 2.5 times the size of minimal binary
+# format)
 #
 # wpa_supplicant supports number of "EAP workarounds" to work around
 # interoperability issues with incorrectly behaving authentication servers.
@@ -463,6 +535,17 @@ network={
 priority=2
 }
+# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
+network={
+ ssid="example"
+ proto=WPA
+ key_mgmt=WPA-PSK
+ pairwise=TKIP
+ group=TKIP
+ psk="not so secure passphrase"
+ wpa_ptk_rekey=600
+}
+
 # Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
 # or WEP40 as the group cipher will not be accepted.
 network={
@@ -573,9 +656,9 @@ network={
 ssid="eap-psk-test"
 key_mgmt=WPA-EAP
 eap=PSK
- identity="eap_psk_user"
- eappsk=06b4be19da289f475aa46a33cb793029
- nai="eap_psk_user@example.com"
+ anonymous_identity="eap_psk_user"
+ password=06b4be19da289f475aa46a33cb793029
+ identity="eap_psk_user@example.com"
 }
@@ -604,6 +687,15 @@ network={
 password="foobar"
 }
+# EAP-IKEv2 using shared secrets for both server and peer authentication
+network={
+ ssid="ikev2-example"
+ key_mgmt=WPA-EAP
+ eap=IKEV2
+ identity="user"
+ password="foobar"
+}
+
 # EAP-FAST with WPA (WPA or WPA2)
 network={
 ssid="eap-fast-test"
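Review bot: The new `network={ ssid="example" ... psk="not so secure passphrase" ... }` block is an active network entry rather than a comment, in a configuration shipped under usr/share/archboot/wireless/etc/, so a supplicant started with this file as-is will try to associate with any access point advertising the SSID `example` using that sample passphrase. The same applies to the new `ikev2-example` block in the hunk at -604,6 and to the `eap-psk-test` block in the hunk at -573,9, whose sample key now sits in `password=`; the enclosing `network={` line of that block lies outside the hunk. If these are meant purely as documentation, comment them out with `#` like the option descriptions above, or add `disabled=1` inside each block so they stay in the file but are never selected.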