Proper Horizon SPICE Console Fix, Windows Update Fix, Added VcXsrv, & Set APT Mirror/Proxy

ops_stations/ops_from_code.yaml

@@ -38,6 +38,12 @@ parameters:
     default: view_only_password
     hidden: true
 
+  package_proxy:
+    type: string
+    label: the URL for the package cache
+    default: "http://pkg-cache.bbh.cyberschool.army.mil:3142"
+    hidden: true
+
 resources:
   rand_string:
     type: OS::Heat::RandomString
@@ -126,9 +132,15 @@ resources:
             Start-Service sshd
             Set-Service -Name sshd -StartupType Automatic
 
-            #----Disable Windows Updates
-            set-service wuauserv -startuptype disabled
-            stop-service wuauserv
+            #----Disable Windows Updates (the "official" Microsoft way)
+            $cmd = @()
+            $cmd += 'New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows" -Name "WindowsUpdate"'
+            $cmd += 'New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "AU"'
+            $cmd += 'New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" -Type Dword -Value "1"'
+            foreach($c in $cmd) {
+              Write-Host $c
+              Invoke-Expression $c
+            }
 
             #----Update PowerShell Help
             Update-Help -Force
@@ -152,7 +164,7 @@ resources:
             Disable-LocalUser -Name "admin"
 
             #----Rename computer
-            Rename-computer -newname "WinOpsStation"
+            Rename-computer -newname "win-ops"
 
             #----Set TimeZone to EST
             Set-TimeZone "Eastern Standard Time"
@@ -168,6 +180,10 @@ resources:
             #-----Install tightvnc as service with regular connection and view only connection
             choco install tightvnc -y --installArguments 'SERVER_REGISTER_AS_SERVICe=1 SET_ACCEPTRFBCONNECTIONS=1 VALUE_OF_ACCEPTRFBCONNECTIONS=1 SET_ALWAYSSHARED=1 VALUE_OF_ALWAYSSHARED=1 SET_DISCONNECTACTION=+1 VALUE_OF_DISCONNECTACTION=1 SET_USECONTROLAUTHENTICATION=1 VALUE_OF_USECONTROLAUTHENTICATION=1 SET_USEVNCAUTHENTICATION=1 VALUE_OF_USEVNCAUTHENTICATION=1  SET_CONTROLPASSWORD=1 VALUE_OF_CONTROLPASSWORD=$pass SET_PASSWORD=1 VALUE_OF_PASSWORD=$vncpass SET_VIEWONLYPASSWORD=1 VALUE_OF_VIEWONLYPASSWORD=$vncviewpass'
 
+            #----- Install VcXsrv & PuTTY for X connections to Windows
+            choco install vcxsrv putty -y
+            reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /V VcXsrv /D "C:\Progra~1\VcXsrv\vcxsrv.exe :0 -multiwindow -clipboard -wgl"
+
             exit 1001
           params:
             $user: { get_param: username }
@@ -216,7 +232,7 @@ resources:
           template: linux_opstation_RAND
           params:
             RAND: { get_resource: rand_string }
-      image: deb_10_xfce
+      image: ubuntu_18.04
       flavor: cy.xlarge
       networks:
         - port: { get_resource: linux_opstation_port }
@@ -245,8 +261,8 @@ resources:
 
             export DEBIAN_FRONTEND=noninteractive
 
-            echo "domain kinetic" > /etc/resolv.conf
-            echo "search kinetic" >>/etc/resolv.conf
+            echo "domain vta" > /etc/resolv.conf
+            echo "search vta" >>/etc/resolv.conf
             echo "nameserver $domain" >>/etc/resolv.conf
 
             # ----- ENABLE SUDO NOPASSWD
@@ -266,6 +282,10 @@ resources:
             usermod -aG sudo $user
             echo "$user:$pass" | chpasswd
 
+            # enable APT proxy/mirror to speed things up
+            echo 'Acquire::http { Proxy "$packageproxy"; }' >> /etc/apt/apt.conf.d/00aptproxy
+            sed -i 's/nova.clouds.archive.ubuntu.com/atl.mirrors.clouvider.net/g' /etc/apt/sources.list
+
             # ----- updates
 
             apt-get update -y
@@ -353,6 +373,11 @@ resources:
                 bash "$f" -H
             done
 
+            # Blank Horizon SPICE console fix (can remove upon transition to VNC)
+            echo "X-GNOME-Autostart-enabled=false" > /etc/xdg/autostart/spice-vdagent.desktop
+            echo "X-GNOME-Autostart-enabled=false" > /usr/share/gdm/autostart/LoginWindow/spice-vdagent.desktop
+            systemctl stop spice-vdagent
+            systemctl disable spice-vdagent
 
             reboot
 
@@ -362,6 +387,7 @@ resources:
             $vncpass: { get_param: vncpass }
             $vncviewpass: { get_param: view_only_password }
             $domain: { get_param: domain}
+            $packageproxy: { get_param: package_proxy }
   # ----- Linux Analyst Workstation Configuration End ----- #
 
 

ops_stations/ops_from_snap.yaml

@@ -10,6 +10,11 @@ parameters:
     default: 10.50.255.254
     hidden: false
 
+  package_proxy:
+    type: string
+    label: the URL for the package cache
+    default: "http://pkg-cache.bbh.cyberschool.army.mil:3142"
+
   username:
     type: string
     label: User Name
@@ -113,12 +118,36 @@ resources:
         str_replace:
           template: |
             #ps1_sysnative
+
+            #### Purge at next image cycle ####
+            #---- Install VcXsrv & PuTTY for remote X connections
+            choco install vcxsrv putty -y
+            reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /V VcXsrv /D "C:\Progra~1\VcXsrv\vcxsrv.exe :0 -multiwindow -clipboard -wgl"
+
+            #---- Restore Security Health panel (to allow turning off AV)
+            Add-AppxPackage -Register -DisableDevelopmentMode "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppXManifest.xml"
+
+            #----Disable Windows Updates (the "official" Microsoft way)
+            $cmd = @()
+            $cmd += 'New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows" -Name "WindowsUpdate"'
+            $cmd += 'New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "AU"'
+            $cmd += 'New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" -Type Dword -Value "1"'
+            foreach($c in $cmd) {
+              Write-Host $c
+              Invoke-Expression $c
+            }
+            ####
+
             if ("$user" -ne "student"){
               New-LocalUser -Name "$user" -Password (ConvertTo-SecureString -AsPlaintext -String "$pass" -Force)
               Add-LocalGroupMember -Group "Administrators" -Member "$user"
               #Remove-LocalUser -Name "student"
             }
+
+            #### Purge at next image cycle ####
             Rename-Computer win-ops
+            ####
+
             exit 1001  
           params:
             $user: { get_param: username }
@@ -178,8 +207,14 @@ resources:
         str_replace:
           template: |
             #!/bin/bash
-            echo blacklist qxl > /etc/modprobe.d/qxl.conf
-            update-initramfs -u
+
+            #------ Purge at next image cycle
+            # SPICE driver fix
+            echo "X-GNOME-Autostart-enabled=false" | tee /etc/xdg/autostart/spice-vdagent.desktop /usr/share/gdm/autostart/LoginWindow/spice-vdagent.desktop > /dev/null
+            systemctl stop spice-vdagent
+            systemctl disable spice-vdagent
+            #
+
             if [[ "$user" != "student" ]]
               then
                 useradd -m -U -s /bin/bash $user
@@ -187,16 +222,24 @@ resources:
                 echo "$user:$pass" | chpasswd
                 #userdel -r student
             fi
+
             hostnamectl set-hostname lin-ops
+
+            #------ Purge at next image cycle
+            echo 'Acquire::http { Proxy "$packageproxy"; }' >> /etc/apt/apt.conf.d/00aptproxy
+            sed -i 's/nova.clouds.archive.ubuntu.com/atl.mirrors.clouvider.net/g' /etc/apt/sources.list
             apt-get update -y 
-            apt-get install gcc-multilib -y
-            apt-get install mingw-w64 mingw-w64-common mingw-w64-i686-dev mingw-w64-tools mingw-w64-tools mingw-w64-x86-64-dev -y
+            apt-get install gcc-multilib mingw-w64 mingw-w64-common mingw-w64-i686-dev mingw-w64-tools mingw-w64-tools mingw-w64-x86-64-dev john eom -y
+            runuser -l student -c 'pip install lxml requests'
+            #
+            
           params:
             $user: { get_param: username }
             $pass: { get_param: password }
             $vncpass: { get_param: vncpass }
             $vncviewpass: { get_param: view_only_password }
             $domain: { get_param: domain}
+            $packageproxy: { get_param: package_proxy }
   # ----- Linux Analyst Workstation Configuration End ----- #
 
 

ops_stations/scripts/sec_linux_setup.sh

 #!/bin/bash
 DEBIAN_FRONTEND=noninteractive
 
-pkg_array=({bison,build-essential,checkinstall,curl,dirmngr,docker,docker-compose,dnsutils,ethtool,firefox,flex,ftp,gcc,gdebi,gdb,git,gvfs-bin,install,iptables-dev,libdumbnet-dev,libnet1-dev,libnetfilter-queue-dev,libpcap-dev,libpcre3-dev,libqt5scripttools5,libqt5webkit5,libssl1.0.0,locate,lsof,make,netcat,nginx,nmap,openvpn,p0f,proftpd,proxychains,pv,python3,python3-pip,python-pip,software-properties-common,scapy,tcpdump,telnet,tigervnc-standalone-server,tmux,traceroute,wireshark,xrdp,zlib1g-dev})
+pkg_array=({bison,build-essential,checkinstall,curl,dirmngr,docker,docker-compose,dnsutils,ethtool,eom,firefox,flex,ftp,gcc,gcc-multilib,gdebi,gdb,git,gvfs-bin,install,iptables-dev,john,libdumbnet-dev,libnet1-dev,libnetfilter-queue-dev,libpcap-dev,libpcre3-dev,libqt5scripttools5,libqt5webkit5,libssl1.0.0,locate,lsof,make,mingw-w64,mingw-w64-common,mingw-w64-i686-dev,mingw-w64-tools,mingw-w64-x86-64-dev,netcat,nginx,nmap,openvpn,p0f,proftpd,proxychains,pv,python3,python3-pip,python-pip,software-properties-common,scapy,tcpdump,telnet,tigervnc-standalone-server,tmux,traceroute,wireshark,xrdp,zlib1g-dev})
 for x in ${pkg_array[@]}; do apt-get install -y $x; done
+
+runuser -l student -c 'pip install lxml requests'