Beyond
After rooting
Cron
root@sandworm:~/Cleanup# cat clean_c.sh
#!/bin/bash
/bin/rm -r /opt/crates
/bin/cp -rp /root/Cleanup/crates /opt/
/usr/bin/chmod u+s /opt/tipnet/target/debug/tipnet
root@sandworm:~/Cleanup# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
*/2 * * * * cd /opt/tipnet && /bin/echo "e" | /bin/sudo -u atlas /usr/bin/cargo run --offline
*/2 * * * * sleep 10 && /root/Cleanup/clean_c.sh
*/5 * * * * /bin/bash /root/Cleanup/clean.shHome
root@sandworm:~/Cleanup# ll
total 36
drwxr-xr-x 4 root root 4096 may 5 08:59 ./
drwx------ 7 root root 4096 jun 7 15:19 ../
-rw-r--r-- 1 root atlas 611 may 4 17:26 admin.json
-rwxr-xr-x 1 root root 125 may 4 17:28 clean_c.sh*
-rwxr-xr-x 1 root root 170 may 4 17:28 clean.sh*
drwxr-xr-x 3 root atlas 4096 may 4 17:26 crates/
-rw-r--r-- 1 root root 279 may 4 17:35 firejail-flask.service
drwxr-xr-x 5 root atlas 4096 may 4 15:50 tipnet/
-rw-r--r-- 1 root atlas 727 may 5 08:59 webapp.profileclean_c.sh
root@sandworm:~/Cleanup# cat clean_c.sh
#!/bin/bash
/bin/rm -r /opt/crates
/bin/cp -rp /root/Cleanup/crates /opt/
/usr/bin/chmod u+s /opt/tipnet/target/debug/tipnetclean.sh
root@sandworm:~/Cleanup# cat clean.sh
#!/bin/bash
/bin/cp -p /root/Cleanup/webapp.profile /home/atlas/.config/firejail/
/bin/cp -p /root/Cleanup/admin.json /home/atlas/.config/httpie/sessions/localhost_5000/firejail-flask.service
root@sandworm:~/Cleanup# cat firejail-flask.service
[Unit]
Description=Firejail Flask Service
After=network.target
[Service]
Environment=FLASK_APP=SSA
User=atlas
WorkingDirectory=/var/www/html/SSA
ExecStart=/usr/local/bin/firejail --profile=webapp flask run
Restart=always
RemainAfterExit=no
[Install]
WantedBy=multi-user.targetwebapp.profile
root@sandworm:~/Cleanup# cat webapp.profile
noblacklist /var/run/mysqld/mysqld.sock
hostname sandworm
seccomp
noroot
allusers
caps.drop dac_override,fowner,setuid,setgid
seccomp.drop chmod,fchmod,setuid
private-tmp
private-opt none
private-dev
private-bin /usr/bin/python3,/usr/local/bin/gpg,/bin/bash,/usr/bin/flask,/usr/local/sbin/gpg,/usr/bin/groups,/usr/bin/base64,/usr/bin/lesspipe,/usr/bin/basename,/usr/bin/filename,/usr/bin/bash,/bin/sh,/usr/bin/ls,/usr/bin/cat,/usr/bin/id,/usr/local/libexec/scdaemon,/usr/local/bin/gpg-agent
#blacklist ${HOME}/.ssh
#blacklist /opt
blacklist /home/silentobserver
whitelist /var/www/html/SSA
read-write /var/www/html/SSA/SSA/submissions
noexec /var/www/html/SSA/SSA/submissions
read-only ${HOME}
read-write ${HOME}/.gnupg
root@sandworm:~/Cleanup# cat webapp.profile
noblacklist /var/run/mysqld/mysqld.sock
hostname sandworm
seccomp
noroot
allusers
caps.drop dac_override,fowner,setuid,setgid
seccomp.drop chmod,fchmod,setuid
private-tmp
private-opt none
private-dev
private-bin /usr/bin/python3,/usr/local/bin/gpg,/bin/bash,/usr/bin/flask,/usr/local/sbin/gpg,/usr/bin/groups,/usr/bin/base64,/usr/bin/lesspipe,/usr/bin/basename,/usr/bin/filename,/usr/bin/bash,/bin/sh,/usr/bin/ls,/usr/bin/cat,/usr/bin/id,/usr/local/libexec/scdaemon,/usr/local/bin/gpg-agent
#blacklist ${HOME}/.ssh
#blacklist /opt
blacklist /home/silentobserver
whitelist /var/www/html/SSA
read-write /var/www/html/SSA/SSA/submissions
noexec /var/www/html/SSA/SSA/submissions
read-only ${HOME}
read-write ${HOME}/.gnupg