meyerast/DECSEraser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update before refactor (DOES NOT WORK)

Browse Source
This commit is contained in:
meyerast
2026-03-25 16:01:58 -04:00
parent 930c0277ab
commit dfb68b378f
2 changed files with 129 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
README.md
View File

@@ -17,16 +17,16 @@
## Logging ## Logging
|Info|Location|Log To:|Implemented?|Data|Notes| |Info|Location|Log To:|Implemented?|Data|Notes|
|-|-|-|-|-|-| |-|-|-|-|-|-|
|User|Script Input|Ticket<br>Logfile|No|Username<br>|Probably can implement as part of the kerb auth| |User|- Script Input|- Ticket<br>- Logfile|No|- Username|Probably can implement as part of the kerb auth|
|Wipe Details|Script Input|Ticket<br>Logfile|No|Erase Level<br>Device Type<br>Device|| |Wipe Details|- Script Input|- Ticket<br>- Logfile|No|- Erase Level<br>- Device Type<br>- Device||
|Script Output|Terminal Output|Logfile|No|All script output|Via transcribing or output redirection| |Script Output|- Terminal Output|- Logfile|No|- All script output|Via transcribing or output redirection|
|Machine Data|Registry|Ticket<br>Logfile|No|Machine Name<br>Domain|HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName<br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters| |Machine Data|- Registry|- Ticket<br>- Logfile|No|- Machine Name<br>- Domain|HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName<br><br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters|
|Local Users|Registry<br>Filesystem|Logfile|No|Local User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br>c:/Users| |Local Users|- Registry<br>- Filesystem|- Logfile|No|- Local User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br><br>c:/Users|
|Domain Users|Registry<br>Filesystem|Ticket<br>Logfile|No|Domain User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br>c:/Users| |Domain Users|- Registry<br>- Filesystem|- Ticket<br>- Logfile|No|- Domain User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br><br>c:/Users|
|Last Logged On User|Registry|Ticket<br>Logfile|No|Username|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI| |Last Logged On User|- Registry|- Ticket<br>- Logfile|No|- Username|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI|
|Storage Info|Other|Ticket<br>Logfile|No|Serial Number<br>SMART Data|smartctl| |Storage Info|- Other|- Ticket<br>- Logfile|No|- Serial Number<br>- SMART Data|smartctl|
|System Info|Registry|Logfile|No|Manufacturer<br>Model|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS<br>Can't actually be done offline| |System Info|- Registry|- Logfile|No|- Manufacturer<br>- Model|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS<br>Can't actually be done offline|
|Misc|Misc|Ticket<br>Logfile|No|Current Time/Date|| |Misc|- Misc|- Ticket<br>- Logfile|No|- Current Time<br>- Date||

163
erase_drive.sh
View File

@@ -1,60 +1,114 @@
#!/bin/bash #!/bin/bash
#!/usr/bin/env bash #!/usr/bin/env bash
get_netid () { ## Get NetID
netid= ## Mount \\reinstallbackups
echo "Enter netid: " ## Start logging
read netid ## Get Ticket Number (optional)
while [[ $netid =~ ^\s*$ ]]; ### Check if Directory with Ticket Number exists
do #### Warn User if it doesn't
echo "Your netid cannot be blank. Enter netid: " ##
read netid
done exec 3>&1 1>"$LOGFILE" 2>&1
clear
cleanup () {
echo "SPECIAL EXIT"
pcie_disable
trap - INT
kill -INT "$$"
} }
get_ticket_number () { trap cleanup SIGINT
ticket_number=
echo "Enter ticket number: "
read ticket_number
echo $ticket_number
clear
}
confirm_message () { confirm_message () {
local typed= local typed=
while [[ ! $typed = "$2" ]]; while [[ ! $typed = "$2" ]];
do do
echo $1 echo "$1"
read typed read -r typed
done done
} }
get_netid () {
netid=
while [[ $netid =~ ^\s*$ ]];
do
echo "Enter netid: "
read -r netid
if [[ $netid =~ ^\s*$ ]];
then
echo "Your netid cannot be blank. Enter netid: "
else
authenticate_egr
fi
done
clear
}
authenticate_egr (){
kinit "$netid"
local ret_value="$?"
if [[ ! $ret_value = "0" ]]
then
netid=
case $ret_value in
"1")
echo "Error when authenticating. Please see above issue, and try again."
;;
*)
echo "Unspecified error."
;;
esac
fi
}
get_ticket () {
ticket_number=
echo "Enter ticket number: "
read -r ticket_number
if [[ ! $ticket_number =~ ^\s*$ ]];
then
local ret_value=$(ls | grep -q -E "^$ticket_number"; echo $?)
if [[ ! $ret_value = "0" ]];
then
printf "WARNING: Backup does not exist in \\\\reinstallbackups\reinstallbackups\\$ticket_number!\n"
fi
else
sleep 1
fi
}
mount_drive () {
sleep 1
}
get_eraselevel () { get_eraselevel () {
eraselevel= eraselevel=
echo "What level of erase are you performing on the drive? (0 = baseline, 1 = secure erase, 2 = decommission):" echo "What level of erase are you performing on the drive? (0 = baseline, 1 = secure erase, 2 = decommission):"
echo "Type 'help' for an explanation of each level." echo "Type 'help' for an explanation of each level."
read eraselevel read -r eraselevel
while [[ ! $eraselevel = "0" ]] && [[ ! $eraselevel = "1" ]] && [[ ! $eraselevel = "2" ]]; while [[ ! $eraselevel = "0" ]] && [[ ! $eraselevel = "1" ]] && [[ ! $eraselevel = "2" ]];
do do
if [[ $eraselevel = "help" ]]; if [[ $eraselevel = "help" ]];
then then
echo "Level 0 / Baseline: clears the partitions of the drive. Data can still be recovered but this is the optimal level for simple reuse." echo "Level 0 / Baseline: clears the partitions of the drive. Data can still be recovered but this is the optimal level for simple reuse."
echo "Level 1 / Secure Erase: HDD: Scrambles the data on the drive over 3 passes. SSD: Sends a signal to the drive to forget the encryption key, making it unreadable." echo "Level 1 / Secure Erase: HDD: Scrambles the data on the drive over 3 passes. SSD: Sends a signal to the drive to forget the encryption key, making it unread -rable."
echo "Level 2 / decommission: Scrambles the data on the drive over 7 passes. Afterward, put the drive in the bin near the Hardware office to have it destroyed." echo "Level 2 / decommission: Scrambles the data on the drive over 7 passes. Afterward, put the drive in the bin near the Hardware office to have it destroyed."
else else
echo "Invalid level, correct values can be 0, 1, or 2" echo "Invalid level, correct values can be 0, 1, or 2"
fi fi
read eraselevel read -r eraselevel
done done
} }
get_devicetype () { get_devicetype () {
devicetype= devicetype=
echo "What is the device type? (HDD_SATA, SSD_NVME, SSD_SATA):" echo "What is the device type? (0 = HDD_SATA, 1 = SSD_NVME, 2 = SSD_SATA):"
echo "Type 'help' for an explanation of each type." echo "Type 'help' for an explanation of each type."
read devicetype read -r devicetype
while [[ ! $devicetype = "HDD_SATA" ]] && [[ ! $devicetype = "SSD_NVME" ]] && [[ ! $devicetype = "SSD_SATA" ]]; while [[ ! $devicetype = "0" ]] && [[ ! $devicetype = "1" ]] && [[ ! $devicetype = "2" ]];
do do
if [[ $devicetype = "help" ]]; if [[ $devicetype = "help" ]];
then then
@@ -62,10 +116,27 @@ get_devicetype () {
echo "SSD_SATA: Solid State drive on a SATA connection. Typically 2.5 in." echo "SSD_SATA: Solid State drive on a SATA connection. Typically 2.5 in."
echo "SSD_NVME: Solid State drive on a M.2 connection. Looks like a small PCB." echo "SSD_NVME: Solid State drive on a M.2 connection. Looks like a small PCB."
else else
echo "Invalid type, correct values can be HDD_SATA, SSD_NVME, SSD_SATA" echo "Invalid type, correct values can be 0 = HDD_SATA, 1 = SSD_NVME, 2 = SSD_SATA."
fi fi
read devicetype read -r devicetype
done done
case $devicetype in
"0")
devicetype="HDD_SATA"
;;
"1")
devicetype="SSD_NVME"
;;
"2")
devicetype="SSD_SATA"
;;
*)
echo "Unspecified error."
;;
esac
} }
get_device () { get_device () {
@@ -90,7 +161,7 @@ get_device () {
} }
verify_device (){ verify_device (){
read device read -r device
while [[ ! $device =~ ^sd[a-z]$ ]] && [[ ! $device =~ ^nvme0n[0-9]$ ]]; while [[ ! $device =~ ^sd[a-z]$ ]] && [[ ! $device =~ ^nvme0n[0-9]$ ]];
do do
if [[ $device = "help" ]]; if [[ $device = "help" ]];
@@ -101,7 +172,7 @@ verify_device (){
else else
echo "Invalid format, device should follow naming conventions. (i.e. sd{a-z}, nvme0n{0-9})" echo "Invalid format, device should follow naming conventions. (i.e. sd{a-z}, nvme0n{0-9})"
fi fi
read device read -r device
done done
if [[ $devicetype = "HDD_SATA" ]] || [[ $devicetype = "SSD_SATA" ]]; if [[ $devicetype = "HDD_SATA" ]] || [[ $devicetype = "SSD_SATA" ]];
then then
@@ -130,7 +201,7 @@ verify_device (){
erase_device_lv0 () { erase_device_lv0 () {
echo "Wiping partition tables of ${devicetype} : ${device}." echo "Wiping partition tables of ${devicetype} : ${device}."
ret_value=$(sgdisk -g -Z /dev/$device &> /dev/null; echo $?) local ret_value=$(sgdisk -g -Z /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]] if [[ ! $ret_value = "0" ]]
then then
@@ -140,7 +211,7 @@ erase_device_lv0 () {
;; ;;
"2") "2")
echo "An error occurred while reading the partition table." echo "An error occurred while read -ring the partition table."
;; ;;
"3") "3")
@@ -152,7 +223,7 @@ erase_device_lv0 () {
;; ;;
"5") "5")
echo "An error occurred while reading standard input." echo "An error occurred while read -ring standard input."
;; ;;
"8") "8")
@@ -164,7 +235,7 @@ erase_device_lv0 () {
;; ;;
esac esac
else else
echo "Partition tables wiped. Device is ready for reuse." echo "Partition tables wiped. Device is read -ry for reuse."
fi fi
} }
@@ -177,7 +248,7 @@ erase_device_lv1 () {
echo "Running 3-Pass DOD Short on ${devicetype} : ${device}." echo "Running 3-Pass DOD Short on ${devicetype} : ${device}."
echo "This may take a while!" echo "This may take a while!"
ret_value=$(nwipe -m dodshort --autonuke --nogui /dev/$device &> /dev/null; echo $?) local ret_value=$(nwipe -m dodshort --autonuke --nogui /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]] if [[ ! $ret_value = "0" ]]
then then
@@ -199,7 +270,7 @@ erase_device_lv1 () {
echo "Setting security pass to NULL." echo "Setting security pass to NULL."
#Set the password of the drive to NULL #Set the password of the drive to NULL
ret_value=$(hdparm --user-master m --security-set-pass NULL /dev/$device &> /dev/null; echo $?) local ret_value=$(hdparm --user-master m --security-set-pass NULL /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]]; if [[ ! $ret_value = "0" ]];
then then
@@ -210,7 +281,7 @@ erase_device_lv1 () {
fi fi
#Attempt a secure erase. #Attempt a secure erase.
ret_value=$(hdparm --user-master m --security-erase-enhanced NULL /dev/$device &> /dev/null; echo $?) local ret_value=$(hdparm --user-master m --security-erase-enhanced NULL /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]]; if [[ ! $ret_value = "0" ]];
then then
@@ -220,7 +291,7 @@ erase_device_lv1 () {
echo "Attempting normal erase instead." echo "Attempting normal erase instead."
#Attempt a secure erase, less enhanced. #Attempt a secure erase, less enhanced.
ret_value=$(hdparm --user-master m --security-erase NULL /dev/$device &> /dev/null; echo $?) local ret_value=$(hdparm --user-master m --security-erase NULL /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]]; if [[ ! $ret_value = "0" ]];
then then
@@ -233,13 +304,13 @@ erase_device_lv1 () {
then then
echo "Running nvme_cli format on ${devicetype} : ${device}." echo "Running nvme_cli format on ${devicetype} : ${device}."
#Erase using nvme cli to send secure erase command to drop the crypto stuff. #Erase using nvme cli to send secure erase command to drop the crypto stuff.
ret_value=$(nvme format --force -r -s 2 /dev/$device &> /dev/null; echo $?) local ret_value=$(nvme format --force -r -s 2 /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]] if [[ ! $ret_value = "0" ]]
then then
echo "Failed to cryptographically erase drive, blanket erasing instead." echo "Failed to cryptographically erase drive, blanket erasing instead."
#Sad, can't do it. Blank out drive instead using the drive controller. #Sad, can't do it. Blank out drive instead using the drive controller.
ret_value=$(nvme format --force -r -s 1 /dev/$device &> /dev/null; echo $?) local ret_value=$(nvme format --force -r -s 1 /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]] if [[ ! $ret_value = "0" ]]
then then
@@ -260,7 +331,7 @@ erase_device_lv2 () {
echo "Running 7-Pass DOD on ${devicetype} : ${device}." echo "Running 7-Pass DOD on ${devicetype} : ${device}."
echo "This may take a while!" echo "This may take a while!"
ret_value=$(nwipe -m dod --autonuke --nogui /dev/$device &> /dev/null; echo $?) local ret_value=$(nwipe -m dod --autonuke --nogui /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]] if [[ ! $ret_value = "0" ]]
then then
@@ -314,19 +385,20 @@ pcie_enable (){
sleep 5 sleep 5
} }
#Remove the PCIe NVMe reader #Remove the PCIe NVMe read -rer
pcie_disable (){ pcie_disable (){
echo 1 > /sys/bus/pci/devices/0000:02:00.0/remove echo 1 > /sys/bus/pci/devices/0000:02:00.0/remove
echo "Disabled PCIe card." echo "Disabled PCIe card."
} }
main (){ main (){
# get_netid get_netid
# get_ticket_number get_ticket_number
check_backup
echo "By running this script, you are confirming that it has been two weeks past the date written on the slip attached to the storage device. DO NOT erase the device before two weeks have passed." echo "By running this script, you are confirming that it has been two weeks past the date written on the slip attached to the storage device. DO NOT erase the device before two weeks have passed."
confirm_message "Please type 'confirm' to acknowledge you have read this and that it has been two weeks." "confirm" confirm_message "Please type 'confirm' to acknowledge you have read -r this and that it has been two weeks." "confirm"
get_eraselevel #sets $eraselevel to 0-2 based on how to erase. Higher levels include lower levels. get_eraselevel #sets $eraselevel to 0-2 based on how to erase. Higher levels include lower levels.
get_devicetype #sets $devicetype to HDD_SATA/SSD_SATA/SSD_NVME get_devicetype #sets $devicetype to HDD_SATA/SSD_SATA/SSD_NVME
@@ -338,8 +410,7 @@ main (){
if [[ $eraselevel = "1" ]] || [[ $eraselevel = "2" ]]; if [[ $eraselevel = "1" ]] || [[ $eraselevel = "2" ]];
then then
local randomconf local randomconf=$(shuf -i 10000-99999 -n 1)
randomconf=$(shuf -i 10000-99999 -n 1)
confirm_message "This level is destructive and irreversible. Please type ${randomconf} to continue" "${randomconf}" confirm_message "This level is destructive and irreversible. Please type ${randomconf} to continue" "${randomconf}"
else else
confirm_message "Please type 'confirm' to begin." "confirm" confirm_message "Please type 'confirm' to begin." "confirm"