Update before refactor (DOES NOT WORK)

2026-03-25 16:01:58 -04:00
parent 930c0277ab
commit dfb68b378f
2 changed files with 129 additions and 58 deletions


@@ -17,16 +17,16 @@
## Logging
|Info|Location|Log To:|Implemented?|Data|Notes|
|-|-|-|-|-|-|
|User|Script Input|Ticket<br>Logfile|No|Username<br>|Probably can implement as part of the kerb auth|
|Wipe Details|Script Input|Ticket<br>Logfile|No|Erase Level<br>Device Type<br>Device||
|Script Output|Terminal Output|Logfile|No|All script output|Via transcribing or output redirection|
|Machine Data|Registry|Ticket<br>Logfile|No|Machine Name<br>Domain|HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName<br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters|
|Local Users|Registry<br>Filesystem|Logfile|No|Local User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br>c:/Users|
|Domain Users|Registry<br>Filesystem|Ticket<br>Logfile|No|Domain User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br>c:/Users|
|Last Logged On User|Registry|Ticket<br>Logfile|No|Username|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI|
|Storage Info|Other|Ticket<br>Logfile|No|Serial Number<br>SMART Data|smartctl|
|System Info|Registry|Logfile|No|Manufacturer<br>Model|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS<br>Can't actually be done offline|
|Misc|Misc|Ticket<br>Logfile|No|Current Time/Date||
|User|- Script Input|- Ticket<br>- Logfile|No|- Username|Probably can implement as part of the kerb auth|
|Wipe Details|- Script Input|- Ticket<br>- Logfile|No|- Erase Level<br>- Device Type<br>- Device||
|Script Output|- Terminal Output|- Logfile|No|- All script output|Via transcribing or output redirection|
|Machine Data|- Registry|- Ticket<br>- Logfile|No|- Machine Name<br>- Domain|HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName<br><br>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters|
|Local Users|- Registry<br>- Filesystem|- Logfile|No|- Local User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br><br>c:/Users|
|Domain Users|- Registry<br>- Filesystem|- Ticket<br>- Logfile|No|- Domain User List|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList<br><br>c:/Users|
|Last Logged On User|- Registry|- Ticket<br>- Logfile|No|- Username|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI|
|Storage Info|- Other|- Ticket<br>- Logfile|No|- Serial Number<br>- SMART Data|smartctl|
|System Info|- Registry|- Logfile|No|- Manufacturer<br>- Model|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS<br>Can't actually be done offline|
|Misc|- Misc|- Ticket<br>- Logfile|No|- Current Time<br>- Date||


@@ -1,60 +1,114 @@
#!/bin/bash
#!/usr/bin/env bash
get_netid () {
netid=
echo "Enter netid: "
read netid
while [[ $netid =~ ^\s*$ ]];
do
echo "Your netid cannot be blank. Enter netid: "
read netid
done
clear
}
## Get NetID
## Mount \\reinstallbackups
## Start logging
## Get Ticket Number (optional)
### Check if Directory with Ticket Number exists
#### Warn User if it doesn't
##
get_ticket_number () {
ticket_number=
echo "Enter ticket number: "
read ticket_number
echo $ticket_number
clear
exec 3>&1 1>"$LOGFILE" 2>&1
cleanup () {
echo "SPECIAL EXIT"
pcie_disable
trap - INT
kill -INT "$$"
}
trap cleanup SIGINT
confirm_message () {
local typed=
while [[ ! $typed = "$2" ]];
do
echo $1
read typed
echo "$1"
read -r typed
done
}
get_netid () {
netid=
while [[ $netid =~ ^\s*$ ]];
do
echo "Enter netid: "
read -r netid
if [[ $netid =~ ^\s*$ ]];
then
echo "Your netid cannot be blank. Enter netid: "
else
authenticate_egr
fi
done
clear
}
authenticate_egr (){
kinit "$netid"
local ret_value="$?"
if [[ ! $ret_value = "0" ]]
then
netid=
case $ret_value in
"1")
echo "Error when authenticating. Please see above issue, and try again."
;;
*)
echo "Unspecified error."
;;
esac
fi
}
get_ticket () {
ticket_number=
echo "Enter ticket number: "
read -r ticket_number
if [[ ! $ticket_number =~ ^\s*$ ]];
then
local ret_value=$(ls | grep -q -E "^$ticket_number"; echo $?)
if [[ ! $ret_value = "0" ]];
then
printf "WARNING: Backup does not exist in \\\\reinstallbackups\reinstallbackups\\$ticket_number!\n"
fi
else
sleep 1
fi
}
mount_drive () {
sleep 1
}
get_eraselevel () {
eraselevel=
echo "What level of erase are you performing on the drive? (0 = baseline, 1 = secure erase, 2 = decommission):"
echo "Type 'help' for an explanation of each level."
read eraselevel
read -r eraselevel
while [[ ! $eraselevel = "0" ]] && [[ ! $eraselevel = "1" ]] && [[ ! $eraselevel = "2" ]];
do
if [[ $eraselevel = "help" ]];
then
echo "Level 0 / Baseline: clears the partitions of the drive. Data can still be recovered but this is the optimal level for simple reuse."
echo "Level 1 / Secure Erase: HDD: Scrambles the data on the drive over 3 passes. SSD: Sends a signal to the drive to forget the encryption key, making it unreadable."
echo "Level 1 / Secure Erase: HDD: Scrambles the data on the drive over 3 passes. SSD: Sends a signal to the drive to forget the encryption key, making it unread -rable."
echo "Level 2 / decommission: Scrambles the data on the drive over 7 passes. Afterward, put the drive in the bin near the Hardware office to have it destroyed."
else
echo "Invalid level, correct values can be 0, 1, or 2"
fi
read eraselevel
read -r eraselevel
done
}
get_devicetype () {
devicetype=
echo "What is the device type? (HDD_SATA, SSD_NVME, SSD_SATA):"
echo "What is the device type? (0 = HDD_SATA, 1 = SSD_NVME, 2 = SSD_SATA):"
echo "Type 'help' for an explanation of each type."
read devicetype
while [[ ! $devicetype = "HDD_SATA" ]] && [[ ! $devicetype = "SSD_NVME" ]] && [[ ! $devicetype = "SSD_SATA" ]];
read -r devicetype
while [[ ! $devicetype = "0" ]] && [[ ! $devicetype = "1" ]] && [[ ! $devicetype = "2" ]];
do
if [[ $devicetype = "help" ]];
then
@@ -62,10 +116,27 @@ get_devicetype () {
echo "SSD_SATA: Solid State drive on a SATA connection. Typically 2.5 in."
echo "SSD_NVME: Solid State drive on a M.2 connection. Looks like a small PCB."
else
echo "Invalid type, correct values can be HDD_SATA, SSD_NVME, SSD_SATA"
echo "Invalid type, correct values can be 0 = HDD_SATA, 1 = SSD_NVME, 2 = SSD_SATA."
fi
read devicetype
read -r devicetype
done
case $devicetype in
"0")
devicetype="HDD_SATA"
;;
"1")
devicetype="SSD_NVME"
;;
"2")
devicetype="SSD_SATA"
;;
*)
echo "Unspecified error."
;;
esac
}
get_device () {
@@ -90,7 +161,7 @@ get_device () {
}
verify_device (){
read device
read -r device
while [[ ! $device =~ ^sd[a-z]$ ]] && [[ ! $device =~ ^nvme0n[0-9]$ ]];
do
if [[ $device = "help" ]];
@@ -101,7 +172,7 @@ verify_device (){
else
echo "Invalid format, device should follow naming conventions. (i.e. sd{a-z}, nvme0n{0-9})"
fi
read device
read -r device
done
if [[ $devicetype = "HDD_SATA" ]] || [[ $devicetype = "SSD_SATA" ]];
then
@@ -130,7 +201,7 @@ verify_device (){
erase_device_lv0 () {
echo "Wiping partition tables of ${devicetype} : ${device}."
ret_value=$(sgdisk -g -Z /dev/$device &> /dev/null; echo $?)
local ret_value=$(sgdisk -g -Z /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]]
then
@@ -140,7 +211,7 @@ erase_device_lv0 () {
;;
"2")
echo "An error occurred while reading the partition table."
echo "An error occurred while read -ring the partition table."
;;
"3")
@@ -152,7 +223,7 @@ erase_device_lv0 () {
;;
"5")
echo "An error occurred while reading standard input."
echo "An error occurred while read -ring standard input."
;;
"8")
@@ -164,7 +235,7 @@ erase_device_lv0 () {
;;
esac
else
echo "Partition tables wiped. Device is ready for reuse."
echo "Partition tables wiped. Device is read -ry for reuse."
fi
}
@@ -177,7 +248,7 @@ erase_device_lv1 () {
echo "Running 3-Pass DOD Short on ${devicetype} : ${device}."
echo "This may take a while!"
ret_value=$(nwipe -m dodshort --autonuke --nogui /dev/$device &> /dev/null; echo $?)
local ret_value=$(nwipe -m dodshort --autonuke --nogui /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]]
then
@@ -199,7 +270,7 @@ erase_device_lv1 () {
echo "Setting security pass to NULL."
#Set the password of the drive to NULL
ret_value=$(hdparm --user-master m --security-set-pass NULL /dev/$device &> /dev/null; echo $?)
local ret_value=$(hdparm --user-master m --security-set-pass NULL /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]];
then
@@ -210,7 +281,7 @@ erase_device_lv1 () {
fi
#Attempt a secure erase.
ret_value=$(hdparm --user-master m --security-erase-enhanced NULL /dev/$device &> /dev/null; echo $?)
local ret_value=$(hdparm --user-master m --security-erase-enhanced NULL /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]];
then
@@ -220,7 +291,7 @@ erase_device_lv1 () {
echo "Attempting normal erase instead."
#Attempt a secure erase, less enhanced.
ret_value=$(hdparm --user-master m --security-erase NULL /dev/$device &> /dev/null; echo $?)
local ret_value=$(hdparm --user-master m --security-erase NULL /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]];
then
@@ -233,13 +304,13 @@ erase_device_lv1 () {
then
echo "Running nvme_cli format on ${devicetype} : ${device}."
#Erase using nvme cli to send secure erase command to drop the crypto stuff.
ret_value=$(nvme format --force -r -s 2 /dev/$device &> /dev/null; echo $?)
local ret_value=$(nvme format --force -r -s 2 /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]]
then
echo "Failed to cryptographically erase drive, blanket erasing instead."
#Sad, can't do it. Blank out drive instead using the drive controller.
ret_value=$(nvme format --force -r -s 1 /dev/$device &> /dev/null; echo $?)
local ret_value=$(nvme format --force -r -s 1 /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]]
then
@@ -260,7 +331,7 @@ erase_device_lv2 () {
echo "Running 7-Pass DOD on ${devicetype} : ${device}."
echo "This may take a while!"
ret_value=$(nwipe -m dod --autonuke --nogui /dev/$device &> /dev/null; echo $?)
local ret_value=$(nwipe -m dod --autonuke --nogui /dev/"$device" &> /dev/null; echo $?)
if [[ ! $ret_value = "0" ]]
then
@@ -314,19 +385,20 @@ pcie_enable (){
sleep 5
}
#Remove the PCIe NVMe reader
#Remove the PCIe NVMe read -rer
pcie_disable (){
echo 1 > /sys/bus/pci/devices/0000:02:00.0/remove
echo "Disabled PCIe card."
}
main (){
# get_netid
# get_ticket_number
get_netid
get_ticket_number
check_backup
echo "By running this script, you are confirming that it has been two weeks past the date written on the slip attached to the storage device. DO NOT erase the device before two weeks have passed."
confirm_message "Please type 'confirm' to acknowledge you have read this and that it has been two weeks." "confirm"
confirm_message "Please type 'confirm' to acknowledge you have read -r this and that it has been two weeks." "confirm"
get_eraselevel #sets $eraselevel to 0-2 based on how to erase. Higher levels include lower levels.
get_devicetype #sets $devicetype to HDD_SATA/SSD_SATA/SSD_NVME
@@ -338,8 +410,7 @@ main (){
if [[ $eraselevel = "1" ]] || [[ $eraselevel = "2" ]];
then
local randomconf
randomconf=$(shuf -i 10000-99999 -n 1)
local randomconf=$(shuf -i 10000-99999 -n 1)
confirm_message "This level is destructive and irreversible. Please type ${randomconf} to continue" "${randomconf}"
else
confirm_message "Please type 'confirm' to begin." "confirm"
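Review bot: The `read` → `read -r` substitution in this commit was applied to prose as well as code, so several user-facing strings and a comment are now mangled: `unread -rable` in the get_eraselevel help text, `read -ring` twice and `read -ry` in erase_device_lv0, `read -rer` in the comment above pcie_disable, and `read -r this` in the confirmation prompt in main; each should be restored to the original word. Separately, get_ticket feeds the typed ticket number unquoted into both a `grep -E` pattern and a printf format string, so a value containing `.`, `*`, `(` or `%` either matches the wrong directories or breaks printf, and the `\reinstallbackups` inside that double-quoted format is interpreted as a `\r` carriage return; an existence check that treats the input as data, e.g. `if ! compgen -G "${ticket_number}*" >/dev/null; then` with the message printed as `printf 'WARNING: Backup does not exist in \\\\reinstallbackups\\reinstallbackups\\%s!\n' "$ticket_number"`, avoids all three. main also still calls `get_ticket_number` and `check_backup` while this commit defines `get_ticket` and, as far as the visible hunks show, no `check_backup`; if those are not defined elsewhere in the file the script fails at runtime, which the commit title already concedes.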