derp, helper method rename

README.md

@@ -35,8 +35,9 @@ That's where SecDep comes in 💪. With SecDep, you can manage your virtual mach
     - [x] SSH hardening
     - [x] Firewall installation and configuration (UFW or firewalld)
     - [ ] Fail2ban installation and configuration
-    - [x] Kernel Security Module installation and configuration (AppArmor or SELinux)
+    - [x] Kernel Security Module installation (AppArmor or SELinux)
     - [x] Docker Rootless installation
+    - [ ] gVisor installation and integration with Docker
 - [x] Docker deployment during hardening
     - [x] Single docker-compose file deployment
     - [x] Pulling of multiple docker images

harden

@@ -369,28 +369,19 @@ EOF
     done
 }
 
-# The selinuxConfig function will set up and configure selinux with sane defaults.
-# function selinuxConfig {
-#     # Set the selinux boolean to allow docker to use the network
-#     sudo setsebool -P docker_connect_any 1
-# }
-
-# Fix banaction ufw with iptables
-# Does not always persist after reboot.
 function configureFail2ban {
 FAIL2BAN_LOCAL=$(cat <<'EOF'
 [Definition]
-logtarget = /var/log/fail2ban/fail2ban.log
 allowipv6 = auto
 EOF
 )
-printf "%s" "$FAIL2BAN_LOCAL" | sudo tee /etc/fail2ban/fail2ban.local
+printf "%s\n" "$FAIL2BAN_LOCAL" | sudo tee /etc/fail2ban/fail2ban.local
 FAIL2BAN_SSH_JAIL_LOCAL=$(cat <<'EOF'
 [sshd]
-backend = systemd
 enabled = true
 filter = sshd
-banaction = ufw
+banaction = iptables
+backend = systemd
 maxretry = 3
 # 3 failed attempts in 600 seconds = 10 minutes
 findtime = 1d
@@ -400,38 +391,21 @@ EOF
 )
 FAIL2BAN_JAIL_LOCAL=$(cat <<'EOF'
 [DEFAULT]
-backend = systemd
 bantime = 1d
 EOF
 )
-printf "%s" "$FAIL2BAN_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.local
-printf "%s" "$FAIL2BAN_SSH_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.d/sshd.local
+printf "%s\n" "$FAIL2BAN_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.local
+sudo rm -f /etc/fail2ban/jail.d/*
+printf "%s\n" "$FAIL2BAN_SSH_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.d/sshd.local
 FAIL2BAN_FILTER=$(cat <<'EOF'
 [Definition]
 failregex = ^.*DROP_.*SRC=<ADDR> DST=.*$
 journalmatch = _TRANSPORT=kernel
 EOF
 )
-printf "%s" "$FAIL2BAN_FILTER" | sudo tee /etc/fail2ban/filter.d/fwdrop.local
-HARDEN_FAIL2BAN_SERVICE=$(cat <<'EOF'
-[Service]
-PrivateDevices=yes
-PrivateTmp=yes
-ProtectHome=read-only
-ProtectSystem=strict
-ReadWritePaths=-/var/run/fail2ban
-ReadWritePaths=-/var/lib/fail2ban
-ReadWritePaths=-/var/log/fail2ban
-ReadWritePaths=-/var/spool/postfix/maildrop
-ReadWritePaths=/run/xtables.lock
-CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
-EOF
-)
-sudo mkdir -p /etc/systemd/system/fail2ban.service.d
-printf "%s" "$HARDEN_FAIL2BAN_SERVICE" | sudo tee /etc/systemd/system/fail2ban.service.d/override.conf
-sudo systemctl daemon-reload
+printf "%s\n" "$FAIL2BAN_FILTER" | sudo tee /etc/fail2ban/filter.d/fwdrop.local
 sudo systemctl enable --now fail2ban
-printf "%s" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config
+printf "%s\n" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config
 }
 
 function enableServices {
@@ -473,6 +447,28 @@ EOF
     sudo at now + 1 minute <<< "bash /root/delete_users.sh"
 }
 
+function gVisorInit {
+    # Install gVisor
+    (
+    set -e
+    ARCH=$(uname -m)
+    URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
+    wget "${URL}"/runsc "${URL}"/runsc.sha512 \
+    "${URL}"/containerd-shim-runsc-v1 "${URL}"/containerd-shim-runsc-v1.sha512
+    sha512sum -c runsc.sha512 \
+    -c containerd-shim-runsc-v1.sha512
+    rm -f -- *.sha512
+    chmod a+rx runsc containerd-shim-runsc-v1
+    sudo mv runsc containerd-shim-runsc-v1 /home/secdep/bin
+    )
+    # Enable gVisor for docker by default
+}
+
+function finishingTouches {
+    # Set the correct timezone for Greece
+    sudo timedatectl set-timezone Europe/Athens
+}
+
 # The main function will call the declared functions in order and exit if any of them fails.
 # It will also pass any arguments passed to the script to the dockerInit function.
 # Then it will output a message to the user and reboot the system in 2 minutes.
@@ -488,14 +484,21 @@ function main {
     printf "%s" "Kernel security module initialized"
     configureFail2ban || exit 1                     # Initialize fail2ban and exit if it fails
     printf "%s" "Fail2ban configured"
-#    selinuxConfig       # Configure selinux
     # Call the dockerInit function with the arguments passed to the script
     dockerInit "$@" || exit 1                       # Initialize docker and exit if it fails
-    enableServices || exit 1
-    deleteRemainingUsers || exit 1
+    printf "%s" "Docker Rootless and docker-compose installed"
+    printf "%s" "Portainer along with any specified docker images from the command line or a docker-compose.yml file installed"
+    gVisorInit || exit 1                            # Initialize gVisor and exit if it fails
+    printf "%s" "gVisor installed"
+    enableServices || exit 1                        # Enable the services that need to be restarted and the firewall
+    printf "%s" "Services restarted and firewall enabled"
+    deleteRemainingUsers || exit 1                  # Delete possible remaining users
+    printf "%s" "Any unnecessary users deleted"
+    finishingTouches || exit 1                      # Last finishing touches
+    printf "%s" "System almost ready"
 	printf "%s" "$SCRIPT_NAME script finished"      # Output message to the user
 	printf "%s" "System will reboot momentarily"    # Output message to the user
-    # Reboot the system in 2 minutes
+    # Reboot the system in 2 minutes with the shutdown command so that login before the reboot is not possible
     sudo shutdown -r +2
 }