konsthol/SecDep
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

This should work until december 2013.

Browse Source
This commit is contained in:
konsthol
2023-09-02 00:21:20 +03:00
parent e2a1a81b52
commit 45ed5e89c1
1 changed files with 14 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
harden
View File

@@ -315,27 +315,23 @@ EOF
[[ -f /home/centos/docker-compose.yml ]] && sudo mv /home/centos/docker-compose.yml /home/secdep/docker-compose.yml [[ -f /home/centos/docker-compose.yml ]] && sudo mv /home/centos/docker-compose.yml /home/secdep/docker-compose.yml
[[ -f /home/fedora/docker-compose.yml ]] && sudo mv /home/fedora/docker-compose.yml /home/secdep/docker-compose.yml [[ -f /home/fedora/docker-compose.yml ]] && sudo mv /home/fedora/docker-compose.yml /home/secdep/docker-compose.yml
[[ -f /home/ubuntu/docker-compose.yml ]] && sudo mv /home/ubuntu/docker-compose.yml /home/secdep/docker-compose.yml [[ -f /home/ubuntu/docker-compose.yml ]] && sudo mv /home/ubuntu/docker-compose.yml /home/secdep/docker-compose.yml
# Not running chown in time? only when there is an if before # Since FileDeployment does not work and we used ScriptFileDeployment which might make the file owned by another user
sudo chown secdep:secdep /home/secdep/docker-compose.yml # we need to make sure the file is owned by the secdep user.
# [[ -f /home/secdep/docker-compose.yml ]] && sudo chown secdep:secdep /home/secdep/docker-compose.yml # When using [[ -f /home/secdep/docker-compose.yml ]] && sudo chown secdep:secdep /home/secdep/docker-compose.yml
# it doesn't get executed somehow so we'll send the "no such file or directory" error to /dev/null
sudo chown secdep:secdep /home/secdep/docker-compose.yml > /dev/null 2>&1
# Since FileDeployment does not work and we used ScriptFileDeployment which automatically makes the file executable # Since FileDeployment does not work and we used ScriptFileDeployment which automatically makes the file executable
# we need to make sure the file is not executable # we need to make sure the file is not executable.
# Not running chmod in time? only when there is an if before # when using [[ -f /home/secdep/docker-compose.yml ]] && sudo chmod -x /home/secdep/docker-compose.yml
sudo chmod -x /home/secdep/docker-compose.yml # it doesn't get executed somehow so we'll send the "no such file or directory" error to /dev/null
# [[ -f /home/secdep/docker-compose.yml ]] && sudo chmod -x /home/secdep/docker-compose.yml sudo chmod -x /home/secdep/docker-compose.yml > /dev/null 2>&1
# Make sure docker is disabled after
# having installed docker-compose, to make sure
# only rootless docker is used
# sudo systemctl disable --now docker.service docker.socket
sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose' sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose'
sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose' sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
# Check if there is a docker-compose.yml file in the user's home directory and run it if there is ## No immediate way to check if the docker-compose.yml file exists and is readable
sudo machinectl shell secdep@ "$(which bash)" -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml up -d' ## so we'll just try to run it and if it doesn't exist or is not readable it will error out
sudo machinectl shell secdep@ "$(which bash)" -c '[[ -f "$HOME/docker-compose.yml" ]] && DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml up -d'
# Read the docker-compose.yml file for port mappings to add to the firewall # Read the docker-compose.yml file for port mappings to add to the firewall
## Check if we can use docker-compose config for that unless we have no access to the output CMD_PORTS="cat /home/secdep/docker-compose.yml | sed '/^[[:space:]]*$/d' | grep -A1 ports | grep '[0-9]:[0-9]' | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' '"
# sudo machinectl shell secdep@ "$(which bash)" -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml config'
# [[ -f /home/secdep/docker-compose.yml ]] && sudo PORTS="$(grep '[0-9]:[0-9]' /home/secdep/docker-compose.yml | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' ')" || PORTS=""
CMD_PORTS="cat /home/secdep/docker-compose.yml | grep -A1 ports | grep '[0-9]:[0-9]' | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' '"
sudo -E runuser - secdep -c "$CMD_PORTS" > /dev/null 2>&1 && PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")" || PORTS="" sudo -E runuser - secdep -c "$CMD_PORTS" > /dev/null 2>&1 && PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")" || PORTS=""
# Loop through the ports in the PORTS variable # Loop through the ports in the PORTS variable
if [[ -n "$PORTS" ]]; then if [[ -n "$PORTS" ]]; then
@@ -355,9 +351,6 @@ EOF
esac esac
done done
fi fi
# sudo machinectl shell secdep@ /bin/bash -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock docker-compose -f /home/secdep/docker-compose.yml up -d'
# sudo machinectl shell secdep@ /bin/bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
# sudo -u secdep bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
# Portainer is a docker image that provides a web interface for docker # Portainer is a docker image that provides a web interface for docker
# which will be installed and run on port 9000 by default to make it easier to manage docker # which will be installed and run on port 9000 by default to make it easier to manage docker
# CMD1="docker volume create portainer_data # Create a docker volume for portainer" # CMD1="docker volume create portainer_data # Create a docker volume for portainer"
@@ -524,6 +517,7 @@ function enableServices {
# only rootless docker is used # only rootless docker is used
} }
# Sometimes the user is not deleted after the script is run
function deleteRemainingUsers { function deleteRemainingUsers {
# Delete possible remaining users # Delete possible remaining users
cat << EOF | sudo tee /root/delete_users.sh cat << EOF | sudo tee /root/delete_users.sh