
This commit is contained in:
2023-09-04 23:57:05 +03:00
parent 1d98dda05d
commit 5dd13ce535
2 changed files with 51 additions and 34 deletions

harden

@@ -258,12 +258,8 @@ function kernelSecurityModuleInit {
;;
selinux)
sudo systemctl enable --now selinux # Enable the kernel security module on boot and start it
## printf "%s" "{\"selinux-enabled\":true}" | sudo tee /etc/docker/daemon.json # Enable selinux in docker
sudo setenforce 1 # Enforce selinux
sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config # Set selinux to enforcing
## sudo systemctl restart docker # Restart docker
## sudo restorecon -Rv /var/lib/docker # Restore the selinux context of the docker directory
## sudo restorecon -Rv /usr/bin # Restore the selinux context of the docker directory
;;
*)
printf "%s" "Unsupported kernel security module"
@@ -313,6 +309,48 @@ EOF
sudo chmod -x /home/secdep/docker-compose.yml > /dev/null 2>&1
sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose'
sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
# Install gVisor
(
set -e
ARCH=$(uname -m)
URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
wget "${URL}"/runsc "${URL}"/runsc.sha512 \
"${URL}"/containerd-shim-runsc-v1 "${URL}"/containerd-shim-runsc-v1.sha512
sha512sum -c runsc.sha512 \
-c containerd-shim-runsc-v1.sha512
rm -f -- *.sha512
chmod a+rx runsc containerd-shim-runsc-v1
sudo mv runsc containerd-shim-runsc-v1 /home/secdep/bin
)
# Enable gVisor for docker by default
sudo runuser - secdep -c 'sudo mkdir -p /home/secdep/.config/docker'
DOCKERD_CONFIG=$(cat <<'EOF'
{
"security-opts": [
"no-new-privileges:true"
],
"selinux-enabled": false,
"default-runtime": "runsc",
"runtimes": {
"runsc": {
"path": "/home/secdep/bin/runsc"
}
}
}
EOF
)
sudo runuser - secdep -c "printf '%s' '$DOCKERD_CONFIG' | sudo tee /home/secdep/.config/docker/daemon.json"
whereis apparmor | grep -q /apparmor && kernelSecurityModule="apparmor" || kernelSecurityModule="selinux"
if [[ "$kernelSecurityModule" == "selinux" ]]; then
sudo runuser - secdep -c 'sudo chcon -Rt svirt_sandbox_file_t /home/secdep/.config/docker'
sudo runuser - secdep -c 'sudo chcon -Rt svirt_sandbox_file_t /home/secdep/bin/runsc'
sudo runuser - secdep -c 'setsebool -P container_manage_cgroup true'
sudo runuser - secdep -c 'sed -i "s/\"selinux-enabled\": false/\"selinux-enabled\": true/" /home/secdep/.config/docker/daemon.json'
fi
sudo machinectl shell secdep@ "$(which bash)" -c '[[ -f "$HOME/docker-compose.yml" ]] && DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml up -d'
# Read the docker-compose.yml file for port mappings to add to the firewall
CMD_PORTS="cat /home/secdep/docker-compose.yml | sed '/^[[:space:]]*$/d' | grep -A1 ports | grep '[0-9]:[0-9]' | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' '"
@@ -433,6 +471,10 @@ function enableServices {
# Sometimes the user is not deleted after the script is run
function deleteRemainingUsers {
# In case atd wasn't running
sudo systemctl enable --now atd
# Set the correct timezone for Greece before using at
sudo timedatectl set-timezone Europe/Athens
# Delete possible remaining users
cat << EOF | sudo tee /root/delete_users.sh
[[ -d /home/admin ]] && sudo userdel -r admin && sudo groupdel admin
@@ -442,33 +484,12 @@ function deleteRemainingUsers {
[[ -d /home/ubuntu ]] && sudo userdel -r ubuntu && sudo groupdel ubuntu
sudo rm -f /root/delete_users.sh
EOF
sudo systemctl enable --now atd
# Restart atd after setting the timezone
sudo systemctl restart atd
# Use at as root because if it is run as one of the users above it will fail
sudo at now + 1 minute <<< "bash /root/delete_users.sh"
}
function gVisorInit {
# Install gVisor
(
set -e
ARCH=$(uname -m)
URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
wget "${URL}"/runsc "${URL}"/runsc.sha512 \
"${URL}"/containerd-shim-runsc-v1 "${URL}"/containerd-shim-runsc-v1.sha512
sha512sum -c runsc.sha512 \
-c containerd-shim-runsc-v1.sha512
rm -f -- *.sha512
chmod a+rx runsc containerd-shim-runsc-v1
sudo mv runsc containerd-shim-runsc-v1 /home/secdep/bin
)
# Enable gVisor for docker by default
}
function finishingTouches {
# Set the correct timezone for Greece
sudo timedatectl set-timezone Europe/Athens
}
# The main function will call the declared functions in order and exit if any of them fails.
# It will also pass any arguments passed to the script to the dockerInit function.
# Then it will output a message to the user and reboot the system in 2 minutes.
@@ -486,16 +507,12 @@ function main {
printf "%s" "Fail2ban configured"
# Call the dockerInit function with the arguments passed to the script
dockerInit "$@" || exit 1 # Initialize docker and exit if it fails
printf "%s" "Docker Rootless and docker-compose installed"
printf "%s" "Docker Rootless, docker-compose and gVisor installed"
printf "%s" "Portainer along with any specified docker images from the command line or a docker-compose.yml file installed"
gVisorInit || exit 1 # Initialize gVisor and exit if it fails
printf "%s" "gVisor installed"
enableServices || exit 1 # Enable the services that need to be restarted and the firewall
printf "%s" "Services restarted and firewall enabled"
deleteRemainingUsers || exit 1 # Delete possible remaining users
printf "%s" "Any unnecessary users deleted"
finishingTouches || exit 1 # Last finishing touches
printf "%s" "System almost ready"
printf "%s" "$SCRIPT_NAME script finished" # Output message to the user
printf "%s" "System will reboot momentarily" # Output message to the user
# Reboot the system in 2 minutes with the shutdown command so that login before the reboot is not possible
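Review bot: The gVisor install subshell at the top of the second hunk (`( set -e … )`, ending at the bare `)` before `# Enable gVisor for docker by default`) discards its exit status, so a failed `wget` or a `sha512sum -c` mismatch does not stop the function: the daemon.json written a few lines later still sets `"default-runtime": "runsc"` with a `path` to a binary that was never installed, and the `dockerInit "$@" || exit 1` guard in main never fires. Closing the subshell with `) || return 1` keeps the function's failure contract and makes the checksum check actually gate the install. The subshell also downloads into whatever the current directory happens to be and then runs `rm -f -- *.sha512` there, which removes any unrelated `.sha512` files; a `cd "$(mktemp -d)"` as the first statement inside the subshell would keep it self-contained. Unlike docker-compose, which is pinned to v2.20.3 two lines earlier, gVisor is fetched from the `latest` release directory with checksums served from the same origin as the binaries, so the check detects transfer corruption but not a changed upstream build; pinning a release path in `URL` would make the install reproducible. The enclosing function (presumably dockerInit, judging by the call in main) starts before and ends after this hunk.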