Locating the required gigapixels to render...

README.md

@@ -34,10 +34,10 @@ That's where SecDep comes in 💪. With SecDep, you can manage your virtual mach
 - [x] Hardening during creation
     - [x] SSH hardening
     - [x] Firewall installation and configuration (UFW or firewalld)
-    - [ ] Fail2ban installation and configuration
+    - [x] Fail2ban installation and configuration
     - [x] Kernel Security Module installation (AppArmor or SELinux)
     - [x] Docker Rootless installation
-    - [ ] gVisor installation and integration with Docker
+    - [ ] gVisor installation and integration with Docker Rootless
 - [x] Docker deployment during hardening
     - [x] Single docker-compose file deployment
     - [x] Pulling of multiple docker images

harden

@@ -258,12 +258,8 @@ function kernelSecurityModuleInit {
         ;;
         selinux)
             sudo systemctl enable --now selinux # Enable the kernel security module on boot and start it
-##            printf "%s" "{\"selinux-enabled\":true}" | sudo tee /etc/docker/daemon.json # Enable selinux in docker
             sudo setenforce 1 # Enforce selinux
             sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config # Set selinux to enforcing
- ##           sudo systemctl restart docker # Restart docker
- ##           sudo restorecon -Rv /var/lib/docker # Restore the selinux context of the docker directory
- ##           sudo restorecon -Rv /usr/bin # Restore the selinux context of the docker directory
         ;;
         *)
             printf "%s" "Unsupported kernel security module"
@@ -313,6 +309,48 @@ EOF
     sudo chmod -x /home/secdep/docker-compose.yml > /dev/null 2>&1
     sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose'
     sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
+
+    # Install gVisor
+    (
+    set -e
+    ARCH=$(uname -m)
+    URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
+    wget "${URL}"/runsc "${URL}"/runsc.sha512 \
+    "${URL}"/containerd-shim-runsc-v1 "${URL}"/containerd-shim-runsc-v1.sha512
+    sha512sum -c runsc.sha512 \
+    -c containerd-shim-runsc-v1.sha512
+    rm -f -- *.sha512
+    chmod a+rx runsc containerd-shim-runsc-v1
+    sudo mv runsc containerd-shim-runsc-v1 /home/secdep/bin
+    )
+    # Enable gVisor for docker by default
+    sudo runuser - secdep -c 'sudo mkdir -p /home/secdep/.config/docker'
+    DOCKERD_CONFIG=$(cat <<'EOF'
+{
+"security-opts": [
+"no-new-privileges:true"
+],
+"selinux-enabled": false,
+"default-runtime": "runsc",
+"runtimes": {
+"runsc": {
+"path": "/home/secdep/bin/runsc"
+}
+}
+}
+EOF
+)
+    sudo runuser - secdep -c "printf '%s' '$DOCKERD_CONFIG' | sudo tee /home/secdep/.config/docker/daemon.json"
+
+    whereis apparmor | grep -q /apparmor && kernelSecurityModule="apparmor" || kernelSecurityModule="selinux"
+    if [[ "$kernelSecurityModule" == "selinux" ]]; then
+        sudo runuser - secdep -c 'sudo chcon -Rt svirt_sandbox_file_t /home/secdep/.config/docker'
+        sudo runuser - secdep -c 'sudo chcon -Rt svirt_sandbox_file_t /home/secdep/bin/runsc'
+        sudo runuser - secdep -c 'setsebool -P container_manage_cgroup true'
+        sudo runuser - secdep -c 'sed -i "s/\"selinux-enabled\": false/\"selinux-enabled\": true/" /home/secdep/.config/docker/daemon.json'
+    fi
+
+
     sudo machinectl shell secdep@ "$(which bash)" -c '[[ -f "$HOME/docker-compose.yml" ]] && DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml up -d'
     # Read the docker-compose.yml file for port mappings to add to the firewall
     CMD_PORTS="cat /home/secdep/docker-compose.yml | sed '/^[[:space:]]*$/d' | grep -A1 ports | grep '[0-9]:[0-9]' | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' '"
@@ -433,6 +471,10 @@ function enableServices {
 
 # Sometimes the user is not deleted after the script is run
 function deleteRemainingUsers {
+    # In case atd wasn't running
+    sudo systemctl enable --now atd
+    # Set the correct timezone for Greece before using at
+    sudo timedatectl set-timezone Europe/Athens
     # Delete possible remaining users
     cat << EOF | sudo tee /root/delete_users.sh
 [[ -d /home/admin ]] && sudo userdel -r admin && sudo groupdel admin
@@ -442,33 +484,12 @@ function deleteRemainingUsers {
 [[ -d /home/ubuntu ]] && sudo userdel -r ubuntu && sudo groupdel ubuntu
 sudo rm -f /root/delete_users.sh
 EOF
-    sudo systemctl enable --now atd
+    # Restart atd after setting the timezone
+    sudo systemctl restart atd
     # Use at as root because if it is run as one of the users above it will fail
     sudo at now + 1 minute <<< "bash /root/delete_users.sh"
 }
 
-function gVisorInit {
-    # Install gVisor
-    (
-    set -e
-    ARCH=$(uname -m)
-    URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
-    wget "${URL}"/runsc "${URL}"/runsc.sha512 \
-    "${URL}"/containerd-shim-runsc-v1 "${URL}"/containerd-shim-runsc-v1.sha512
-    sha512sum -c runsc.sha512 \
-    -c containerd-shim-runsc-v1.sha512
-    rm -f -- *.sha512
-    chmod a+rx runsc containerd-shim-runsc-v1
-    sudo mv runsc containerd-shim-runsc-v1 /home/secdep/bin
-    )
-    # Enable gVisor for docker by default
-}
-
-function finishingTouches {
-    # Set the correct timezone for Greece
-    sudo timedatectl set-timezone Europe/Athens
-}
-
 # The main function will call the declared functions in order and exit if any of them fails.
 # It will also pass any arguments passed to the script to the dockerInit function.
 # Then it will output a message to the user and reboot the system in 2 minutes.
@@ -486,16 +507,12 @@ function main {
     printf "%s" "Fail2ban configured"
     # Call the dockerInit function with the arguments passed to the script
     dockerInit "$@" || exit 1                       # Initialize docker and exit if it fails
-    printf "%s" "Docker Rootless and docker-compose installed"
+    printf "%s" "Docker Rootless, docker-compose and gVisor installed"
     printf "%s" "Portainer along with any specified docker images from the command line or a docker-compose.yml file installed"
-    gVisorInit || exit 1                            # Initialize gVisor and exit if it fails
-    printf "%s" "gVisor installed"
     enableServices || exit 1                        # Enable the services that need to be restarted and the firewall
     printf "%s" "Services restarted and firewall enabled"
     deleteRemainingUsers || exit 1                  # Delete possible remaining users
     printf "%s" "Any unnecessary users deleted"
-    finishingTouches || exit 1                      # Last finishing touches
-    printf "%s" "System almost ready"
 	printf "%s" "$SCRIPT_NAME script finished"      # Output message to the user
 	printf "%s" "System will reboot momentarily"    # Output message to the user
     # Reboot the system in 2 minutes with the shutdown command so that login before the reboot is not possible