Now it's all microservices, I hope the fad persists.
This commit is contained in:
83
harden
83
harden
@@ -102,8 +102,9 @@ function install_packages {
|
||||
# The check_dependencies function will check if the dependencies defined in a local array are not installed
|
||||
# and store the ones that are indeed absent in another local array.
|
||||
# Then it will install the packages that are missing by invoking the install_packages function.
|
||||
function check_dependencies {
|
||||
local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
|
||||
function check_dependencies { # systemd-container is for machinectl
|
||||
local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
|
||||
# local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
|
||||
# local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose dnsutils htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
|
||||
#> see what to do with name differences between distros if any <#
|
||||
local missing_dependencies=() # Declare missing_dependencies as a local array
|
||||
@@ -234,7 +235,8 @@ function firewallInit {
|
||||
sudo ufw allow 22100/tcp # Allow ssh connections on port 22100
|
||||
;;
|
||||
firewalld)
|
||||
sudo systemctl enable --now firewalld # Enable the firewall on boot and start it
|
||||
sudo systemctl enable firewalld # Enable the firewall on boot and start it
|
||||
# sudo systemctl enable --now firewalld # Enable the firewall on boot and start it
|
||||
sudo firewall-cmd --permanent --add-port=22100/tcp # Allow ssh connections on port 22100
|
||||
;;
|
||||
*)
|
||||
@@ -303,8 +305,40 @@ EOF
|
||||
# ##sudo docker network create --driver bridge -o "com.docker.network.bridge.enable_icc"="false" dockerNetworkNoICC
|
||||
# Get all arguments passed to the function and store them in the dockerImages array
|
||||
local dockerImages=("$@")
|
||||
# Using -f instead of -e to check if the file exists AND that it is a regular file
|
||||
[[ -f /root/docker-compose.yml ]] && sudo mv /root/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
[[ -f /home/admin/docker-compose.yml ]] && sudo mv /home/admin/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
[[ -f /home/ec2-user/docker-compose.yml ]] && sudo mv /home/ec2-user/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
[[ -f /home/centos/docker-compose.yml ]] && sudo mv /home/centos/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
[[ -f /home/fedora/docker-compose.yml ]] && sudo mv /home/fedora/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
[[ -f /home/ubuntu/docker-compose.yml ]] && sudo mv /home/ubuntu/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
# Not running chown in time? only when there is an if before
|
||||
sudo chown secdep:secdep /home/secdep/docker-compose.yml
|
||||
# [[ -f /home/secdep/docker-compose.yml ]] && sudo chown secdep:secdep /home/secdep/docker-compose.yml
|
||||
# Since FileDeployment does not work and we used ScriptFileDeployment which automatically makes the file executable
|
||||
# we need to make sure the file is not executable
|
||||
# Not running chmod in time? only when there is an if before
|
||||
sudo chmod -x /home/secdep/docker-compose.yml
|
||||
# [[ -f /home/secdep/docker-compose.yml ]] && sudo chmod -x /home/secdep/docker-compose.yml
|
||||
# Make sure docker is disabled after
|
||||
# having installed docker-compose, to make sure
|
||||
# only rootless docker is used
|
||||
sudo systemctl disable --now docker.service docker.socket
|
||||
sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose'
|
||||
sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
|
||||
# Check if there is a docker-compose.yml file in the user's home directory and run it if there is
|
||||
sudo -u secdep bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
|
||||
sudo machinectl shell secdep@ "$(which bash)" -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml up -d'
|
||||
# sudo machinectl shell secdep@ /bin/bash -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock docker-compose -f /home/secdep/docker-compose.yml up -d'
|
||||
# sudo machinectl shell secdep@ /bin/bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
|
||||
# sudo -u secdep bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
|
||||
# Portainer is a docker image that provides a web interface for docker
|
||||
# which will be installed and run on port 9000 by default to make it easier to manage docker
|
||||
# CMD1="docker volume create portainer_data # Create a docker volume for portainer"
|
||||
# CMD2="docker run -d -p 9000:9000 --name=portainer --restart=unless-stopped -v /home/secdep/.docker/run/docker.sock:/home/secdep/.docker/run/docker.sock -v portainer_data:/data portainer/portainer-ce"
|
||||
# CMD2="docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes -v portainer_data:/data portainer/portainer-ce"
|
||||
# sudo -u secdep bash -c "$CMD1" # Create a docker volume for portainer
|
||||
# sudo -u secdep bash -c "$CMD2" # Run portainer
|
||||
# sudo machinectl shell secdep@ /bin/bash -c "docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes -v portainer_data:/data portainer/portainer-ce"
|
||||
# Check if the dockerImages array is empty and return 0 if it is
|
||||
[[ "${#dockerImages[@]}" -eq 0 ]] && return 0
|
||||
# Loop through the dockerImages array
|
||||
@@ -408,25 +442,42 @@ CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_R
|
||||
EOF
|
||||
)
|
||||
printf "%s" "$HARDEN_FAIL2BAN_SERVICE" | sudo tee /etc/systemd/system/fail2ban.service.d/override.conf
|
||||
sudo systemctl enable --now fail2ban
|
||||
sudo systemctl enable fail2ban
|
||||
# sudo systemctl enable --now fail2ban
|
||||
printf "%s" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config
|
||||
#sudo systemctl restart sshd
|
||||
}
|
||||
|
||||
function restartServices {
|
||||
# for service in "${services[@]}"; do
|
||||
# sudo systemctl restart "$service"
|
||||
# done
|
||||
function enableServices {
|
||||
for service in "${services[@]}"; do
|
||||
sudo systemctl restart "$service"
|
||||
done
|
||||
# command -v ufw >/dev/null 2>&1 && currentFirewall="ufw" || currentFirewall="firewalld"
|
||||
whereis ufw | grep -q /ufw && currentFirewall="ufw" || currentFirewall="firewalld"
|
||||
|
||||
if [[ "$currentFirewall" == "ufw" ]]; then
|
||||
echo "You should enable ufw"
|
||||
# sudo ufw enable
|
||||
# sudo systemctl enable --now ufw
|
||||
elif [[ "$currentFirewall" == "firewalld" ]]; then
|
||||
sudo firewall-cmd --reload
|
||||
else
|
||||
printf "%s" "Unsupported firewall"
|
||||
exit 1
|
||||
fi
|
||||
# With the if block it doesn't error out at firewalld check
|
||||
# For ufw
|
||||
# Enable the firewall
|
||||
# Enable and start the firewall on boot
|
||||
[[ "$currentFirewall" == "ufw" ]] && sudo ufw enable && sudo systemctl enable --now ufw
|
||||
# [[ "$currentFirewall" == "ufw" ]] && sudo ufw enable && sudo systemctl enable --now ufw
|
||||
# [[ "$currentFirewall" == "ufw" ]] && sudo ufw enable && sudo systemctl enable ufw
|
||||
# Getting stuck at sudo ufw enable?
|
||||
# [[ "$currentFirewall" == "ufw" ]] && sudo systemctl enable ufw
|
||||
# [[ "$currentFirewall" == "ufw" ]] && echo "You should enable ufw"
|
||||
# For firewalld
|
||||
# Reload the firewall
|
||||
[[ "$currentFirewall" == "firewalld" ]] && sudo firewall-cmd --reload
|
||||
sudo systemctl disable --now docker.service docker.socket
|
||||
# [[ "$currentFirewall" == "firewalld" ]] && sudo firewall-cmd --reload
|
||||
# sudo systemctl disable --now docker.service docker.socket
|
||||
# sudo systemctl disable --now docker
|
||||
# Make sure docker is disabled after
|
||||
# installing docker-compose, to make sure
|
||||
@@ -450,10 +501,11 @@ function main {
|
||||
# Else exit with error code 1
|
||||
## [[ $# -gt 0 ]] && dockerInit "$@" || exit 1
|
||||
dockerInit "$@" || exit 1
|
||||
restartServices || exit 1
|
||||
enableServices || exit 1
|
||||
printf "%s" "Script finished" # Output message to the user
|
||||
printf "%s" "Now rebooting" # Output message to the user
|
||||
sudo reboot
|
||||
printf "%s" "You should reboot" # Output message to the user
|
||||
# printf "%s" "Now rebooting" # Output message to the user
|
||||
# sudo reboot
|
||||
}
|
||||
|
||||
# # The am_i_root function will check if the user is root and exit if they are not.
|
||||
@@ -467,4 +519,5 @@ function main {
|
||||
# Call the main function
|
||||
main "$@"
|
||||
|
||||
# exit 1 # The right and proper way to exit a script
|
||||
exit 0 # The right and proper way to exit a script
|
||||
|
||||
96
secdep.py
96
secdep.py
@@ -36,6 +36,8 @@ from libcloud.compute.types import Provider
|
||||
from libcloud.compute.providers import get_driver
|
||||
from libcloud.compute.base import NodeAuthSSHKey
|
||||
from libcloud.compute.deployment import ScriptDeployment, MultiStepDeployment, ScriptFileDeployment
|
||||
# FileDeployment not working for some reason
|
||||
# from libcloud.compute.deployment import ScriptDeployment, MultiStepDeployment, ScriptFileDeployment, FileDeployment
|
||||
from azure.identity import ClientSecretCredential
|
||||
from azure.mgmt.resource import ResourceManagementClient
|
||||
from azure.mgmt.network import NetworkManagementClient
|
||||
@@ -73,8 +75,10 @@ parser.add_argument('-v', '--version', help='Show secdep\'s version', action='st
|
||||
parser.add_argument('-P', '--provider', help='Cloud provider', choices=['gce', 'azure', 'aws'])
|
||||
parser.add_argument('-a', '--action', help='Action to perform on a single provider with -P PROVIDER or all instances. Valid options are delete[all] start[all] stop[all] reboot[all]', choices=action_choices, metavar='ACTION')
|
||||
parser.add_argument('-c', '--create', help='Create an instance', action='store_true')
|
||||
parser.add_argument('-dc', '--docker-compose', help='Run the docker-compose.yml file', action='store_true')
|
||||
parser.add_argument('-dep', '--deploy', help='Docker images to deploy', type=str, nargs='*', default=None, required=False)
|
||||
# --docker_compose is not named --docker-compose because of the way argparse works
|
||||
parser.add_argument('-dc', '--docker_compose', help='Run the docker-compose.yml file', action='store_true')
|
||||
# action='append' is used to allow the user to check if --deploy was used even without any arguments
|
||||
parser.add_argument('-dep', '--deploy', help='Docker images to deploy', type=str, nargs='*', default=None, required=False, action='append')
|
||||
parser.add_argument('-I', '--listimages', help='List images', action='store_true')
|
||||
parser.add_argument('-S', '--listsizes', help='List sizes', action='store_true')
|
||||
parser.add_argument('-G', '--listlocations', help='List locations', action='store_true')
|
||||
@@ -1025,13 +1029,18 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
|
||||
if existIn == False:
|
||||
driver.ex_create_firewall(name="allow-all-inbound", allowed=[{"IPProtocol": "tcp", "ports": ["0-65534"]},{"IPProtocol": "udp", "ports": ["0-65534"]}], network='default', direction='INGRESS', priority=1000, source_service_accounts=sa_scopes, target_service_accounts=sa_scopes)
|
||||
if args.deploy:
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
|
||||
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
# After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
|
||||
# sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
|
||||
msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
|
||||
node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
|
||||
else:
|
||||
node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
|
||||
# console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
|
||||
# console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
|
||||
# console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
|
||||
console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
|
||||
console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
|
||||
console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
|
||||
@@ -1087,13 +1096,18 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
|
||||
network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllOutbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Outbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll"))
|
||||
# Create the node
|
||||
if args.deploy:
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
|
||||
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
# After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
|
||||
# sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
|
||||
msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
|
||||
node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
|
||||
else:
|
||||
node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
|
||||
# console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
|
||||
# console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
|
||||
# console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
|
||||
console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
|
||||
console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
|
||||
console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
|
||||
@@ -1127,14 +1141,13 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
|
||||
sudo chown secdep:secdep /home/secdep -R
|
||||
sudo chmod 700 /home/secdep /home/secdep/.ssh
|
||||
sudo chmod 600 /home/secdep/.ssh/authorized_keys'''
|
||||
## Last two lines don't work
|
||||
## sudo printf "%s\n" "secdep ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/secdepRules"
|
||||
## sudo chmod 0440 "/etc/sudoers.d/secdepRules"'''
|
||||
deploy = ScriptDeployment(script=SCRIPT, name="initialization.sh", delete=True)
|
||||
if args.deploy:
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
|
||||
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
# After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
|
||||
# sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
|
||||
msd = MultiStepDeployment([deploy, sendDockerCompose, actualDeployScript])
|
||||
else:
|
||||
msd = MultiStepDeployment([deploy, actualDeployScript])
|
||||
@@ -1142,6 +1155,9 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
|
||||
console.print('[bold white]deploy stdout: %s[/bold white]' % (deploy.stdout))
|
||||
console.print('[bold red]deploy stderr: %s[/bold red]' % (deploy.stderr))
|
||||
console.print('[bold white]deploy exit_code: %s[/bold white]' % (deploy.exit_status))
|
||||
# console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
|
||||
# console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
|
||||
# console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
|
||||
console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
|
||||
console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
|
||||
console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
|
||||
@@ -1169,13 +1185,18 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
|
||||
if existIn == False:
|
||||
driver.ex_create_firewall(name="allow-all-inbound", allowed=[{"IPProtocol": "tcp", "ports": ["0-65534"]},{"IPProtocol": "udp", "ports": ["0-65534"]}], network='default', direction='INGRESS', priority=1000, source_service_accounts=sa_scopes, target_service_accounts=sa_scopes)
|
||||
if args.deploy:
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
|
||||
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
# After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
|
||||
# sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
|
||||
msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
|
||||
node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
|
||||
else:
|
||||
node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
|
||||
# console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
|
||||
# console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
|
||||
# console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
|
||||
console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
|
||||
console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
|
||||
console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
|
||||
@@ -1231,13 +1252,18 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
|
||||
network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllOutbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Outbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll"))
|
||||
# Create the node
|
||||
if args.deploy:
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
|
||||
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
# After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
|
||||
# sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
|
||||
msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
|
||||
node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
|
||||
else:
|
||||
node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
|
||||
# console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
|
||||
# console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
|
||||
# console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
|
||||
console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
|
||||
console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
|
||||
console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
|
||||
@@ -1261,24 +1287,23 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
|
||||
sudo useradd -G sudo -s /bin/bash -m secdep
|
||||
sudo echo "secdep:secdeppass" | sudo chpasswd
|
||||
sudo mkdir -p /home/secdep/.ssh
|
||||
[[ -e /root/.ssh/authorized_keys ]] && sudo cp /root/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
[[ -e /home/admin/.ssh/authorized_keys ]] && sudo cp /home/admin/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
[[ -e /home/ec2-user/.ssh/authorized_keys ]] && sudo cp /home/ec2-user/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
[[ -e /home/centos/.ssh/authorized_keys ]] && sudo cp /home/centos/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
[[ -e /home/fedora/.ssh/authorized_keys ]] && sudo cp /home/fedora/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
[[ -e /home/ubuntu/.ssh/authorized_keys ]] && sudo cp /home/ubuntu/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
[[ -f /root/.ssh/authorized_keys ]] && sudo cp /root/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
[[ -f /home/admin/.ssh/authorized_keys ]] && sudo cp /home/admin/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
[[ -f /home/ec2-user/.ssh/authorized_keys ]] && sudo cp /home/ec2-user/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
[[ -f /home/centos/.ssh/authorized_keys ]] && sudo cp /home/centos/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
[[ -f /home/fedora/.ssh/authorized_keys ]] && sudo cp /home/fedora/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
[[ -f /home/ubuntu/.ssh/authorized_keys ]] && sudo cp /home/ubuntu/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
|
||||
sudo chmod 755 /home
|
||||
sudo chown secdep:secdep /home/secdep -R
|
||||
sudo chmod 700 /home/secdep /home/secdep/.ssh
|
||||
sudo chmod 600 /home/secdep/.ssh/authorized_keys'''
|
||||
## Last two lines don't work
|
||||
## sudo printf "%s\n" "secdep ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/secdepRules"
|
||||
## sudo chmod 0440 "/etc/sudoers.d/secdepRules"'''
|
||||
deploy = ScriptDeployment(script=SCRIPT, name="initialization.sh", delete=True)
|
||||
if args.deploy:
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
|
||||
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
# After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
|
||||
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
|
||||
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
|
||||
# sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
|
||||
sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
|
||||
msd = MultiStepDeployment([deploy, sendDockerCompose, actualDeployScript])
|
||||
else:
|
||||
msd = MultiStepDeployment([deploy, actualDeployScript])
|
||||
@@ -1286,6 +1311,9 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
|
||||
console.print('[bold white]deploy stdout: %s[/bold white]' % (deploy.stdout))
|
||||
console.print('[bold red]deploy stderr: %s[/bold red]' % (deploy.stderr))
|
||||
console.print('[bold white]deploy exit_code: %s[/bold white]' % (deploy.exit_status))
|
||||
# console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
|
||||
# console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
|
||||
# console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
|
||||
console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
|
||||
console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
|
||||
console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
|
||||
@@ -1582,7 +1610,7 @@ if args.listlocations and args.provider:
|
||||
if args.create:
|
||||
assert args.provider is not None, "Provider must be specified for node creation"
|
||||
# If -c or --create is passed, call the create_node function
|
||||
create_node(args.provider, args.name, args.region, args.size, args.image, args.yes, args.deploy)
|
||||
create_node(args.provider, args.name, args.region, args.size, args.image, args.yes, args.deploy[0])
|
||||
exit(0)
|
||||
if args.list:
|
||||
if args.print:
|
||||
@@ -1603,7 +1631,7 @@ if args.ssh:
|
||||
if args.image or args.size or args.name or args.region or args.yes or args.deploy and not args.create:
|
||||
console.print("Image, size, name, region, yes and deploy parameters [u]only[/u] go along with the create flag", style="bold red")
|
||||
exit(0)
|
||||
if args.docker-compose and not args.deploy:
|
||||
if args.docker_compose and not args.deploy:
|
||||
console.print("Docker compose [u]only[/u] goes along with the deploy flag", style="bold red")
|
||||
exit(0)
|
||||
if args.print and not args.list or args.listimages or args.listsizes or args.listlocations:
|
||||
|
||||
Reference in New Issue
Block a user