From 7d3c8a3dfe1874c6065b12acb984574e5afcf4ea Mon Sep 17 00:00:00 2001
From: konsthol
Date: Tue, 29 Aug 2023 00:50:21 +0300
Subject: [PATCH] Now it's all microservices, I hope the fad persists.

---
 harden | 83 ++++++++++++++++++++++++++++++++++++++---------
 secdep.py | 96 +++++++++++++++++++++++++++++++++++--------------------
 2 files changed, 130 insertions(+), 49 deletions(-)

diff --git a/harden b/harden
index 032a6ac..24716b9 100755
--- a/harden
+++ b/harden
@@ -102,8 +102,9 @@ function install_packages {
 # The check_dependencies function will check if the dependencies defined in a local array are not installed
 # and store the ones that are indeed absent in another local array.
 # Then it will install the packages that are missing by invoking the install_packages function.
-function check_dependencies {
- local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
+function check_dependencies { # systemd-container is for machinectl
+ local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
+ # local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
 # local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose dnsutils htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array #> see what to do with name differences between distros if any <#
 local missing_dependencies=() # Declare missing_dependencies as a local array
@@ -234,7 +235,8 @@ function firewallInit {
 sudo ufw allow 22100/tcp # Allow ssh connections on port 22100
 ;;
 firewalld)
- sudo systemctl enable --now firewalld # Enable the firewall on boot and start it
+ sudo systemctl enable firewalld # Enable the firewall on boot and start it
+ # sudo systemctl enable --now firewalld # Enable the firewall on boot and start it
 sudo firewall-cmd --permanent --add-port=22100/tcp # Allow ssh connections on port 22100
 ;;
 *)
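Review bot: With `--now` dropped, firewalld is not running when the next line calls `sudo firewall-cmd --permanent --add-port=22100/tcp`, and firewall-cmd talks to the running daemon over D-Bus, so on a fresh image that call (and the later `firewall-cmd --reload` in enableServices) should fail with "FirewallD is not running" and port 22100 is never opened. Either keep `sudo systemctl enable --now firewalld`, or write the permanent configuration without the daemon via `sudo firewall-offline-cmd --add-port=22100/tcp`, which is what the offline tool exists for. If `--now` was removed because starting firewalld mid-run cut the deployment session, the offline command avoids that too. The firewallInit function starts and ends outside this hunk.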
@@ -303,8 +305,40 @@ EOF
 # ##sudo docker network create --driver bridge -o "com.docker.network.bridge.enable_icc"="false" dockerNetworkNoICC
 # Get all arguments passed to the function and store them in the dockerImages array
 local dockerImages=("$@")
+ # Using -f instead of -e to check if the file exists AND that it is a regular file
+ [[ -f /root/docker-compose.yml ]] && sudo mv /root/docker-compose.yml /home/secdep/docker-compose.yml
+ [[ -f /home/admin/docker-compose.yml ]] && sudo mv /home/admin/docker-compose.yml /home/secdep/docker-compose.yml
+ [[ -f /home/ec2-user/docker-compose.yml ]] && sudo mv /home/ec2-user/docker-compose.yml /home/secdep/docker-compose.yml
+ [[ -f /home/centos/docker-compose.yml ]] && sudo mv /home/centos/docker-compose.yml /home/secdep/docker-compose.yml
+ [[ -f /home/fedora/docker-compose.yml ]] && sudo mv /home/fedora/docker-compose.yml /home/secdep/docker-compose.yml
+ [[ -f /home/ubuntu/docker-compose.yml ]] && sudo mv /home/ubuntu/docker-compose.yml /home/secdep/docker-compose.yml
+ # Not running chown in time? only when there is an if before
+ sudo chown secdep:secdep /home/secdep/docker-compose.yml
+ # [[ -f /home/secdep/docker-compose.yml ]] && sudo chown secdep:secdep /home/secdep/docker-compose.yml
+ # Since FileDeployment does not work and we used ScriptFileDeployment which automatically makes the file executable
+ # we need to make sure the file is not executable
+ # Not running chmod in time? only when there is an if before
+ sudo chmod -x /home/secdep/docker-compose.yml
+ # [[ -f /home/secdep/docker-compose.yml ]] && sudo chmod -x /home/secdep/docker-compose.yml
+ # Make sure docker is disabled after
+ # having installed docker-compose, to make sure
+ # only rootless docker is used
+ sudo systemctl disable --now docker.service docker.socket
+ sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose'
+ sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
 # Check if there is a docker-compose.yml file in the user's home directory and run it if there is
- sudo -u secdep bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
+ sudo machinectl shell secdep@ "$(which bash)" -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml up -d'
+ # sudo machinectl shell secdep@ /bin/bash -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock docker-compose -f /home/secdep/docker-compose.yml up -d'
+ # sudo machinectl shell secdep@ /bin/bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
+ # sudo -u secdep bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
+ # Portainer is a docker image that provides a web interface for docker
+ # which will be installed and run on port 9000 by default to make it easier to manage docker
+ # CMD1="docker volume create portainer_data # Create a docker volume for portainer"
+ # CMD2="docker run -d -p 9000:9000 --name=portainer --restart=unless-stopped -v /home/secdep/.docker/run/docker.sock:/home/secdep/.docker/run/docker.sock -v portainer_data:/data portainer/portainer-ce"
+ # CMD2="docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes -v portainer_data:/data portainer/portainer-ce"
+ # sudo -u secdep bash -c "$CMD1" # Create a docker volume for portainer
+ # sudo -u secdep bash -c "$CMD2" # Run portainer
+ # sudo machinectl shell secdep@ /bin/bash -c "docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes -v portainer_data:/data portainer/portainer-ce"
 # Check if the dockerImages array is empty and return 0 if it is
 [[ "${#dockerImages[@]}" -eq 0 ]] && return 0
 # Loop through the dockerImages array
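Review bot: The `curl -SL ... -o /home/secdep/bin/docker-compose` line fetches a binary that the next line marks executable and that then runs against the rootless docker socket, with no integrity check at all; without `-f`, a 404 or error page from the redirect chain is saved and made executable just the same. Pin the release's published digest in the script and refuse the file when it does not match, and create `/home/secdep/bin` first since curl will not make the directory; a failed check should propagate so that `dockerInit "$@" || exit 1` in main actually stops the run. Separately, the unconditional `sudo chown`/`sudo chmod -x` on /home/secdep/docker-compose.yml and the `up -d` line now run even when no compose file was delivered, which the removed `sudo -u secdep` line avoided with its `[[ -f "$HOME/docker-compose.yml" ]] &&` guard. The dockerInit function starts and ends outside this hunk.
```shell
COMPOSE_URL='https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64'
COMPOSE_SHA256='<sha256 of docker-compose-linux-x86_64 from the v2.20.3 release>' # pin the published digest here
sudo machinectl shell secdep@ /bin/bash -c "mkdir -p /home/secdep/bin && curl -fsSL '$COMPOSE_URL' -o /home/secdep/bin/docker-compose" || return 1
sudo machinectl shell secdep@ /bin/bash -c "echo '$COMPOSE_SHA256  /home/secdep/bin/docker-compose' | sha256sum -c - && chmod +x /home/secdep/bin/docker-compose" || return 1
# … unchanged: compose up, portainer notes, dockerImages loop …
```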
@@ -408,25 +442,42 @@ CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_R
 EOF
 )
 printf "%s" "$HARDEN_FAIL2BAN_SERVICE" | sudo tee /etc/systemd/system/fail2ban.service.d/override.conf
-sudo systemctl enable --now fail2ban
+sudo systemctl enable fail2ban
+# sudo systemctl enable --now fail2ban
 printf "%s" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config
 #sudo systemctl restart sshd
 }
-function restartServices {
- # for service in "${services[@]}"; do
- # sudo systemctl restart "$service"
- # done
+function enableServices {
+ for service in "${services[@]}"; do
+ sudo systemctl restart "$service"
+ done
 # command -v ufw >/dev/null 2>&1 && currentFirewall="ufw" || currentFirewall="firewalld"
 whereis ufw | grep -q /ufw && currentFirewall="ufw" || currentFirewall="firewalld"
+
+ if [[ "$currentFirewall" == "ufw" ]]; then
+ echo "You should enable ufw"
+ # sudo ufw enable
+ # sudo systemctl enable --now ufw
+ elif [[ "$currentFirewall" == "firewalld" ]]; then
+ sudo firewall-cmd --reload
+ else
+ printf "%s" "Unsupported firewall"
+ exit 1
+ fi
+ # With the if block it doesn't error out at firewalld check
 # For ufw
 # Enable the firewall
 # Enable and start the firewall on boot
- [[ "$currentFirewall" == "ufw" ]] && sudo ufw enable && sudo systemctl enable --now ufw
+ # [[ "$currentFirewall" == "ufw" ]] && sudo ufw enable && sudo systemctl enable --now ufw
+ # [[ "$currentFirewall" == "ufw" ]] && sudo ufw enable && sudo systemctl enable ufw
+ # Getting stuck at sudo ufw enable?
+ # [[ "$currentFirewall" == "ufw" ]] && sudo systemctl enable ufw
+ # [[ "$currentFirewall" == "ufw" ]] && echo "You should enable ufw"
 # For firewalld
 # Reload the firewall
- [[ "$currentFirewall" == "firewalld" ]] && sudo firewall-cmd --reload
- sudo systemctl disable --now docker.service docker.socket
+ # [[ "$currentFirewall" == "firewalld" ]] && sudo firewall-cmd --reload
+ # sudo systemctl disable --now docker.service docker.socket
 # sudo systemctl disable --now docker
 # Make sure docker is disabled after
 # installing docker-compose, to make sure
@@ -450,10 +501,11 @@ function main {
 # Else exit with error code 1
 ## [[ $# -gt 0 ]] && dockerInit "$@" || exit 1
 dockerInit "$@" || exit 1
- restartServices || exit 1
+ enableServices || exit 1
 printf "%s" "Script finished" # Output message to the user
- printf "%s" "Now rebooting" # Output message to the user
- sudo reboot
+ printf "%s" "You should reboot" # Output message to the user
+ # printf "%s" "Now rebooting" # Output message to the user
+ # sudo reboot
 }
 #
 # The am_i_root function will check if the user is root and exit if they are not.
@@ -467,4 +519,5 @@ function main {
 # Call the main function
 main "$@"
+# exit 1 # The right and proper way to exit a script
 exit 0 # The right and proper way to exit a script
diff --git a/secdep.py b/secdep.py
index 1d28353..5fd8edf 100755
--- a/secdep.py
+++ b/secdep.py
@@ -36,6 +36,8 @@ from libcloud.compute.types import Provider
 from libcloud.compute.providers import get_driver
 from libcloud.compute.base import NodeAuthSSHKey
 from libcloud.compute.deployment import ScriptDeployment, MultiStepDeployment, ScriptFileDeployment
+# FileDeployment not working for some reason
+# from libcloud.compute.deployment import ScriptDeployment, MultiStepDeployment, ScriptFileDeployment, FileDeployment
 from azure.identity import ClientSecretCredential
 from azure.mgmt.resource import ResourceManagementClient
 from azure.mgmt.network import NetworkManagementClient
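Review bot: The ufw branch of the new `if` block only prints `You should enable ufw`, so on ufw-based images the run finishes with the 22100 rule queued and no firewall actually active, which is a regression from the removed `sudo ufw enable && sudo systemctl enable --now ufw` line. The hang noted in the `# Getting stuck at sudo ufw enable?` comment is almost certainly ufw's interactive "Command may disrupt existing ssh connections. Proceed with operation (y|n)?" prompt, which `sudo ufw --force enable && sudo systemctl enable ufw` answers non-interactively, so the enabling can be restored rather than delegated to the operator. The `for service in "${services[@]}"` loop relies on a `services` array that is presumably defined outside this hunk. The enableServices function continues past the end of this hunk.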
@@ -73,8 +75,10 @@ parser.add_argument('-v', '--version', help='Show secdep\'s version', action='st
 parser.add_argument('-P', '--provider', help='Cloud provider', choices=['gce', 'azure', 'aws'])
 parser.add_argument('-a', '--action', help='Action to perform on a single provider with -P PROVIDER or all instances. Valid options are delete[all] start[all] stop[all] reboot[all]', choices=action_choices, metavar='ACTION')
 parser.add_argument('-c', '--create', help='Create an instance', action='store_true')
-parser.add_argument('-dc', '--docker-compose', help='Run the docker-compose.yml file', action='store_true')
-parser.add_argument('-dep', '--deploy', help='Docker images to deploy', type=str, nargs='*', default=None, required=False)
+# --docker_compose is not named --docker-compose because of the way argparse works
+parser.add_argument('-dc', '--docker_compose', help='Run the docker-compose.yml file', action='store_true')
+# action='append' is used to allow the user to check if --deploy was used even without any arguments
+parser.add_argument('-dep', '--deploy', help='Docker images to deploy', type=str, nargs='*', default=None, required=False, action='append')
 parser.add_argument('-I', '--listimages', help='List images', action='store_true')
 parser.add_argument('-S', '--listsizes', help='List sizes', action='store_true')
 parser.add_argument('-G', '--listlocations', help='List locations', action='store_true')
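Review bot: The comment above the `--docker_compose` option is mistaken: argparse derives `dest` from the first long option with dashes turned into underscores, so `--docker-compose` already yields `args.docker_compose`; the earlier failure was the `args.docker-compose` attribute access (parsed as a subtraction), not the option name, and this rename changes the user-visible flag for no gain. Keep `parser.add_argument('-dc', '--docker-compose', help='Run the docker-compose.yml file', action='store_true')` and read `args.docker_compose` at the call sites. Note also that `action='append'` combined with `nargs='*'` makes `args.deploy` a list of lists, and a second `--deploy` on the command line is silently discarded because only `args.deploy[0]` is ever read downstream; the comment should say so, or the option should reject repeats.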
@@ -1025,13 +1029,18 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
 if existIn == False:
 driver.ex_create_firewall(name="allow-all-inbound", allowed=[{"IPProtocol": "tcp", "ports": ["0-65534"]},{"IPProtocol": "udp", "ports": ["0-65534"]}], network='default', direction='INGRESS', priority=1000, source_service_accounts=sa_scopes, target_service_accounts=sa_scopes)
 if args.deploy:
- actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
- if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
- sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ # After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
+ actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
+ if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
+ # sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
 msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
 node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
 else:
 node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
+ # console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
+ # console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
+ # console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
 console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
 console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
 console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
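Review bot: `ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)` does not merely copy the compose file: libcloud uploads the file and then executes it on the node, so every line of the YAML is handed to the remote shell (which is why harden needs the `chmod -x` workaround), and any `$(...)`, backtick or `;` inside a compose value runs as the ssh user before harden ever starts. The commented-out `FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")` most likely failed because `target` is the destination file path rather than a directory; `FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep/docker-compose.yml")` should place the file without running it, and it keeps the executable bit off. The create_node function starts and ends outside this hunk.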
@@ -1087,13 +1096,18 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
 network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllOutbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Outbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll"))
 # Create the node
 if args.deploy:
- actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
- if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
- sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ # After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
+ actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
+ if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
+ # sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
 msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
 node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
 else:
 node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
+ # console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
+ # console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
+ # console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
 console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
 console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
 console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
@@ -1127,14 +1141,13 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
 sudo chown secdep:secdep /home/secdep -R
 sudo chmod 700 /home/secdep /home/secdep/.ssh
 sudo chmod 600 /home/secdep/.ssh/authorized_keys'''
- ## Last two lines don't work
- ## sudo printf "%s\n" "secdep ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/secdepRules"
- ## sudo chmod 0440 "/etc/sudoers.d/secdepRules"'''
 deploy = ScriptDeployment(script=SCRIPT, name="initialization.sh", delete=True)
 if args.deploy:
- actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
- if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
- sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ # After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
+ actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
+ if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
+ # sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
 msd = MultiStepDeployment([deploy, sendDockerCompose, actualDeployScript])
 else:
 msd = MultiStepDeployment([deploy, actualDeployScript])
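Review bot: The five new lines from `# After using action=append ...` to the `sendDockerCompose = ScriptFileDeployment(...)` assignment are pasted verbatim into this branch and into the GCE and Azure branches above and the two branches below, so the next correction (the `args.deploy[0]` handling, or a switch back to FileDeployment) has to be repeated in every copy and will drift. A small module-level helper that assembles the step list once, taking this branch's provider-specific `deploy` step as a leading argument, keeps the five call sites in sync; this branch would then read `actualDeployScript, msd = _build_deployment(pre_steps=[deploy])` in place of the if/else. A single-step MultiStepDeployment behaves like the bare ScriptFileDeployment the else-branches pass today. The create_node function starts and ends outside this hunk.
```python
def _build_deployment(pre_steps=()):
    """Return (harden_step, deployment) for --deploy; caller guarantees args.deploy is set."""
    # After using action=append args.deploy is a list of lists; only the first --deploy is honoured
    harden = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
    steps = list(pre_steps)
    if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
        steps.append(ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False))
    steps.append(harden)
    return harden, MultiStepDeployment(steps)
```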
@@ -1142,6 +1155,9 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
 console.print('[bold white]deploy stdout: %s[/bold white]' % (deploy.stdout))
 console.print('[bold red]deploy stderr: %s[/bold red]' % (deploy.stderr))
 console.print('[bold white]deploy exit_code: %s[/bold white]' % (deploy.exit_status))
+ # console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
+ # console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
+ # console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
 console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
 console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
 console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
@@ -1169,13 +1185,18 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
 if existIn == False:
 driver.ex_create_firewall(name="allow-all-inbound", allowed=[{"IPProtocol": "tcp", "ports": ["0-65534"]},{"IPProtocol": "udp", "ports": ["0-65534"]}], network='default', direction='INGRESS', priority=1000, source_service_accounts=sa_scopes, target_service_accounts=sa_scopes)
 if args.deploy:
- actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
- if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
- sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ # After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
+ actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
+ if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
+ # sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
 msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
 node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
 else:
 node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
+ # console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
+ # console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
+ # console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
 console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
 console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
 console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
@@ -1231,13 +1252,18 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
 network_client.security_rules.begin_create_or_update(res_group.name, sec_group.name,"allowAllOutbound", SecurityRule(protocol='*', source_address_prefix='*', destination_address_prefix='*', access='Allow', direction='Outbound', description='Allow all', source_port_range='*', destination_port_range='*', priority=4096, name="allowAll"))
 # Create the node
 if args.deploy:
- actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
- if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
- sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ # After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
+ actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
+ if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
+ # sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
 msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
 node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
 else:
 node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
+ # console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
+ # console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
+ # console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
 console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
 console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
 console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
@@ -1261,24 +1287,23 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
 sudo useradd -G sudo -s /bin/bash -m secdep
 sudo echo "secdep:secdeppass" | sudo chpasswd
 sudo mkdir -p /home/secdep/.ssh
- [[ -e /root/.ssh/authorized_keys ]] && sudo cp /root/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
- [[ -e /home/admin/.ssh/authorized_keys ]] && sudo cp /home/admin/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
- [[ -e /home/ec2-user/.ssh/authorized_keys ]] && sudo cp /home/ec2-user/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
- [[ -e /home/centos/.ssh/authorized_keys ]] && sudo cp /home/centos/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
- [[ -e /home/fedora/.ssh/authorized_keys ]] && sudo cp /home/fedora/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
- [[ -e /home/ubuntu/.ssh/authorized_keys ]] && sudo cp /home/ubuntu/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
+ [[ -f /root/.ssh/authorized_keys ]] && sudo cp /root/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
+ [[ -f /home/admin/.ssh/authorized_keys ]] && sudo cp /home/admin/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
+ [[ -f /home/ec2-user/.ssh/authorized_keys ]] && sudo cp /home/ec2-user/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
+ [[ -f /home/centos/.ssh/authorized_keys ]] && sudo cp /home/centos/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
+ [[ -f /home/fedora/.ssh/authorized_keys ]] && sudo cp /home/fedora/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
+ [[ -f /home/ubuntu/.ssh/authorized_keys ]] && sudo cp /home/ubuntu/.ssh/authorized_keys /home/secdep/.ssh/authorized_keys
 sudo chmod 755 /home
 sudo chown secdep:secdep /home/secdep -R
 sudo chmod 700 /home/secdep /home/secdep/.ssh
 sudo chmod 600 /home/secdep/.ssh/authorized_keys'''
- ## Last two lines don't work
- ## sudo printf "%s\n" "secdep ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/secdepRules"
- ## sudo chmod 0440 "/etc/sudoers.d/secdepRules"'''
 deploy = ScriptDeployment(script=SCRIPT, name="initialization.sh", delete=True)
 if args.deploy:
- actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
- if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
- sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ # After using action=append the args.deploy is a list of lists, so we need to get the first element of the first list
+ actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy[0], name="harden", delete=True)
+ if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker_compose:
+ # sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
+ sendDockerCompose = ScriptFileDeployment(script_file=SECDEP_DOCKER_COMPOSE, name="docker-compose.yml", delete=False)
 msd = MultiStepDeployment([deploy, sendDockerCompose, actualDeployScript])
 else:
 msd = MultiStepDeployment([deploy, actualDeployScript])
@@ -1286,6 +1311,9 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
 console.print('[bold white]deploy stdout: %s[/bold white]' % (deploy.stdout))
 console.print('[bold red]deploy stderr: %s[/bold red]' % (deploy.stderr))
 console.print('[bold white]deploy exit_code: %s[/bold white]' % (deploy.exit_status))
+ # console.print('[bold white]harden stdout: %s[/bold white]' % (sendDockerCompose.stdout))
+ # console.print('[bold red]harden stderr: %s[/bold red]' % (sendDockerCompose.stderr))
+ # console.print('[bold white]harden exit_code: %s[/bold white]' % (sendDockerCompose.exit_status))
 console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
 console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
 console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
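Review bot: The switch to `-f` is fine, but if none of the six candidate authorized_keys files exists every guard falls through silently, the final `sudo chmod 600 /home/secdep/.ssh/authorized_keys` fails, and the `secdep` account created a few lines above with the fixed `secdep:secdeppass` password (and membership in the sudo group) is left with that static password as its only credential wherever password authentication is on, while the key-based deploy that follows cannot log in. The bootstrap script should stop when no key was copied, e.g. `[[ -s /home/secdep/.ssh/authorized_keys ]] || exit 1` immediately after the six copy lines, and once key auth is confirmed the static password should be locked (`sudo passwd -l secdep`), since nothing in this hunk removes it. Whether libcloud's ScriptDeployment aborts the node creation on a non-zero exit is not visible here, so the caller's `deploy.exit_status` print is worth turning into a check. The SCRIPT string and the create_node function begin before this hunk.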
@@ -1582,7 +1610,7 @@ if args.listlocations and args.provider:
 if args.create:
 assert args.provider is not None, "Provider must be specified for node creation"
 # If -c or --create is passed, call the create_node function
- create_node(args.provider, args.name, args.region, args.size, args.image, args.yes, args.deploy)
+ create_node(args.provider, args.name, args.region, args.size, args.image, args.yes, args.deploy[0])
 exit(0)
 if args.list:
 if args.print:
@@ -1603,7 +1631,7 @@ if args.ssh:
 if args.image or args.size or args.name or args.region or args.yes or args.deploy and not args.create:
 console.print("Image, size, name, region, yes and deploy parameters [u]only[/u] go along with the create flag", style="bold red")
 exit(0)
-if args.docker-compose and not args.deploy:
+if args.docker_compose and not args.deploy:
 console.print("Docker compose [u]only[/u] goes along with the deploy flag", style="bold red")
 exit(0)
 if args.print and not args.list or args.listimages or args.listsizes or args.listlocations:
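Review bot: `args.deploy[0]` in the new `create_node(...)` call raises `TypeError: 'NoneType' object is not subscriptable` whenever `--create` is used without `--deploy`, because the option's default is `None` and it only becomes a list when given, so the `if args.deploy:` guards inside create_node never get a chance to run. Pass `args.deploy[0] if args.deploy else None` instead (or simply `args.deploy`, since the visible create_node branches read the global `args.deploy[0]` themselves rather than the parameter). The same `[0]` dereference is safe in the `if args.docker_compose and not args.deploy:` check below, which is reached only after the create branch has already exited. Both hunks here are top-level statements with no enclosing function.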