Now it's all microservices, I hope the fad persists.
@@ -102,8 +102,9 @@ function install_packages {
|
||||
# The check_dependencies function will check if the dependencies defined in a local array are not installed
|
||||
# and store the ones that are indeed absent in another local array.
|
||||
# Then it will install the packages that are missing by invoking the install_packages function.
|
||||
function check_dependencies {
|
||||
local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
|
||||
function check_dependencies { # systemd-container is for machinectl
|
||||
local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
|
||||
# local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
|
||||
# local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose dnsutils htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
|
||||
#> see what to do with name differences between distros if any <#
|
||||
local missing_dependencies=() # Declare missing_dependencies as a local array
|
||||
@@ -234,7 +235,8 @@ function firewallInit {
|
||||
sudo ufw allow 22100/tcp # Allow ssh connections on port 22100
|
||||
;;
|
||||
firewalld)
|
||||
sudo systemctl enable --now firewalld # Enable the firewall on boot and start it
|
||||
sudo systemctl enable firewalld # Enable the firewall on boot and start it
|
||||
# sudo systemctl enable --now firewalld # Enable the firewall on boot and start it
|
||||
sudo firewall-cmd --permanent --add-port=22100/tcp # Allow ssh connections on port 22100
|
||||
;;
|
||||
*)
|
||||
@@ -303,8 +305,40 @@ EOF
|
||||
# ##sudo docker network create --driver bridge -o "com.docker.network.bridge.enable_icc"="false" dockerNetworkNoICC
|
||||
# Get all arguments passed to the function and store them in the dockerImages array
|
||||
local dockerImages=("$@")
|
||||
# Using -f instead of -e to check if the file exists AND that it is a regular file
|
||||
[[ -f /root/docker-compose.yml ]] && sudo mv /root/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
[[ -f /home/admin/docker-compose.yml ]] && sudo mv /home/admin/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
[[ -f /home/ec2-user/docker-compose.yml ]] && sudo mv /home/ec2-user/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
[[ -f /home/centos/docker-compose.yml ]] && sudo mv /home/centos/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
[[ -f /home/fedora/docker-compose.yml ]] && sudo mv /home/fedora/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
[[ -f /home/ubuntu/docker-compose.yml ]] && sudo mv /home/ubuntu/docker-compose.yml /home/secdep/docker-compose.yml
|
||||
# Not running chown in time? only when there is an if before
|
||||
sudo chown secdep:secdep /home/secdep/docker-compose.yml
|
||||
# [[ -f /home/secdep/docker-compose.yml ]] && sudo chown secdep:secdep /home/secdep/docker-compose.yml
|
||||
# Since FileDeployment does not work and we used ScriptFileDeployment which automatically makes the file executable
|
||||
# we need to make sure the file is not executable
|
||||
# Not running chmod in time? only when there is an if before
|
||||
sudo chmod -x /home/secdep/docker-compose.yml
|
||||
# [[ -f /home/secdep/docker-compose.yml ]] && sudo chmod -x /home/secdep/docker-compose.yml
|
||||
# Make sure docker is disabled after
|
||||
# having installed docker-compose, to make sure
|
||||
# only rootless docker is used
|
||||
sudo systemctl disable --now docker.service docker.socket
|
||||
sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose'
|
||||
sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
|
||||
# Check if there is a docker-compose.yml file in the user's home directory and run it if there is
|
||||
sudo -u secdep bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
|
||||
sudo machinectl shell secdep@ "$(which bash)" -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml up -d'
|
||||
# sudo machinectl shell secdep@ /bin/bash -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock docker-compose -f /home/secdep/docker-compose.yml up -d'
|
||||
# sudo machinectl shell secdep@ /bin/bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
|
||||
# sudo -u secdep bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
|
||||
# Portainer is a docker image that provides a web interface for docker
|
||||
# which will be installed and run on port 9000 by default to make it easier to manage docker
|
||||
# CMD1="docker volume create portainer_data # Create a docker volume for portainer"
|
||||
# CMD2="docker run -d -p 9000:9000 --name=portainer --restart=unless-stopped -v /home/secdep/.docker/run/docker.sock:/home/secdep/.docker/run/docker.sock -v portainer_data:/data portainer/portainer-ce"
|
||||
# CMD2="docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes -v portainer_data:/data portainer/portainer-ce"
|
||||
# sudo -u secdep bash -c "$CMD1" # Create a docker volume for portainer
|
||||
# sudo -u secdep bash -c "$CMD2" # Run portainer
|
||||
# sudo machinectl shell secdep@ /bin/bash -c "docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes -v portainer_data:/data portainer/portainer-ce"
|
||||
# Check if the dockerImages array is empty and return 0 if it is
|
||||
[[ "${#dockerImages[@]}" -eq 0 ]] && return 0
|
||||
# Loop through the dockerImages array
|
||||
@@ -408,25 +442,42 @@ CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_R
|
||||
EOF
|
||||
)
|
||||
printf "%s" "$HARDEN_FAIL2BAN_SERVICE" | sudo tee /etc/systemd/system/fail2ban.service.d/override.conf
|
||||
sudo systemctl enable --now fail2ban
|
||||
sudo systemctl enable fail2ban
|
||||
# sudo systemctl enable --now fail2ban
|
||||
printf "%s" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config
|
||||
#sudo systemctl restart sshd
|
||||
}
|
||||
|
||||
function restartServices {
|
||||
# for service in "${services[@]}"; do
|
||||
# sudo systemctl restart "$service"
|
||||
# done
|
||||
function enableServices {
|
||||
for service in "${services[@]}"; do
|
||||
sudo systemctl restart "$service"
|
||||
done
|
||||
# command -v ufw >/dev/null 2>&1 && currentFirewall="ufw" || currentFirewall="firewalld"
|
||||
whereis ufw | grep -q /ufw && currentFirewall="ufw" || currentFirewall="firewalld"
|
||||
|
||||
if [[ "$currentFirewall" == "ufw" ]]; then
|
||||
echo "You should enable ufw"
|
||||
# sudo ufw enable
|
||||
# sudo systemctl enable --now ufw
|
||||
elif [[ "$currentFirewall" == "firewalld" ]]; then
|
||||
sudo firewall-cmd --reload
|
||||
else
|
||||
printf "%s" "Unsupported firewall"
|
||||
exit 1
|
||||
fi
|
||||
# With the if block it doesn't error out at firewalld check
|
||||
# For ufw
|
||||
# Enable the firewall
|
||||
# Enable and start the firewall on boot
|
||||
[[ "$currentFirewall" == "ufw" ]] && sudo ufw enable && sudo systemctl enable --now ufw
|
||||
# [[ "$currentFirewall" == "ufw" ]] && sudo ufw enable && sudo systemctl enable --now ufw
|
||||
# [[ "$currentFirewall" == "ufw" ]] && sudo ufw enable && sudo systemctl enable ufw
|
||||
# Getting stuck at sudo ufw enable?
|
||||
# [[ "$currentFirewall" == "ufw" ]] && sudo systemctl enable ufw
|
||||
# [[ "$currentFirewall" == "ufw" ]] && echo "You should enable ufw"
|
||||
# For firewalld
|
||||
# Reload the firewall
|
||||
[[ "$currentFirewall" == "firewalld" ]] && sudo firewall-cmd --reload
|
||||
sudo systemctl disable --now docker.service docker.socket
|
||||
# [[ "$currentFirewall" == "firewalld" ]] && sudo firewall-cmd --reload
|
||||
# sudo systemctl disable --now docker.service docker.socket
|
||||
# sudo systemctl disable --now docker
|
||||
# Make sure docker is disabled after
|
||||
# installing docker-compose, to make sure
|
||||
@@ -450,10 +501,11 @@ function main {
|
||||
# Else exit with error code 1
|
||||
## [[ $# -gt 0 ]] && dockerInit "$@" || exit 1
|
||||
dockerInit "$@" || exit 1
|
||||
restartServices || exit 1
|
||||
enableServices || exit 1
|
||||
printf "%s" "Script finished" # Output message to the user
|
||||
printf "%s" "Now rebooting" # Output message to the user
|
||||
sudo reboot
|
||||
printf "%s" "You should reboot" # Output message to the user
|
||||
# printf "%s" "Now rebooting" # Output message to the user
|
||||
# sudo reboot
|
||||
}
|
||||
|
||||
# # The am_i_root function will check if the user is root and exit if they are not.
|
||||
@@ -467,4 +519,5 @@ function main {
|
||||
# Call the main function
|
||||
main "$@"
|
||||
|
||||
# exit 1 # The right and proper way to exit a script
|
||||
exit 0 # The right and proper way to exit a script
|
||||
|
||||
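Review bot: The docker-compose binary fetched on the `curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose` line of the dockerInit hunk is made executable and later run without any integrity check, and because `-f` is missing an HTTP error body (404, proxy page) would be saved to that path and chmod'ed as well. Pin the expected digest and verify it before the chmod, e.g. `curl -fsSL <url> -o /home/secdep/bin/docker-compose` followed by `printf '%s  %s\n' "<EXPECTED_SHA256>" /home/secdep/bin/docker-compose | sha256sum -c -` in the same `machinectl shell` invocation, returning non-zero from the function if the check fails. The separate `machinectl shell secdep@ /bin/bash -c 'chmod +x ...'` call also has its exit status ignored, so a failed download is not caught there either. Separately, in the firewallInit hunk, dropping `--now` from `sudo systemctl enable firewalld` leaves the daemon stopped while the next line `sudo firewall-cmd --permanent --add-port=22100/tcp` needs it running; on a stopped daemon `firewall-offline-cmd --add-port=22100/tcp` is the working form. The dockerInit function body starts before this hunk and continues past it.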