I'm just a grunt. Don't blame me for this awful PoS.
@@ -54,7 +54,6 @@ function get_package_manager {
|
|||||||
"CentOS Linux" | "Fedora" | "Red Hat Enterprise Linux Server") # If the distribution is CentOS, Fedora or RHEL
|
"CentOS Linux" | "Fedora" | "Red Hat Enterprise Linux Server") # If the distribution is CentOS, Fedora or RHEL
|
||||||
printf "%s" "dnf" # Output dnf
|
printf "%s" "dnf" # Output dnf
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"openSUSE Leap") # If the distribution is OpenSUSE
|
"openSUSE Leap") # If the distribution is OpenSUSE
|
||||||
printf "%s" "zypper" # Output zypper
|
printf "%s" "zypper" # Output zypper
|
||||||
;;
|
;;
|
||||||
@@ -185,7 +184,6 @@ function getCorrectFirewall {
|
|||||||
exit 1 # Exit with error code 1
|
exit 1 # Exit with error code 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function getCorrectKernelSecurityModule {
|
function getCorrectKernelSecurityModule {
|
||||||
@@ -208,7 +206,6 @@ function getCorrectKernelSecurityModule {
|
|||||||
sudo dnf install selinux container-selinux -y # Install selinux
|
sudo dnf install selinux container-selinux -y # Install selinux
|
||||||
printf "%s" "selinux" # Output selinux
|
printf "%s" "selinux" # Output selinux
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"openSUSE Leap") # If the distribution is OpenSUSE
|
"openSUSE Leap") # If the distribution is OpenSUSE
|
||||||
sudo zypper install -t pattern apparmor -y # Install apparmor
|
sudo zypper install -t pattern apparmor -y # Install apparmor
|
||||||
printf "%s" "apparmor" # Output apparmor
|
printf "%s" "apparmor" # Output apparmor
|
||||||
@@ -320,11 +317,13 @@ EOF
|
|||||||
rm -f -- *.sha512
|
rm -f -- *.sha512
|
||||||
chmod a+rx runsc containerd-shim-runsc-v1
|
chmod a+rx runsc containerd-shim-runsc-v1
|
||||||
sudo mv runsc containerd-shim-runsc-v1 /home/secdep/bin
|
sudo mv runsc containerd-shim-runsc-v1 /home/secdep/bin
|
||||||
|
sudo chown secdep:secdep /home/secdep/bin/runsc
|
||||||
|
sudo chown secdep:secdep /home/secdep/bin/containerd-shim-runsc-v1
|
||||||
)
|
)
|
||||||
# Enable gVisor for docker by default while hardening the docker daemon.json file
|
# Enable gVisor for docker by default while hardening the docker daemon.json file
|
||||||
# The no-new-privileges option will prevent the docker daemon from gaining new privileges
|
# The no-new-privileges option will prevent the docker daemon from gaining new privileges
|
||||||
# The runsc option --network=host and --ignore-cgroup will help with running runsc
|
# The runsc option --network=host and --ignore-cgroups=true will help with running runsc
|
||||||
# with rootless docker
|
# with rootless docker without much hassle
|
||||||
sudo runuser - secdep -c 'mkdir -p /home/secdep/.config/docker'
|
sudo runuser - secdep -c 'mkdir -p /home/secdep/.config/docker'
|
||||||
# "icc": false to disable inter-container communication, does not work without br_netfilter module loaded
|
# "icc": false to disable inter-container communication, does not work without br_netfilter module loaded
|
||||||
# and it is sometimes prohibited by the hosting provider
|
# and it is sometimes prohibited by the hosting provider
|
||||||
@@ -339,7 +338,9 @@ EOF
|
|||||||
"path": "/home/secdep/bin/runsc",
|
"path": "/home/secdep/bin/runsc",
|
||||||
"runtimeArgs": [
|
"runtimeArgs": [
|
||||||
"--network=host",
|
"--network=host",
|
||||||
"--ignore-cgroups"
|
"--ignore-cgroups=true",
|
||||||
|
"--overlay2 all:memory",
|
||||||
|
"--rootless"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
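Review bot: The new runtimeArgs entry `"--overlay2 all:memory",` in the `@@ -339` hunk puts the flag and its value in a single array element, whereas every sibling entry (`--network=host`, `--ignore-cgroups=true`) uses the `=` form; each runtimeArgs element is passed to runsc as a separate argument, so runsc will presumably see one unknown flag named `overlay2 all:memory` and refuse to start instead of applying the overlay (the heredoc that writes daemon.json begins before this hunk). Change the line to `"--overlay2=all:memory",`. The comment block in the `@@ -320` hunk says `--network=host` and `--ignore-cgroups=true` help with rootless docker but not what they give up; a note such as `# --network=host uses the host network stack instead of gVisor's netstack and --ignore-cgroups=true skips cgroup limits; both weaken isolation and are accepted here only to make rootless docker work` would let a later reader judge the trade-off. In the same hunk the two added `sudo chown secdep:secdep` lines hand ownership of the sandbox runtime binaries to the very account whose containers they confine, although the preceding `chmod a+rx` already makes them executable by that user; keeping them root-owned would leave the runtime itself beyond the reach of anything running as secdep.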
|
|||||||