konsthol/SecDep
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

REALLY FUCKING FIXED

Browse Source
This commit is contained in:
konsthol
2023-09-01 20:05:34 +03:00
parent 35aba11739
commit e2a1a81b52
1 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
harden
View File

@@ -19,7 +19,7 @@ trap 'printf "Error on line %d with signal %s" "$LINENO" "$?"' ERR # Exit on err
trap 'printf "Interrupted on line %d with signal %s" "$LINENO" "$?"' INT SIGHUP SIGINT SIGTERM trap 'printf "Interrupted on line %d with signal %s" "$LINENO" "$?"' INT SIGHUP SIGINT SIGTERM
# Get script name using parameter expansion to not spawn a new subprocess # Get script name using parameter expansion to not spawn a new subprocess
##SCRIPT_NAME="${0##*/}" SCRIPT_NAME="${0##*/}"
# We will be using printf instead of echo because it is more standardised. # We will be using printf instead of echo because it is more standardised.
# Also we will be using the test command's functionality as # Also we will be using the test command's functionality as
@@ -164,7 +164,8 @@ function getCorrectFirewall {
distro="$(get_distro)" # Get the distribution name distro="$(get_distro)" # Get the distribution name
case "$distro" in # Use case to check for the distribution name case "$distro" in # Use case to check for the distribution name
"Ubuntu" | "Debian GNU/Linux") # If the distribution is Ubuntu or Debian "Ubuntu" | "Debian GNU/Linux") # If the distribution is Ubuntu or Debian
echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections printf "%s" 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections
# echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
export NEEDRESTART_MODE=a export NEEDRESTART_MODE=a
export DEBIAN_PRIORITY=critical export DEBIAN_PRIORITY=critical
@@ -199,7 +200,8 @@ function getCorrectKernelSecurityModule {
printf "%s" "apparmor" # Output apparmor printf "%s" "apparmor" # Output apparmor
;; ;;
"Debian GNU/Linux") # If the distribution is Debian "Debian GNU/Linux") # If the distribution is Debian
echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections printf "%s" 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections
# echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
export NEEDRESTART_MODE=a export NEEDRESTART_MODE=a
export DEBIAN_PRIORITY=critical export DEBIAN_PRIORITY=critical
@@ -333,7 +335,7 @@ EOF
## Check if we can use docker-compose config for that unless we have no access to the output ## Check if we can use docker-compose config for that unless we have no access to the output
# sudo machinectl shell secdep@ "$(which bash)" -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml config' # sudo machinectl shell secdep@ "$(which bash)" -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml config'
# [[ -f /home/secdep/docker-compose.yml ]] && sudo PORTS="$(grep '[0-9]:[0-9]' /home/secdep/docker-compose.yml | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' ')" || PORTS="" # [[ -f /home/secdep/docker-compose.yml ]] && sudo PORTS="$(grep '[0-9]:[0-9]' /home/secdep/docker-compose.yml | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' ')" || PORTS=""
CMD_PORTS="grep '[0-9]:[0-9]' /home/secdep/docker-compose.yml | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' '" CMD_PORTS="cat /home/secdep/docker-compose.yml | grep -A1 ports | grep '[0-9]:[0-9]' | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' '"
sudo -E runuser - secdep -c "$CMD_PORTS" > /dev/null 2>&1 && PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")" || PORTS="" sudo -E runuser - secdep -c "$CMD_PORTS" > /dev/null 2>&1 && PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")" || PORTS=""
# Loop through the ports in the PORTS variable # Loop through the ports in the PORTS variable
if [[ -n "$PORTS" ]]; then if [[ -n "$PORTS" ]]; then
@@ -540,12 +542,17 @@ EOF
# The main function will call the check_dependencies function and exit if it fails. # The main function will call the check_dependencies function and exit if it fails.
# It will also output a message to the user to let them know that the script has finished. # It will also output a message to the user to let them know that the script has finished.
function main { function main {
printf "%s" "$SCRIPT_NAME started"
check_dependencies || exit 1 # Check dependencies and exit if it fails check_dependencies || exit 1 # Check dependencies and exit if it fails
printf "%s" "Dependencies installed"
hardenSSH || exit 1 # Harden ssh and exit if it fails hardenSSH || exit 1 # Harden ssh and exit if it fails
printf "%s" "SSH hardened"
firewallInit || exit 1 # Initialize the firewall and exit if it fails firewallInit || exit 1 # Initialize the firewall and exit if it fails
printf "%s" "Firewall initialized"
kernelSecurityModuleInit || exit 1 # Initialize the kernel security module and exit if it fails kernelSecurityModuleInit || exit 1 # Initialize the kernel security module and exit if it fails
printf "%s" "Kernel security module initialized"
configureFail2ban || exit 1 # Initialize fail2ban and exit if it fails configureFail2ban || exit 1 # Initialize fail2ban and exit if it fails
## I should probably delete this one dockerInit || exit 1 # Initialize docker and exit if it fails printf "%s" "Fail2ban configured"
# apparmorConfig # Configure apparmor # apparmorConfig # Configure apparmor
# apparmorProfiles # Create apparmor profiles for all docker images # apparmorProfiles # Create apparmor profiles for all docker images
# selinuxConfig # Configure selinux # selinuxConfig # Configure selinux
@@ -553,12 +560,11 @@ function main {
# Call the dockerInit function with the arguments passed to the script # Call the dockerInit function with the arguments passed to the script
# Else exit with error code 1 # Else exit with error code 1
## [[ $# -gt 0 ]] && dockerInit "$@" || exit 1 ## [[ $# -gt 0 ]] && dockerInit "$@" || exit 1
dockerInit "$@" || exit 1 dockerInit "$@" || exit 1 # Initialize docker and exit if it fails
enableServices || exit 1 enableServices || exit 1
deleteRemainingUsers || exit 1 deleteRemainingUsers || exit 1
printf "%s" "Script finished" # Output message to the user printf "%s" "$SCRIPT_NAME finished" # Output message to the user
printf "%s" "You should reboot" # Output message to the user printf "%s" "You should reboot" # Output message to the user
# printf "%s" "Now rebooting" # Output message to the user
# sudo reboot # sudo reboot
} }
@@ -573,5 +579,4 @@ function main {
# Call the main function # Call the main function
main "$@" main "$@"
# exit 1 # The right and proper way to exit a script
exit 0 # The right and proper way to exit a script exit 0 # The right and proper way to exit a script