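#!/bin/bash
# Ubuntu hardening runner: loads ./ubuntu.cfg and ./scripts/* and then runs
# the f_* hardening steps in order, logging everything to a file in the
# current directory.
#
# ./ubuntu.cfg and ./scripts/* are sourced dynamically (SC1090); several
# globals set here are only consumed by those sourced scripts (SC2034).
# shellcheck disable=1090
# shellcheck disable=2034
set -u -o pipefail
# Check the interpreter through its own version variable rather than with
# `ps -p $$ | grep bash`: ps belongs to procps, which this script only
# installs later on, so the process-name probe failed on a host without
# procps even when bash was in fact running the script.
if [ -z "${BASH_VERSION:-}" ]; then
  echo "Sorry, this script requires bash."
  exit 1
fi
# Installing the missing tools with apt-get needs root, as do the
# system-wide changes main() applies.  Fail early with a clear message.
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root."
  exit 1
fi
if ! [ -x "$(command -v systemctl)" ]; then
  echo "systemctl required. Exiting."
  exit 1
fi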
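# ---------------------------------------------------------------------------
# Helpers for main().  They assign globals that the sourced ./scripts/* rely
# on (ARPBIN, DIGBIN, PINGBIN, WBIN, WHOBIN, LXC, SERVERIP, USERIP, ADMINIP),
# which is why those are deliberately not declared local.
# ---------------------------------------------------------------------------

# Make sure arp, dig, ping and w are available (installing their packages
# when they are not) and record the path of every binary the hardening
# scripts invoke.  Exits with status 1 if a tool is still missing after the
# package installation.
function _require_tools {
  local prog
  REQUIREDPROGS='arp dig ping w'
  REQFAILED=0
  for prog in $REQUIREDPROGS; do
    if ! command -v "$prog" >/dev/null 2>&1; then
      echo "$prog is required."
      REQFAILED=1
    fi
  done
  if [ "$REQFAILED" = 1 ]; then
    apt-get -qq update
    apt-get -qq install bind9-dnsutils iputils-ping net-tools procps --no-install-recommends
    # Re-check instead of letting "$(command -v ...)" below expand to an
    # empty path that only blows up in some unrelated hardening step.
    for prog in $REQUIREDPROGS; do
      if ! command -v "$prog" >/dev/null 2>&1; then
        echo "$prog is still missing after package installation. Exiting."
        exit 1
      fi
    done
  fi
  ARPBIN="$(command -v arp)"
  DIGBIN="$(command -v dig)"
  PINGBIN="$(command -v ping)"
  WBIN="$(command -v w)"
  WHOBIN="$(command -v who)"
}

# Set SERVERIP to the last IPv4 address printed by `ip route get <dns>` for
# the last DNS server listed by resolvectl (or /etc/resolv.conf when
# systemd-resolved is not answering), i.e. typically the source address this
# host uses to reach its resolver.  Left empty if no resolver is found.
function _detect_server_ip {
  local dns
  if resolvectl status >/dev/null 2>&1; then
    dns="$(resolvectl status | grep -E 'DNS (Server:|Servers:)' |
      tail -n1 | awk '{print $NF}')"
  else
    dns="$(grep '^nameserver' /etc/resolv.conf | tail -n1 | awk '{print $NF}')"
  fi
  SERVERIP="$(ip route get "$dns" |
    grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | tail -n1)"
}

# When ubuntu.cfg has AUTOFILL='Y', pre-populate it: FW_ADMIN gets the
# address of the first logged-in session (or, failing that, every /24 the
# host is attached to), SSH_GRPS the primary group of the first user shown
# by `w`, CHANGEME the current epoch time, and VERBOSE is switched on.
function _autofill_config {
  local admin_user admin_group
  grep -qs "AUTOFILL='Y'" ./ubuntu.cfg || return 0
  # Remote address of the first session `who` reports, parentheses stripped.
  USERIP="$($WHOBIN | awk '{print $NF}' | tr -d '()' |
    grep -E '^[0-9]' | head -n1)"
  if [[ "$USERIP" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    ADMINIP="$USERIP"
  else
    # No usable IPv4 session address: rewrite each of the host's addresses
    # to its /24 network instead.
    ADMINIP="$(hostname -I | sed -E 's/\.[0-9]+ /.0\/24 /g')"
  fi
  admin_user="$($WBIN -ih | awk '{print $1}' | head -n1)"
  admin_group=''
  if [ -n "$admin_user" ]; then
    admin_group="$(id -ng "$admin_user")"
  fi
  # The values are spliced into sed expressions.  ADMINIP may contain "/"
  # (the CIDR fallback above), which would terminate a "/"-delimited s///
  # early and make sed reject the whole expression, so "|" is the delimiter.
  sed -i "s|FW_ADMIN='|FW_ADMIN='$ADMINIP |" ./ubuntu.cfg
  sed -i "s|SSH_GRPS='|SSH_GRPS='$admin_group |" ./ubuntu.cfg
  sed -i "s|CHANGEME=''|CHANGEME='$(date +%s)'|" ./ubuntu.cfg
  sed -i "s|VERBOSE='N'|VERBOSE='Y'|" ./ubuntu.cfg
}

# Source ./ubuntu.cfg and freeze every setting it is expected to provide so
# that no hardening step can change them afterwards.  Exits with status 1
# when the file is missing, since `set -u` would otherwise turn the absent
# settings into unbound-variable errors deep inside the f_* steps.
function _load_config {
  if [ ! -f ./ubuntu.cfg ]; then
    echo "./ubuntu.cfg not found. Exiting."
    exit 1
  fi
  # The config is executed as shell code, so it is trusted exactly like this
  # script: keep it root-owned and not writable by other users.
  source ./ubuntu.cfg
  readonly ADDUSER
  readonly ADMINEMAIL
  readonly ARPBIN
  readonly AUDITDCONF
  readonly AUDITD_MODE
  readonly AUDITD_RULES
  readonly AUDITRULES
  readonly AUTOFILL
  readonly CHANGEME
  readonly COMMONACCOUNT
  readonly COMMONAUTH
  readonly COMMONPASSWD
  readonly COREDUMPCONF
  readonly DEFAULTGRUB
  readonly DISABLEFS
  readonly DISABLEMOD
  readonly DISABLENET
  readonly FAILLOCKCONF
  readonly FW_ADMIN
  readonly JOURNALDCONF
  readonly KEEP_SNAPD
  readonly LIMITSCONF
  readonly LOGINDCONF
  readonly LOGINDEFS
  readonly LOGROTATE
  readonly LOGROTATE_CONF
  readonly LXC
  readonly NTPSERVERPOOL
  readonly PAMLOGIN
  readonly PSADCONF
  readonly PSADDL
  readonly RESOLVEDCONF
  readonly RKHUNTERCONF
  readonly RSYSLOGCONF
  readonly SECURITYACCESS
  readonly SERVERIP
  readonly SSHDFILE
  readonly SSHFILE
  readonly SSH_GRPS
  readonly SSH_PORT
  readonly SYSCTL
  readonly SYSCTL_CONF
  readonly SYSTEMCONF
  readonly TIMEDATECTL
  readonly TIMESYNCD
  readonly UFWDEFAULT
  readonly USERADD
  readonly USERCONF
  readonly VERBOSE
  readonly WBIN
}

# Source every regular file in ./scripts (they define the f_* steps).
# Non-files (a subdirectory, or the literal pattern when nothing matched)
# are skipped rather than aborting the loop, and the function exits with
# status 1 if nothing was loaded, since main() would otherwise fail on the
# first undefined f_* step.
function _load_scripts {
  local script loaded=0
  for script in ./scripts/*; do
    [[ -f $script ]] || continue
    source "$script"
    loaded=$((loaded + 1))
  done
  if [ "$loaded" -eq 0 ]; then
    echo "No scripts found in ./scripts. Exiting."
    exit 1
  fi
}

# Prepare the environment (tools, globals, config, scripts) and then run the
# hardening steps in their fixed order.  Everything printed goes to stdout,
# which the caller pipes into the log file.
function main {
  clear
  _require_tools
  LXC="0"
  _detect_server_ip
  # Some steps need to know they are inside an LXC/LXD container.
  if grep -qE 'container=lxc|container=lxd' /proc/1/environ; then
    LXC="1"
  fi
  _autofill_config
  _load_config
  _load_scripts
  f_pre
  f_kernel
  f_firewall
  f_disablenet
  f_disablefs
  f_disablemod
  f_systemdconf
  f_resolvedconf
  f_logindconf
  f_journalctl
  f_timesyncd
  f_fstab
  f_prelink
  f_aptget_configure
  f_aptget
  f_hosts
  f_issue
  f_sudo
  f_logindefs
  f_sysctl
  f_limitsconf
  f_adduser
  f_rootaccess
  f_package_install
  f_psad
  f_coredump
  f_usbguard
  f_postfix
  f_apport
  f_motdnews
  f_rkhunter
  f_sshconfig
  f_sshdconfig
  f_password
  f_cron
  f_ctrlaltdel
  f_auditd
  f_aide
  f_rhosts
  f_users
  f_lockroot
  f_package_remove
  f_suid
  f_restrictcompilers
  f_umask
  f_path
  f_aa_enforce
  f_aide_post
  f_aide_timer
  f_aptget_noexec
  f_aptget_clean
  f_systemddelta
  f_post
  f_checkreboot
  echo
}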
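# Everything main() prints is mirrored into a per-host, per-day log in the
# current working directory.
LOGFILE="hardening-$(hostname --short)-$(date +%y%m%d).log"
# Create the log owner-readable only (an existing file keeps its mode): it is
# a record of privileged configuration changes and lands in whatever
# directory the operator happens to run the script from.
( umask 077 && : >> "$LOGFILE" )
echo "[HARDENING LOG - $(hostname --fqdn) - $(LANG=C date)]" >> "$LOGFILE"
main "$@" | tee -a "$LOGFILE"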