miaou
/
miaou-server
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
provisioning tool for building opinionated architecture
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
77 Commits
1 Branch
7 Tags
642 KiB
Tree: c7163547db
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c7163547db'
${ noResults }
miaou-server/lib/harden.sh

294 lines
8.8 KiB
Raw Normal View History

second commit
7 months ago
change debian-bash to miaou-bash
7 months ago
second commit
7 months ago
change debian-bash to miaou-bash
7 months ago
second commit
7 months ago
fix harden sudo ln timezone
6 months ago
fix timezone
6 months ago
second commit
7 months ago
change debian-bash to miaou-bash
7 months ago
second commit
7 months ago
resolver gateway tail instead of head
7 months ago
second commit
7 months ago
change debian-bash to miaou-bash
7 months ago
second commit
7 months ago
change debian-bash to miaou-bash
7 months ago
second commit
7 months ago
change debian-bash to miaou-bash
7 months ago
second commit
7 months ago
  1. #!/bin/bash
  3. ### FUNCTIONS
  4. ### ---------
  6. function prepare_config_hardened() {
  7. mkdir -p "$HARDEN_CONFIGDIR"
  8. }
  10. function pubkey_authorize() {
  11. local PREFIX="harden:pubkey:authorize"
  13. if [[ ! -d $HOME/.ssh ]]; then
  14. echo -n "create .ssh folder for the first time ..."
  15. mkdir -m 700 ~/.ssh
  16. PREFIX="" echo "OK"
  17. else
  18. local security_issue_in_ssh_folder
  19. security_issue_in_ssh_folder=$(find "$HOME/.ssh" -perm -go=r | wc -l)
  20. if [[ $security_issue_in_ssh_folder -gt 0 ]]; then
  21. echo -n "force security in .ssh folder for <$CURRENT_USER> ..."
  22. chmod -R u+rwX,go-rwx "/home/$CURRENT_USER/.ssh"
  23. PREFIX="" echo "OK"
  24. else
  25. echo "security in .ssh folder for <$CURRENT_USER> approved!"
  26. fi
  27. fi
  29. pubkey_value=$(yq ".authorized.pubkey" "$HARDEN_CONFIGFILE")
  30. if [[ ! -f /home/$CURRENT_USER/.ssh/authorized_keys ]]; then
  31. echo -n "authorized_keys first time ..."
  32. PREFIX="" echo "$pubkey_value" >"$HOME/.ssh/authorized_keys"
  33. chmod u+rw,go-rwx "/home/$CURRENT_USER/.ssh/authorized_keys"
  34. PREFIX="" echo "OK"
  35. else
  36. if ! grep -q "^$pubkey_value" "/home/$CURRENT_USER/.ssh/authorized_keys"; then
  37. echo -n "pubkey <$CURRENT_USER> appended to <.ssh/authorized_keys> ..."
  38. echo "$pubkey_value" >>"$HOME/.ssh/authorized_keys"
  39. PREFIX="" echo "OK"
  40. else
  41. echo "pubkey <$CURRENT_USER> already authorized!"
  42. fi
  43. fi
  44. }
  46. function sudoers() {
  47. local PREFIX="harden:sudoers"
  48. if [[ -d /etc/sudoers.d ]]; then
  49. echo -n "add $CURRENT_USER and no more ..."
  51. sudo env current_user="$CURRENT_USER" tera -e --env-key env --env-only -o /etc/sudoers -t "$MIAOU_BASEDIR/templates/hardened/sudoers.j2" >/dev/null
  53. rm /etc/sudoers.d -rf
  54. grep -Eq "^debian" /etc/passwd && userdel -rf debian
  55. grep -Eq "^sudo" /etc/group && groupdel sudo
  56. passwd -dq root
  57. passwd -dq "$CURRENT_USER"
  59. PREFIX="" echo "OK"
  60. else
  61. echo "sudo authorized for <$CURRENT_USER> only!"
  62. fi
  63. }
  65. function sshd() {
  66. local PREFIX="harden:sshd"
  67. if [[ ! -f /etc/ssh/sshd_config ]]; then
  68. sudo apt install -y openssh-server
  69. else
  70. echo "sshd already installed!"
  71. fi
  73. if ! grep -Eq "^Port 2222" /etc/ssh/sshd_config; then
  74. echo -n "replacing sshd ..."
  76. sudo env current_user="$CURRENT_USER" tera -e --env-key env --env-only -o /etc/ssh/sshd_config -t "$MIAOU_BASEDIR/templates/hardened/sshd_config.j2" >/dev/null
  77. sudo systemctl restart sshd
  79. PREFIX="" echo "OK"
  80. else
  81. echo "already done!"
  82. fi
  83. }
  85. function prepare_proxy() {
  86. local PREFIX="harden:proxy"
  88. if ! grep -Eq "^precedence ::ffff:0:0/96.*" /etc/gai.conf; then
  89. echo "prefer ipv4 ..."
  90. sudo /opt/miaou-bash/tools/append_or_replace "^precedence ::ffff:0:0/96.*" "precedence ::ffff:0:0/96 100" /etc/gai.conf
  91. echo "OK"
  92. else
  93. echo "ipv4 already prefered!"
  94. fi
  96. if ! grep -Eq "^net.ipv4.ip_forward=1" /etc/sysctl.conf; then
  97. echo "allow forwarding from kernel ..."
  98. sudo /opt/miaou-bash/tools/append_or_replace "^net.ipv4.ip_forward=1.*" "net.ipv4.ip_forward=1" /etc/sysctl.conf
  99. sudo sysctl -p
  100. echo "OK"
  101. else
  102. echo "kernel forwarding already allowed!"
  103. fi
  104. }
  106. function set_current_user {
  107. local PREFIX="harden:environment"
  109. CURRENT_USER=$(id -un)
  110. echo "current user is <$CURRENT_USER>"
  111. }
  113. function load_configuration {
  114. local PREFIX="harden:configuration:load"
  116. if [[ ! -f "$HARDEN_CONFIGFILE" ]]; then
  117. echo "configuration requires further details ..."
  118. cp "$MIAOU_BASEDIR/templates/hardened/hardened.yaml.sample" "$HARDEN_CONFIGFILE"
  119. echo "OK"
  120. fi
  122. editor "$HARDEN_CONFIGFILE"
  123. }
  125. function check_configuration {
  126. local PREFIX="harden:configuration:check"
  128. check_yaml_defined_value "$HARDEN_CONFIGFILE" 'authorized.pubkey'
  129. check_yaml_defined_value "$HARDEN_CONFIGFILE" 'alert.to'
  130. check_yaml_defined_value "$HARDEN_CONFIGFILE" 'alert.from'
  131. check_yaml_defined_value "$HARDEN_CONFIGFILE" 'alert.smtp.server'
  132. }
  134. function set_timezone_if_defined {
  135. local PREFIX="harden:timezone"
  136. timezone=$(yq ".timezone" "$HARDEN_CONFIGFILE")
  137. if [[ "$timezone" != null ]]; then
  138. if ! grep -q "$timezone" /etc/timezone; then
  139. if [[ -f "/usr/share/zoneinfo/$timezone" ]]; then
  140. echo "set timezone to $timezone ..."
  141. sudo ln -fs "/usr/share/zoneinfo/$timezone" /etc/localtime
  142. sudo dpkg-reconfigure -f noninteractive tzdata
  143. echo OK
  144. else
  145. echoerr "unkown timezone: <$timezone>, please edit <$HARDEN_CONFIGFILE> and change to a correct value" && exit 98
  146. fi
  147. else
  148. echo "timezone <$timezone> already set!"
  149. fi
  150. fi
  151. }
  153. function mailer_alert() {
  154. local PREFIX="harden:mailer"
  156. if [[ ! -f /etc/msmtprc ]]; then
  157. for i in exim4-config libevent-2.1-7 libgnutls-dane0 libunbound8; do
  158. if dpkg -l "$i" 2>/dev/null | grep -q ^ii && echo 'installed'; then
  159. echo "purging package <$i> ..."
  160. apt purge -y "$i"
  161. echo "OK"
  162. fi
  163. done
  165. echo "installing <msmtp> ..."
  166. sudo /opt/miaou-bash/tools/idem_apt_install msmtp msmtp-mta mailutils bsd-mailx
  167. echo "OK"
  169. echo "configuring </etc/aliases>"
  170. sudo env current_user="$CURRENT_USER" tera -e --env-key env -o /etc/aliases -t "$MIAOU_BASEDIR/templates/hardened/mailer/aliases.j2" "$HARDEN_CONFIGDIR/hardened.yaml" >/dev/null
  171. echo "OK"
  173. # populate environment variable with fqdn
  174. fqdn=$(hostname -f)
  176. echo "configuring </etc/mail.rc>"
  177. sudo env current_user="$CURRENT_USER" fqdn="$fqdn" tera -e --env-key env -o /etc/mail.rc -t "$MIAOU_BASEDIR/templates/hardened/mailer/mail.rc.j2" "$HARDEN_CONFIGDIR/hardened.yaml" >/dev/null
  178. echo "OK"
  180. echo "generating </etc/msmtprc> configuration file ..."
  181. sudo env fqdn="$fqdn" tera -e --env-key env -o /etc/msmtprc -t "$MIAOU_BASEDIR/templates/hardened/mailer/msmtprc.j2" "$HARDEN_CONFIGDIR/hardened.yaml" >/dev/null
  182. sudo chown root:msmtp /etc/msmtprc
  183. sudo chmod 640 /etc/msmtprc
  184. echo "OK"
  185. else
  186. echo "mailer <msmtp> already configured!"
  187. fi
  189. }
  191. function alert_at_boot() {
  192. local PREFIX="harden:alert:boot"
  193. if ! systemctl is-enabled --quiet on_startup.service 2>/dev/null; then
  194. echo "installing <on_startup.service> on systemd..."
  195. sudo cp "$MIAOU_BASEDIR/templates/hardened/systemd/on_startup.service" /etc/systemd/system/on_startup.service
  196. sudo systemctl daemon-reload
  197. sudo systemctl enable on_startup.service
  198. REBOOT=true
  199. echo "OK"
  200. else
  201. echo "systemd <on_startup.service> already enabled!"
  202. fi
  203. }
  205. function show_reboot_on_purpose() {
  206. if "$REBOOT"; then
  207. PREFIX="harden:reboot" echowarn "we recommend reboot on purpose, Reboot NOW?"
  208. else
  209. PREFIX="harden" echo "success"
  210. fi
  211. }
  213. function disable_systemd_resolved() {
  214. PREFIX="harden:systemd:resolved"
  215. if file /etc/resolv.conf | grep -q /run/systemd/resolve/stub-resolv.conf; then
  216. echo "disabling systemd-resolved..."
  217. sudo systemctl stop systemd-resolved.service
  218. sudo systemctl disable systemd-resolved.service
  219. sudo rm /etc/resolv.conf
  220. sudo tee /etc/resolv.conf &>/dev/null <<EOF
  221. nameserver 1.1.1.1
  222. EOF
  223. echo "OK"
  224. else
  225. echo "systemd-resolved already disabled!"
  226. fi
  227. }
  229. function alert_at_ssh_password() {
  230. local PREFIX="harden:alert:ssh:password"
  231. if ! grep -Eq "^session optional pam_exec.so /usr/local/bin/alert_ssh_password.sh" /etc/pam.d/sshd; then
  232. echo "installing alert_at_ssh_password..."
  233. sudo cp "$MIAOU_BASEDIR/templates/hardened/pam/alert_ssh_password.sh" /usr/local/bin/
  234. sudo chmod 700 /usr/local/bin/alert_ssh_password.sh
  235. sudo /opt/miaou-bash/tools/append_or_replace "^session optional pam_exec.so /usr/local/bin/alert_ssh_password.sh" "session optional pam_exec.so /usr/local/bin/alert_ssh_password.sh" /etc/pam.d/sshd
  236. echo "OK"
  237. else
  238. echo "alert_at_ssh_password already enabled!"
  239. fi
  240. }
  242. function customize_motd {
  243. local PREFIX="harden:motd:customize"
  244. if [[ ! -f /etc/update-motd.d/80-users ]]; then
  245. echo "customizing motd..."
  246. sudo /opt/miaou-bash/tools/idem_apt_install figlet lsb-release
  247. sudo rm -f /etc/motd
  248. sudo mkdir -p /etc/update-motd.d
  249. sudo rm -f /etc/update-motd.d/*
  250. sudo cp "$MIAOU_BASEDIR"/templates/hardened/motd/* /etc/update-motd.d/
  251. sudo chmod +x /etc/update-motd.d/*
  252. echo "OK"
  253. else
  254. echo "motd already customized!"
  255. fi
  256. }
  258. ### CONSTANTS
  259. ### ---------
  261. MIAOU_BASEDIR=$(readlink -f "$(dirname "$0")/..")
  262. readonly HARDEN_CONFIGDIR="$HOME/.config/hardened"
  263. readonly HARDEN_CONFIGFILE="$HARDEN_CONFIGDIR/hardened.yaml"
  265. ### MAIN
  266. ### ----
  268. # shellcheck source=/dev/null
  269. . "$MIAOU_BASEDIR/lib/functions.sh"
  270. miaou_init
  272. REBOOT=false
  273. PREFIX="harden"
  274. : $PREFIX
  276. sudo_required
  277. install_miaou_bash
  278. install_mandatory_commands
  279. prepare_config_hardened
  280. set_current_user
  281. check_configuration 2>/dev/null || load_configuration
  282. check_configuration
  283. pubkey_authorize
  284. sshd
  285. prepare_proxy
  286. prepare_nftables
  287. disable_systemd_resolved
  288. set_timezone_if_defined
  289. mailer_alert
  290. alert_at_boot
  291. alert_at_ssh_password
  292. customize_motd
  294. show_reboot_on_purpose