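#!/bin/bash
# Abort when an unset variable is expanded (nounset). Note that errexit is NOT
# enabled here, so command failures must be checked explicitly where they matter.
set -o nounset
# GLOBAL CONSTANTS
declare -r SCRIPT_AUTHOR="Cedric OBEJERO <[email protected]>"
declare -r SCRIPT_RELEASE="0.1.1"
declare -r SCRIPT_DATE="May 4th, 2023"
# Absolute directory containing this script; pwd -P resolves symlinks. All
# expansions are quoted so a path with spaces does not break the cd.
declare -r SCRIPT_PATH=$( cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null && pwd -P )
# Per-script log directory under /var/log, named after the invoked script name.
declare -r LOGDIR="/var/log/$(basename "$0")"
declare -r LOGFILE="${LOGDIR}/setup.log"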
# COMMON FUNCTIONS
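#######################################
# Print an ERROR log line (red tag, RFC-3339 timestamp, message) to stdout
# and append it to the log file. The colour escapes are written to the file
# as-is. The message is passed as a printf argument, never as the format.
# Globals:   LOGFILE (appended to)
# Arguments: $@ - message text (joined with spaces)
#######################################
function error() { printf '[\e[31m ERROR \e[0m]-%s-%s\n' "$(date --rfc-3339=seconds)" "$*" | tee -a "${LOGFILE}"; }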
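#######################################
# Print a WARNING log line (yellow tag, RFC-3339 timestamp, message) to stdout
# and append it to the log file. The colour escapes are written to the file
# as-is. The message is passed as a printf argument, never as the format.
# Globals:   LOGFILE (appended to)
# Arguments: $@ - message text (joined with spaces)
#######################################
function warn() { printf '[\e[33m WARNING \e[0m]-%s-%s\n' "$(date --rfc-3339=seconds)" "$*" | tee -a "${LOGFILE}"; }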
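#######################################
# Print an INFO log line (green tag, RFC-3339 timestamp, message) to stdout
# and append it to the log file. The colour escapes are written to the file
# as-is. The message is passed as a printf argument, never as the format.
# Globals:   LOGFILE (appended to)
# Arguments: $@ - message text (joined with spaces)
#######################################
function info() { printf '[\e[32m INFO \e[0m]-%s-%s\n' "$(date --rfc-3339=seconds)" "$*" | tee -a "${LOGFILE}"; }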
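#######################################
# Print the command help text to stdout.
# Globals:   SCRIPT_AUTHOR, SCRIPT_RELEASE, SCRIPT_DATE (read)
# Arguments: none
# Outputs:   help text on stdout
#######################################
function usage() {
  # basename only reads its argument; quoting keeps a path with spaces intact.
  local -r prog=$(basename "$0")
  cat <<EOF
Usage: $0
NAME
${prog} - apply hardening rules upon system components
SYNOPSIS
${prog} [OPTION]... [LEVEL]...
DESCRIPTION
Apply security rules and values to the kernel and system features. Accept only the
following values as security levels: Basics (1 as default), Secured (2) and Paranoid (3)
-l
Define security level to be applied, requiring integer values [1-3]
-h
Display current help information
-v
Display current release of the user command
AUTHOR
${SCRIPT_AUTHOR}
NOTES
${prog} ${SCRIPT_RELEASE}
${SCRIPT_DATE}
EOF
}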
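#######################################
# Print "<script> <release> (<date>)" on stdout.
# Globals:   SCRIPT_RELEASE, SCRIPT_DATE (read)
# Arguments: none
#######################################
function show_release() {
  printf '%s %s (%s)\n' "$(basename "$0")" "${SCRIPT_RELEASE}" "${SCRIPT_DATE}"
}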
#######################################
# Abort with status 1 unless the effective user id is 0 (root).
# Arguments: none
# Outputs:   error message on stderr when not root
#######################################
function check_root() {
  local uid
  uid=$(id -u)
  if (( uid != 0 )); then
    printf '%s\n' "This script MUST be run as ROOT" >&2
    exit 1
  fi
}
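#######################################
# Create the log directory and log file if they are missing, owned by root.
# Uses if/fi instead of a trailing "&&" list so the function returns 0 when
# the paths already exist (the old form returned 1 in that case).
# NOTE(review): 775/664 leave the directory group-writable and the log
# world-readable; 750/640 would be tighter for a root-only hardening log.
# Globals:   LOGDIR, LOGFILE (read)
# Arguments: none
# Returns:   0
#######################################
function check_logfile() {
  if [[ ! -d "${LOGDIR}" ]]; then
    mkdir -p -- "${LOGDIR}"
    chown root:root "${LOGDIR}"
    chmod 775 "${LOGDIR}"
  fi
  if [[ ! -f "${LOGFILE}" ]]; then
    touch -- "${LOGFILE}"
    chown root:root "${LOGFILE}"
    chmod 664 "${LOGFILE}"
  fi
  return 0
}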
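#######################################
# Validate the requested security level; exit 1 unless it is exactly 1, 2 or 3.
# A missing argument is treated as invalid instead of tripping nounset.
# Arguments: $1 - security level
# Outputs:   both diagnostics on stderr when invalid
#######################################
function check_level() {
  local -r level=${1-}
  if ! [[ "$level" =~ ^[1-3]$ ]]; then
    echo 'Required security level argument not valid' >&2
    echo 'Use option -h for more details' >&2
    exit 1
  fi
}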
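#######################################
# Disable a list of rarely needed filesystem kernel modules: add an
# "install <mod> /bin/false" override, unload the module if it is currently
# loaded, and blacklist it.
# Fixes vs. the previous version: the modprobe command line had an unbalanced
# double quote, the "unload" test was inverted (it only ran when the module
# was NOT loaded), substring matching on lsmod could hit e.g. "vfat" for
# "fat", and the second info message referenced the misspelt ${lmname}.
# Globals:   none written; files under /etc/modprobe.d are created/appended
# Arguments: none
# Outputs:   progress via info/warn
#######################################
function harden_os() {
  info "Starting hardening local system..."
  info "Applying Filesystem Configuration..."
  # TODO - To be tested and completed with other FS
  # NOTE(review): "fat" and "squashfs" may be required on some hosts (EFI
  # system partition, squashfs-based packaging); confirm before disabling.
  local -r -a L_DISABLEFS=("cramfs" "squashfs" "udf" "coda" "befs" "dlm" "f2fs" "freevxfs" "hfs" "hfsplus" "fat" "jffs2" )
  local l_mname l_conf
  for l_mname in "${L_DISABLEFS[@]}"; do
    l_conf="/etc/modprobe.d/${l_mname}.conf"
    info "Prevent ${l_mname} kernel module to be loaded on-demand"
    # --show prints the commands modprobe would run without executing them;
    # only append an override when none of the form "install /bin/false|true"
    # is already configured.
    if ! modprobe --show --verbose "$l_mname" \
      | grep --perl-regexp --quiet -- '^\h*install\h+/bin/(true|false)'; then
      printf 'install %s /bin/false\n' "$l_mname" >> "$l_conf"
    fi
    info "Unload ${l_mname} from running system if loaded"
    # lsmod's first column is the exact module name; match the whole line so
    # "fat" does not match "vfat" or "hfs" match "hfsplus".
    if lsmod | awk '{print $1}' \
      | grep --quiet --line-regexp --fixed-strings -- "$l_mname"; then
      modprobe -r "$l_mname" || warn "Could not unload ${l_mname} (still in use?)"
    fi
    info "Prevent ${l_mname} from being loaded directly"
    if ! grep --perl-regexp --quiet -- "^\h*blacklist\h+${l_mname}\b" /etc/modprobe.d/*; then
      printf 'blacklist %s\n' "$l_mname" >> "$l_conf"
    fi
  done
  info "Closing Filesystem Configuration..."
}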
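#######################################
# Parse command-line options and dispatch.
# Options: -h help (exit 0), -v release, -l LEVEL validate and prepare
# hardening. With no options the script currently does nothing and exits 0.
# Globals:   OPTIND, OPTARG (getopts); LEVEL kept for the future harden_os call
# Arguments: "$@" - command-line arguments
#######################################
function main() {
  # Leading ':' selects getopts silent mode: a missing argument is reported
  # through the ':' case and an unknown option through '*', with the
  # offending character in OPTARG.
  local -r OPTS=':hvl:'
  local LEVEL=1
  local opt
  while builtin getopts "${OPTS}" opt "${@}"; do
    case "$opt" in
      h)
        usage
        exit 0
        ;;
      v)
        show_release
        ;;
      l)
        LEVEL=${OPTARG}
        # Validate the argument before requiring root, so a bad level gives
        # a clear message without creating the log directory first.
        check_level "${LEVEL}"
        check_root
        check_logfile
        # TODO(review): hardening is still disabled; LEVEL is validated but
        # not yet consumed.
        # harden_os
        ;;
      :)
        echo "required argument not found for option -${OPTARG}" >&2
        echo 'Use option -h for more details' >&2
        exit 1
        ;;
      *)
        echo "Unknown option - ${OPTARG}" >&2
        usage
        exit 128
        ;;
    esac
  done
  exit 0
}
main "$@"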