KNEL/FetchApply
2
0
Fork 0
Code Pull Requests Actions Packages Releases 1 Activity

all the bug squashing and some sec ops

Browse Source
This commit is contained in:
Charles N Wyble
2025-06-27 10:16:36 -05:00
parent dc40896af0
commit 23cba4713b
4 changed files with 121 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ConfigFiles/SNMP/snmp-sudo.conf
View File

@ -1 +1 @@
Debian-snmp ALL = NOPASSWD: /bin/cat Debian-snmp ALL = NOPASSWD: /bin/cat

70
Modules/Security/secharden-scap-stig.sh
View File

@ -1,8 +1,78 @@
#!/bin/bash #!/bin/bash
set -o errexit
set -o nounset
set -o pipefail
set -o functrace
export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
function error_out()
{
echo "Bailing out. See above for reason...."
exit 1
}
function handle_failure() {
local lineno=$1
local fn=$2
local exitstatus=$3
local msg=$4
local lineno_fns=${0% 0}
if [[ "$lineno_fns" != "-1" ]] ; then
lineno="${lineno} ${lineno_fns}"
fi
echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
}
trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
export DL_ROOT
DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
# Sourced from # Sourced from
# https://complianceascode.readthedocs.io/en/latest/manual/developer/01_introduction.html # https://complianceascode.readthedocs.io/en/latest/manual/developer/01_introduction.html
# https://github.com/ComplianceAsCode/content # https://github.com/ComplianceAsCode/content
# https://github.com/ComplianceAsCode # https://github.com/ComplianceAsCode
#apparmor
#enforcing
#enabled in bootloader config
#aide
#auditd
#disable auto mounting
#disable usb storage
#motd
#remote login warning banner
#Ensure time sync is working
#systemd-timesync
#ntp
#chrony
#password complexity
#password expiration warning
#password expiration time
#password hashing algo
#fix grub perms
chown root:root /boot/grub/grub.cfg
chmod og-rwx /boot/grub/grub.cfg
#disable auto mounting
systemctl --now disable autofs || true
apt purge autofs || true
#disable usb storage
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/usb_storage.conf > /etc/modprobe.d/usb_storage.conf && rmmod usb-storage
#banners
curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue > /etc/issue
curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue.net > /etc/issue.net
curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/motd > /etc/motd

11
Modules/Security/secharden-ssh.sh
View File

@ -7,3 +7,14 @@ ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --s
service netfilter-persistent save service netfilter-persistent save
# Perms on sshd_config
# X11 forwarding disabled
# MaxAuthTries set to 4 or less
# login disabled
# only strong mAC algos are used
# idle timeout
# login grace time
# ssh access is limited
# ssh warning banner is configured
# allowtcpforwarding is disabled
# maxstartups is configured

69
SetupNewSystem.sh
View File

@ -2,10 +2,33 @@
# Standard strict mode and error handling boilderplate... # Standard strict mode and error handling boilderplate...
set -e set -o errexit
set -o nounset
set -o pipefail set -o pipefail
set -o functrace set -o functrace
export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
function error_out()
{
echo "Bailing out. See above for reason...."
exit 1
}
function handle_failure() {
local lineno=$1
local fn=$2
local exitstatus=$3
local msg=$4
local lineno_fns=${0% 0}
if [[ "$lineno_fns" != "-1" ]] ; then
lineno="${lineno} ${lineno_fns}"
fi
echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
}
trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
# Start actual script logic here... # Start actual script logic here...
################# #################
@ -32,19 +55,6 @@ function error_out()
exit 1 exit 1
} }
function handle_failure() {
local lineno=$1
local fn=$2
local exitstatus=$3
local msg=$4
local lineno_fns=${0% 0}
if [[ "$lineno_fns" != "-1" ]] ; then
lineno="${lineno} ${lineno_fns}"
fi
echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
}
trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
function PreflightCheck() function PreflightCheck()
{ {
@ -268,15 +278,14 @@ export VIRT_TYPE
VIRT_TYPE="$(virt-what)" VIRT_TYPE="$(virt-what)"
export IS_VIRT_GUEST export IS_VIRT_GUEST
VIRT_GUEST="$(echo "$VIRT_TYPE"|egrep -c 'hyperv|kvm' ||true )" IS_VIRT_GUEST="$(echo "$VIRT_TYPE"|egrep -c 'hyperv|kvm' ||true )"
export VIRT_GUEST export IS_KVM_GUEST
VIRT_GUEST="$(echo "$VIRT_TYPE"|egrep 'hyperv|kvm' ||true )" IS_KVM_GUEST="$(echo "$VIRT_TYPE"|grep -c 'kvm' || true)"
export KVM_GUEST
KVM_GUEST="$(echo "$VIRT_TYPE"|grep 'kvm' || true)"
if [[ $KVM_GUEST = 1 ]]; then
if [[ $IS_KVM_GUEST = 1 ]]; then
apt -y install qemu-guest-agent apt -y install qemu-guest-agent
fi fi
@ -343,11 +352,11 @@ if [ "$IS_RASPI" -eq 1 ] ; then
curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd-rpi.conf > /etc/snmp/snmpd.conf curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd-rpi.conf > /etc/snmp/snmpd.conf
fi fi
if [ "$IS_PHYSICAL_HOST" -eq 1 ] ; then if [ "$IS_PHYSICAL_HOST" = 1 ] ; then
curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd-physicalhost.conf > /etc/snmp/snmpd.conf curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd-physicalhost.conf > /etc/snmp/snmpd.conf
fi fi
if [ "$IS_VIRT_GUEST" -eq 1 ] ; then if [ "$IS_VIRT_GUEST" = 1 ] ; then
curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd.conf > /etc/snmp/snmpd.conf curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd.conf > /etc/snmp/snmpd.conf
fi fi
@ -356,13 +365,13 @@ systemctl daemon-reload && systemctl restart snmpd && /etc/init.d/snmpd restart
systemctl stop rsyslog systemctl stop rsyslog
systemctl start rsyslog systemctl start rsyslog
if [ "$KALI_CHECK" -eq 0 ]; then if [ "$KALI_CHECK" = 0 ]; then
curl --silent ${DL_ROOT}/ConfigFiles/NTP/ntp.conf > /etc/ntpsec/ntp.conf curl --silent ${DL_ROOT}/ConfigFiles/NTP/ntp.conf > /etc/ntp.conf
systemctl restart ntp systemctl restart ntp
fi fi
if [ "$KALI_CHECK" -eq 1 ]; then if [ "$KALI_CHECK" = 1 ]; then
curl --silent ${DL_ROOT}/ConfigFiles/NTP/ntp.conf > /etc/ntp.conf curl --silent ${DL_ROOT}/ConfigFiles/NTP/ntp.conf > /etc/ntpsec/ntp.conf
systemctl restart ntpsec.service systemctl restart ntpsec.service
fi fi
@ -384,7 +393,7 @@ cpupower frequency-set --governor performance
fi fi
if [ "$VIRT_GUEST" = 1 ]; then if [ "$IS_VIRT_GUEST" = 1 ]; then
tuned-adm profile virtual-guest tuned-adm profile virtual-guest
fi fi
@ -432,7 +441,7 @@ echo Now running "$FUNCNAME"
echo Completed running "$FUNCNAME" echo Completed running "$FUNCNAME"
} }
function secharden-audit-agents() function secharden-agents()
{ {
echo Now running "$FUNCNAME" echo Now running "$FUNCNAME"
#curl --silent ${DL_ROOT}/Modules/Security/secharden-audit-agents.sh|$(which bash) #curl --silent ${DL_ROOT}/Modules/Security/secharden-audit-agents.sh|$(which bash)
@ -472,9 +481,9 @@ global-postPackageConfiguration
secharden-ssh secharden-ssh
secharden-wazuh secharden-wazuh
secharden-scap-stig
#secharden-agents
#secharden-auto-upgrades #secharden-auto-upgrades
#secharden-audit-agents
#secharden-2fa #secharden-2fa
#secharden-scap-stig
#auth-cloudron-ldap #auth-cloudron-ldap