re-factoring into my shell script framework.

shifting away from invoking via curl and using a downloaded zip file or git clone.

ProjectCode/Modules/RandD/sslStackFromSource.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+
+#Made from instructions at https://www.tunetheweb.com/performance/http2/
+
+OPENSSL_URL_BASE="https://www.openssl.org/source/"
+OPENSSL_FILE="openssl-1.1.0h.tar.gz"
+
+NGHTTP_URL_BASE="https://github.com/nghttp2/nghttp2/releases/download/v1.31.0/"
+NGHTTP_FILE="nghttp2-1.31.0.tar.gz"
+
+APR_URL_BASE="http://mirrors.whoishostingthis.com/apache/apr/"
+APR_FILE="apr-1.6.3.tar.gz"
+
+APR_UTIL_URL_BASE="http://mirrors.whoishostingthis.com/apache/apr/"
+APR_UTIL_FILE="apr-util-1.6.1.tar.gz"
+
+APACHE_URL_BASE="http://mirrors.whoishostingthis.com/apache/httpd/"
+APACHE_FILE="httpd-2.4.33.tar.gz"
+
+CURL_URL_BASE="https://curl.haxx.se/download/"
+CURL_FILE="curl-7.60.0.tar.gz"
+
+
+#Download and install latest version of openssl
+wget $OPENSSL_URL_BASE/$OPENSSL_FILE
+tar xzf $OPENSSL_FILE
+cd openssl-1.1.0h 
+./config enable-weak-ssl-ciphers shared zlib-dynamic -DOPENSSL_TLS_SECURITY_LEVEL=0 --prefix=/usr/local/custom-ssl/openssl-1.1.0h ; make ; make install
+ln -s /usr/local/custom-ssl/openssl-1.1.0h /usr/local/openssl
+cd -
+
+#Download and install nghttp2 (needed for mod_http2).
+wget $NGHTTP_URL_BASE/$NGHTTP_FILE
+tar xzf $NGHTTP_FILE
+cd nghttp2-1.31.0 
+./configure --prefix=/usr/local/custom-ssl/nghttp ; make ; make install
+cd -
+
+#Updated ldconfig so curl build
+
+cat <<custom-ssl > /etc/ld.so.conf.d/custom-ssl.conf
+/usr/local/custom-ssl/openssl-1.1.0h/lib
+/usr/local/custom-ssl/nghttp/lib
+custom-ssl
+
+ldconfig
+
+#Download and install curl
+wget $CURL_URL_BASE/$CURL_FILE
+tar xzf curl-7.60.0.tar.gz
+cd curl-7.60.0
+./configure --prefix=/usr/local/custom-ssl/curl --with-nghttp2=/usr/local/custom-ssl/nghttp/ --with-ssl=/usr/local/custom-ssl/openssl-1.1.0h/ ; make ; make install
+cd -
+
+
+#Download and install latest apr
+wget $APR_URL_BASE/$APR_FILE
+tar xzf $APR_FILE
+cd apr-1.6.3 
+./configure --prefix=/usr/local/custom-ssl/apr ; make ; make install
+cd -
+
+#Download and install latest apr-util
+wget $APR_UTIL_URL_BASE/$APR_UTIL_FILE
+tar xzf apr-util-1.6.1.tar.gz
+cd apr-util-1.6.1 
+./configure --prefix=/usr/local/custom-ssl/apr-util --with-apr=/usr/local/custom-ssl/apr ; make; make install
+cd -
+
+#Download and install apache
+wget $APACHE_URL_BASE/$APACHE_FILE
+tar xzf httpd-2.4.33.tar.gz
+cd httpd-2.4.33
+cp -r ../apr-1.6.3 srclib/apr
+cp -r ../apr-util-1.6.1 srclib/apr-util
+./configure --prefix=/usr/local/custom-ssl/apache  --with-ssl=/usr/local/custom-ssl/openssl-1.1.0h/ --with-pcre=/usr/bin/pcre-config --enable-unique-id --enable-ssl --enable-so --with-included-apr --enable-http2 --with-nghttp2=/usr/local/custom-ssl/nghttp/
+make
+make install
+ln -s /usr/local/custom-ssl/apache /usr/local/apache
+cd -
+

ProjectCode/Modules/Security/secharden-2fa.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+
+#secharden-2fa
+#Coming very soon, 2fa for webmin/cockpit/ssh
+#libpam-google-authenticator
+
+#https://www.ogselfhosting.com/index.php/2024/03/21/enabling-2fa-for-cockpit/
+#https://webmin.com/docs/modules/webmin-configuration/#two-factor-authentication
+#https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-18-04

ProjectCode/Modules/Security/secharden-audit-agents.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o functrace
+
+export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
+
+function error_out()
+{
+        echo "Bailing out. See above for reason...."
+        exit 1
+}
+
+function handle_failure() {
+  local lineno=$1
+  local fn=$2
+  local exitstatus=$3
+  local msg=$4
+  local lineno_fns=${0% 0}
+  if [[ "$lineno_fns" != "-1" ]] ; then
+    lineno="${lineno} ${lineno_fns}"
+  fi
+  echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
+}
+
+trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
+
+export DL_ROOT
+DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
+
+# Material herein Sourced from
+
+# https://cisofy.com/documentation/lynis/
+# https://jbcsec.com/configure-linux-ssh/
+# https://opensource.com/article/20/5/linux-security-lynis
+# https://forum.greenbone.net/t/ssh-authentication/13536
+
+# openvas
+
+#lynis
+
+#Auditd
+
+curl --silent ${DL_ROOT}/ConfigFiles/AudidD/auditd.conf > /etc/audit/auditd.conf
+
+# Systemd
+curl --silent ${DL_ROOT}/ConfigFiles/Systemd/journald.conf > /etc/systemd/journald.conf
+
+# logrotate
+curl --silent ${DL_ROOT}/ConfigFiles/Logrotate/logrotate.conf > /etc/logrotate.conf

ProjectCode/Modules/Security/secharden-auto-upgrade.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+# Sourced from https://wiki.debian.org/UnattendedUpgrades

ProjectCode/Modules/Security/secharden-scap-stig.sh

@@ -0,0 +1,133 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o functrace
+
+export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
+
+function error_out()
+{
+        echo "Bailing out. See above for reason...."
+        exit 1
+}
+
+function handle_failure() {
+  local lineno=$1
+  local fn=$2
+  local exitstatus=$3
+  local msg=$4
+  local lineno_fns=${0% 0}
+  if [[ "$lineno_fns" != "-1" ]] ; then
+    lineno="${lineno} ${lineno_fns}"
+  fi
+  echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
+}
+
+trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
+
+function pi-detect()
+{
+echo Now running "$FUNCNAME"....
+if [ -f /sys/firmware/devicetree/base/model ] ; then
+export IS_RASPI="1"
+fi
+
+if [ ! -f /sys/firmware/devicetree/base/model ] ; then
+export IS_RASPI="0"
+fi
+echo Completed running "$FUNCNAME"
+}
+
+# Actual script logic starts here
+
+export DL_ROOT
+DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
+
+# Sourced from
+
+# https://complianceascode.readthedocs.io/en/latest/manual/developer/01_introduction.html
+# https://github.com/ComplianceAsCode/content
+# https://github.com/ComplianceAsCode
+
+#apparmor
+#enforcing
+#enabled in bootloader config
+
+#aide
+
+#auditd
+
+#disable auto mounting
+#disable usb storage
+
+
+#motd
+#remote login warning banner
+
+#Ensure time sync is working
+#systemd-timesync
+#ntp
+#chrony
+
+#password complexity
+#password expiration warning
+#password expiration time
+#password hashing algo
+
+#fix grub perms
+
+if [ "$IS_RASPI" = 0 ] ; then
+
+chown root:root /boot/grub/grub.cfg 
+chmod og-rwx /boot/grub/grub.cfg
+chmod 0400 /boot/grub/grub.cfg
+
+fi
+
+
+#disable auto mounting
+systemctl --now disable autofs  || true
+apt purge autofs || true
+
+#disable usb storage
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/usb_storage.conf > /etc/modprobe.d/usb_storage.conf 
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/dccp.conf > /etc/modprobe.d/dccp.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/rds.conf > /etc/modprobe.d/rds.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/sctp.conf > /etc/modprobe.d/sctp.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/tipc.conf > /etc/modprobe.d/tipc.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/cramfs.conf > /etc/modprobe.d/cramfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/freevxfs.conf > /etc/modprobe.d/freevxfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/hfs.conf > /etc/modprobe.d/hfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/hfsplus.conf > /etc/modprobe.d/hfsplus.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/jffs2.conf > /etc/modprobe.d/jffs2.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/squashfs.conf > /etc/modprobe.d/squashfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/udf.conf > /etc/modprobe.d/udf.conf
+
+#banners
+
+curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue > /etc/issue
+curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue.net > /etc/issue.net
+curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/motd > /etc/motd
+
+#Cron perms
+rm /etc/cron.deny || true
+touch /etc/cron.allow
+chmod g-wx,o-rwx /etc/cron.allow
+chown root:root /etc/cron.allow
+
+chmod og-rwx /etc/crontab
+chmod og-rwx /etc/cron.hourly/
+chmod og-rwx /etc/cron.daily/
+chmod og-rwx /etc/cron.weekly/
+chmod og-rwx /etc/cron.monthly/
+chown root:root /etc/cron.d/
+chmod og-rwx /etc/cron.d/
+
+# At perms
+
+rm -f /etc/at.deny || true
+touch /etc/at.allow
+chmod g-wx,o-rwx /etc/at.allow
+chown root:root /etc/at.allow

ProjectCode/Modules/Security/secharden-ssh.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/tsys-sshd-config > /etc/ssh/sshd_config
+curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/ssh-audit_hardening.conf > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
+
+# Perms on sshd_config 
+chmod og-rwx /etc/ssh/sshd_config
+chmod og-rwx /etc/ssh/sshd_config.d/*
+
+#todo
+
+# root login disabled
+# only strong mAC algos are used

ProjectCode/Modules/Security/secharden-wazuh.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# We don't want to run this on the wazuh server, otherwise bad things happen...
+
+export TSYS_NSM_CHECK
+TSYS_NSM_CHECK="$(hostname |grep -c tsys-nsm ||true)"
+
+if [ "$TSYS_NSM_CHECK" -eq 0 ]; then
+
+    if [ -f /usr/share/keyrings/wazuh.gpg ]; then
+        rm -f /usr/share/keyrings/wazuh.gpg
+    fi
+
+curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
+chmod 644 /usr/share/keyrings/wazuh.gpg
+echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list
+apt-get update
+
+WAZUH_MANAGER="tsys-nsm.knel.net" apt-get -y install wazuh-agent
+
+systemctl daemon-reload
+systemctl enable wazuh-agent
+systemctl start wazuh-agent
+
+echo "wazuh-agent hold" | dpkg --set-selections
+
+fi