re-factoring into my shell script framework.

shifting away from invoking via curl and using a downloaded zip file or git clone.

ProjectCode/Modules/Security/secharden-2fa.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+
+#secharden-2fa
+#Coming very soon, 2fa for webmin/cockpit/ssh
+#libpam-google-authenticator
+
+#https://www.ogselfhosting.com/index.php/2024/03/21/enabling-2fa-for-cockpit/
+#https://webmin.com/docs/modules/webmin-configuration/#two-factor-authentication
+#https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-18-04

ProjectCode/Modules/Security/secharden-audit-agents.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o functrace
+
+export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
+
+function error_out()
+{
+        echo "Bailing out. See above for reason...."
+        exit 1
+}
+
+function handle_failure() {
+  local lineno=$1
+  local fn=$2
+  local exitstatus=$3
+  local msg=$4
+  local lineno_fns=${0% 0}
+  if [[ "$lineno_fns" != "-1" ]] ; then
+    lineno="${lineno} ${lineno_fns}"
+  fi
+  echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
+}
+
+trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
+
+export DL_ROOT
+DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
+
+# Material herein Sourced from
+
+# https://cisofy.com/documentation/lynis/
+# https://jbcsec.com/configure-linux-ssh/
+# https://opensource.com/article/20/5/linux-security-lynis
+# https://forum.greenbone.net/t/ssh-authentication/13536
+
+# openvas
+
+#lynis
+
+#Auditd
+
+curl --silent ${DL_ROOT}/ConfigFiles/AudidD/auditd.conf > /etc/audit/auditd.conf
+
+# Systemd
+curl --silent ${DL_ROOT}/ConfigFiles/Systemd/journald.conf > /etc/systemd/journald.conf
+
+# logrotate
+curl --silent ${DL_ROOT}/ConfigFiles/Logrotate/logrotate.conf > /etc/logrotate.conf

ProjectCode/Modules/Security/secharden-auto-upgrade.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+# Sourced from https://wiki.debian.org/UnattendedUpgrades

ProjectCode/Modules/Security/secharden-scap-stig.sh

@@ -0,0 +1,133 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o functrace
+
+export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
+
+function error_out()
+{
+        echo "Bailing out. See above for reason...."
+        exit 1
+}
+
+function handle_failure() {
+  local lineno=$1
+  local fn=$2
+  local exitstatus=$3
+  local msg=$4
+  local lineno_fns=${0% 0}
+  if [[ "$lineno_fns" != "-1" ]] ; then
+    lineno="${lineno} ${lineno_fns}"
+  fi
+  echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
+}
+
+trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
+
+function pi-detect()
+{
+echo Now running "$FUNCNAME"....
+if [ -f /sys/firmware/devicetree/base/model ] ; then
+export IS_RASPI="1"
+fi
+
+if [ ! -f /sys/firmware/devicetree/base/model ] ; then
+export IS_RASPI="0"
+fi
+echo Completed running "$FUNCNAME"
+}
+
+# Actual script logic starts here
+
+export DL_ROOT
+DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
+
+# Sourced from
+
+# https://complianceascode.readthedocs.io/en/latest/manual/developer/01_introduction.html
+# https://github.com/ComplianceAsCode/content
+# https://github.com/ComplianceAsCode
+
+#apparmor
+#enforcing
+#enabled in bootloader config
+
+#aide
+
+#auditd
+
+#disable auto mounting
+#disable usb storage
+
+
+#motd
+#remote login warning banner
+
+#Ensure time sync is working
+#systemd-timesync
+#ntp
+#chrony
+
+#password complexity
+#password expiration warning
+#password expiration time
+#password hashing algo
+
+#fix grub perms
+
+if [ "$IS_RASPI" = 0 ] ; then
+
+chown root:root /boot/grub/grub.cfg 
+chmod og-rwx /boot/grub/grub.cfg
+chmod 0400 /boot/grub/grub.cfg
+
+fi
+
+
+#disable auto mounting
+systemctl --now disable autofs  || true
+apt purge autofs || true
+
+#disable usb storage
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/usb_storage.conf > /etc/modprobe.d/usb_storage.conf 
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/dccp.conf > /etc/modprobe.d/dccp.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/rds.conf > /etc/modprobe.d/rds.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/sctp.conf > /etc/modprobe.d/sctp.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/tipc.conf > /etc/modprobe.d/tipc.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/cramfs.conf > /etc/modprobe.d/cramfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/freevxfs.conf > /etc/modprobe.d/freevxfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/hfs.conf > /etc/modprobe.d/hfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/hfsplus.conf > /etc/modprobe.d/hfsplus.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/jffs2.conf > /etc/modprobe.d/jffs2.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/squashfs.conf > /etc/modprobe.d/squashfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/udf.conf > /etc/modprobe.d/udf.conf
+
+#banners
+
+curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue > /etc/issue
+curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue.net > /etc/issue.net
+curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/motd > /etc/motd
+
+#Cron perms
+rm /etc/cron.deny || true
+touch /etc/cron.allow
+chmod g-wx,o-rwx /etc/cron.allow
+chown root:root /etc/cron.allow
+
+chmod og-rwx /etc/crontab
+chmod og-rwx /etc/cron.hourly/
+chmod og-rwx /etc/cron.daily/
+chmod og-rwx /etc/cron.weekly/
+chmod og-rwx /etc/cron.monthly/
+chown root:root /etc/cron.d/
+chmod og-rwx /etc/cron.d/
+
+# At perms
+
+rm -f /etc/at.deny || true
+touch /etc/at.allow
+chmod g-wx,o-rwx /etc/at.allow
+chown root:root /etc/at.allow

ProjectCode/Modules/Security/secharden-ssh.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/tsys-sshd-config > /etc/ssh/sshd_config
+curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/ssh-audit_hardening.conf > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
+
+# Perms on sshd_config 
+chmod og-rwx /etc/ssh/sshd_config
+chmod og-rwx /etc/ssh/sshd_config.d/*
+
+#todo
+
+# root login disabled
+# only strong mAC algos are used

ProjectCode/Modules/Security/secharden-wazuh.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# We don't want to run this on the wazuh server, otherwise bad things happen...
+
+export TSYS_NSM_CHECK
+TSYS_NSM_CHECK="$(hostname |grep -c tsys-nsm ||true)"
+
+if [ "$TSYS_NSM_CHECK" -eq 0 ]; then
+
+    if [ -f /usr/share/keyrings/wazuh.gpg ]; then
+        rm -f /usr/share/keyrings/wazuh.gpg
+    fi
+
+curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
+chmod 644 /usr/share/keyrings/wazuh.gpg
+echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list
+apt-get update
+
+WAZUH_MANAGER="tsys-nsm.knel.net" apt-get -y install wazuh-agent
+
+systemctl daemon-reload
+systemctl enable wazuh-agent
+systemctl start wazuh-agent
+
+echo "wazuh-agent hold" | dpkg --set-selections
+
+fi