ok. i think this is the last of the regressions.

This commit is contained in:
2025-07-02 18:06:26 -05:00
parent d76613c0dc
commit f06d8b1fe5
2 changed files with 219 additions and 250 deletions


@ -1,24 +1,14 @@
#!/bin/bash #!/bin/bash
#Framework variables are read from hee
source "$FRAMEWORK_CONFIGS_FULL_PATH"/FrameworkVars
#Boilerplate and support functions for framework_include_file in ../../../Framework-Includes/*; do
FrameworkIncludeFiles="$(ls -1 --color=none "$FRAMEWORK_INCLUDES_FULL_PATH"/*)" source "$framework_include_file"
IFS=$'\n\t'
for file in "${FrameworkIncludeFiles[@]}"; do
. "$file"
done done
unset IFS
for project_include_file in ../../../Project-Includes/*; do
ProjectIncludeFiles="$(ls -1 --color=none "$PROJECT_INCLUDES_FULL_PATH"/*)" source "$project_include_file"
IFS=$'\n\t'
for file in "${ProjectIncludeFiles[@]}"; do
. "$file"
done done
unset IFS
export SUBODEV_CHECK export SUBODEV_CHECK
SUBODEV_CHECK="$(getent passwd|grep -c subodev || true)" SUBODEV_CHECK="$(getent passwd|grep -c subodev || true)"
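Review bot: The new include loops (`for framework_include_file in ../../../Framework-Includes/*` and the matching `Project-Includes` loop) source whatever a relative path resolves to from the caller's working directory, whereas the removed code used the absolute `$FRAMEWORK_INCLUDES_FULL_PATH` / `$PROJECT_INCLUDES_FULL_PATH` from FrameworkVars, which this file still sources on the line above. Run from any other directory the glob matches nothing, and without `shopt -s nullglob` the loop then sources the literal pattern and fails. I would write `for framework_include_file in "$FRAMEWORK_INCLUDES_FULL_PATH"/*; do` with `[[ -f "$framework_include_file" ]] || continue` as the first body line (and the same for the project loop), assuming those two variables are still defined by FrameworkVars.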


@ -10,7 +10,6 @@ PROJECT_ROOT_PATH="$(realpath ../)"
#Framework variables are read from hee #Framework variables are read from hee
source $PROJECT_ROOT_PATH/Framework-ConfigFiles/FrameworkVars source $PROJECT_ROOT_PATH/Framework-ConfigFiles/FrameworkVars
for framework_include_file in ../Framework-Includes/*; do for framework_include_file in ../Framework-Includes/*; do
source "$framework_include_file" source "$framework_include_file"
done done
@ -28,274 +27,264 @@ done
apt-get -y install git sudo dmidecode curl apt-get -y install git sudo dmidecode curl
export IS_PHYSICAL_HOST export IS_PHYSICAL_HOST
IS_PHYSICAL_HOST="$(/usr/sbin/dmidecode -t System|grep -c Dell ||true)" IS_PHYSICAL_HOST="$(/usr/sbin/dmidecode -t System | grep -c Dell || true)"
export SUBODEV_CHECK export SUBODEV_CHECK
SUBODEV_CHECK="$(getent passwd|grep -c subodev || true)" SUBODEV_CHECK="$(getent passwd | grep -c subodev || true)"
export LOCALUSER_CHECK export LOCALUSER_CHECK
LOCALUSER_CHECK="$(getent passwd|grep -c localuser || true)" LOCALUSER_CHECK="$(getent passwd | grep -c localuser || true)"
export DL_ROOT export DL_ROOT
DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/" DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
####################### #######################
# Support functions # Support functions
####################### #######################
function global-oam() function global-oam() {
{ print_info "Now running "$FUNCNAME"...."
print_info "Now running "$FUNCNAME"...."
cat ./scripts/up2date.sh > /usr/local/bin/up2date.sh && chmod +x /usr/local/bin/up2date.sh cat ./scripts/up2date.sh >/usr/local/bin/up2date.sh && chmod +x /usr/local/bin/up2date.sh
cd Modules/OAM || exit cd Modules/OAM || exit
bash ./oam-librenms.sh bash ./oam-librenms.sh
cd - || exit cd - || exit
print_info "Completed running "$FUNCNAME"" print_info "Completed running "$FUNCNAME""
} }
function global-systemServiceConfigurationFiles() function global-systemServiceConfigurationFiles() {
{ print_info "Now running "$FUNCNAME"...."
print_info "Now running "$FUNCNAME"...."
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ZSH/tsys-zshrc >/etc/zshrc
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/SMTP/aliases >/etc/aliases
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/Syslog/rsyslog.conf >/etc/rsyslog.conf
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ZSH/tsys-zshrc > /etc/zshrc newaliases
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/SMTP/aliases > /etc/aliases
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/Syslog/rsyslog.conf > /etc/rsyslog.conf
print_info "Completed running "$FUNCNAME""
newaliases
print_info "Completed running "$FUNCNAME""
} }
function global-installPackages() function global-installPackages() {
{ print_info "Now running "$FUNCNAME"...."
print_info "Now running "$FUNCNAME"...."
# Setup webmin repo, used for RBAC/2fa PAM
# Setup webmin repo, used for RBAC/2fa PAM curl https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh >/tmp/webmin-setup.sh
sh /tmp/webmin-setup.sh -f && rm -f /tmp/webmin-setup.sh
curl https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh > /tmp/webmin-setup.sh # Setup lynis repo, used for sec ops/compliance
sh /tmp/webmin-setup.sh -f && rm -f /tmp/webmin-setup.sh
# Setup lynis repo, used for sec ops/compliance if [ -f /etc/apt/trusted.gpg.d/cisofy-software-public.gpg ]; then
rm -f /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
fi
if [ -f /etc/apt/trusted.gpg.d/cisofy-software-public.gpg ]; then curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
rm -f /etc/apt/trusted.gpg.d/cisofy-software-public.gpg echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
fi
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg # Setup tailscale
echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
# Setup tailscale curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list
curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null #
curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list #Patch the system
#
# /usr/local/bin/up2date.sh
#Patch the system
#
/usr/local/bin/up2date.sh #Remove stuff we don't want
#Remove stuff we don't want apt-get --yes --purge remove systemd-timesyncd chrony telnet inetutils-telnet
apt-get --yes --purge remove systemd-timesyncd chrony telnet inetutils-telnet #export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" --purge remove nano
#export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" --purge remove nano # add stuff we want
# add stuff we want print_info ""Now installing all the packages...""
print_info ""Now installing all the packages..."" DEBIAN_FRONTEND="noninteractive" apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
virt-what \
auditd \
audispd-plugins \
aide \
htop \
dstat \
snmpd \
ncdu \
iftop \
acct \
nethogs \
sysstat \
ngrep \
lsb-release \
screen \
tailscale \
tmux \
vim \
command-not-found \
lldpd \
net-tools \
dos2unix \
gpg \
molly-guard \
lshw \
fzf \
ripgrep \
sudo \
mailutils \
clamav \
sl \
rsyslog \
logwatch \
git \
net-tools \
tshark \
tcpdump \
lynis \
glances \
zsh \
zsh-autosuggestions \
zsh-syntax-highlighting \
fonts-powerline \
webmin \
usermin \
iotop \
ntpsec \
ntpsec-ntpdate \
tuned \
cockpit \
iptables \
netfilter-persistent \
iptables-persistent \
pflogsumm \
postfix
DEBIAN_FRONTEND="noninteractive" apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \ export KALI_CHECK
virt-what \ KALI_CHECK="$(distro | grep -c kali || true)"
auditd \
audispd-plugins \
aide \
htop \
dstat \
snmpd \
ncdu \
iftop \
acct \
nethogs \
sysstat \
ngrep \
lsb-release \
screen \
tailscale \
tmux \
vim \
command-not-found \
lldpd \
net-tools \
dos2unix \
gpg \
molly-guard \
lshw \
fzf \
ripgrep \
sudo \
mailutils \
clamav \
sl \
rsyslog \
logwatch \
git \
net-tools \
tshark \
tcpdump \
lynis \
glances \
zsh \
zsh-autosuggestions \
zsh-syntax-highlighting \
fonts-powerline \
webmin \
usermin \
iotop \
ntpsec \
ntpsec-ntpdate \
tuned \
cockpit \
iptables \
netfilter-persistent \
iptables-persistent \
pflogsumm \
postfix
export KALI_CHECK export VIRT_TYPE
KALI_CHECK="$(distro |grep -c kali ||true)" VIRT_TYPE="$(virt-what)"
export VIRT_TYPE export IS_VIRT_GUEST
VIRT_TYPE="$(virt-what)" IS_VIRT_GUEST="$(echo "$VIRT_TYPE" | egrep -c 'hyperv|kvm' || true)"
export IS_VIRT_GUEST export IS_KVM_GUEST
IS_VIRT_GUEST="$(echo "$VIRT_TYPE"|egrep -c 'hyperv|kvm' ||true )" IS_KVM_GUEST="$(echo "$VIRT_TYPE" | grep -c 'kvm' || true)"
export IS_KVM_GUEST if [[ $IS_KVM_GUEST = 1 ]]; then
IS_KVM_GUEST="$(echo "$VIRT_TYPE"|grep -c 'kvm' || true)"
if [[ $IS_KVM_GUEST = 1 ]]; then
apt -y install qemu-guest-agent apt -y install qemu-guest-agent
fi fi
if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then
export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \ export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
i7z \ i7z \
thermald \ thermald \
cpufrequtils \ cpufrequtils \
linux-cpupower linux-cpupower
# power-profiles-daemon # power-profiles-daemon
fi fi
print_info "Completed running "$FUNCNAME"" print_info "Completed running "$FUNCNAME""
} }
function global-postPackageConfiguration() function global-postPackageConfiguration() {
{
print_info "Now running "$FUNCNAME"" print_info "Now running "$FUNCNAME""
systemctl --now enable auditd systemctl --now enable auditd
systemctl stop postfix systemctl stop postfix
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/SMTP/postfix_generic> /etc/postfix/generic curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/SMTP/postfix_generic >/etc/postfix/generic
postmap /etc/postfix/generic postmap /etc/postfix/generic
postconf -e "inet_protocols = ipv4" postconf -e "inet_protocols = ipv4"
postconf -e "inet_interfaces = 127.0.0.1" postconf -e "inet_interfaces = 127.0.0.1"
postconf -e "mydestination= 127.0.0.1" postconf -e "mydestination= 127.0.0.1"
postconf -e "relayhost = tsys-cloudron.knel.net" postconf -e "relayhost = tsys-cloudron.knel.net"
postconf -e "smtp_generic_maps = hash:/etc/postfix/generic" postconf -e "smtp_generic_maps = hash:/etc/postfix/generic"
# smtp_generic_maps = hash:/etc/postfix/generic # smtp_generic_maps = hash:/etc/postfix/generic
systemctl restart postfix systemctl restart postfix
#This is under test/dev and may fail #This is under test/dev and may fail
echo "hi from root to root" | mail -s "hi directly to root from $(hostname)" root echo "hi from root to root" | mail -s "hi directly to root from $(hostname)" root
chsh -s $(which zsh) root chsh -s $(which zsh) root
if [ "$LOCALUSER_CHECK" -gt 0 ]; then if [ "$LOCALUSER_CHECK" -gt 0 ]; then
chsh -s "$(which zsh)" localuser chsh -s "$(which zsh)" localuser
fi fi
if [ "$SUBODEV_CHECK" -gt 0 ]; then if [ "$SUBODEV_CHECK" -gt 0 ]; then
chsh -s "$(which zsh)" subodev chsh -s "$(which zsh)" subodev
fi fi
###Post package deployment bits ###Post package deployment bits
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/DHCP/dhclient.conf > /etc/dhcp/dhclient.conf curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/DHCP/dhclient.conf >/etc/dhcp/dhclient.conf
systemctl stop snmpd && /etc/init.d/snmpd stop systemctl stop snmpd && /etc/init.d/snmpd stop
cat ./ConfigFiles/SNMP/snmp-sudo.conf > /etc/sudoers.d/Debian-snmp cat ./ConfigFiles/SNMP/snmp-sudo.conf >/etc/sudoers.d/Debian-snmp
sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service
pi-detect pi-detect
if [ "$IS_RASPI" = 1 ] ; then if [ "$IS_RASPI" = 1 ]; then
cat ./ConfigFiles/SNMP/snmpd-rpi.conf > /etc/snmp/snmpd.conf cat ./ConfigFiles/SNMP/snmpd-rpi.conf >/etc/snmp/snmpd.conf
fi fi
if [ "$IS_PHYSICAL_HOST" = 1 ] ; then if [ "$IS_PHYSICAL_HOST" = 1 ]; then
cat ./ConfigFiles/SNMP/snmpd-physicalhost.conf > /etc/snmp/snmpd.conf cat ./ConfigFiles/SNMP/snmpd-physicalhost.conf >/etc/snmp/snmpd.conf
fi fi
if [ "$IS_VIRT_GUEST" = 1 ] ; then if [ "$IS_VIRT_GUEST" = 1 ]; then
cat ./ConfigFiles/SNMP/snmpd.conf > /etc/snmp/snmpd.conf cat ./ConfigFiles/SNMP/snmpd.conf >/etc/snmp/snmpd.conf
fi fi
systemctl daemon-reload && systemctl restart snmpd && /etc/init.d/snmpd restart systemctl daemon-reload && systemctl restart snmpd && /etc/init.d/snmpd restart
systemctl stop rsyslog systemctl stop rsyslog
systemctl start rsyslog systemctl start rsyslog
if [ "$KALI_CHECK" = 0 ]; then if [ "$KALI_CHECK" = 0 ]; then
cat ./ConfigFiles/NTP/ntp.conf > /etc/ntpsec/ntp.conf cat ./ConfigFiles/NTP/ntp.conf >/etc/ntpsec/ntp.conf
systemctl restart ntpsec.service systemctl restart ntpsec.service
fi fi
if [ "$KALI_CHECK" = 1 ]; then if [ "$KALI_CHECK" = 1 ]; then
cat ./ConfigFiles/NTP/ntp.conf > /etc/ntpsec/ntp.conf cat ./ConfigFiles/NTP/ntp.conf >/etc/ntpsec/ntp.conf
systemctl restart ntpsec.service systemctl restart ntpsec.service
fi fi
systemctl stop postfix systemctl stop postfix
systemctl start postfix systemctl start postfix
/usr/sbin/accton on /usr/sbin/accton on
if [ "$IS_PHYSICAL_HOST" -gt 0 ]; then
cpufreq-set -r -g performance
cpupower frequency-set --governor performance
if [ "$IS_PHYSICAL_HOST" -gt 0 ]; then # Potentially merge the below if needed.
cpufreq-set -r -g performance # power-profiles-daemon
cpupower frequency-set --governor performance # powerprofilesctl set performance
#tsys1# systemctl enable power-profiles-daemon
#tsys1# systemctl start power-profiles-daemon
# Potentially merge the below if needed. fi
# power-profiles-daemon
# powerprofilesctl set performance
#tsys1# systemctl enable power-profiles-daemon
#tsys1# systemctl start power-profiles-daemon
fi if [ "$IS_VIRT_GUEST" = 1 ]; then
if [ "$IS_VIRT_GUEST" = 1 ]; then
tuned-adm profile virtual-guest tuned-adm profile virtual-guest
fi fi
print_info "Completed running "$FUNCNAME"" print_info "Completed running "$FUNCNAME""
} }
#################################################################################################### ####################################################################################################
# Run various modules # Run various modules
#################################################################################################### ####################################################################################################
@ -306,71 +295,61 @@ print_info "Completed running "$FUNCNAME""
# SSH # SSH
function secharden-ssh() function secharden-ssh() {
{ print_info "Now running "$FUNCNAME""
print_info "Now running "$FUNCNAME""
cd ./Modules/Security cd ./Modules/Security
bash ./secharden-ssh.sh bash ./secharden-ssh.sh
cd - cd -
print_info "Completed running "$FUNCNAME"" print_info "Completed running "$FUNCNAME""
} }
function secharden-wazuh() function secharden-wazuh() {
{ print_info "Now running "$FUNCNAME""
print_info "Now running "$FUNCNAME"" bash ./Modules/Security/secharden-wazuh.sh
bash ./Modules/Security/secharden-wazuh.sh print_info "Completed running "$FUNCNAME""
print_info "Completed running "$FUNCNAME""
} }
function secharden-auto-upgrades() function secharden-auto-upgrades() {
{ print_info "Now running "$FUNCNAME""
print_info "Now running "$FUNCNAME"" #curl --silent ${DL_ROOT}/Modules/Security/secharden-ssh.sh|$(which bash)
#curl --silent ${DL_ROOT}/Modules/Security/secharden-ssh.sh|$(which bash) print_info "Completed running "$FUNCNAME""
print_info "Completed running "$FUNCNAME""
} }
function secharden-2fa() function secharden-2fa() {
{ print_info "Now running "$FUNCNAME""
print_info "Now running "$FUNCNAME"" #curl --silent ${DL_ROOT}/Modules/Security/secharden-2fa.sh|$(which bash)
#curl --silent ${DL_ROOT}/Modules/Security/secharden-2fa.sh|$(which bash) print_info "Completed running "$FUNCNAME""
print_info "Completed running "$FUNCNAME""
} }
function secharden-agents() function secharden-agents() {
{ print_info "Now running "$FUNCNAME""
print_info "Now running "$FUNCNAME"" #curl --silent ${DL_ROOT}/Modules/Security/secharden-audit-agents.sh|$(which bash)
#curl --silent ${DL_ROOT}/Modules/Security/secharden-audit-agents.sh|$(which bash) print_info "Completed running "$FUNCNAME""
print_info "Completed running "$FUNCNAME""
} }
function secharden-scap-stig() {
function secharden-scap-stig() print_info "Now running "$FUNCNAME""
{ bash ./Modules/Security/secharden-scap-stig.sh
print_info "Now running "$FUNCNAME"" print_info "Completed running "$FUNCNAME""
bash ./Modules/Security/secharden-scap-stig.sh
print_info "Completed running "$FUNCNAME""
} }
#################################################################################################### ####################################################################################################
# Authentication # Authentication
#################################################################################################### ####################################################################################################
function auth-cloudron-ldap() function auth-cloudron-ldap() {
{ print_info "Now running "$FUNCNAME""
print_info "Now running "$FUNCNAME"" #curl --silent ${DL_ROOT}/Modules/Auth/auth-cloudron-ldap.sh|$(which bash)
#curl --silent ${DL_ROOT}/Modules/Auth/auth-cloudron-ldap.sh|$(which bash) print_info "Completed running "$FUNCNAME""
print_info "Completed running "$FUNCNAME""
} }
#################################################################################################### ####################################################################################################
# RUn the various functions in the correct order # RUn the various functions in the correct order
#################################################################################################### ####################################################################################################
echo > $LOGFILENAME echo >$LOGFILENAME
print_info "Execution starting at $CURRENT_TIMESTAMP..." print_info "Execution starting at $CURRENT_TIMESTAMP..."
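Review bot: In `global-systemServiceConfigurationFiles` (hunk `@ -28,274`, the lines for /etc/zshrc, /etc/aliases and /etc/rsyslog.conf) the new side still does `curl --silent ${DL_ROOT}/... >/etc/...`; the shell truncates the target before curl runs and, without `--fail`, an HTTP error body or an empty response on a network failure is written over the live system config with no error reported. The same pattern is kept for /etc/postfix/generic and /etc/dhcp/dhclient.conf in `global-postPackageConfiguration`. A fetch helper that downloads to a `mktemp` file, checks curl's status, and only then `install`s over the target keeps a failed run from leaving rsyslog or postfix with an empty config. Separately, the lynis key is dearmored into `/etc/apt/trusted.gpg.d/`, where apt trusts it for every repository, so the `signed-by=` in the sources entry scopes nothing; keeping it outside that directory, as the tailscale entry does with `/usr/share/keyrings/`, would make the scoping effective. The package list in `global-installPackages` also names `net-tools` twice.
```shell
# Download DL_ROOT/<rel> to a temp file and install it over <dest> only on success,
# so a failed fetch leaves the existing file in place instead of truncating it.
fetch_config() {
  local rel=$1 dest=$2 tmp
  tmp=$(mktemp) || return 1
  if curl --fail --silent --show-error --location -o "$tmp" "${DL_ROOT%/}/${rel}"; then
    install -m 0644 -- "$tmp" "$dest"
  else
    printf 'fetch of %s failed; leaving %s unchanged\n' "$rel" "$dest" >&2
    rm -f -- "$tmp"
    return 1
  fi
  rm -f -- "$tmp"
}

function global-systemServiceConfigurationFiles() {
  print_info "Now running "$FUNCNAME"...."
  fetch_config ProjectCode/ConfigFiles/ZSH/tsys-zshrc /etc/zshrc
  fetch_config ProjectCode/ConfigFiles/SMTP/aliases /etc/aliases
  fetch_config ProjectCode/ConfigFiles/Syslog/rsyslog.conf /etc/rsyslog.conf
  # … unchanged: newaliases and completion message …
}
```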