KNEL/FetchApply
2
0
Fork 0
Code Pull Requests Actions Packages Releases 1 Activity
Files
cf68f49b174777d0d3f0295a3591a01d5f982b95
FetchApply/SetupNewSystem.sh
Charles N Wyble cf68f49b17 odds and ends
2025-06-25 12:10:25 -05:00

447 lines
11 KiB
Bash
Raw Blame History

#!/usr/bin/bash
# Standard strict mode and error handling boilderplate...
set -e
set -o pipefail
set -o functrace
# Start actual script logic here...
#################
#Global variables
#################
export SUBODEV_CHECK
SUBODEV_CHECK="$(getent passwd|grep -c subodev || true)"
export LOCALUSER_CHECK
LOCALUSER_CHECK="$(getent passwd|grep -c localuser || true)"
export DL_ROOT
DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
#######################
# Support functions
#######################
function error_out()
{
echo "Bailing out. See above for reason...."
exit 1
}
function handle_failure() {
local lineno=$1
local fn=$2
local exitstatus=$3
local msg=$4
local lineno_fns=${0% 0}
if [[ "$lineno_fns" != "-1" ]] ; then
lineno="${lineno} ${lineno_fns}"
fi
echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
}
trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
function PreflightCheck()
{
export curr_user="$USER"
export user_check
user_check="$(echo "$curr_user" | grep -c root)"
if [ $user_check -ne 1 ]; then
echo "Must run as root."
error_out
fi
#Your additional stuff here...
echo "All checks passed...."
}
function pi-detect()
{
echo Now running "$FUNCNAME"....
if [ -f /sys/firmware/devicetree/base/model ] ; then
export IS_RASPI="1"
fi
if [ ! -f /sys/firmware/devicetree/base/model ] ; then
export IS_RASPI="0"
fi
echo Completed running "$FUNCNAME"
}
function global-oam()
{
echo Now running "$FUNCNAME"....
curl --silent ${DL_ROOT}/scripts/distro > /usr/local/bin/distro && chmod +x /usr/local/bin/distro
curl --silent ${DL_ROOT}/scripts/up2date.sh > /usr/local/bin/up2date.sh && chmod +x /usr/local/bin/up2date.sh
echo "Setting up librenms agent..."
rm -rf /usr/local/librenms-agent || true
curl --silent ${DL_ROOT}/Agents/librenms.tar.gz > /usr/local/librenms.tar.gz
cd /usr/local && tar xfz librenms.tar.gz && rm -f /usr/local/librenms.tar.gz
echo Completed running "$FUNCNAME"
}
function global-systemServiceConfigurationFiles()
{
echo Now running "$FUNCNAME"....
curl --silent ${DL_ROOT}/ConfigFiles/ZSH/tsys-zshrc > /etc/zshrc
curl --silent ${DL_ROOT}/ConfigFiles/SMTP/aliases > /etc/aliases
curl --silent ${DL_ROOT}/ConfigFiles/Syslog/rsyslog.conf > /etc/rsyslog.conf
curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/tsys-sshd-config > /etc/ssh/sshd_config
curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/ssh-audit_hardening.conf > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
export ROOT_SSH_DIR="/root/.ssh"
export LOCALUSER_SSH_DIR="/home/localuser/.ssh"
export SUBODEV_SSH_DIR="/home/subodev/.ssh"
if [ ! -d $ROOT_SSH_DIR ]; then
mkdir /root/.ssh/
fi
curl --silent ${DL_ROOT}/ConfigFiles/SSH/AuthorizedKeys/root-ssh-authorized-keys > /root/.ssh/authorized_keys
chmod 400 /root/.ssh/authorized_keys
chown root: /root/.ssh/authorized_keys
if [ "$LOCALUSER_CHECK" = 1 ]; then
if [ ! -d $LOCALUSER_SSH_DIR ]; then
mkdir -p /home/localuser/.ssh/
fi
curl --silent ${DL_ROOT}/ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys > /home/localuser/.ssh/authorized_keys \
&& chown localuser /home/localuser/.ssh/authorized_keys \
&& chmod 400 /home/localuser/.ssh/authorized_keys
fi
if [ "$SUBODEV_CHECK" = 1 ]; then
if [ ! -d $SUBODEV_SSH_DIR ]; then
mkdir /home/subodev/.ssh/
fi
curl --silent ${DL_ROOT}/ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys > /home/subodev/.ssh/authorized_keys \
&& chmod 400 /home/subodev/.ssh/authorized_keys \
&& chown subodev: /home/subodev/.ssh/authorized_keys
fi
newaliases
echo Completed running "$FUNCNAME"
}
function global-installPackages()
{
echo Now running "$FUNCNAME"....
# Setup webmin repo, used for RBAC/2fa PAM
curl https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh > /tmp/webmin-setup.sh
sh /tmp/webmin-setup.sh -f && rm -f /tmp/webmin-setup.sh
# Setup lynis repo, used for sec ops/compliance
echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" > /etc/apt/sources.list.d/cisofy-lynis.list
curl --silent --insecure -s https://packages.cisofy.com/keys/cisofy-software-public.key | apt-key add -
# Setup tailscale
curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list
#
#Patch the system
#
/usr/local/bin/up2date.sh
#Remove stuff we don't want
#export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" --purge remove nano
# add stuff we want
echo "Now installing all the packages..."
DEBIAN_FRONTEND="noninteractive" apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
virt-what \
htop \
dstat \
snmpd \
ncdu \
iftop \
acct \
nethogs \
sysstat \
ngrep \
lsb-release \
screen \
tailscale \
tmux \
vim \
command-not-found \
lldpd \
net-tools \
dos2unix \
gpg \
molly-guard \
fail2ban \
lshw \
sudo \
mailutils \
clamav \
sl \
rsyslog \
logwatch \
git \
rsync \
net-tools \
tshark \
tcpdump \
lynis \
glances \
zsh \
zsh-autosuggestions \
zsh-syntax-highlighting \
fonts-powerline \
webmin \
usermin \
iotop \
tuned \
cockpit \
iptables \
netfilter-persistent \
iptables-persistent \
postfix \
telnet
export KALI_CHECK
KALI_CHECK="$(distro |grep -c kali ||true)"
if [ "$KALI_CHECK" = 0 ]; then
export DEBIAN_FRONTEND="noninteractive" ; apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
ntpdate \
ntp
fi
if [ "$KALI_CHECK" = 1 ]; then
export DEBIAN_FRONTEND="noninteractive" ; apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
ntpsec-ntpdate \
ntpsec
fi
export VIRT_TYPE
VIRT_TYPE="$(virt-what)"
export VIRT_GUEST
VIRT_GUEST="$(echo "$VIRT_TYPE"|egrep 'hyperv|kvm' ||true )"
export KVM_GUEST
KVM_GUEST="$(echo "$VIRT_TYPE"|grep 'kvm' || true)"
if [[ $KVM_GUEST = 1 ]]; then
apt -y install qemu-guest-agent
fi
export PHYSICAL_HOST
PHYSICAL_HOST="$(dmidecode -t System|grep -c Dell ||true)"
if [[ $PHYSICAL_HOST -gt 0 ]]; then
export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
i7z \
thermald \
cpupower
# power-profiles-daemon
fi
echo Completed running "$FUNCNAME"
}
function global-postPackageConfiguration()
{
echo Now running "$FUNCNAME"
apt-file update
systemctl stop postfix
curl --silent ${DL_ROOT}/ConfigFiles/SMTP/postfix_generic> /etc/postfix/generic
dos2unix /etc/postfix/generic
postmap /etc/postfix/generic
postconf -e "inet_protocols = ipv4"
postconf -e "inet_interfaces = 127.0.0.1"
postconf -e "mydestination= 127.0.0.1"
postconf -e "relayhost = tsys-cloudron.knel.net"
postconf -e "smtp_generic_maps = hash:/etc/postfix/generic"
# smtp_generic_maps = hash:/etc/postfix/generic
systemctl restart postfix
#This is under test/dev and may fail
echo "hi from root to root" | mail -s "hi directly to root from $(hostname)" root
chsh -s $(which zsh) root
if [ "$LOCALUSER_CHECK" = 1 ]; then
chsh -s "$(which zsh)" localuser
fi
if [ "$SUBODEV_CHECK" = 1 ]; then
chsh -s "$(which zsh)" localuser
fi
###Post package deployment bits
curl --silent ${DL_ROOT}/ConfigFiles/DHCP/dhclient.conf > /etc/dhcp/dhclient.conf
systemctl stop snmpd && /etc/init.d/snmpd stop
curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmp-sudo.conf > /etc/sudoers.d/Debian-snmp
sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service
pi-detect
if [ $IS_RASPI = 1 ] ; then
curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd-rpi.conf > /etc/snmp/snmpd.conf
fi
if [ $IS_RASPI != 1 ] ; then
curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd.conf > /etc/snmp/snmpd.conf
fi
systemctl daemon-reload && systemctl restart snmpd && /etc/init.d/snmpd restart
systemctl stop rsyslog
systemctl start rsyslog
logger "hi hi from $(hostname)"
if [ "$KALI_CHECK" -eq 0 ]; then
curl --silent ${DL_ROOT}/ConfigFiles/NTP/ntp.conf > /etc/ntpsec/ntp.conf
systemctl restart ntp
fi
if [ "$KALI_CHECK" -eq 1 ]; then
curl --silent ${DL_ROOT}/ConfigFiles/NTP/ntp.conf > /etc/ntp.conf
systemctl restart ntpsec.service
fi
systemctl stop postfix
systemctl start postfix
/usr/sbin/accton on
#if [ $PHYSICAL_HOST -gt 0 ]; then
# power-profiles-daemon
# powerprofilesctl set performance
#tsys1# systemctl enable power-profiles-daemon
#tsys1# systemctl start power-profiles-daemon
#fi
if [ "$VIRT_GUEST" = 1 ]; then
tuned-adm profile virtual-guest
fi
echo Completed running "$FUNCNAME"
}
####################################################################################################
# Run various modules
####################################################################################################
####################################################################################################
# Security Hardening
####################################################################################################
# SSH
function secharden-ssh()
{
echo Now running "$FUNCNAME"
curl --silent ${DL_ROOT}/Modules/Security/secharden-ssh.sh|$(which bash)
echo Completed running "$FUNCNAME"
}
function secharden-auto-upgrades()
{
echo Now running "$FUNCNAME"
#curl --silent ${DL_ROOT}/Modules/Security/secharden-ssh.sh|$(which bash)
echo Completed running "$FUNCNAME"
}
function secharden-2fa()
{
echo Now running "$FUNCNAME"
#curl --silent ${DL_ROOT}/Modules/Security/secharden-2fa.sh|$(which bash)
echo Completed running "$FUNCNAME"
}
function secharden-audit-agents()
{
echo Now running "$FUNCNAME"
#curl --silent ${DL_ROOT}/Modules/Security/secharden-audit-agents.sh|$(which bash)
echo Completed running "$FUNCNAME"
}
function secharden-scap-stig()
{
echo Now running "$FUNCNAME"
#curl --silent ${DL_ROOT}/Modules/Security/secharden-scap-stig.sh|$(which bash)
echo Completed running "$FUNCNAME"
}
####################################################################################################
# Authentication
####################################################################################################
function auth-cloudron-ldap()
{
echo Now running "$FUNCNAME"
#curl --silent ${DL_ROOT}/Modules/Auth/auth-cloudron-ldap.sh|$(which bash)
echo Completed running "$FUNCNAME"
}
####################################################################################################
# RUn the various functions in the correct order
####################################################################################################
PreflightCheck
global-oam
global-installPackages
global-systemServiceConfigurationFiles
global-postPackageConfiguration
secharden-ssh
#secharden-2fa
#secharden-auto-upgrades
#secharden-audit-agents
#secharden-scap-stig
#auth-cloudron-ldap
View Git Blame Copy Permalink