108 lines
3.0 KiB
Bash
108 lines
3.0 KiB
Bash
#!/bin/bash
|
|
|
|
#Framework variables are read from hee
|
|
source $PROJECT_ROOT_PATH/Framework-ConfigFiles/FrameworkVars
|
|
|
|
#Boilerplate and support functions
|
|
|
|
for framework_include_file in ../Framework-Includes/*; do
|
|
source "$framework_include_file"
|
|
done
|
|
|
|
for project_include_file in ../Project-Includes/*; do
|
|
source "$project_include_file"
|
|
done
|
|
|
|
# Actual script logic starts here
|
|
|
|
|
|
# Sourced from
|
|
|
|
# https://complianceascode.readthedocs.io/en/latest/manual/developer/01_introduction.html
|
|
# https://github.com/ComplianceAsCode/content
|
|
# https://github.com/ComplianceAsCode
|
|
|
|
#apparmor
|
|
#enforcing
|
|
#enabled in bootloader config
|
|
|
|
#aide
|
|
|
|
#auditd
|
|
|
|
#disable auto mounting
|
|
#disable usb storage
|
|
|
|
|
|
#motd
|
|
#remote login warning banner
|
|
|
|
#Ensure time sync is working
|
|
#systemd-timesync
|
|
#ntp
|
|
#chrony
|
|
|
|
#password complexity
|
|
#password expiration warning
|
|
#password expiration time
|
|
#password hashing algo
|
|
|
|
#fix grub perms
|
|
|
|
if [ "$IS_RASPI" = 0 ] ; then
|
|
|
|
chown root:root /boot/grub/grub.cfg
|
|
chmod og-rwx /boot/grub/grub.cfg
|
|
chmod 0400 /boot/grub/grub.cfg
|
|
|
|
fi
|
|
|
|
|
|
#disable auto mounting
|
|
systemctl --now disable autofs || true
|
|
apt-get -y --purge remove autofs || true
|
|
|
|
#disable usb storage
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/usb_storage.conf > /etc/modprobe.d/usb_storage.conf
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/dccp.conf > /etc/modprobe.d/dccp.conf
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/rds.conf > /etc/modprobe.d/rds.conf
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/sctp.conf > /etc/modprobe.d/sctp.conf
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/tipc.conf > /etc/modprobe.d/tipc.conf
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/cramfs.conf > /etc/modprobe.d/cramfs.conf
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/freevxfs.conf > /etc/modprobe.d/freevxfs.conf
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/hfs.conf > /etc/modprobe.d/hfs.conf
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/hfsplus.conf > /etc/modprobe.d/hfsplus.conf
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/jffs2.conf > /etc/modprobe.d/jffs2.conf
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/squashfs.conf > /etc/modprobe.d/squashfs.conf
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ModProbe/udf.conf > /etc/modprobe.d/udf.conf
|
|
|
|
#banners
|
|
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/BANNERS/issue > /etc/issue
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/BANNERS/issue.net > /etc/issue.net
|
|
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/BANNERS/motd > /etc/motd
|
|
|
|
#Cron perms
|
|
|
|
if [ -f /etc/cron.deny ]; then
|
|
rm /etc/cron.deny || true
|
|
fi
|
|
|
|
touch /etc/cron.allow
|
|
chmod g-wx,o-rwx /etc/cron.allow
|
|
chown root:root /etc/cron.allow
|
|
|
|
chmod og-rwx /etc/crontab
|
|
chmod og-rwx /etc/cron.hourly/
|
|
chmod og-rwx /etc/cron.daily/
|
|
chmod og-rwx /etc/cron.weekly/
|
|
chmod og-rwx /etc/cron.monthly/
|
|
chown root:root /etc/cron.d/
|
|
chmod og-rwx /etc/cron.d/
|
|
|
|
# At perms
|
|
|
|
rm -f /etc/at.deny || true
|
|
touch /etc/at.allow
|
|
chmod g-wx,o-rwx /etc/at.allow
|
|
chown root:root /etc/at.allow |