KNEL/KNELServerBuild
2
0
Fork 0
Code Pull Requests Actions Packages Releases 1 Activity

Compare commits

base: KNEL:5bbaff89e96ffd1401f0231ae627b668ecbaf734
Branches Tags
KNEL:main
KNEL:1.0
...
compare: KNEL:main
Branches Tags
KNEL:main
KNEL:1.0

20 Commits
5bbaff89e9 ... main

Author SHA1 Message Date
ReachableCEO
2930eeaf27 ssh pub key regression, need to use cat instead of curl 2025-07-29 13:54:39 -05:00
ReachableCEO
870540840c use the tailscale installer 2025-07-29 13:45:21 -05:00
ReachableCEO
5e2eaff55d typo 2025-07-29 13:42:14 -05:00
ReachableCEO
8f19c9fb6e kali corner case... 2025-07-29 13:32:53 -05:00
ReachableCEO
40ab4608e2 some minor ubuntu default cleanup 2025-07-17 23:04:40 -05:00
ReachableCEO
47ddb93fef Adding ansible-core to be able to run compliance as code playbooks 2025-07-16 09:37:11 -05:00
ReachableCEO
e73b81e229 . 2025-07-14 13:08:05 -05:00
ReachableCEO
39e37d0f76 . 2025-07-14 13:04:31 -05:00
ReachableCEO
31e66864ad . 2025-07-14 13:02:42 -05:00
ReachableCEO
0006eefcf1 . 2025-07-14 12:58:25 -05:00
ReachableCEO
abfaf765e6 . 2025-07-14 12:55:48 -05:00
ReachableCEO
1f2bd31380 . 2025-07-14 12:53:41 -05:00
ReachableCEO
93cea874a8 . 2025-07-14 12:50:48 -05:00
ReachableCEO
a898ebc59d . 2025-07-14 12:49:26 -05:00
ReachableCEO
78cc8cbcf3 . 2025-07-14 12:47:40 -05:00
ReachableCEO
495d0bb03b . 2025-07-14 12:46:53 -05:00
ReachableCEO
7a7d23f36c . 2025-07-14 12:42:22 -05:00
ReachableCEO
84f3ca3b0e . 2025-07-14 12:38:07 -05:00
ReachableCEO
f9f32612bb . 2025-07-14 12:37:04 -05:00
ReachableCEO
09063bfee4 case matters... 2025-07-14 12:36:03 -05:00
7 changed files with 139 additions and 87 deletions
Expand all files Collapse all files

6
ProjectCode/Modules/OAM/oam-librenms.sh
View File

@@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
export PROJECT_ROOT_PATH export PROJECT_ROOT_PATH
PROJECT_ROOT_PATH="$(realpath ../../)" PROJECT_ROOT_PATH="$(realpath ../../../)"
#Framework variables are read from hee #Framework variables are read from hee
@@ -13,11 +13,11 @@ KNELShellFrameworkRoot="$GIT_VENDOR_PATH_ROOT/KNEL/KNELShellFramework"
source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars
for framework_include_file in $KNELShellFrameworkRoot/framework-includes/*; do for framework_include_file in $KNELShellFrameworkRoot/Framework-Includes/*; do
source "$framework_include_file" source "$framework_include_file"
done done
for project_include_file in ../Project-Includes/*; do for project_include_file in ../../../Project-Includes/*; do
source "$project_include_file" source "$project_include_file"
done done

36
ProjectCode/Modules/Security/secharden-2fa.sh
View File

@@ -4,19 +4,35 @@
# Implements 2FA for SSH, Cockpit, and Webmin services # Implements 2FA for SSH, Cockpit, and Webmin services
# Uses Google Authenticator (TOTP) for time-based tokens # Uses Google Authenticator (TOTP) for time-based tokens
set -euo pipefail
# Source framework functions #####
# Script can be called from different contexts, so use absolute path resolution #Core framework functions...
SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")" #####
PROJECT_ROOT="$(dirname "$(dirname "$(dirname "$SCRIPT_DIR")")")"
# Set up framework variables expected by includes export PROJECT_ROOT_PATH
export PROJECT_ROOT_PATH="$PROJECT_ROOT" PROJECT_ROOT_PATH="$(realpath ../../../)"
source "$PROJECT_ROOT/Framework-Includes/PrettyPrint.sh" #Framework variables are read from hee
source "$PROJECT_ROOT/Framework-Includes/Logging.sh"
source "$PROJECT_ROOT/Framework-Includes/ErrorHandling.sh"
export GIT_VENDOR_PATH_ROOT
GIT_VENDOR_PATH_ROOT="$PROJECT_ROOT_PATH/vendor/git@git.knownelement.com/29418/"
export KNELShellFrameworkRoot
KNELShellFrameworkRoot="$GIT_VENDOR_PATH_ROOT/KNEL/KNELShellFramework"
source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars
for framework_include_file in $KNELShellFrameworkRoot/Framework-Includes/*; do
source "$framework_include_file"
done
for project_include_file in ../../../Project-Includes/*; do
source "$project_include_file"
done
#Framework variables are read from hee
source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars
# 2FA Configuration # 2FA Configuration
BACKUP_DIR="/root/backup/2fa" BACKUP_DIR="/root/backup/2fa"

2
ProjectCode/Modules/Security/secharden-audit-agents.sh
View File

@@ -17,7 +17,7 @@ KNELShellFrameworkRoot="$GIT_VENDOR_PATH_ROOT/KNEL/KNELShellFramework"
source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars
for framework_include_file in $KNELShellFrameworkRoot/framework-includes/*; do for framework_include_file in $KNELShellFrameworkRoot/Framework-Includes/*; do
source "$framework_include_file" source "$framework_include_file"
done done

19
ProjectCode/Modules/Security/secharden-scap-stig.sh
View File

@@ -1,14 +1,16 @@
#!/bin/bash #!/bin/bash
#####
#########################################
#Core framework functions... #Core framework functions...
##### #########################################
export PROJECT_ROOT_PATH export PROJECT_ROOT_PATH
PROJECT_ROOT_PATH="$(realpath ../../)" PROJECT_ROOT_PATH="$(realpath ../../../)"
#Framework variables are read from hee #Framework variables are read from hee
export GIT_VENDOR_PATH_ROOT export GIT_VENDOR_PATH_ROOT
GIT_VENDOR_PATH_ROOT="$PROJECT_ROOT_PATH/vendor/git@git.knownelement.com/29418/" GIT_VENDOR_PATH_ROOT="$PROJECT_ROOT_PATH/vendor/git@git.knownelement.com/29418/"
@@ -17,17 +19,22 @@ KNELShellFrameworkRoot="$GIT_VENDOR_PATH_ROOT/KNEL/KNELShellFramework"
source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars
for framework_include_file in $KNELShellFrameworkRoot/framework-includes/*; do for framework_include_file in $KNELShellFrameworkRoot/Framework-Includes/*; do
source "$framework_include_file" source "$framework_include_file"
done done
for project_include_file in ../Project-Includes/*; do for project_include_file in ../../../Project-Includes/*; do
source "$project_include_file" source "$project_include_file"
done done
# Actual script logic starts here #Framework variables are read from hee
source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars
#########################################
# Core script code begins here
#########################################
# Sourced from # Sourced from
# https://complianceascode.readthedocs.io/en/latest/manual/developer/01_introduction.html # https://complianceascode.readthedocs.io/en/latest/manual/developer/01_introduction.html

59
ProjectCode/Modules/Security/secharden-ssh.sh
View File

@@ -1,13 +1,13 @@
#!/bin/bash #!/bin/bash
##### #########################################
#Core framework functions... #Core framework functions...
##### #########################################
export PROJECT_ROOT_PATH export PROJECT_ROOT_PATH
PROJECT_ROOT_PATH="$(realpath ../)" PROJECT_ROOT_PATH="$(realpath ../../../)"
#Framework variables are read from hee #Framework variables are read from here
export GIT_VENDOR_PATH_ROOT export GIT_VENDOR_PATH_ROOT
@@ -18,16 +18,21 @@ KNELShellFrameworkRoot="$GIT_VENDOR_PATH_ROOT/KNEL/KNELShellFramework"
source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars
for framework_include_file in $KNELShellFrameworkRoot/framework-includes/*; do for framework_include_file in $KNELShellFrameworkRoot/Framework-Includes/*; do
source "$framework_include_file" source "$framework_include_file"
done done
for project_include_file in ../Project-Includes/*; do for project_include_file in ../../../Project-Includes/*; do
source "$project_include_file" source "$project_include_file"
done done
#Framework variables are read from hee #Framework variables are read from hee
source $PROJECT_ROOT_PATH/Framework-ConfigFiles/FrameworkVars source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars
#########################################
# Core script code begins here
#########################################
export SUBODEV_CHECK export SUBODEV_CHECK
SUBODEV_CHECK="$(getent passwd | grep -c subodev || true)" SUBODEV_CHECK="$(getent passwd | grep -c subodev || true)"
@@ -46,30 +51,30 @@ SUBODEV_SSH_DIR="/home/subodev/.ssh"
if [ ! -d $ROOT_SSH_DIR ]; then if [ ! -d $ROOT_SSH_DIR ]; then
mkdir /root/.ssh/ mkdir /root/.ssh/
fi fi
curl --silent "${DL_ROOT}"/ProjectCode/ConfigFiles/SSH/AuthorizedKeys/root-ssh-authorized-keys >/root/.ssh/authorized_keys cat ../../ConfigFiles/SSH/AuthorizedKeys/root-ssh-authorized-keys >/root/.ssh/authorized_keys
chmod 400 /root/.ssh/authorized_keys chmod 400 /root/.ssh/authorized_keys
chown root: /root/.ssh/authorized_keys chown root: /root/.ssh/authorized_keys
if [ "$LOCALUSER_CHECK" -gt 0 ]; then if [ "$LOCALUSER_CHECK" -gt 0 ]; then
if [ ! -d $LOCALUSER_SSH_DIR ]; then if [ ! -d $LOCALUSER_SSH_DIR ]; then
mkdir -p /home/localuser/.ssh/ mkdir -p /home/localuser/.ssh/
fi fi
curl --silent "${DL_ROOT}"/ProjectCode/ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys >/home/localuser/.ssh/authorized_keys && cat ../../ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys >/home/localuser/.ssh/authorized_keys
chown localuser /home/localuser/.ssh/authorized_keys && chown localuser /home/localuser/.ssh/authorized_keys &&
chmod 400 /home/localuser/.ssh/authorized_keys chmod 400 /home/localuser/.ssh/authorized_keys
fi fi
if [ "$SUBODEV_CHECK" = 1 ]; then if [ "$SUBODEV_CHECK" = 1 ]; then
if [ ! -d $SUBODEV_SSH_DIR ]; then if [ ! -d $SUBODEV_SSH_DIR ]; then
mkdir /home/subodev/.ssh/ mkdir /home/subodev/.ssh/
fi fi
curl --silent "${DL_ROOT}"/ProjectCode/ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys >/home/subodev/.ssh/authorized_keys && cat ../../ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys >/home/subodev/.ssh/authorized_keys
chmod 400 /home/subodev/.ssh/authorized_keys && chmod 400 /home/subodev/.ssh/authorized_keys &&
chown subodev: /home/subodev/.ssh/authorized_keys chown subodev: /home/subodev/.ssh/authorized_keys
fi fi
@@ -77,9 +82,9 @@ fi
export DEV_WORKSTATION_CHECK export DEV_WORKSTATION_CHECK
DEV_WORKSTATION_CHECK="$(hostname | egrep -c 'subopi-dev|CharlesDevServer' || true)" DEV_WORKSTATION_CHECK="$(hostname | egrep -c 'subopi-dev|CharlesDevServer' || true)"
if [ "$DEV_WORKSTATION_CHECK" -eq 0 ]; then if [ "$DEV_WORKSTATION_CHECK" -eq 0 ]; then
cat ../../ConfigFiles/SSH/Configs/tsys-sshd-config >/etc/ssh/sshd_config cat ../../ConfigFiles/SSH/Configs/tsys-sshd-config >/etc/ssh/sshd_config
fi fi
@@ -89,8 +94,8 @@ export UBUNTU_CHECK
UBUNTU_CHECK="$(distro | grep -c Ubuntu||true)" UBUNTU_CHECK="$(distro | grep -c Ubuntu||true)"
if [ "$UBUNTU_CHECK" -ne 1 ]; then if [ "$UBUNTU_CHECK" -ne 1 ]; then
cat ../../ConfigFiles/SSH/Configs/ssh-audit-hardening.conf >/etc/ssh/sshd_config.d/ssh-audit_hardening.conf cat ../../ConfigFiles/SSH/Configs/ssh-audit-hardening.conf >/etc/ssh/sshd_config.d/ssh-audit_hardening.conf
chmod og-rwx /etc/ssh/sshd_config.d/* chmod og-rwx /etc/ssh/sshd_config.d/*
fi fi
# Perms on sshd_config # Perms on sshd_config

19
ProjectCode/Modules/Security/secharden-wazuh.sh
View File

@@ -1,13 +1,13 @@
#!/bin/bash #!/bin/bash
##### #########################################
#Core framework functions... #Core framework functions...
##### #########################################
export PROJECT_ROOT_PATH export PROJECT_ROOT_PATH
PROJECT_ROOT_PATH="$(realpath ../../)" PROJECT_ROOT_PATH="$(realpath ../../../)"
#Framework variables are read from hee #Framework variables are read from here
export GIT_VENDOR_PATH_ROOT export GIT_VENDOR_PATH_ROOT
GIT_VENDOR_PATH_ROOT="$PROJECT_ROOT_PATH/vendor/git@git.knownelement.com/29418/" GIT_VENDOR_PATH_ROOT="$PROJECT_ROOT_PATH/vendor/git@git.knownelement.com/29418/"
@@ -17,14 +17,21 @@ KNELShellFrameworkRoot="$GIT_VENDOR_PATH_ROOT/KNEL/KNELShellFramework"
source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars
for framework_include_file in $KNELShellFrameworkRoot/framework-includes/*; do for framework_include_file in $KNELShellFrameworkRoot/Framework-Includes/*; do
source "$framework_include_file" source "$framework_include_file"
done done
for project_include_file in ../Project-Includes/*; do for project_include_file in ../../../Project-Includes/*; do
source "$project_include_file" source "$project_include_file"
done done
#Framework variables are read from hee
source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars
#########################################
# Core script code begins here
#########################################
# We don't want to run this on the wazuh server, otherwise bad things happen... # We don't want to run this on the wazuh server, otherwise bad things happen...

85
ProjectCode/SetupNewSystem.sh
View File

@@ -4,6 +4,7 @@
#Core framework functions... #Core framework functions...
##### #####
export PROJECT_ROOT_PATH export PROJECT_ROOT_PATH
PROJECT_ROOT_PATH="$(realpath ../)" PROJECT_ROOT_PATH="$(realpath ../)"
@@ -18,7 +19,7 @@ KNELShellFrameworkRoot="$GIT_VENDOR_PATH_ROOT/KNEL/KNELShellFramework"
source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars source $KNELShellFrameworkRoot/Framework-ConfigFiles/FrameworkVars
for framework_include_file in $KNELShellFrameworkRoot/framework-includes/*; do for framework_include_file in $KNELShellFrameworkRoot/Framework-Includes/*; do
source "$framework_include_file" source "$framework_include_file"
done done
@@ -34,6 +35,9 @@ done
apt-get -y install git sudo dmidecode curl apt-get -y install git sudo dmidecode curl
export UBUNTU_CHECK
UBUNTU_CHECK="$(distro | grep -c Ubuntu || true)"
export IS_PHYSICAL_HOST export IS_PHYSICAL_HOST
IS_PHYSICAL_HOST="$(/usr/sbin/dmidecode -t System | grep -c Dell || true)" IS_PHYSICAL_HOST="$(/usr/sbin/dmidecode -t System | grep -c Dell || true)"
@@ -94,8 +98,7 @@ function global-installPackages() {
# Setup tailscale # Setup tailscale
curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null curl -fsSL https://tailscale.com/install.sh | sh
curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list
# #
#Patch the system #Patch the system
@@ -105,18 +108,16 @@ function global-installPackages() {
#Remove stuff we don't want #Remove stuff we don't want
export UBUNTU_CHECK export DEBIAN_FRONTEND="noninteractive" \
UBUNTU_CHECK="$(distro | grep -c Ubuntu || true)" && apt-get -qq --yes --purge \
remove \
if [ "$UBUNTU_CHECK" -eq 1 ]; then systemd-timesyncd \
apt-get --yes --purge remove chrony telnet inetutils-telnet chrony \
fi telnet \
inetutils-telnet \
if [ "$UBUNTU_CHECK" -eq 0 ]; then nano \
apt-get --yes --purge remove systemd-timesyncd chrony telnet inetutils-telnet multipath-tools \
fi || true
#export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" --purge remove nano
# add stuff we want # add stuff we want
@@ -133,7 +134,6 @@ function global-installPackages() {
ncdu \ ncdu \
iftop \ iftop \
iotop \ iotop \
latencytop \
cockpit \ cockpit \
cockpit-bridge \ cockpit-bridge \
cockpit-doc \ cockpit-doc \
@@ -143,7 +143,6 @@ function global-installPackages() {
cockpit-sosreport \ cockpit-sosreport \
cockpit-storaged \ cockpit-storaged \
cockpit-system \ cockpit-system \
cockpit-tests \
cockpit-ws \ cockpit-ws \
nethogs \ nethogs \
sysstat \ sysstat \
@@ -156,6 +155,7 @@ function global-installPackages() {
vim \ vim \
command-not-found \ command-not-found \
lldpd \ lldpd \
ansible-core \
net-tools \ net-tools \
dos2unix \ dos2unix \
gpg \ gpg \
@@ -206,6 +206,12 @@ function global-installPackages() {
apt -y install qemu-guest-agent apt -y install qemu-guest-agent
fi fi
if [[ $KALI_CHECK -eq 0 ]];then
DEBIAN_FRONTEND="noninteractive" apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
latencytop \
cockpit-tests
fi
if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then
export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \ export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
i7z \ i7z \
@@ -345,7 +351,7 @@ function global-postPackageConfiguration() {
function secharden-ssh() { function secharden-ssh() {
print_info "Now running $FUNCNAME" print_info "Now running $FUNCNAME"
cd ./Modules/Security cd ./Modules/Security || exit
bash ./secharden-ssh.sh bash ./secharden-ssh.sh
cd - cd -
@@ -354,7 +360,33 @@ function secharden-ssh() {
function secharden-wazuh() { function secharden-wazuh() {
print_info "Now running $FUNCNAME" print_info "Now running $FUNCNAME"
bash ./Modules/Security/secharden-wazuh.sh cd ./Modules/Security || exit
bash ./secharden-wazuh.sh
cd -
print_info "Completed running $FUNCNAME"
}
function secharden-2fa() {
print_info "Now running $FUNCNAME"
cd ./Modules/Security || exit
bash ./secharden-2fa.sh
cd -
print_info "Completed running $FUNCNAME"
}
function secharden-scap-stig() {
print_info "Now running $FUNCNAME"
cd ./Modules/Security || exit
bash ./secharden-scap-stig.sh
cd -
print_info "Completed running $FUNCNAME"
}
function secharden-agents() {
print_info "Now running $FUNCNAME"
cd ./Modules/Security || exit
bash ./secharden-audit-agents.sh
cd -
print_info "Completed running $FUNCNAME" print_info "Completed running $FUNCNAME"
} }
@@ -364,23 +396,8 @@ function secharden-auto-upgrades() {
print_info "Completed running $FUNCNAME" print_info "Completed running $FUNCNAME"
} }
function secharden-2fa() {
print_info "Now running $FUNCNAME"
bash ./Modules/Security/secharden-2fa.sh
print_info "Completed running $FUNCNAME"
}
function secharden-agents() {
print_info "Now running $FUNCNAME"
#curl --silent ${DL_ROOT}/Modules/Security/secharden-audit-agents.sh|$(which bash)
print_info "Completed running $FUNCNAME"
}
function secharden-scap-stig() {
print_info "Now running $FUNCNAME"
bash ./Modules/Security/secharden-scap-stig.sh
print_info "Completed running $FUNCNAME"
}
#################################################################################################### ####################################################################################################
# Authentication # Authentication