LinuxQuestions.org


justmy2cents 08-10-2017 12:24 PM

Standard Operating Environment: setup script revision
 
Disclaimer: I am not an expert in security. I offer no guarantee that by running this script your security will be foolproof or that you will never be cracked.
Code:

#!/bin/bash
#Standard Operating Environment Setup Script
#Prompts user for necessary information, then downloads user's .deb packages (optional)
rfkill block 0pyth0
echo; cat<< END
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
END
  echo; read -p "Do you have any .deb packages you would like to install? [Y/n]: " choice1  #install pre-downloaded .deb packages
  if [[ ${choice1^^} == 'Y' ]]; then
  until [ -d "$var_1" ]; do read -p "Enter /path/to/.deb_packages: " var_1; done
  dpkg -i $var_1/*.deb
  else :
fi; clear
  until [ -d "$var_2" ]; do read -p "Enter /path/to/templates: " var_2; done
  config_dir=$(basename "$var_2")
  read -p "Enter a basename for your user accounts: " var_3
  until  [ \( "$choice2" = "Y" \) -o \( "$choice2" = "n" \) ]; do
  read -p "Is this a live session? If so you must login as root through the GUI if you haven't done so already [Y/n/abort]: " choice2
  if  [[ $choice2 = "Y" ]]
  then read -p "Enter the name of the default live account: " live ; pkill -u $live ; userdel -f $live ; rm -rf /home/$live #remove default live account
  elif  [[ $choice2 = "n" ]]
  then break
  elif [[ $choice2 = "abort" ]]; then exit
fi; done

#Setting up user environments
adduser $var_3\0 #maintainer
adduser $var_3\1 #admin
adduser $var_3\2 #user
adduser --force-badname ADMahn #decoy account
adduser $var_3\0 sudo
echo /home/*/ ~/ | xargs -n 1 cp -r $var_2 #copying the folder which contains the templates to every home directory
find /home/$var_3\0/$config_dir -mindepth 1 -maxdepth 1 -exec mv -t /home/$var_3\0 -- {} + #extracting templates from specified folder
find /home/$var_3\1/$config_dir -mindepth 1 -maxdepth 1 -exec mv -t /home/$var_3\1 -- {} +
find /home/$var_3\2/$config_dir -mindepth 1 -maxdepth 1 -exec mv -t /home/$var_3\2 -- {} +
find /root/$config_dir -mindepth 1 -maxdepth 1 -exec mv -t ~/ -- {} +         

#Core hardening system changes
hexchars="0123456789ABCDEF"
end=$( for i in {1..10} ; do echo -n ${hexchars:$(( $RANDOM % 16 )):1} ; done | sed -e 's/\(..\)/:\1/g' )
newmac=00$end
wlan0=$(ip link|awk -F: '/2: /{print$2}')
ifconfig $wlan0 hw ether $newmac #spoof MAC address
hostnamectl set-hostname mycomm1 #change default hostname
mv ~/.sudoers /etc/sudoers ; rm -rf ~/.mozilla ; find /home \( -name .sudoers -o -name .sysctl.conf -o -name .ssh_config -o -name .issue.net \) -execdir shred -fuz {} \;
mv ~/.sysctl.conf /etc/sysctl.conf ; sysctl -p #prevent source routing of incoming packets and log malformed IPs
mv ~/.issue.net /etc/issue.net #ssh warning login banner
mv ~/.ssh_config /etc/ssh/ssh_config #ssh hardening
chown -R $var_3\0:$var_3\0 /home/$var_3\0/ ; chown -R $var_3\1:$var_3\1 /home/$var_3\1/ ; chown -R $var_3\2:$var_3\2 /home/$var_3\2/ #change owner back to the original
find / -perm -4000 -execdir chmod go-x {} \; ; find / -perm -2000 -execdir chmod go-x {} \; #subtract the x bit on go for all setuid/setgid programs
chmod go+x /usr/bin/sudo #reimplement the execute bit for certain setuid programs so they work properly; add YOUR setuid programs here that need this!
groupadd group333 ; usermod -a -G group333 $var_3\1 ; dpkg-statoverride --update --add root group333 4750 /bin/su #shadow user with su powers

echo "nameserver 208.67.222.222" > /etc/resolv.conf ; echo "nameserver 208.67.220.220" >> /etc/resolv.conf #use OpenDNS servers
echo "order bind,hosts" > /etc/host.conf ; echo "nospoof on" >> /etc/host.conf #prevent ip spoofing
echo "root:          ${var_3}1@localhost" >> /etc/aliases #send root mail to specified address
echo "none /run/shm tmpfs ro,noexec,nosuid,nodev 0 0" >> /etc/fstab #lock down shared memory (append: '>' here would wipe every existing mount entry)
echo "tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0" >> /etc/fstab #lock down /tmp to protect kernel from shared memory
echo "DPkg::Pre-Invoke{\"mount -o remount,exec /tmp\";};" > /etc/apt/apt.conf #remount /tmp rw upon package install so you can install software from repositories
echo "DPkg::Post-Invoke {\"mount -o remount,rw,noexec,nosuid,nodev /tmp\";};" >> /etc/apt/apt.conf

chattr +i /etc/resolv.conf #write protecting resolv.conf so the OpenDNS entries don't get overwritten
sed -r '/^tty1$/! s/^/#/' /etc/securetty > securetty2 ; mv securetty2 /etc/securetty ; chown root:root /etc/securetty; #disable unneeded terminals
chmod 0600 /etc/securetty /etc/hosts.allow /etc/sysctl.conf /etc/group /home/*/.rhosts /etc/hosts.equiv /etc/network/interfaces
chmod go-rx /home/* /home/*/.mozilla ; chmod 400 /etc/sudoers
sed 's/1/0/g' /etc/default/irqbalance > irqbalance2 ; mv irqbalance2 /etc/default/irqbalance #prevent hardware interrupts in threads
service ssh restart ; systemctl disable sshd.service > /dev/null 2>&1 ; systemctl stop sshd.service #disables ssh
passwd ; chsh #changing the root password then locking the account
dpkg-reconfigure -plow unattended-upgrades #enables automatic security updates
mount -a

#Acid wash
#bleachbit -c adobe_reader.cache adobe_reader.mru adobe_reader.tmp amsn.cache amsn.chat_logs amule.logs #amule.tmp apt.autoclean apt.autoremove apt.clean apt.package_lists \
#audacious.cache audacious.log audacious.mru bash.history beagle.cache beagle.index beagle.logs chromium.cache #chromium.cookies chromium.current_session \
#chromium.dom chromium.form_history chromium.history chromium.passwords chromium.search_engines chromium.vacuum #d4x.history deepscan.backup deepscan.ds_store \
#deepscan.thumbs_db deepscan.tmp easytag.history easytag.logs elinks.history emesene.cache emesene.logs #epiphany.cache epiphany.cookies epiphany.passwords \
#epiphany.places evolution.cache exaile.cache exaile.downloaded_podcasts exaile.log filezilla.mru #firefox.backup firefox.cache firefox.cookies \
#firefox.crash_reports firefox.dom firefox.download_history firefox.forms firefox.passwords #firefox.session_restore firefox.site_preferences firefox.url_history \
#firefox.vacuum flash.cache flash.cookies gedit.recent_documents gftp.cache gftp.logs gimp.tmp #gl-117.debug_logs gnome.run gnome.search_history \
#google_chrome.cache google_chrome.cookies google_chrome.dom google_chrome.form_history google_chrome.history #google_chrome.passwords \
#google_chrome.search_engines google_chrome.session google_chrome.vacuum google_earth.temporary_files #google_toolbar.search_history gpodder.cache gpodder.vacuum \
#gwenview.recent_documents hippo_opensim_viewer.cache hippo_opensim_viewer.logs java.cache kde.cache #kde.recent_documents kde.tmp konqueror.cookies \
#konqueror.current_session konqueror.url_history libreoffice.cache libreoffice.history liferea.cache #liferea.cookies liferea.vacuum links2.history \
#midnightcommander.history miro.cache miro.logs nautilus.history nexuiz.cache octave.history #openofficeorg.cache openofficeorg.recent_documents opera.cache \
#opera.cookies opera.current_session opera.dom opera.download_history opera.passwords opera.search_history #opera.url_history pidgin.cache pidgin.logs \
#realplayer.cookies realplayer.history realplayer.logs recoll.index rhythmbox.cache screenlets.logs #seamonkey.cache seamonkey.chat_logs seamonkey.cookies \
#seamonkey.download_history seamonkey.history secondlife_viewer.Cache secondlife_viewer.Logs skype.chat_logs #skype.installers sqlite3.history system.cache \
#system.clipboard system.custom system.desktop_entry system.free_disk_space system.localizations system.memory #system.recent_documents system.rotated_logs \
#system.tmp system.trash thumbnails.cache thunderbird.cache thunderbird.cookies thunderbird.index #thunderbird.passwords thunderbird.vacuum \
#transmission.blocklists transmission.torrents tremulous.cache vim.history vlc.mru vuze.backup_files vuze.cache #vuze.logs vuze.tmp warzone2100.logs wine.tmp \
#winetricks.temporary_files x11.debug_logs xchat.logs xine.cache yum.clean_all yum.vacuum
killall xfce4-session #logout

S.O.E. version 0.9 is a community effort to develop a script that will maximize the security of the various Ubuntu-based Linux systems! It utilizes every known technique found on various Ubuntu server hardening websites. Interested? Great! But in order to run it you'll need to copy the templates in my blog post, and then put those in a folder which you'll specify when the script prompts for it. Easy as pie!

Suggestions: If I missed something that you would like to see added that would benefit the security of the script provided, or even if you have general improvements to the code, then please feel free to drop a comment down below!

Future Updates: Iptables hardening, and possible automatic setup of OpenVPN, AppArmor and a VM based firewall (running ipFire) in the works...

Dependencies: Bleachbit (optional but recommended)

Bug fixes of the day: Made the built-in macchanger reliable

Major Bugs: If you're running Linux from read-only media then comment out the line below, as it will stop you from connecting to the internet.. Methods of working around this are in progress..

Code:

echo "nameserver 208.67.222.222" > /etc/resolv.conf ; echo "nameserver 208.67.220.220" >> /etc/resolv.conf #use OpenDNS servers
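An added example, not part of the script above: the fstab, aliases, apt.conf and resolv.conf steps all push lines into system files with echo, and one of them uses '>' on /etc/fstab, which discards every existing mount. The helper below appends only when the exact line is absent, so the script can be re-run safely; the demo runs it against a constructed scratch file, never the real fstab.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent config-line appends.

# ensure_line FILE LINE: append LINE unless an identical line already exists.
ensure_line() {
    file=$1
    line=$2
    [ -e "$file" ] || : > "$file"
    # -x whole-line match, -F literal, -q quiet; '--' protects lines that
    # themselves start with '-'
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# demo_fstab: run the script's two fstab lines twice against a constructed
# scratch copy and print the surviving line count. Expected 3: the original
# root entry plus the two tmpfs entries, with no duplicates from the rerun.
demo_fstab() {
    tmp=$(mktemp)
    printf '%s\n' "UUID=00000000-constructed / ext4 errors=remount-ro 0 1" > "$tmp"
    for pass in 1 2; do
        ensure_line "$tmp" "none /run/shm tmpfs ro,noexec,nosuid,nodev 0 0"
        ensure_line "$tmp" "tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0"
    done
    wc -l < "$tmp" | tr -d ' '
    rm -f "$tmp"
}
```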

astrogeek 08-10-2017 05:57 PM

Thanks for sharing your code!

As this post is of a more general nature and does not pose a specific programming question it is being moved to the General forum where it will have more general exposure.

I would also suggest making use of your LQ blog space as an excellent means of sharing your code! There you can post and update code examples in a format not constrained by question forum posting guidelines. A continuously revised series of articles (i.e. blog posts) based on your idea for a Standard Operating Environment would be a valuable resource!

ntubski 08-10-2017 06:51 PM

Quote:

Originally Posted by justmy2cents (Post 5746773)
Is there anything in this script that you can see that needs improvement?

It's currently a wall of text. Just like English benefits from being split up into paragraphs, code is easier to read when split into logical sections with whitespace.

justmy2cents 08-13-2017 06:08 PM

@astrogeek Thanks, I'll do that for my Hydra bash-based password manager (after I pretty-print it), but for now I'll replace the current SOE code with the new one (so it won't take up space), and so it gets more recognition...

@ntubski Fantastic idea, thank you! I'm new to the best practices of scripting so I apologize that I haven't done that already.. I just heard of beautifiers and I'll definitely also make use of those later on..

@world Vastly improved the code. Enabled automatic security updates. Got rid of the macchanger dependency and embedded a short snippet in the script that functions the same.. Also made the script universal so now everyone who uses an Ubuntu derivative should be able to run it, and keep their current desktop environment (i.e. it no longer deletes everything). My plans are to make this work exceptionally well on Xubuntu, Ubuntu, and Linux Mint... I have to check which directories exist in which of the *buntus so that I can make the appropriate conditionals... To run this script you need to copy the templates in my blog post, put them in a folder, and then specify that folder when the script prompts you to do so.. The script should now work both on installed OSes and live OSes.. It's far from perfect but it's constantly being improved.. P.S. please report bugs!
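The embedded MAC snippet in the script prefixes every address with 00:, i.e. a globally administered OUI that belongs to a real vendor. As an added example (not the poster's code), here is a generator that sets the locally administered bit and clears the multicast bit in the first octet, plus a checker for that property; set_random_mac assumes iproute2 and root.

```shell
#!/bin/sh
# Added example (not from the thread): unicast, locally administered MACs.

gen_local_mac() {
    # six bytes from the kernel CSPRNG rather than $RANDOM, as 12 hex digits
    hex=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    first=$(( 0x$(printf '%s' "$hex" | cut -c1-2) ))
    first=$(( (first & 0xFE) | 0x02 ))   # bit0 clear (unicast), bit1 set (local)
    # same trick as the script: insert ':' before every remaining byte
    rest=$(printf '%s' "$hex" | cut -c3-12 | sed 's/../:&/g')
    printf '%02x%s\n' "$first" "$rest"
}

# is_local_unicast_mac MAC: 0 if MAC is well formed, unicast and locally administered.
is_local_unicast_mac() {
    case $1 in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    first=$(( 0x${1%%:*} ))
    [ $(( first & 0x01 )) -eq 0 ] && [ $(( first & 0x02 )) -ne 0 ]
}

# set_random_mac IFACE: apply a fresh address with iproute2 (needs root).
set_random_mac() {
    dev=$1
    mac=$(gen_local_mac)
    ip link set dev "$dev" down &&
    ip link set dev "$dev" address "$mac" &&
    ip link set dev "$dev" up &&
    echo "$dev now uses $mac"
}
```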

justmy2cents 08-14-2017 10:25 AM

Code:

echo "root:          $var_3\1@localhost" >> /etc/aliases #send root mail to specified address
Can someone tell me how to escape the 1? It's supposed to say user1, but this results in user\1...

ntubski 08-14-2017 12:40 PM

Quote:

Originally Posted by justmy2cents (Post 5748158)
Code:

echo "root:          $var_3\1@localhost" >> /etc/aliases #send root mail to specified address
Can someone tell me how to escape the 1? It's supposed to say user1, but this results in user\1...

Try
Code:

${var_3}1

justmy2cents 08-14-2017 02:31 PM

@Ntubski Thanks man!

justmy2cents 08-16-2017 01:57 PM

Does anyone know why this line won't work?
Code:

chattr +i /etc/resolv.conf #write protecting resolv.conf so the OpenDNS entries don't get overwritten
It's executed in a live environment and I think that's the problem, but I'm not sure.. It gives the error message: "Operation not supported while reading flags on /etc/resolv.conf" (but it will say that for any file I try to do this on)..

astrogeek 08-16-2017 03:54 PM

If your file is on read-only media then that would be a problem, but I think it would result in a more specific error message.

In the general case for all files this may be more applicable...

From man chattr:

Code:

  A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be
  created to this file and no data can be written to the file.  Only the superuser or a process possessing
  the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.


justmy2cents 08-16-2017 07:54 PM

No, you're right, I guess it doesn't work on read-only media, as it works on installed OSes, or even while running the read-only media and executing the command on a file that's on a plugged-in USB.. Another error message was: "Inappropriate ioctl for device while reading flags on test". Do you know of any ways around this? Maybe capabilities? I only heard of it as a "more secure" alternative to setuid, but I'm not really sure what it is...
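The two errors quoted in this exchange are what chattr reports when the backing filesystem has no ext2-style attribute ioctl, which is the case for the tmpfs and union/overlay layers a live session runs from; CAP_LINUX_IMMUTABLE does not help there because the flag simply does not exist on those filesystems. An added example, not from the thread, that checks the mount's filesystem type before trying and verifies the flag afterwards (the supported-filesystem list is a conservative assumption):

```shell
#!/bin/sh
# Added example (not from the thread): guard the chattr +i hardening step.

# fs_supports_chattr FSTYPE: 0 for filesystems known to honour the 'i' flag.
# Conservative list (assumption); anything else is treated as unsupported.
fs_supports_chattr() {
    case $1 in
        ext2|ext3|ext4|xfs|btrfs|f2fs|jfs) return 0 ;;
        *) return 1 ;;
    esac
}

# make_immutable FILE: set the immutable flag only where it can work, then
# confirm via lsattr that the flag is really present.
# Returns 0 on success, 1 if unsupported or not set, 2 if the mount is unknown.
make_immutable() {
    f=$1
    # findmnt --target resolves the mount that actually holds the file, so a
    # bind-mounted or symlinked resolv.conf is classified by its real backing fs
    fstype=$(findmnt -n -o FSTYPE --target "$f") || return 2
    if ! fs_supports_chattr "$fstype"; then
        echo "skip: $f lives on '$fstype', which has no immutable attribute" >&2
        return 1
    fi
    chattr +i "$f" 2>/dev/null || return 1
    # lsattr prints e.g. "----i---------e-- /etc/resolv.conf"; look for the 'i'
    lsattr -d "$f" | awk '{print $1}' | grep -q i
}
```

On a live system the function reports the filesystem instead of failing silently, which tells you whether the fix is a different mount or a different mechanism altogether.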

justmy2cents 09-01-2017 01:48 AM

test

justmy2cents 09-01-2017 02:08 AM

Closing this thread and transferring all continuous changes to my blog... Also will upload my password manager Hydra there, which I think is the most secure password manager yet as it encrypts the password database with a 10 character passphrase, then again with an 8192-bit RSA key, and then obfuscates it among 999 other similarly encrypted files.. However you do need pwgen to use it, and it comes with pre-generated completely random passwords, that you cannot change (well, shouldn't)... The RSA private key itself has a 2010 character passphrase, and a revocation certificate is generated to revoke this key should you need to... Also disregard the "Major bug" in my original post, unless it does affect you...

justmy2cents 09-01-2017 02:46 AM

typo

ntubski 09-01-2017 08:09 AM

Quote:

Originally Posted by justmy2cents (Post 5754380)
The RSA private key itself has a 2010 character passphrase,

Um, how do you expect anyone to enter such a long passphrase?

justmy2cents 09-01-2017 06:54 PM

Because you unlock an encrypted file (that you choose) which stores it, and then copy and paste it when you want to unlock your password database. Which reminds me (I forgot to put this in my blog, I'll add it now) that once you do this you'll need to clear the clipboard with bleachbit and then update all the files' modification dates using the touch command (you set an alias to do that).. But this is secure because that file that stores that 2010 character long passcode (I call it the metakey-passcode) is obfuscated among 999 other similar-looking encrypted files, each encrypted with a completely random 10-digit passphrase..
