Standard Operating Environment: setup script revision
Disclaimer: I am not an expert in security. I offer no guarantee that by running this script your security will be foolproof or that you will never be cracked.
Code:
#!/bin/bash
Suggestions: If I missed something that you would like to see added that would benefit the security of the script provided, or even if you have general improvements to the code, then please feel free to drop a comment down below!
Future Updates: Iptables hardening, and possible automatic setup of OpenVPN, AppArmor and a VM based firewall (running ipFire) in the works...
Dependencies: Bleachbit (optional but recommended)
Bug fixes of the day: Made the built-in macchanger reliable
Major Bugs: If you're running Linux on read-only media then comment out the line below as it will stop you from connecting to the internet.. Methods of workarounds are in progress..
Code:
echo "nameserver 208.67.222.222" > /etc/resolv.conf ; echo "nameserver 208.67.220.220" >> /etc/resolv.conf #use OpenDNS servers
Thanks for sharing your code!
As this post is of a more general nature and does not pose a specific programming question it is being moved to the General forum where it will have more general exposure. I would also suggest making use of your LQ blog space as an excellent means of sharing your code! There you can post and update code examples in a format not constrained by question forum posting guidelines. A continuously revised series of articles (i.e. blog posts) based on your idea for a Standard Operating Environment would be a valuable resource!
@astrogeek Thanks, I'll do that for my Hydra bash-based password manager (after I pretty-print it), but for now I'll replace the current SOE code with the new one (so it won't take up space), and so it gets more recognition...
@ntubski Fantastic idea, thank you! I'm new to the best practices of scripting so I apologize that I haven't done that already.. I just heard of beautifiers and I'll definitely also make use of those later on.. @world Vastly improved the code. Enabled automatic security updates. Got rid of the macchanger dependency and embedded a short snippet in the script that functions the same.. Also made the script universal so now everyone who uses an Ubuntu derivative should be able to run it, and keep their current desktop environment (i.e. it no longer deletes everything). My plans are to make this work exceptionally well on Xubuntu, Ubuntu, and Linux Mint... I have to check which directories exist in which of the *buntus so that I can make the appropriate conditionals... To run this script you need to copy the templates in my blog post, and put them in a folder and then specify that folder when the script prompts you to do so.. The script now should work both on installed OSes and live OSes.. It's far from perfect but it's constantly being improved.. P.S. please report bugs!
Code:
echo "root: $var_3\1@localhost" >> /etc/aliases #send root mail to specified address
Quote:
Code:
${var_3}1
@Ntubski Thanks man!
Does anyone know why this line won't work?
Code:
chattr +i /etc/resolv.conf #write protecting resolv.conf so the OpenDNS entries don't get overwritten
If your file is on read-only media then that would be a problem, but I think would result in a more specific error message.
In the general case for all files this may be more applicable... From man chattr: Code:
A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be cre‐
No, you're right, I guess it doesn't work on read-only media, as it works on installed OSes, or even while running the read-only media and executing the command on a file that's on a plugged-in USB.. Another error message was: "Inappropriate ioctl for device while reading flags on test". Do you know of any ways around this? Maybe capabilities? I only heard of it as a "more secure" alternative to setuid, but not really sure what it is...
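Added example (not part of the thread or of the poster's script): a bash version of the resolv.conf step that probes for file-attribute support before calling chattr +i, so the "Inappropriate ioctl for device" case on live media is reported with a distinct status instead of failing blindly. The function names and the optional path argument are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not the thread's script. Function names and the optional
# path argument are assumptions so this can be tried on a scratch file.

# Write the two OpenDNS resolvers used in the thread to the given file.
write_resolver() {
    local target="${1:-/etc/resolv.conf}"
    printf 'nameserver %s\n' 208.67.222.222 208.67.220.220 > "$target"
}

# Try to make the file immutable.
# Returns 0 when the flag is verifiably set, 2 when the filesystem does not
# support file attributes (the "Inappropriate ioctl for device" case),
# 1 for anything else (tools missing, not root / no CAP_LINUX_IMMUTABLE).
lock_resolver() {
    local target="${1:-/etc/resolv.conf}" fstype flags
    if ! command -v lsattr >/dev/null || ! command -v chattr >/dev/null; then
        echo "fail: lsattr/chattr (e2fsprogs) not installed" >&2
        return 1
    fi
    fstype=$(stat -f -c %T "$target" 2>/dev/null) || fstype=unknown
    # lsattr reads the flags that chattr would change; if they cannot be
    # read, there is nothing to set. Require non-empty output as well as
    # a zero exit status.
    flags=$(lsattr -d "$target" 2>/dev/null) || flags=""
    if [ -z "$flags" ]; then
        echo "skip: no attribute support on $fstype for $target" >&2
        return 2
    fi
    if ! chattr +i "$target" 2>/dev/null; then
        echo "fail: chattr +i refused on $fstype for $target" >&2
        return 1
    fi
    # Verify the result instead of trusting the exit status alone.
    flags=$(lsattr -d "$target" 2>/dev/null | cut -d' ' -f1)
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}
```

CAP_LINUX_IMMUTABLE is the capability chattr +i needs, but holding it does not help when the filesystem itself lacks attribute support (status 2 above).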
Closing this thread and transferring all continuous changes to my blog... Also will upload my password manager Hydra there, which I think is the most secure password manager yet as it encrypts the password database with a 10 character passphrase, then again with an 8192-bit RSA key, and then obfuscates it among 999 other similarly encrypted files.. However you do need pwgen to use it, and it comes with pre-generated completely random passwords, that you cannot change (well shouldn't)... The RSA private key itself has a 2010 character passphrase, and a revocation certificate is generated to revoke this key should you need to... Also disregard the "Major bug" in my original post, unless it does affect you...
Because you unlock an encrypted file (that you choose) which stores it, and then copy and paste it when you want to unlock your password database. Which reminds me (I forgot to put this in my blog, I'll add it now) that once you do this you'll need to clear the clipboard with bleachbit and then update all the files' modification dates using the touch command (you set an alias to do that).. But this is secure because that file that stores that 2010 character long passcode (I call it the metakey-passcode) is obfuscated among 999 other similar looking encrypted files, each encrypted with a completely random 10-digit passphrase..