LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices


Reply
  Search this Thread
Old 08-10-2017, 12:24 PM   #1
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237
Blog Entries: 2

Rep: Reputation: Disabled
Standard Operating Environment: setup script revision


Disclaimer : I am not an expert in security. I offer no guarantee that by running this script your security will be foolproof or that you will never be cracked.
Code:
#!/bin/bash
#Standard Operating Environment Setup Script
#Prompts user for nessesary information, then downloads user's .deb packages (optional)
rfkill block 0pyth0
echo; cat<< END
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
END
  echo; read -p "Do you have any .deb packages you would like to install? [Y/n]: " choice1  #install pre-downloaded .deb packages
  if [[ ${choice1^^} == 'Y' ]]; then
  until [ -d "$var_1" ]; do read -p "Enter /path/to/.deb_packages: " var_1; done
  dpkg -i $var_1/*.deb
  else :
fi; clear
  until [ -d "$var_2" ]; do read -p "Enter /path/to/templates: " var_2; done
  config_dir=$(basename "$var_2")
  read -p "Enter a basename for your user accounts: " var_3
  until  [ \( "$choice2" = "Y" \) -o \( "$choice2" = "n" \) ]; do
  read -p "Is this a live session? If so you must login as root through the GUI if you haven't done so already [Y/n/abort]: " choice2
  if  [[ $choice2 = "Y" ]]
  then read -p "Enter the name of the default live account: " live ; pkill -u $live ; userdel -f $live ; rm -rf /home/$live #remove default live account
  elif  [[ $choice2 = "n" ]]
  then break
  elif [[ $choice2 = "abort" ]]; then exit
fi; done

#Setting up user environments
adduser $var_3\0 #maintainer
adduser $var_3\1 #admin
adduser $var_3\2 #user
adduser --force-badname ADMahn #decoy account
adduser $var_3\0 sudo
echo /home/*/ ~/ | xargs -n 1 cp -r $var_2 #copying the folder which contains the templates to every home directory
find /home/$var_3\0/$config_dir -mindepth 1 -maxdepth 1 -exec mv -t /home/$var_3\0 -- {} + #extracting templates from specified folder
find /home/$var_3\1/$config_dir -mindepth 1 -maxdepth 1 -exec mv -t /home/$var_3\1 -- {} +
find /home/$var_3\2/$config_dir -mindepth 1 -maxdepth 1 -exec mv -t /home/$var_3\2 -- {} +
find /root/$config_dir -mindepth 1 -maxdepth 1 -exec mv -t ~/ -- {} +           

#Core hardening system changes
hexchars="0123456789ABCDEF"
end=$( for i in {1..10} ; do echo -n ${hexchars:$(( $RANDOM % 16 )):1} ; done | sed -e 's/\(..\)/:\1/g' )
newmac=00$end
wlan0=$(ip link|awk -F: '/2: /{print$2}')
ifconfig $wlan0 hw ether $newmac #spoof MAC address
hostnamectl set-hostname mycomm1 #change default hostname
mv ~/.sudoers /etc/sudoers ; rm -rf ~/.mozilla ; find /home \( -name .sudoers -o -name .sysctl.conf -o -name .ssh_config -o -name .issue.net \) -execdir shred -fuz {} \;
mv ~/.sysctl.conf /etc/sysctl.conf ; sysctl -p #prevent source routing of incoming packets and log malformed IPs
mv ~/.issue.net /etc/issue.net #ssh warning login banner
mv ~/.ssh_config /etc/ssh/ssh_config #ssh hardening
chown -R $var_3\0:$var_3\0 /home/$var_3\0/ ; chown -R $var_3\1:$var_3\1 /home/$var_3\1/ ; chown -R $var_3\2:$var_3\2 /home/$var_3\2/ #change owner back to the orginal
find / -perm -4000 -execdir chmod go-x {} \; ; find / -perm -2000 -execdir chmod go-x {} \; #subract the x bit on go for all setuid/setgid programs 
chmod go+x /usr/bin/sudo #reimplement the execute bit for certain setuid programs so they work properly; add YOUR setuid programs here that need this! 
groupadd group333 ; usermod -a -G group333 $var_3\1 ; dpkg-statoverride --update --add root group333 4750 /bin/su #shadow user with su powers

echo "nameserver 208.67.222.222" > /etc/resolv.conf ; echo "nameserver 208.67.220.220" >> /etc/resolv.conf #use OpenDNS servers
echo "order bind,hosts" > /etc/host.conf ; echo "nospoof on" >> /etc/host.conf #prevent ip spoofing
echo "root:          ${var_3}1@localhost" >> /etc/aliases #send root mail to specified address
echo "none /run/shm tmpfs ro,noexec,nosuid,nodev 0 0" > /etc/fstab #lock down shared memory
echo "tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0" >> /etc/fstab #lock down /tmp to protect kernel from shared memory 
echo "DPkg::Pre-Invoke{\"mount -o remount,exec /tmp\";};" > /etc/apt/apt.conf #remount /tmp rw upon package install so you can install software from repositories
echo "DPkg::Post-Invoke {\"mount -o remount,rw,noexec,nosuid,nodev /tmp\";};" >> /etc/apt/apt.conf

chattr +i /etc/resolv.conf #write protecting resolv.conf so the OpenDNS entries dont get overwritten
sed -r '/^tty1$/! s/^/#/' /etc/securetty > securetty2 ; mv securetty2 /etc/securetty ; chown root:root /etc/securetty; #disable uneeded terminals
chmod 0600 /etc/securetty /etc/hosts.allow /etc/sysctl.conf /etc/group /home/*/.rhosts /etc/hosts.equiv /etc/network/interfaces
chmod go-rx /home/* /home/*/.mozilla ; chmod 400 /etc/sudoers
sed 's/1/0/g' /etc/default/irqbalance > irqbalance2 ; mv irqbalance2 /etc/default/irqbalance #prevent hardware interrupts in threads
service ssh restart ; systemctl disable sshd.service > /dev/null 2>&1 ; systemctl stop sshd.service #disables ssh
passwd ; chsh #changing the root password then locking the account
dpkg-reconfigure -plow unattended-upgrades #enables automatic security updates
mount -a

#Acid wash
#bleachbit -c adobe_reader.cache adobe_reader.mru adobe_reader.tmp amsn.cache amsn.chat_logs amule.logs #amule.tmp apt.autoclean apt.autoremove apt.clean apt.package_lists \
#audacious.cache audacious.log audacious.mru bash.history beagle.cache beagle.index beagle.logs chromium.cache #chromium.cookies chromium.current_session \
#chromium.dom chromium.form_history chromium.history chromium.passwords chromium.search_engines chromium.vacuum #d4x.history deepscan.backup deepscan.ds_store \
#deepscan.thumbs_db deepscan.tmp easytag.history easytag.logs elinks.history emesene.cache emesene.logs #epiphany.cache epiphany.cookies epiphany.passwords \
#epiphany.places evolution.cache exaile.cache exaile.downloaded_podcasts exaile.log filezilla.mru #firefox.backup firefox.cache firefox.cookies \
#firefox.crash_reports firefox.dom firefox.download_history firefox.forms firefox.passwords #firefox.session_restore firefox.site_preferences firefox.url_history \
#firefox.vacuum flash.cache flash.cookies gedit.recent_documents gftp.cache gftp.logs gimp.tmp #gl-117.debug_logs gnome.run gnome.search_history \
#google_chrome.cache google_chrome.cookies google_chrome.dom google_chrome.form_history google_chrome.history #google_chrome.passwords \
#google_chrome.search_engines google_chrome.session google_chrome.vacuum google_earth.temporary_files #google_toolbar.search_history gpodder.cache gpodder.vacuum \
#gwenview.recent_documents hippo_opensim_viewer.cache hippo_opensim_viewer.logs java.cache kde.cache #kde.recent_documents kde.tmp konqueror.cookies \
#konqueror.current_session konqueror.url_history libreoffice.cache libreoffice.history liferea.cache #liferea.cookies liferea.vacuum links2.history \
#midnightcommander.history miro.cache miro.logs nautilus.history nexuiz.cache octave.history #openofficeorg.cache openofficeorg.recent_documents opera.cache \
#opera.cookies opera.current_session opera.dom opera.download_history opera.passwords opera.search_history #opera.url_history pidgin.cache pidgin.logs \
#realplayer.cookies realplayer.history realplayer.logs recoll.index rhythmbox.cache screenlets.logs #seamonkey.cache seamonkey.chat_logs seamonkey.cookies \
#seamonkey.download_history seamonkey.history secondlife_viewer.Cache secondlife_viewer.Logs skype.chat_logs #skype.installers sqlite3.history system.cache \
#system.clipboard system.custom system.desktop_entry system.free_disk_space system.localizations system.memory #system.recent_documents system.rotated_logs \
#system.tmp system.trash thumbnails.cache thunderbird.cache thunderbird.cookies thunderbird.index #thunderbird.passwords thunderbird.vacuum \
#transmission.blocklists transmission.torrents tremulous.cache vim.history vlc.mru vuze.backup_files vuze.cache #vuze.logs vuze.tmp warzone2100.logs wine.tmp \
#winetricks.temporary_files x11.debug_logs xchat.logs xine.cache yum.clean_all yum.vacuum 
killall xfce4-session #logout
S.O.E. version 0.9, is a community effort to develop a script that will maximize the security of the various Ubuntu based Linux systems! It utilizes every known technique found on various Ubuntu server hardening websites.. Interested? Great! But in order run it you'll need to copy the templates in my blog post, and then put those in a folder which you'll specify when the script prompts for it. Easy as pie!

Suggestions: If I missed something that you would like to see added that would benefit the security of the script provided, or even if you have general improvements to the code then please feel free to drop a comet down below!

Future Updates: Iptables hardening, and possible automatic setup of OpenVPN, AppArmor and a VM based firewall (running ipFire) in the works...

Dependencies: Bleachbit (optional but recommended)

Bug fixes of the day: Made the built-in macchanger reliable

Major Bugs: If you're running Linux on a read-only media then comet out the line below as it will stop you from connecting to the internet.. Methods of workarounds are in progress..

Code:
echo "nameserver 208.67.222.222" > /etc/resolv.conf ; echo "nameserver 208.67.220.220" >> /etc/resolv.conf #use OpenDNS servers

Last edited by justmy2cents; 08-22-2017 at 12:07 PM.
 
Old 08-10-2017, 05:57 PM   #2
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,258
Blog Entries: 24

Rep: Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193
Thanks for sharing your code!

As this post is of a more general nature and does not pose a specific programming question it is being moved to the General forum where it will have more general exposure.

I would also suggest making use of your LQ blog space as an excellent means of sharing your code! There you can post and update code examples in a format not constrained by question forum posting guidelines. A continuously revised series of articles (i.e. blog posts) based on your idea for a Standard Operating Environment would be a valuable resource!
 
Old 08-10-2017, 06:51 PM   #3
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,774

Rep: Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081
Quote:
Originally Posted by justmy2cents View Post
Is there anything in this script that you can see that needs improvement?
It's currently a wall of text. Just like English benefits from being split up into paragraphs, code is easier to read when split into logical sections with whitespace.
 
Old 08-13-2017, 06:08 PM   #4
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
@astrogeek Thanks Ill do that for my Hydra bash-based password manager (after I pretty-print it), but for now ill get replace the current SOE code with the new one (so it wont take up space), and so it gets more recognition...

@ntubski Fantatsic idea thank you! I'm new to the best practices of scripting so I apologize that I havent done that already.. I just heard of beautifiers and ill definitely also make use of those later on..

@world Vastly improved the code. Enabled automatic security updates. Got rid of the macchanger dependency and embedded a short snippet in the script that functions the same.. Also made the script universal so now everyone who uses a ubuntu derivative should be able to run it, and keep their current desktop environment (i.e. it no longer deletes everything). My plans are to make this work exceptionally well on Xubuntu, Ubuntu, and Linux Mint... I have to check which directories exists in which of the *buntus so that I can make the appropriate conditionals... To run this script you need to copy the templates in my blog post, and put them in a folder and then specify that folder when the script prompts you to do so.. The script now should work both on installed OSes and live OSes.. It's far from perfect but it's constantly being improved.. P.S. please report bugs!

Last edited by justmy2cents; 08-16-2017 at 07:58 PM.
 
Old 08-14-2017, 10:25 AM   #5
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
Code:
echo "root:          $var_3\1@localhost" >> /etc/aliases #send root mail to specified address
Can someone tell me how to escape the 1? It supposed to say user1, but this results in user\1...

Last edited by justmy2cents; 08-14-2017 at 10:33 AM.
 
Old 08-14-2017, 12:40 PM   #6
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,774

Rep: Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081
Quote:
Originally Posted by justmy2cents View Post
Code:
echo "root:          $var_3\1@localhost" >> /etc/aliases #send root mail to specified address
Can someone tell me how to escape the 1? It supposed to say user1, but this results in user\1...
Try
Code:
${var_3}1
 
Old 08-14-2017, 02:31 PM   #7
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
@Ntubski Thanks man!
 
Old 08-16-2017, 01:57 PM   #8
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
Does anyone know why this line wont work?
Code:
chattr +i /etc/resolv.conf #write protecting resolv.conf so the OpenDNS entries dont get overwritten
It's executed in a live environment and think that's the problem, but not sure.. It gives the error message: "Operation not supported while reading flags on /etc/resolv.conf" (but it will say that for any file I try to do this on)..

Last edited by justmy2cents; 08-16-2017 at 02:02 PM.
 
Old 08-16-2017, 03:54 PM   #9
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,258
Blog Entries: 24

Rep: Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193Reputation: 4193
If your file is on read-only media then that would be a problem, but I think would result in a more specific error message.

In the general case for all files this may be more applicable...

From man chattr:

Code:
  A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can  be  cre‐
  ated  to  this  file and no data can be written to the file.  Only the superuser or a process possessing
  the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
 
Old 08-16-2017, 07:54 PM   #10
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
No you're right, I guess it doesn't work on read-only media, as it works on installed OSes, or even while running the read-only media and executing the command on a file thats on a plugged in USB.. Another error message was: "Inappropriate ioctl for device while reading flags on test". Do you know of any ways around this? Maybe capabilities? I only heard of it as a "more secure" alternative to setuid, but not really sure what it is...

Last edited by justmy2cents; 08-18-2017 at 05:46 PM.
 
Old 09-01-2017, 01:48 AM   #11
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
test
 
Old 09-01-2017, 02:08 AM   #12
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
Closing this thread and transfering all continous changes to my blog... Also will upload my password manager Hydra there, which I think is the most secure password manager yet as it encrypts the password database with a 10 character passphrase, then again with a 8192-bit RSA key, and then obfuscates it among 999 other similarly encrypted files.. However you do need pwgen to use it, and it comes with pre-genrerated completly random passwords, that you cannot change (well shouldnt)... They RSA private key itself has 2010 character passphrase, and revocation certificate is generated to revoke this key should you need to... Also disreguard the "Major bug" in my orginal post, unless it does affect you...

Last edited by justmy2cents; 09-01-2017 at 03:07 AM.
 
Old 09-01-2017, 02:46 AM   #13
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
typo
 
Old 09-01-2017, 08:09 AM   #14
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,774

Rep: Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081
Quote:
Originally Posted by justmy2cents View Post
They RSA private key itself has 2010 character passphrase,
Um, how do you expect anyone to enter such a long passphrase?
 
Old 09-01-2017, 06:54 PM   #15
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
Because you unlock an encypted file (that you choose) which stores it, and then copy and paste it when you want to unlock your password database. Which reminds me (I forgot to put this in my blog, i'll add it now) that once you do this you'll need to clear the clipboard with bleachbit and then update all the file's modification dates using the touch command (you set an alias to do that).. But this is secure because that file that stores that 2010 character long passcode (I call it the metakey-passcode) is obfuscated among 999 other similar looking encrypted files, each encrypted with a completly random 10-digit passphrase..

Last edited by justmy2cents; 09-01-2017 at 07:37 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Linux based Standard Operating Environment (SOE) imaging server mdronis Linux - Desktop 3 09-10-2012 01:15 PM
Non-standard file system, environment variables and bash script wael_h Slackware 3 03-12-2012 11:52 AM
Linux based Standard Operating Environment (SOE) imaging mdronis Linux - Server 2 11-18-2010 04:59 AM
svn restore directory to a revision also removing files not part of revision Four Linux - Software 1 03-03-2009 04:18 PM

LinuxQuestions.org > Forums > Non-*NIX Forums > General

All times are GMT -5. The time now is 05:56 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration