Index: scripts/lockdown.sh
===================================================================
diff -u -rb9654575709e02aecc01a01d246d7af578679387 -r01b9447a564c79628976078d442b8fa198adec97
--- scripts/lockdown.sh (.../lockdown.sh) (revision b9654575709e02aecc01a01d246d7af578679387)
+++ scripts/lockdown.sh (.../lockdown.sh) (revision 01b9447a564c79628976078d442b8fa198adec97)
@@ -20,28 +20,118 @@
# @details
# This file sets up and verifies some of the SOM security.
+# Number of problems detected with security.
+NUM_PROBLEMS=0
+
+
+############################################################################
+# Debug output (warn).
+#
+# Globals:
+# None
+# Arguments:
+# $1 Start text.
+# $2 The purple text.
+# Outputs:
+# Warning text.
+############################################################################
+function debug() {
+ echo -en "\033[0;34mDbg: \033[0m${1}\n"
+}
+
+############################################################################
+# Green output (info).
+#
+# Globals:
+# None
+# Arguments:
+# $1 Start text.
+# $2 The green text.
+# Outputs:
+# Info text.
+############################################################################
+function info() {
+ echo -en "\033[0;32mInfo: \033[0m${1}\n"
+}
+
+############################################################################
+# Purple output (warn).
+#
+# Globals:
+# None
+# Arguments:
+# $1 Start text.
+# $2 The purple text.
+# Outputs:
+# Warning text.
+############################################################################
+function warn() {
+ echo -en "\033[0;35mWarn: \033[0m${1}\n"
+}
+
+############################################################################
+# Red output (error).
+#
+# Globals:
+# None
+# Arguments:
+# $1 Start text.
+# $2 The red text.
+# Outputs:
+# Error text.
+############################################################################
+function error() {
+ echo -en "\033[0;31mError: \033[0m${1}\n"
+}
+
+############################################################################
# Does the file contain a string? if
# not, add a line at end.
# If $1 not in $2 then append line $3 to end.
+#
+# Globals:
+# None
+# Arguments:
# $1 What to look for.
# $2 File name.
# $3 What to add.
+# Outputs:
+# None
+############################################################################
function appendIfMissing() {
+ # q for quiet, F for regular string match, not -x because not full line.
# Done as one command because this is done remotely.
grep -qF $1 $2 || echo $3 >> $2
}
+############################################################################
# Remove all lines that contain $1 in file $2 then append $3.
+#
+# Globals:
+# None
+# Arguments:
# $1 What to look for.
# $2 File name.
+# Outputs:
+# None
+############################################################################
function removeIfFound() {
sed -i /${1}/d $2
}
+############################################################################
# Turn on some ssh security.
+#
+# Globals:
+# None
+# Arguments:
+# None
+# Outputs:
+# None
+############################################################################
function secureSsh() {
- local fileTarget="${PWD}/../../etc/ssh/sshd_config"
+ local fileTarget="/etc/ssh/sshd_config"
# chown -R root.denali ${fileTarget}
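Review bot: The four new output helpers document two arguments (`$1 Start text.`, `$2 The purple text.`) but each body prints only `${1}`, and the `debug` header is labelled "(warn)"; the headers should be reduced to the single message argument actually used. Because the message is embedded in an `echo -e` string, any backslash sequence in `$1` (a path, a line read back from a config file) is expanded, including `\033` terminal control sequences; `printf '\033[0;34mDbg: \033[0m%s\n' "$1" >&2` prints the message verbatim and keeps diagnostics off stdout. `NUM_PROBLEMS=0` is introduced here but nothing visible in this hunk increments or reports it, so either document where it is meant to be updated or drop it until that code lands.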
@@ -55,41 +145,70 @@
systemctl restart system-sshd.slice
}
+############################################################################
# Move the customers app files to the app users home directories,
# changed the owner, and set the immutable attribute.
+#
+# Globals:
+# None
+# Arguments:
+# None
+# Outputs:
+# None
+############################################################################
function moveCustomerAppFiles() {
# Move the files
- mv ${PWD}/cloudsync ${PWD}/../cloudsync/
- mv ${PWD}/denali ${PWD}/../denali/
+ mv ~/cloudsync /home/cloud/
+ mv ~/denali /home/denali/
+ mv ~/scripts /home/denali/
# Change the file owners.
- chown -R cloudsync.cloudsync ${PWD}/../cloudsync
- chmod -R o-rwx ${PWD}/../cloudsync
- chown -R denali.denali ${PWD}/../denali
- chmod -R o-rwx ${PWD}/../denali
+ chown -R cloud.cloud /home/cloud
+ chmod -R o-rwx /home/cloud
+ chown -R denali.denali /home/denali
+ chmod -R o-rwx /home/denali
}
+############################################################################
# Set all permissions for our users that
# are not root.
+#
+# Globals:
+# None
+# Arguments:
+# None
+# Outputs:
+# None
+############################################################################
function setPermissionsCustomerAppFiles() {
# Make sure the the other users have no access to these directories.
- chmod -R o-rwx ${PWD}/../cloudsync
- chmod -R o-rwx ${PWD}/../denali
+ chmod -R o-rwx /home/cloud
+ chmod -R o-rwx /home/denali
+ chmod u+rx /home/denali/denali
# Give read-only access to denali by making the group owner.
- mkdir -p ${PWD}/../../var/configuration/CloudSync
- chown -R cloudsync.denali ${PWD}/../../var/configuration/CloudSync
- chmod -R g-w,g+r,o-rwx ${PWD}/../../var/configuration/CloudSync
+ mkdir -p /var/configuration/CloudSync
+ chown -R cloud.denali /var/configuration/CloudSync
+ chmod -R g-w,g+r,o-rwx /var/configuration/CloudSync
# Give read-only access to denali by making the group owner.
- mkdir -p ${PWD}/../../media/sd-card/cloudsync - chown -R cloudsync.denali ${PWD}/../../media/sd-card/cloudsync - chmod -R g-w,g+r,o-rwx ${PWD}/../../media/sd-card/cloudsync + mkdir -p /media/sd-card/cloudsync + chown -R cloud.denali /media/sd-card/cloudsync + chmod -R u+rw,g+rw,o-rwx /media/sd-card/cloudsync + # Give read-write access to denali by making it the owner. + chown -R denali.denali /media/sd-card/log + chown -R denali.denali /media/sd-card/service + # Set the immutable attribute for all of the files. - chattr -R +i ${PWD}/../cloudsync/* - chattr -R +i ${PWD}/../denali/* + chattr -R +i /home/cloud/* + chattr -R +i /home/denali/* + + # Add Denali and Cloud to other user groups as needed. + usermod -a -G video denali + usermod -a -G input denali + usermod -a -G tty denali } function main() { @@ -100,7 +219,7 @@ setPermissionsCustomerAppFiles # Turn off root login in by ssh. - secureSsh +# secureSsh } # Running the main function
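Review bot: The new `usermod -a -G input denali` and `usermod -a -G tty denali` lines at the end of `setPermissionsCustomerAppFiles` hand the application user access to every `/dev/input/*` device (keystroke capture on a typical udev layout) and to the `tty`-group console and pseudo-terminal devices, which is far broader than the "as needed" comment suggests and undercuts the `o-rwx`/`chattr +i` lockdown applied just above. If one device is required, a udev rule or `setfacl -m u:denali:rw /dev/<device>` scopes the grant to that node; otherwise the comment should name the device each group is for, e.g. `# input: touch panel /dev/input/eventN; tty: serial console /dev/ttyS0`. The sd-card line `chmod -R u+rw,g+rw,o-rwx /media/sd-card/cloudsync` now gives the denali group write access, but the context comment directly above it still says "read-only access to denali", so that comment needs to be corrected to match. `chattr -R +i /home/cloud/*` and `/home/denali/*` skip dot-files and, when the directory is empty, pass a literal `*` to chattr, which then errors; `shopt -s nullglob dotglob` before these globs covers both cases. The `chown -R denali.denali /media/sd-card/log` and `/service` lines have no preceding `mkdir -p` unlike the other directories, so they fail when the card is absent or freshly formatted.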
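Review bot: Commenting out the `secureSsh` call in `main` leaves root SSH login (per the context comment `# Turn off root login in by ssh.`) enabled on every device this script is run on, while that comment still claims the opposite and the function itself was updated in this same commit to use `/etc/ssh/sshd_config`, so the intent is unclear. If the hardening is disabled for a temporary reason, record it on the line, e.g. `# TODO(owner): secureSsh disabled until <reason>; root SSH login remains enabled`, or make it an explicit opt-out such as `[[ -n "${SKIP_SSH_LOCKDOWN:-}" ]] || secureSsh` so the step is not lost silently. The body of `main` begins outside this hunk.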