Index: scripts/lockdown.sh
===================================================================
diff -u -rf51f9ce154a6891cb5bfd133409430e6800f0166 -r1e9d99fa2087d302e69c616b5a2420e010abe164
--- scripts/lockdown.sh (.../lockdown.sh) (revision f51f9ce154a6891cb5bfd133409430e6800f0166)
+++ scripts/lockdown.sh (.../lockdown.sh) (revision 1e9d99fa2087d302e69c616b5a2420e010abe164)
@@ -1,142 +1,14 @@
 #!/bin/bash
-###########################################################################
-#
-# Copyright (c) 2023 Diality Inc. - All Rights Reserved.
-#
-# This is inpart based on scripts developed by Sunrise Labs Inc.
-#
-# THIS CODE MAY NOT BE COPIED OR REPRODUCED IN ANY FORM, IN PART OR IN
-# WHOLE, WITHOUT THE EXPLICIT PERMISSION OF THE COPYRIGHT OWNER.
-#
-# @file start.sh
-#
-# @author (last) Philip Braica
-# @date (last) 22-Mar-2023
-# @author (original) Philip Braica
-# @date (original) 22-Mar-2023
-#
-############################################################################
 # @details
 # This file sets up and verifies some of the SOM security.
-# Number of problems detected with security.
-NUM_PROBLEMS=0
+source ./globals.sh
-
-############################################################################
-# Debug output (warn).
-#
-# Globals:
-# None
-# Arguments:
-# $1 Start text.
-# $2 The purple text.
-# Outputs:
-# Warning text.
-############################################################################
-function debug() {
- echo -en "\033[0;34mDbg: \033[0m${1}\n"
-}
-
-############################################################################
-# Green output (info).
-#
-# Globals:
-# None
-# Arguments:
-# $1 Start text.
-# $2 The green text.
-# Outputs:
-# Info text.
-############################################################################
-function info() {
- echo -en "\033[0;32mInfo: \033[0m${1}\n"
-}
-
-############################################################################
-# Purple output (warn).
-#
-# Globals:
-# None
-# Arguments:
-# $1 Start text.
-# $2 The purple text.
-# Outputs:
-# Warning text.
-############################################################################
-function warn() {
- echo -en "\033[0;35mWarn: \033[0m${1}\n"
-}
-
-############################################################################
-# Red output (error).
-#
-# Globals:
-# None
-# Arguments:
-# $1 Start text.
-# $2 The red text.
-# Outputs:
-# Error text.
-############################################################################
-function error() {
- echo -en "\033[0;31mError: \033[0m${1}\n"
-}
-
-############################################################################
-# Does the file contain a string? if
-# not, add a line at end.
-# If $1 not in $2 then append line $3 to end.
-#
-# Globals:
-# None
-# Arguments:
-# $1 What to look for.
-# $2 File name.
-# $3 What to add.
-# Outputs:
-# None
-############################################################################
-function appendIfMissing() {
-
- # q for quiet, F for regular string match, not -x because not full line.
- # Done as one command because this is done remotely.
- grep -qF $1 $2 || echo $3 >> $2
-}
-
-############################################################################
-# Remove all lines that contain $1 in file $2 then append $3.
-#
-# Globals:
-# None
-# Arguments:
-# $1 What to look for.
-# $2 File name.
-# Outputs:
-# None
-############################################################################
-function removeIfFound() {
- sed -i /${1}/d $2
-}
-
-############################################################################
-# Allow the denali app to run specific commands as root.
-#
-# Globals:
-# None
-# Arguments:
-# None
-# Outputs:
-# None
-############################################################################
-function updateSudoers() {
-
- # Allow the denali user to execute specific commands as root.
- echo "
+CONTENT_SUDOERS="
 Defaults env_reset
 Defaults mail_badpass
-Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
+Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin\"
 Defaults use_pty
 # User privilege specification
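Review bot: `source ./globals.sh` is resolved against the caller's working directory rather than the script's own location, so invoking the script from anywhere else either fails to load the helpers the later functions rely on (`post_log_dash` and `SETUP_CONF_FILE` are presumably defined there) or loads a different globals.sh; anchoring it as `source "$(dirname -- "$0")/globals.sh"` removes that dependency. The top of the file also gains no `set -euo pipefail`, which matters for a script that rewrites sudoers, sshd_config and the firewall rules and ends in a reboot; without it a failed write is skipped silently and the remaining steps continue.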
@@ -181,91 +53,103 @@
 denali ALL=(root) NOPASSWD: /bin/mkdir *
 denali ALL=(root) NOPASSWD: /usr/sbin/cryptsetup *
 denali ALL=(root) NOPASSWD: /sbin/mkfs.ext4 *
-" > /etc/sudoers
-}
+"
-############################################################################
-# Turn on IPTables Firewall security.
-#
-# Globals:
-# None
-# Arguments:
-# None
-# Outputs:
-# None
-############################################################################
-function secureIPTables() {
- local fileTarget="/etc/iptables/iptables.rules"
+CONTENT_IPTABLES="
+*filter
- # Flush current iptable configuration.
- iptables -F
+# Set default chain policies
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
- # Allow established connections to come input.
- iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Accept all connections via lo interface
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
- # Localhost
- iptables -A INPUT -i lo -j ACCEPT
+# Accept SSH connections
+-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- # SSH
- iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+# Accept incoming VNC connections
+# -A INPUT -p tcp --dport 5900 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+# -A OUTPUT -p tcp --sport 5900 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- # Default Rules
- iptables -A INPUT -j DROP
- iptables -A FORWARD -j DROP
- iptables -A OUTPUT -j ACCEPT
+# Allow established inbound connections
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- iptables-save > $fileTarget
+COMMIT
+"
+
+CONTENT_SSHD_CONFIG="
+# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+ +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin +LoginGraceTime 2m +PermitRootLogin no + +AuthorizedKeysFile .ssh/authorized_keys + +PasswordAuthentication no +PermitEmptyPasswords yes + +ChallengeResponseAuthentication yes + +UsePAM yes + +Compression no +ClientAliveInterval 15 +ClientAliveCountMax 4 + +Subsystem sftp /usr/libexec/sftp-server +" + + +# Allow the denali app to run specific commands as root. +function updateSudoers() { + # ----------------------------------------- Update Sudoers + post_log_dash " Update Sudoers " + local fileTarget="/etc/sudoers" + # Allow the denali user to execute specific commands as root. + echo "$CONTENT_SUDOERS" > $fileTarget } -############################################################################ + +# Turn on IPTables Firewall security. +function secureIPTables() { + # ----------------------------------------- Secure Iptables + post_log_dash " Secure Iptables " + local fileTarget="/etc/iptables/iptables.rules" + iptables -F + echo "$CONTENT_IPTABLES" > $fileTarget +} + + # Turn on some ssh security. -# -# Globals: -# None -# Arguments: -# None -# Outputs: -# None -############################################################################ function secureSsh() { - local fileTarget="/etc/ssh/sshd_config" + # ----------------------------------------- Secure SSH + post_log_dash " Secure SSH " + local fileTarget="/etc/ssh/sshd_config" - # + echo "$CONTENT_SSHD_CONFIG" > $fileTarget + chown -R root.denali ${fileTarget} chmod -R g+rw ${fileTarget} - # Remove add PermitRootLogin settings then add one to turn it off. - removeIfFound "PermitRootLogin" ${fileTarget} - appendIfMissing "PermitRootLogin" ${fileTarget} "PermitRootLogin no" - # Restart service on remote. systemctl restart system-sshd.slice } -############################################################################ -# Move the customers app files to the app users home directories, -# changed the owner, and set the immutable attribute. 
-#
-# Globals:
-# None
-# Arguments:
-# None
-# Outputs:
-# None
-############################################################################
-function moveCustomerAppFiles() {
- # Unset the immutable attribute for all of the files in case we
- # are rerunning this script.
- chattr -R -i /home/cloud/*
+function secureDenali() {
+ # ----------------------------------------- Secure the denali
+ post_log_dash " Secure the denali "
+ # Unset the immutable attribute for all of the files in case we are rerunning this script.
 chattr -R -i /home/denali/*
- # Move the files
- if [ -d ~/cloudsync ]; then
- rm -rf /home/cloud/cloudsync
- mv ~/cloudsync /home/cloud/
- fi
 if [ -f ~/denali ]; then
 rm -f /home/denali/denali
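Review bot: The new `CONTENT_SSHD_CONFIG` disables password logins with `PasswordAuthentication no` but also sets `PermitEmptyPasswords yes` and `ChallengeResponseAuthentication yes` alongside `UsePAM yes`, which keeps PAM keyboard-interactive (password) authentication reachable; for a lockdown these lines should read `PermitEmptyPasswords no` and `ChallengeResponseAuthentication no`. In `secureSsh` the freshly written /etc/ssh/sshd_config is then handed to `chown -R root.denali ${fileTarget}` and `chmod -R g+rw ${fileTarget}`, making the daemon's configuration writable by the denali group, so the unprivileged app user could re-enable root or password login; sshd only needs to read the file, so it should stay root-owned with mode 0644 and those two lines dropped. `secureIPTables` now only flushes the live tables with `iptables -F` and writes `$CONTENT_IPTABLES` to the rules file without ever loading it, so the running firewall is left with ACCEPT policies until whatever loads that file at boot runs (presumably an iptables service, not visible here); `iptables-restore < "$fileTarget"` after the write closes that window. Both the sudoers and sshd_config writes also go straight to the live file with no `visudo -cf` / `sshd -t -f` check, so a typo in either string costs sudo or remote access after the reboot at the end of the script. Finally, `$OpenBSD` inside the double-quoted sshd content is a shell expansion and will not reach the file as written; drop that header line or escape the dollar sign.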
@@ -277,43 +161,66 @@
 mv ~/scripts /home/denali/
 fi
- # Change the file owners.
- chown -R cloud.cloud /home/cloud
- chmod -R o-rwx /home/cloud
 chown -R denali.denali /home/denali
 chmod -R o-rwx /home/denali
 }
-############################################################################
+
+function secureCloudSync() {
+ # ----------------------------------------- Secure the CloudSync
+ post_log_dash " Secure the CloudSync "
+ # Unset the immutable attribute for all of the files in case we are rerunning this script.
+ chattr -R -i /home/cloud/*
+
+ if [ -d ~/cloudsync ]; then
+ rm -rf /home/cloud/cloudsync
+ mv ~/cloudsync /home/cloud/
+ fi
+
+ chown -R cloud.cloud /home/cloud
+ chmod -R o-rwx /home/cloud
+}
+
+
 # Set all permissions for our users that
 # are not root.
-#
-# Globals:
-# None
-# Arguments:
-# None
-# Outputs:
-# None
-############################################################################
 function setPermissionsCustomerAppFiles() {
+ # ----------------------------------------- Secure the filesystem
+ post_log_dash " Secure the filesystem "
- # Make sure the the other users have no access to these directories.
+ # TODO there seem to be some duplicate commands here to review later.
+
+ # Make sure the other users have no access to these directories.
 chmod -R o-rwx /home/cloud
 chmod -R o-rwx /home/denali
 chmod u+rx /home/denali/denali
 # Give read-only access to denali by making the group owner.
- mkdir -p /var/configuration/CloudSync
- chown -R cloud.denali /var/configuration/CloudSync
- chmod -R g-w,g+r,o-rwx /var/configuration/CloudSync
+ mkdir -p /var/configurations/CloudSync
+ chown -R cloud.denali /var/configurations/CloudSync
+ chmod -R g-w,g+r,o-rwx /var/configurations/CloudSync
+ # Give read-only access to cloud by making the group owner.
+ mkdir -p /var/configurations/treatment
+ chown -R denali.cloud /var/configurations/treatment
+ chmod -R g-w,g+r,o-rwx /var/configurations/treatment
+
+ # Give read-only access to cloud by making the group owner.
+ mkdir -p /var/configurations/treatment/pending/
+ chown -R denali.cloud /var/configurations/treatment/pending/
+ chmod -R g-w,g+r,o-rwx /var/configurations/treatment/pending/
+
+ # Give read-only access to denali by making the group owner.
 mkdir -p /media/sd-card/cloudsync
 chown -R cloud.denali /media/sd-card/cloudsync
 chmod -R u+rw,g+rw,o-rwx /media/sd-card/cloudsync
 # Give read-write access to denali by making it the owner.
+ mkdir -p /media/sd-card/log
 chown -R denali.denali /media/sd-card/log
+
+ mkdir -p /media/sd-card/service
 chown -R denali.denali /media/sd-card/service
 # Set the immutable attribute for all of the files.
@@ -326,22 +233,39 @@
 usermod -a -G tty denali
 }
+function cleanup() {
+ # ----------------------------------------- Remove the setup files
+ post_log_dash " Remove the setup files "
+
+ rm $SETUP_CONF_FILE
+ rm /home/root/setup.sh
+ rm -frd $HOME/.ssh
+ rm -frd /media/sd-card/*
+
+}
+
 function main() {
+ cleanup
+
+ secureDenali
+ secureCloudSync
- # Move the App Files to their home directories and setup the file
- # permissions needed to make them work.
- moveCustomerAppFiles
 setPermissionsCustomerAppFiles
 updateSudoers
- # Block incoming traffic except for ssh and established.
 secureIPTables
- # Turn off root login in by ssh.
-# secureSsh
+ secureSsh
+
 }
 # Running the main function
-main
+main
-exit 0
+rm $(basename $0)
+
+sync
+sync
+sync
+
+reboot
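Review bot: The new `/var/configurations/treatment/pending/` block in `setPermissionsCustomerAppFiles` repeats the recursive `chown -R denali.cloud` and `chmod -R g-w,g+r,o-rwx` that were just applied to `/var/configurations/treatment`; creating the subdirectory first with `mkdir -p /var/configurations/treatment/pending` and letting the parent's two recursive commands cover it removes one of the duplicates the new TODO comment mentions. The added `chown` lines use the legacy `user.group` spelling (`denali.cloud`, `cloud.denali`); `denali:cloud` is the documented form and avoids ambiguity with user names containing a dot. `secureCloudSync` and `setPermissionsCustomerAppFiles` both run `chmod -R o-rwx /home/cloud`, so with main calling them back to back one of the two is redundant.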
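Review bot: `reboot` at the end of the file runs whether or not the hardening steps succeeded, because nothing checks the status of `main` or of the individual writes inside it, so a device whose sudoers or sshd_config write failed still reboots half-configured; gate it, for example `main || { printf 'lockdown failed, not rebooting\n' >&2; exit 1; }` together with explicit `|| return 1` on the critical steps so main's status carries that information. `rm $(basename $0)` deletes a file named lockdown.sh in the current directory, which is the script itself only when it is launched from its own directory; `rm -- "$0"` removes the running script regardless of cwd. In `cleanup`, `rm $SETUP_CONF_FILE` and `rm -frd $HOME/.ssh` are unquoted and unguarded: if either variable is unset (SETUP_CONF_FILE is presumably defined in globals.sh, which is not visible here) the first runs `rm` with no operand and the second targets `/.ssh`; `rm -- "${SETUP_CONF_FILE:?}"` and `rm -rf -- "${HOME:?}/.ssh"` abort instead. The `-d` in `rm -frd` is redundant with `-r`.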