External/du_setup
1
0
Fork 0
mirror of https://github.com/buildplan/du_setup.git synced 2025-12-29 16:14:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

small stuff and fixing

Browse Source
This commit is contained in:
Ali
2025-06-29 18:38:12 +01:00
parent a712742fcf
commit 161d5f0c44
1 changed files with 71 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

126
setup_harden_debian_ubuntu.sh
View File

@@ -57,6 +57,7 @@ NC='\033[0m' # No Color
# Script variables # Script variables
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
LOG_FILE="/var/log/setup_harden_debian_ubuntu_$(date +%Y%m%d_%H%M%S).log" LOG_FILE="/var/log/setup_harden_debian_ubuntu_$(date +%Y%m%d_%H%M%S).log"
BACKUP_LOG="/var/log/backup_rsync.log"
VERBOSE=true VERBOSE=true
BACKUP_DIR="/root/setup_harden_backup_$(date +%Y%m%d_%H%M%S)" BACKUP_DIR="/root/setup_harden_backup_$(date +%Y%m%d_%H%M%S)"
IS_CONTAINER=false IS_CONTAINER=false
@@ -1422,6 +1423,7 @@ test_backup() {
echo "$RSYNC_OUTPUT" >> "$BACKUP_LOG" echo "$RSYNC_OUTPUT" >> "$BACKUP_LOG"
if [[ $RSYNC_EXIT_CODE -eq 0 ]]; then if [[ $RSYNC_EXIT_CODE -eq 0 ]]; then
echo "Test backup successful" >> "$BACKUP_LOG"
print_success "Test backup successful! Check $BACKUP_LOG for details." print_success "Test backup successful! Check $BACKUP_LOG for details."
log "Test backup successful." log "Test backup successful."
else else
@@ -1600,63 +1602,71 @@ configure_time_sync() {
configure_security_audit() { configure_security_audit() {
print_section "Security Audit Configuration" print_section "Security Audit Configuration"
if ! confirm "Run a security audit with Lynis (and optionally debsecan)?"; then if ! confirm "Run a security audit with Lynis (and optionally debsecan on Debian)?"; then
print_info "Skipping security audit." print_info "Security audit skipped."
log "Security audit skipped by user." log "Security audit skipped by user."
AUDIT_RAN=false
return 0 return 0
fi fi
local AUDIT_LOG="/var/log/setup_harden_security_audit_$(date +%Y%m%d_%H%M%S).log" AUDIT_LOG="/var/log/setup_harden_security_audit_$(date +%Y%m%d_%H%M%S).log"
touch "$AUDIT_LOG" && chmod 600 "$AUDIT_LOG" touch "$AUDIT_LOG" && chmod 600 "$AUDIT_LOG"
log "Starting security audit. Results will be saved to $AUDIT_LOG." AUDIT_RAN=true
HARDENING_INDEX=""
DEBSECAN_VULNS="Not run"
# Install Lynis # Install and run Lynis
print_info "Installing Lynis..." print_info "Installing Lynis..."
if ! apt-get update -qq; then if ! apt-get update -qq; then
print_error "Failed to update package lists. Cannot install Lynis." print_error "Failed to update package lists. Cannot install Lynis."
log "apt-get update failed for Lynis installation." log "apt-get update failed for Lynis installation."
return 1 return 1
elif ! apt-get install -y -qq lynis; then elif ! apt-get install -y -qq lynis; then
print_warning "Failed to install Lynis. Skipping Lynis audit." print_warning "Failed to install Lynis. Skipping Lynis audit."
log "Lynis installation failed." log "Lynis installation failed."
else else
print_info "Running Lynis audit (non-interactive mode)..." print_info "Running Lynis audit (non-interactive mode)..."
if lynis audit system --quick > "$AUDIT_LOG" 2>&1; then if lynis audit system --quick >> "$AUDIT_LOG" 2>&1; then
print_success "Lynis audit completed. Check $AUDIT_LOG for details." print_success "Lynis audit completed. Check $AUDIT_LOG for details."
# Extract hardening index from Lynis log log "Lynis audit completed successfully."
local HARDENING_SCORE # Extract hardening index
HARDENING_SCORE=$(grep "Hardening index" /var/log/lynis.log | awk '{print $NF}' || echo "N/A") HARDENING_INDEX=$(grep -oP "Hardening index : \K\d+" "$AUDIT_LOG" || echo "Unknown")
print_info "Lynis Hardening Index: $HARDENING_SCORE" # Append Lynis system log for persistence
log "Lynis audit completed with hardening index: $HARDENING_SCORE" cat /var/log/lynis.log >> "$AUDIT_LOG" 2>/dev/null
# Copy Lynis log to audit log for persistence
cat /var/log/lynis.log >> "$AUDIT_LOG"
else else
print_error "Lynis audit failed. Check $AUDIT_LOG for details." print_error "Lynis audit failed. Check $AUDIT_LOG for details."
log "Lynis audit failed." log "Lynis audit failed."
fi fi
fi fi
# Optional debsecan # Check if system is Debian before running debsecan
if confirm "Also run debsecan to check for package vulnerabilities?"; then source /etc/os-release
print_info "Installing debsecan..." if [[ "$ID" == "debian" ]]; then
if ! apt-get install -y -qq debsecan; then if confirm "Also run debsecan to check for package vulnerabilities?"; then
print_warning "Failed to install debsecan. Skipping debsecan audit." print_info "Installing debsecan..."
log "debsecan installation failed." if ! apt-get install -y -qq debsecan; then
else print_warning "Failed to install debsecan. Skipping debsecan audit."
print_info "Running debsecan audit..." log "debsecan installation failed."
if debsecan --suite "$(. /etc/os-release && echo "$VERSION_CODENAME")" >> "$AUDIT_LOG" 2>&1; then
local VULN_COUNT
VULN_COUNT=$(grep -c "CVE-" "$AUDIT_LOG" || echo "0")
print_success "debsecan audit completed. Found $VULN_COUNT vulnerabilities."
log "debsecan audit completed with $VULN_COUNT vulnerabilities."
else else
print_error "debsecan audit failed. Check $AUDIT_LOG for details." print_info "Running debsecan audit..."
log "debsecan audit failed." if debsecan --suite "$VERSION_CODENAME" >> "$AUDIT_LOG" 2>&1; then
DEBSECAN_VULNS=$(grep -c "CVE-" "$AUDIT_LOG" || echo "0")
print_success "debsecan audit completed. Found $DEBSECAN_VULNS vulnerabilities."
log "debsecan audit completed with $DEBSECAN_VULNS vulnerabilities."
else
print_error "debsecan audit failed. Check $AUDIT_LOG for details."
log "debsecan audit failed."
DEBSECAN_VULNS="Failed"
fi
fi fi
else
print_info "debsecan audit skipped."
log "debsecan audit skipped by user."
fi fi
else else
print_info "Skipping debsecan audit." print_info "debsecan is not supported on Ubuntu. Skipping debsecan audit."
log "debsecan audit skipped by user." log "debsecan audit skipped (Ubuntu detected)."
DEBSECAN_VULNS="Not supported on Ubuntu"
fi fi
print_warning "Review audit results in $AUDIT_LOG for security recommendations." print_warning "Review audit results in $AUDIT_LOG for security recommendations."
@@ -1713,6 +1723,11 @@ generate_summary() {
TS_COMMAND=${TS_COMMAND:-"tailscale up --operator=$USERNAME"} TS_COMMAND=${TS_COMMAND:-"tailscale up --operator=$USERNAME"}
fi fi
fi fi
if [[ "$AUDIT_RAN" == true ]]; then
print_success "Security audit performed."
else
print_info "Security audit not performed."
fi
echo -e "\n${GREEN}Server setup and hardening script has finished successfully.${NC}\n" echo -e "\n${GREEN}Server setup and hardening script has finished successfully.${NC}\n"
echo -e "${YELLOW}Configuration Summary:${NC}" echo -e "${YELLOW}Configuration Summary:${NC}"
printf " %-16s%s\n" "Admin User:" "$USERNAME" printf " %-16s%s\n" "Admin User:" "$USERNAME"
@@ -1737,6 +1752,13 @@ generate_summary() {
printf " %-16s%s\n" "- Remote Path:" "$REMOTE_BACKUP_PATH" printf " %-16s%s\n" "- Remote Path:" "$REMOTE_BACKUP_PATH"
printf " %-16s%s\n" "- Cron Schedule:" "$CRON_SCHEDULE" printf " %-16s%s\n" "- Cron Schedule:" "$CRON_SCHEDULE"
printf " %-16s%s\n" "- Notifications:" "$NOTIFICATION_STATUS" printf " %-16s%s\n" "- Notifications:" "$NOTIFICATION_STATUS"
if [[ -f "$BACKUP_LOG" ]] && grep -q "Test backup successful" "$BACKUP_LOG" 2>/dev/null; then
printf " %-16s%s\n" "- Test Status:" "Successful"
elif [[ -f "$BACKUP_LOG" ]]; then
printf " %-16s%s\n" "- Test Status:" "Failed (check $BACKUP_LOG)"
else
printf " %-16s%s\n" "- Test Status:" "Not run"
fi
else else
echo -e " Remote Backup: ${RED}Not configured${NC}" echo -e " Remote Backup: ${RED}Not configured${NC}"
fi fi
@@ -1747,6 +1769,14 @@ generate_summary() {
else else
echo -e " Tailscale: ${RED}Not configured${NC}" echo -e " Tailscale: ${RED}Not configured${NC}"
fi fi
if [[ "$AUDIT_RAN" == true ]]; then
echo -e " Security Audit: ${GREEN}Performed${NC}"
printf " %-16s%s\n" "- Audit Log:" "$AUDIT_LOG"
printf " %-16s%s\n" "- Hardening Index:" "${HARDENING_INDEX:-Unknown}"
printf " %-16s%s\n" "- Vulnerabilities:" "$DEBSECAN_VULNS"
else
echo -e " Security Audit: ${RED}Not run${NC}"
fi
echo echo
printf "${PURPLE}%-16s%s${NC}\n" "Log File:" "$LOG_FILE" printf "${PURPLE}%-16s%s${NC}\n" "Log File:" "$LOG_FILE"
printf "${PURPLE}%-16s%s${NC}\n" "Backups:" "$BACKUP_DIR" printf "${PURPLE}%-16s%s${NC}\n" "Backups:" "$BACKUP_DIR"
@@ -1772,30 +1802,16 @@ generate_summary() {
printf " %-18s${CYAN}%s${NC}\n" "- Verify SSH key:" "cat /root/.ssh/id_ed25519.pub" printf " %-18s${CYAN}%s${NC}\n" "- Verify SSH key:" "cat /root/.ssh/id_ed25519.pub"
printf " %-18s${CYAN}%s${NC}\n" "- Copy key if needed:" "ssh-copy-id -p $BACKUP_PORT -s $BACKUP_DEST" printf " %-18s${CYAN}%s${NC}\n" "- Copy key if needed:" "ssh-copy-id -p $BACKUP_PORT -s $BACKUP_DEST"
printf " %-18s${CYAN}%s${NC}\n" "- Test backup:" "sudo /root/run_backup.sh" printf " %-18s${CYAN}%s${NC}\n" "- Test backup:" "sudo /root/run_backup.sh"
printf " %-18s${CYAN}%s${NC}\n" "- Check logs:" "sudo less /var/log/backup_rsync.log" printf " %-18s${CYAN}%s${NC}\n" "- Check logs:" "sudo less $BACKUP_LOG"
fi
if [[ "$AUDIT_RAN" == true ]]; then
echo -e " Security Audit:"
printf " %-18s${CYAN}%s${NC}\n" "- Check results:" "sudo less $AUDIT_LOG"
fi fi
local BACKUP_TEST_RESULT="Not run"
if grep -q "Test backup successful" "$BACKUP_LOG"; then
BACKUP_TEST_RESULT="Successful"
elif grep -q "Test backup failed" "$BACKUP_LOG"; then
BACKUP_TEST_RESULT="Failed (check $BACKUP_LOG)"
fi
printf " %-16s%s\n" "- Test Result:" "$BACKUP_TEST_RESULT"
print_warning "\nACTION REQUIRED: If remote backup is enabled, ensure the root SSH key is copied to the destination server." print_warning "\nACTION REQUIRED: If remote backup is enabled, ensure the root SSH key is copied to the destination server."
if [[ -n "$TS_COMMAND" ]]; then if [[ -n "$TS_COMMAND" ]]; then
print_warning "ACTION REQUIRED: Tailscale connection failed. Run the command above to connect manually." print_warning "ACTION REQUIRED: Tailscale connection failed. Run the command above to connect manually."
fi fi
if [[ -f /var/log/setup_harden_security_audit_*.log ]]; then
local AUDIT_LOG=$(ls -t /var/log/setup_harden_security_audit_*.log | head -n1)
echo -e " Security Audit: ${GREEN}Completed${NC}"
printf " %-16s%s\n" "- Results:" "$AUDIT_LOG"
local HARDENING_SCORE=$(grep "Hardening index" "$AUDIT_LOG" | awk '{print $NF}' || echo "N/A")
local VULN_COUNT=$(grep -c "CVE-" "$AUDIT_LOG" || echo "0")
printf " %-16s%s\n" "- Lynis Score:" "$HARDENING_SCORE"
printf " %-16s%s\n" "- Vulnerabilities:" "$VULN_COUNT"
else
echo -e " Security Audit: ${RED}Not run${NC}"
fi
print_warning "A reboot is required to apply all changes cleanly." print_warning "A reboot is required to apply all changes cleanly."
if [[ $VERBOSE == true ]]; then if [[ $VERBOSE == true ]]; then
if confirm "Reboot now?" "y"; then if confirm "Reboot now?" "y"; then