Qubes-VM-hardening/install

#!/bin/bash
# From https://github.com/tasket/Qubes-VM-hardening
# installer version 0.9.3

set -e
[ `id -u` -eq 0 ] || exit

if [ "$1" = "--uninstall" ]; then
    echo "Removing vm-boot-protect.service..."
    echo "Warning: This will remove any custom files added to /etc/default/vms!"
    read -p "Proceed [y/N]? " ans
    if [[ $ans == @(Y|y) ]]; then
        systemctl disable vm-boot-protect.service
        rm -r /lib/systemd/system/vm-boot-protect.service /usr/lib/qubes/init/vm-boot-protect.sh /etc/default/vms
        systemctl daemon-reload
        echo "Done."
    else
        echo "Aborted."
    fi
    exit 0
fi


echo "Installing vm-boot-protect.service..."
cp vm-boot-protect.sh /usr/lib/qubes/init
chmod +x /usr/lib/qubes/init/vm-boot-protect.sh
cp vm-boot-protect.service /lib/systemd/system
systemctl daemon-reload
systemctl enable vm-boot-protect.service

echo "Adding defaults in /etc/default/vms..."
mkdir -p /etc/default/vms
# Careful... ownership & mode are not preserved here!
cp -riv default/vms/* /etc/default/vms

echo "Adding nosuid,nodev options to /etc/fstab..."
cp /etc/fstab /etc/fstab.bak
awk '($1~"^/rw/" || $2~"^/rw$") && ($4!~"nosuid" || $4!~"nodev") {$4=$4",nosuid,nodev"}1' \
    /etc/fstab.bak >/etc/fstab


echo -e "\nvm-boot-protect installed!\n"

#bash ./configure-sudo-prompt
exit 0
Misc fixes, additions Fix rescue mode, deployment. Add whitelist and sudo config. 2018-04-12 15:24:46 -04:00			`#!/bin/bash`
			`# From https://github.com/tasket/Qubes-VM-hardening`
add nosuid,nodev protection 2019-08-27 21:13:20 -04:00			`# installer version 0.9.3`
Misc fixes, additions Fix rescue mode, deployment. Add whitelist and sudo config. 2018-04-12 15:24:46 -04:00
Readme. Install defaults. 2018-04-03 10:53:15 -04:00			`set -e`
Readme and add local dir 2018-02-20 17:40:29 -05:00			[ `id -u` -eq 0 ] \|\| exit

add uninstall, refine ibrowse 2019-08-13 13:46:52 -04:00			`if [ "$1" = "--uninstall" ]; then`
			`echo "Removing vm-boot-protect.service..."`
			`echo "Warning: This will remove any custom files added to /etc/default/vms!"`
			`read -p "Proceed [y/N]? " ans`
			`if [[ $ans == @(Y\|y) ]]; then`
			`systemctl disable vm-boot-protect.service`
			`rm -r /lib/systemd/system/vm-boot-protect.service /usr/lib/qubes/init/vm-boot-protect.sh /etc/default/vms`
			`systemctl daemon-reload`
			`echo "Done."`
			`else`
			`echo "Aborted."`
			`fi`
fix uninstall exit 2019-08-13 16:22:27 -04:00			`exit 0`
add uninstall, refine ibrowse 2019-08-13 13:46:52 -04:00			`fi`

bak dir path and issue 11 2018-03-29 07:22:22 -04:00
Readme. Install defaults. 2018-04-03 10:53:15 -04:00			`echo "Installing vm-boot-protect.service..."`
Service rename to vm-boot-protect 2018-03-29 02:57:06 -04:00			`cp vm-boot-protect.sh /usr/lib/qubes/init`
			`chmod +x /usr/lib/qubes/init/vm-boot-protect.sh`
			`cp vm-boot-protect.service /lib/systemd/system`
Readme and add local dir 2018-02-20 17:40:29 -05:00			`systemctl daemon-reload`
Service rename to vm-boot-protect 2018-03-29 02:57:06 -04:00			`systemctl enable vm-boot-protect.service`
Readme and add local dir 2018-02-20 17:40:29 -05:00
Readme. Install defaults. 2018-04-03 10:53:15 -04:00			`echo "Adding defaults in /etc/default/vms..."`
fix install copying to subdir 2019-01-29 23:09:53 -05:00			`mkdir -p /etc/default/vms`
Readme. Install defaults. 2018-04-03 10:53:15 -04:00			`# Careful... ownership & mode are not preserved here!`
Tweak readme, strings 2018-04-14 11:18:55 -04:00			`cp -riv default/vms/* /etc/default/vms`
Readme. Install defaults. 2018-04-03 10:53:15 -04:00
add nosuid,nodev protection 2019-08-27 21:13:20 -04:00			`echo "Adding nosuid,nodev options to /etc/fstab..."`
			`cp /etc/fstab /etc/fstab.bak`
			`awk '($1~"^/rw/" \|\| $2~"^/rw$") && ($4!~"nosuid" \|\| $4!~"nodev") {$4=$4",nosuid,nodev"}1' \`
			`/etc/fstab.bak >/etc/fstab`

add uninstall, refine ibrowse 2019-08-13 13:46:52 -04:00
Misc fixes, additions Fix rescue mode, deployment. Add whitelist and sudo config. 2018-04-12 15:24:46 -04:00			`echo -e "\nvm-boot-protect installed!\n"`

makefile and debian 2019-09-02 08:50:18 -04:00			`#bash ./configure-sudo-prompt`
Misc fixes, additions Fix rescue mode, deployment. Add whitelist and sudo config. 2018-04-12 15:24:46 -04:00			`exit 0`
Readme and add local dir 2018-02-20 17:40:29 -05:00