diff --git a/usr/bin/hardening-enable b/usr/bin/hardening-enable
index ec01756..469364a 100755
--- a/usr/bin/hardening-enable
+++ b/usr/bin/hardening-enable
@@ -3,13 +3,68 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-set -x
 set -e
+if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
+ source /usr/lib/helper-scripts/pre.bsh
+fi
+
+## Thanks to:
+## http://mywiki.wooledge.org/BashFAQ/035
+
+while :
+do
+ case $1 in
+ --ssh)
+ ssh=true
+ shift
+ ;;
+ --nossh)
+ ssh=false
+ shift
+ ;;
+ --)
+ shift
+ break
+ ;;
+ -*)
+ echo "$0 unknown option: $1" >&2
+ exit 2
+ ;;
+ *)
+ break
+ ;;
+ esac
+done
+
+## If there are input files (for example) that follow the options, they
+## will remain in the "$@" positional parameters.
+
+if [ "$ssh" = "" ]; then
+ echo "${red}ERROR${reset}: must use either --ssh or --nossh. For example:" >&2
+ echo "$0 --nossh" >&2
+ exit 2
+fi
+
+echo "${bold}[Hide Hardware Info]${reset}"
+echo "Enabling enable hide-hardware-info.service by running 'systemctl enable hide-hardware-info.service'..."
+ systemctl enable hide-hardware-info.service
+echo "${green}Success.${reset}"
+echo ""
+
+echo "${bold}[NOEXEC]${reset}"
+echo "Enabling noexec by creating file /etc/noexec ..."
+ touch /etc/noexec
+echo "${green}Success.${reset}"
+echo ""
+
+echo "${bold}[LKRG - Linux Kernel Runtime Guard]${reset}"
+echo "LKRG hardening by creating /etc/sysctl.d/40-security-misc-autogenerated.conf ..."
+
 mkdir -p /etc/sysctl.d
 echo "\
@@ -22,4 +77,15 @@ echo "\
 lkrg.ci_panic=1
 lkrg.umh_lock=1" > /etc/sysctl.d/40-security-misc-autogenerated.conf
 
-pam-auth-update --enable console-lockdown-security-misc
+echo "${green}Success.${reset}"
+echo ""
+
+if [ "$ssh" = "false" ]; then
+ echo "${bold}[Console Lockdown]${reset}"
+ echo "Enabling Console Lockdown by removing user 'user' from group 'ssh'."
+
+ delgroup user ssh &>/dev/null || true
+
+ echo "${green}Success.${reset}"
+ echo ""
+fi
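Review bot: The new option parser and the section bodies after it never check that the script has the privilege its steps need, yet `systemctl enable`, `touch /etc/noexec` and the write to /etc/sysctl.d all require root; run as an ordinary user, `set -e` aborts partway with a bare tool error after `[Hide Hardware Info]` has already been announced. A one-line guard right after the `--ssh`/`--nossh` check keeps that failure explicit: `[ "$(id -u)" = "0" ] || { echo "${red}ERROR${reset}: must be run as root." >&2; exit 1; }`. Separately, the message `"Enabling enable hide-hardware-info.service ..."` repeats "enable". `${red}`, `${bold}`, `${green}` and `${reset}` presumably come from the sourced pre.bsh; because the file is sourced only when present, they expand to nothing otherwise, which is harmless but deserves a comment on the `source` line. The shebang and the first two lines of the file are outside the hunk.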
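Review bot: `delgroup user ssh &>/dev/null || true` discards both the exit status and the diagnostics of the one command that implements Console Lockdown, and the unconditional `Success.` line then reports a hardening step that may not have happened (delgroup not installed, no user named 'user', or any other error). If the `|| true` is only meant to tolerate the already-removed case, test membership first and let every other failure surface, as in the excerpt below. `&>` is a bash redirection; the shebang is outside the hunk, so confirm the script is not executed as `/bin/sh`.
```shell
   echo "Enabling Console Lockdown by removing user 'user' from group 'ssh'."

   ## Only attempt the removal when 'user' is actually in 'ssh'; any other
   ## failure is reported instead of being hidden behind '|| true'.
   if id -nG user 2>/dev/null | grep -qw ssh; then
      delgroup user ssh || { echo "${red}ERROR${reset}: could not remove user 'user' from group 'ssh'." >&2; exit 1; }
   fi
   ## … unchanged: Success message …
```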