Integrate scripts to 'bootstrap' and update.
This commit is contained in:
parent
389dfc8ba6
commit
cb0a177a9d
3 changed files with 190 additions and 171 deletions
|
|
@ -1,63 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
umask 022
|
||||
|
||||
# Create /opt directories.
|
||||
mkdir -p -m 755 {/opt,/opt/{bin,include,info,lib64,man,man/man{0..8},sbin,share}}
|
||||
|
||||
# Install the CA bundles, to stop wget moaning.
|
||||
cp -R ca-certificates /usr/local/share
|
||||
update-ca-certificates
|
||||
|
||||
# Install memtest86 into /boot.
|
||||
# Only install if /boot exists, so we are container compatible.
|
||||
[[ -e /boot ]] && [[ ! -e /boot/efi ]] && cp memtest86+ /boot
|
||||
|
||||
# Install root's new crontab.
|
||||
cat root.crontab >/var/spool/cron/crontabs/root
|
||||
/etc/rc.d/rc.crond restart
|
||||
|
||||
# Install the /etc files.
|
||||
( cd base-files
|
||||
IFS=$'\n'
|
||||
for dir in $(find . -type d | sort | sed -re 's/^\.\///'); do
|
||||
mkdir -p -m 755 /etc/$dir
|
||||
done
|
||||
for file in $(find . -type f | sort | sed -re 's/^\.\///'); do
|
||||
cat "$file" >"/etc/$file"
|
||||
done )
|
||||
|
||||
# Correct file/directory specific permissions.
|
||||
chmod 755 /etc/cron.daily/update-slackpkg-template
|
||||
chmod 755 /etc/cron.daily/warn-git-status
|
||||
chmod 755 /etc/cron.hourly/log-acls
|
||||
chmod 755 /etc/initscript
|
||||
chmod 755 /etc/profile.d/biff.csh
|
||||
chmod 755 /etc/profile.d/biff.sh
|
||||
chmod 755 /etc/profile.d/lang.csh
|
||||
chmod 755 /etc/profile.d/lang.sh
|
||||
chmod 755 /etc/profile.d/less.csh
|
||||
chmod 755 /etc/profile.d/less.sh
|
||||
chmod 755 /etc/profile.d/optpaths.csh
|
||||
chmod 755 /etc/profile.d/optpaths.sh
|
||||
chmod 750 /etc/sudoers.d
|
||||
|
||||
# Install pushover.
|
||||
cp utils/pushover /opt/bin
|
||||
chmod 755 /opt/bin/pushover
|
||||
|
||||
# Decrypt the pushover-config.
|
||||
echo "Decrypting /etc/pushover/*.gpg..."
|
||||
read -r -p "Passphraise (appears in clear text): " PASS
|
||||
gpg -d --passphrase "$PASS" -o /etc/pushover/backups /etc/pushover/backups.gpg
|
||||
gpg -d --passphrase "$PASS" -o /etc/pushover/mirroring /etc/pushover/mirroring.gpg
|
||||
gpg -d --passphrase "$PASS" -o /etc/pushover/server /etc/pushover/server.gpg
|
||||
chmod 640 /etc/pushover/*
|
||||
|
||||
# Decrypt the netdata SSL key.
|
||||
echo "Decrypting netdata SSL key..."
|
||||
gpg -d --passphrase "$PASS" -o /etc/certificates/_netdata_.opensourcerers.net-key.pem /etc/certificates/_netdata_.opensourcerers.net-key.pem.gpg
|
||||
chmod 640 /etc/certificates/_netdata_.opensourcerers.net-key.pem
|
||||
chown root:36 /etc/certificates/_netdata_.opensourcerers.net-key.pem
|
||||
rm -f /etc/certificates/_netdata_.opensourcerers.net-key.pem.gpg
|
||||
unset PASS
|
||||
108
02-system-setup
108
02-system-setup
|
|
@ -1,108 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Re-generate root's password for longer hash.
|
||||
echo "Set a password for root:"
|
||||
passwd root
|
||||
|
||||
# Make Tadgy's account.
|
||||
adduser tadgy
|
||||
|
||||
# Move the 'console' group. I dislike it above 100.
|
||||
grep "^console:x:101:" /etc/group >/dev/null && groupmod -g 97 console
|
||||
grpconv
|
||||
|
||||
# Add group 'admin', and make root and Tadgy a member.
|
||||
grep "^admin:" /etc/group >/dev/null || groupadd -g 101 admin
|
||||
usermod -aG admin root
|
||||
usermod -aG admin tadgy
|
||||
|
||||
# Restrict access to 'logger', since it can be used to spam the logs.
|
||||
chown root:admin /usr/bin/logger
|
||||
chmod 750 /usr/bin/logger
|
||||
|
||||
# Copy ssh keys into place for root and tadgy.
|
||||
mkdir -p -m 0700 /root/.ssh
|
||||
cp authorized_keys /root/.ssh
|
||||
mkdir -p -m 0700 /home/tadgy/.ssh
|
||||
cp authorized_keys /home/tadgy/.ssh
|
||||
chown -R tadgy:users /home/tadgy/.ssh
|
||||
|
||||
# Encrypt the databases so they can be checked into git.
|
||||
echo "Encrypting /etc/shadow..."
|
||||
gpg -c -o /etc/shadow.gpg /etc/shadow
|
||||
echo "Encrypting /etc/gshadow..."
|
||||
gpg -c -o /etc/gshadow.gpg /etc/gshadow
|
||||
|
||||
# Create log archive directories and move old log files.
|
||||
[ ! -d /var/log/Archived/pre-sysconfig ] && {
|
||||
mkdir -p -m 750 /var/log/Archived
|
||||
mkdir -p -m 750 /var/log/Archived/pre-sysconfig
|
||||
mv /var/log/{btmp.*,{cron,debug,maillog,messages,secure,spooler,syslog}{,.*}} /var/log/Archived/pre-sysconfig/ 2>/dev/null
|
||||
}
|
||||
|
||||
# Stop syslog from producing a "MARK" every 20 minutes.
|
||||
# -current 20200626 uses /etc/default now, this is not required.
|
||||
# sed -i /etc/rc.d/rc.syslog -r -e '/^#SYSLOGD_OPTIONS/ s/#//' -e '/^SYSLOGD_OPTIONS/ s/"-c "$/"-c -m 0"/'
|
||||
|
||||
# Restart syslogd.
|
||||
/etc/rc.d/rc.syslog restart
|
||||
|
||||
# Restart ntpd.
|
||||
[ -x /etc/rc.d/rc.ntpd ] && /etc/rc.d/rc.ntpd restart
|
||||
|
||||
# Restart sshd.
|
||||
/etc/rc.d/rc.sshd restart
|
||||
|
||||
# Keep an su'ers log.
|
||||
touch /var/log/sulog
|
||||
|
||||
# Keep fail2ban logs.
|
||||
touch /var/log/fail2ban
|
||||
|
||||
# Add an rc.local_shutdown script if it doesn't exist already.
|
||||
[ ! -e /etc/rc.d/rc.local_shutdown ] && {
|
||||
echo "#!/bin/sh" >/etc/rc.d/rc.local_shutdown
|
||||
echo "# /etc/rc.d/rc.local_shutdown - Local system shutdown script." >>/etc/rc.d/rc.local_shutdown
|
||||
echo "# This script will be run when the system is shutdown or rebooted." >>/etc/rc.d/rc.local_shutdown
|
||||
chmod 755 /etc/rc.d/rc.local_shutdown
|
||||
}
|
||||
|
||||
# To clear all ACLs:
|
||||
# setfacl -Rk /path
|
||||
# setfacl -Rd group:admin: /path
|
||||
# setfacl -Rx mask:: /path
|
||||
|
||||
# Secure /var/log
|
||||
# Set standard access perms for directories
|
||||
setfacl -m user::rwx,group::rx,other::x /var/log/
|
||||
setfacl -m user::rwx,group::rx,other::- /var/log/*/ /var/log/*/*/
|
||||
# Set standard access perms for files
|
||||
find /var/log -type f -exec setfacl -Rm user::rw,group::r,other::- {} \;
|
||||
# Allow group 'admin' read access to all directories/files
|
||||
setfacl -m group:admin:rX /var/log/ /var/log/*/ /var/log/*/*/
|
||||
find /var/log -type f -exec setfacl -m group:admin:r {} \;
|
||||
# Set default access for new files in directories.
|
||||
setfacl -dm user::rwX,group::rX,other::- /var/log/ /var/log/*/ /var/log/*/*/
|
||||
setfacl -dm group:admin:rX /var/log/ /var/log/*/ /var/log/*/*/
|
||||
# /var/log/wtmp needs to be readable by everyone
|
||||
setfacl -m user::rw,group::r,other::r /var/log/wtmp
|
||||
|
||||
# Secure /root
|
||||
# Set standard access perms for directories
|
||||
find /root -type d -exec setfacl -m user::rwx,group::rx,other::- {} \;
|
||||
# Set standard access perms for files
|
||||
find /root -type f -exec setfacl -m user::rwX,group::rX,other::- {} \;
|
||||
# Allow group 'admin' read access to all files/dirs
|
||||
find /root -type d -exec setfacl -m group:admin:rX {} \;
|
||||
find /root -type f -exec setfacl -m group:admin:rX {} \;
|
||||
# Set default access for new files/dirs
|
||||
find /root -type d -exec setfacl -dm user::rwX,group::rX,other::- {} \;
|
||||
find /root -type d -exec setfacl -dm group:admin:rX {} \;
|
||||
|
||||
# Clean up some cruft.
|
||||
rm -rf /etc/nntpserver /etc/lilo.conf_example
|
||||
rm -rf /usr/{local/games,local/man/cat*,man/cat*} /var/man
|
||||
|
||||
# Finally, check for FIXMEs.
|
||||
echo "There may be some FIXMEs to attend to:"
|
||||
grep -R FIXME /etc | egrep -v "^/etc/(\.git|file|magic|misc)"
|
||||
190
bootstrap
Executable file
190
bootstrap
Executable file
|
|
@ -0,0 +1,190 @@
|
|||
#!/bin/bash
|
||||
|
||||
umask 022
|
||||
|
||||
# Create /opt directories.
|
||||
echo "-> Creating /opt directories..."
|
||||
mkdir -p -m 755 {/opt,/opt/{bin,include,info,lib64,man,man/man{0..8},sbin,share}}
|
||||
|
||||
# Install the CA bundles, to stop wget moaning.
|
||||
echo "-> Adding CA certificates..."
|
||||
cp -R ca-certificates /usr/local/share
|
||||
update-ca-certificates
|
||||
|
||||
# Install memtest86 into /boot.
|
||||
# Only install if /boot exists, and this isn't an EFI system.
|
||||
[[ -e /boot ]] && [[ ! -e /boot/efi ]] && echo "-> Adding memtest86+..." && cp memtest86+ /boot
|
||||
|
||||
# Install root's new crontab.
|
||||
echo "-> Changing root's crontab..."
|
||||
cat root.crontab >/var/spool/cron/crontabs/root
|
||||
/etc/rc.d/rc.crond restart
|
||||
|
||||
# Install the /etc files.
|
||||
echo "-> Copying base files into /etc..."
|
||||
( cd base-files
|
||||
IFS=$'\n'
|
||||
for dir in $(find . -type d | sort | sed -re 's/^\.\///'); do
|
||||
mkdir -p -m 755 /etc/$dir
|
||||
done
|
||||
for file in $(find . -type f | sort | sed -re 's/^\.\///'); do
|
||||
cat "$file" >"/etc/$file"
|
||||
done )
|
||||
|
||||
echo "-> Fixing base files' permissions..."
|
||||
# Correct file/directory specific permissions.
|
||||
chmod 755 /etc/cron.daily/update-slackpkg-template
|
||||
chmod 755 /etc/cron.daily/warn-git-status
|
||||
chmod 755 /etc/cron.hourly/log-acls
|
||||
chmod 755 /etc/initscript
|
||||
chmod 755 /etc/profile.d/biff.csh
|
||||
chmod 755 /etc/profile.d/biff.sh
|
||||
chmod 755 /etc/profile.d/lang.csh
|
||||
chmod 755 /etc/profile.d/lang.sh
|
||||
chmod 755 /etc/profile.d/less.csh
|
||||
chmod 755 /etc/profile.d/less.sh
|
||||
chmod 755 /etc/profile.d/optpaths.csh
|
||||
chmod 755 /etc/profile.d/optpaths.sh
|
||||
chmod 750 /etc/sudoers.d
|
||||
|
||||
# Install pushover.
|
||||
echo "-> Installing pushover..."
|
||||
cp utils/pushover /opt/bin
|
||||
chmod 755 /opt/bin/pushover
|
||||
|
||||
# Read the gpg passphraise.
|
||||
read -r -p "----> Enter GPG decryption passphraise (appears in clear text): " PASS
|
||||
|
||||
# Decrypt the pushover-config.
|
||||
echo "-> Decrypting /etc/pushover/*.gpg..."
|
||||
gpg -d --passphrase "$PASS" -o /etc/pushover/backups /etc/pushover/backups.gpg
|
||||
gpg -d --passphrase "$PASS" -o /etc/pushover/mirroring /etc/pushover/mirroring.gpg
|
||||
gpg -d --passphrase "$PASS" -o /etc/pushover/server /etc/pushover/server.gpg
|
||||
chmod 640 /etc/pushover/*
|
||||
|
||||
# Decrypt the netdata SSL key.
|
||||
echo "-> Decrypting netdata SSL key..."
|
||||
gpg -d --passphrase "$PASS" -o /etc/certificates/_netdata_-key.pem /etc/certificates/_netdata_-key.pem.gpg
|
||||
chmod 600 /etc/certificates/_netdata_-key.pem
|
||||
setfacl -m u:36:r /etc/certificates/_netdata_-key.pem
|
||||
|
||||
# Decrypt the msmtp SSL key.
|
||||
echo "-> Decrypting msmtp SSL key..."
|
||||
gpg -d --passphrase "$PASS" -o /etc/certificates/_msmtp_-key.pem /etc/certificates/_msmtp_-key.pem.gpg
|
||||
chmod 600 /etc/certificates/_msmtp_-key.pem
|
||||
setfacl -m g:mail:r /etc/certificates/_msmtp_-key.pem
|
||||
|
||||
unset PASS
|
||||
|
||||
# Re-generate root's password for longer hash.
|
||||
echo "-> Re-set root's password..."
|
||||
passwd root
|
||||
|
||||
# Make Tadgy's account.
|
||||
echo "-> Adding user 'tadgy'..."
|
||||
adduser tadgy
|
||||
|
||||
# Move the 'console' group. I dislike it above 100.
|
||||
echo "-> Fixing 'console' GID..."
|
||||
grep "^console:x:101:" /etc/group >/dev/null && groupmod -g 97 console
|
||||
grpconv
|
||||
|
||||
# Add group 'admin', and make root and tadgy a member.
|
||||
echo "-> Adding 'admin' group and making 'root' and 'tadgy' members..."
|
||||
grep "^admin:" /etc/group >/dev/null || groupadd -g 101 admin
|
||||
usermod -aG admin root
|
||||
usermod -aG admin tadgy
|
||||
|
||||
# Restrict access to 'logger', since it can be used to spam the logs.
|
||||
echo "-> Restricting access to /usr/bin/logger..."
|
||||
chmod 750 /usr/bin/logger
|
||||
setfacl -m g:admin:rx /usr/bin/logger
|
||||
|
||||
# Copy ssh keys into place for root and tadgy.
|
||||
echo "-> Adding authorized_keys for 'root' and 'tadgy'..."
|
||||
mkdir -p -m 0700 /root/.ssh
|
||||
cat authorized_keys >/root/.ssh/authorized_keys
|
||||
mkdir -p -m 0700 /home/tadgy/.ssh
|
||||
cat authorized_keys >/home/tadgy/.ssh/authorized_keys
|
||||
chown -R tadgy:users /home/tadgy/.ssh
|
||||
|
||||
# Encrypt the databases so they can be checked into git.
|
||||
echo "-> Encrypting /etc/shadow and /etc/gshadow..."
|
||||
read -r -p "----> Enter GPG encryption passphraise (appears in clear text): " PASS
|
||||
gpg -c --passphrase "$PASS" -o /etc/shadow.gpg /etc/shadow
|
||||
gpg -c --passphrase "$PASS" -o /etc/gshadow.gpg /etc/gshadow
|
||||
|
||||
unset PASS
|
||||
|
||||
# Create log archive directories and move old log files.
|
||||
echo "-> Archiving old logs..."
|
||||
[ ! -d /var/log/Archived ] && mkdir -m 750 /var/log/Archived
|
||||
[ ! -d /var/log/Archived/pre-bootstrapping ] && mkdir -m 750 /var/log/Archived/pre-bootstrapping
|
||||
mv /var/log/{btmp.*,{cron,debug,maillog,messages,secure,spooler,syslog}{,.*}} /var/log/Archived/pre-bootstrapping/
|
||||
|
||||
# Restart syslogd.
|
||||
echo "-> Restarting syslogd for new config..."
|
||||
/etc/rc.d/rc.syslog restart
|
||||
|
||||
# Restart ntpd.
|
||||
[ -x /etc/rc.d/rc.ntpd ] && echo "-> Restarting ntpd for new config..." && /etc/rc.d/rc.ntpd restart
|
||||
|
||||
# Restart sshd.
|
||||
echo "-> Restarting sshd for new config..."
|
||||
/etc/rc.d/rc.sshd restart
|
||||
|
||||
echo "-> Creating optional log files..."
|
||||
touch /var/log/sulog
|
||||
touch /var/log/fail2ban
|
||||
|
||||
# Add an rc.local_shutdown script if it doesn't exist already.
|
||||
[ ! -e /etc/rc.d/rc.local_shutdown ] && {
|
||||
echo "-> Creating rc.local_shutdown..."
|
||||
echo "#!/bin/bash" >/etc/rc.d/rc.local_shutdown
|
||||
echo "# /etc/rc.d/rc.local_shutdown - Local system shutdown script." >>/etc/rc.d/rc.local_shutdown
|
||||
echo "# This script will be run when the system is shutdown or rebooted." >>/etc/rc.d/rc.local_shutdown
|
||||
chmod 755 /etc/rc.d/rc.local_shutdown
|
||||
}
|
||||
|
||||
# Secure /var/log
|
||||
echo "-> Securing /var/log..."
|
||||
shopt -s globstar
|
||||
# Set standard access perms for directories
|
||||
setfacl -m user::rwx,group::rx,other::- /var/log/**/
|
||||
setfacl -m user::rwx,group::rx,other::x /var/log/
|
||||
# Set standard access perms for files
|
||||
find /var/log -type f -exec setfacl -m user::rw,group::r,other::- {} \;
|
||||
# Allow group 'admin' read access to all directories/files
|
||||
setfacl -m group:admin:rX /var/log/**/
|
||||
find /var/log -type f -exec setfacl -m group:admin:r {} \;
|
||||
# Set default access for new files in directories.
|
||||
setfacl -dm user::rwX,group::rX,other::- /var/log/**/
|
||||
setfacl -dm group:admin:rX /var/log/**/
|
||||
# /var/log/wtmp needs to be readable by everyone
|
||||
setfacl -m user::rw,group::r,other::r /var/log/wtmp
|
||||
|
||||
# Secure /root
|
||||
echo "-> Securing /root..."
|
||||
# Set standard access perms for files
|
||||
setfacl -m user::rwX,group::rX,other::- /root/**
|
||||
# Set standard access perms for directories
|
||||
setfacl -m user::rwx,group::rx,other::- /root/**/
|
||||
# Allow group 'admin' read access to all files/dirs
|
||||
setfacl -m group:admin:rX /root/**
|
||||
setfacl -m group:admin:rx /root/**/
|
||||
# Set default access for new files/dirs
|
||||
setfacl -dm user::rwX,group::rX,other::- /root/**/
|
||||
setfacl -dm group:admin:rX /root/**/
|
||||
|
||||
# Clean up some cruft.
|
||||
echo "-> Cleaning up..."
|
||||
rm -rf /etc/nntpserver /etc/lilo.conf_example
|
||||
rm -rf /usr/{local/games,local/man/cat*,man/cat*} /var/man
|
||||
|
||||
# Finally, check for FIXMEs.
|
||||
echo "-> There may be some FIXMEs to attend to:"
|
||||
while IFS=$'\n' read -r ITEM; do
|
||||
echo " -> $ITEM"
|
||||
done < <(grep -R FIXME /etc | egrep -v "^/etc/(\.git|file|magic|misc)")
|
||||
|
||||
echo "-> Bootstrap complete!"
|
||||
Loading…
Add table
Add a link
Reference in a new issue