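#!/bin/bash
#
# One-shot post-install hardening for a fresh Slackware box.
#
# Run once, as root, from the directory that holds the 'authorized_keys'
# file to install.  In order it: resets root's password, creates the
# 'tadgy' account, moves the 'console' group below gid 100 and adds an
# 'admin' group, restricts /usr/bin/logger, installs ssh keys, encrypts
# /etc/shadow and /etc/gshadow for check-in to git, archives the logs
# written before this configuration, restarts syslogd/ntpd/sshd, seeds a
# few log files, adds rc.local_shutdown, locks down /var/log and /root
# with POSIX ACLs, removes some cruft and lists leftover FIXMEs in /etc.
#
# Deliberately not 'set -e': several steps are best-effort (see comments).

# Sanity checks first, before anything interactive or destructive runs.
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root." >&2
  exit 1
fi
# Without the key file we would go on to restart sshd with no keys
# installed, which may lock us out if password logins are disabled.
if [ ! -f authorized_keys ]; then
  echo "authorized_keys not found in $(pwd); run from the config directory." >&2
  exit 1
fi

# Re-generate root's password for longer hash.
echo "Set a password for root:"
passwd root

# Make Tadgy's account.
adduser tadgy

# Move the 'console' group. I dislike it above 100.
grep -q "^console:x:101:" /etc/group && groupmod -g 97 console
grpconv

# Add group 'admin', and make root and Tadgy a member.
grep -q "^admin:" /etc/group || groupadd -g 101 admin
usermod -aG admin root
usermod -aG admin tadgy

# Restrict access to 'logger', since it can be used to spam the logs.
# NOTE: this only removes the convenience binary; anything that can open
# the syslog socket directly can still write to the logs.
chown root:admin /usr/bin/logger
chmod 750 /usr/bin/logger

# Copy ssh keys into place for root and tadgy.
# 'mkdir -m' only applies to a directory it creates, so the mode is
# re-applied explicitly, and authorized_keys is kept at 0600 so sshd's
# StrictModes check does not reject it.
#   $1 - owner[:group] for the .ssh tree
#   $2 - home directory
install_keys() {
  local owner=$1 home=$2
  mkdir -p -m 0700 "$home/.ssh"
  cp authorized_keys "$home/.ssh/authorized_keys"
  chmod 0700 "$home/.ssh"
  chmod 0600 "$home/.ssh/authorized_keys"
  chown -R "$owner" "$home/.ssh"
}
install_keys root:root /root
install_keys tadgy:users /home/tadgy

# Encrypt the databases so they can be checked into git.
# 'gpg -c' is passphrase-only symmetric encryption: once the .gpg files
# are in a repository the ciphertext can be attacked offline indefinitely,
# so use a long passphrase.  gpg does not promise a restrictive mode on
# its output file, so force 0600 after a successful run.
echo "Encrypting /etc/shadow..."
gpg -c -o /etc/shadow.gpg /etc/shadow && chmod 0600 /etc/shadow.gpg
echo "Encrypting /etc/gshadow..."
gpg -c -o /etc/gshadow.gpg /etc/gshadow && chmod 0600 /etc/gshadow.gpg

# Create log archive directories and move old log files.  Done only once:
# an existing archive means the logs were moved on a previous run.  Not
# every log file exists on every box, hence the silenced 'mv' errors.
archive=/var/log/Archived/pre-sysconfig
if [ ! -d "$archive" ]; then
  mkdir -p -m 750 /var/log/Archived
  mkdir -p -m 750 "$archive"
  mv /var/log/{btmp.*,{cron,debug,maillog,messages,secure,spooler,syslog}{,.*}} \
    "$archive/" 2>/dev/null
fi

# Stop syslog from producing a "MARK" every 20 minutes.
# -current 20200626 uses /etc/default now, this is not required.
# sed -i /etc/rc.d/rc.syslog -r -e '/^#SYSLOGD_OPTIONS/ s/#//' -e '/^SYSLOGD_OPTIONS/ s/"-c "$/"-c -m 0"/'

# Restart syslogd.
/etc/rc.d/rc.syslog restart

# Restart ntpd (only if it is installed and enabled).
[ -x /etc/rc.d/rc.ntpd ] && /etc/rc.d/rc.ntpd restart

# Restart sshd.
/etc/rc.d/rc.sshd restart

# Keep an su'ers log.  (Permissions are set by the /var/log ACL pass below.)
touch /var/log/sulog

# Keep fail2ban logs.
touch /var/log/fail2ban

# Add an rc.local_shutdown script if it doesn't exist already.
if [ ! -e /etc/rc.d/rc.local_shutdown ]; then
  cat >/etc/rc.d/rc.local_shutdown <<'EOF'
#!/bin/sh
# /etc/rc.d/rc.local_shutdown - Local system shutdown script.
# This script will be run when the system is shutdown or rebooted.
EOF
  chmod 755 /etc/rc.d/rc.local_shutdown
fi

# To clear all ACLs:
#   setfacl -Rk /path
#   setfacl -Rd group:admin: /path
#   setfacl -Rx mask:: /path

# Secure /var/log.
# /var/log itself keeps other::x so the world-readable files in it (wtmp,
# below) stay reachable; every directory beneath it is closed to 'other'.
setfacl -m user::rwx,group::rx,other::x /var/log/
# Subdirectories: walk with find, like the /root section, rather than a
# fixed-depth glob that hands setfacl an unexpanded pattern when a level
# has no directories.
find /var/log -mindepth 1 -type d -exec setfacl -m user::rwx,group::rx,other::- {} +
# Set standard access perms for files.
find /var/log -type f -exec setfacl -m user::rw,group::r,other::- {} +
# Allow group 'admin' read access to all directories/files.
setfacl -m group:admin:rX /var/log/
find /var/log -mindepth 1 -type d -exec setfacl -m group:admin:rX {} +
find /var/log -type f -exec setfacl -m group:admin:r {} +
# Set default access for new files in directories.
find /var/log -type d -exec setfacl -dm user::rwX,group::rX,other::- {} +
find /var/log -type d -exec setfacl -dm group:admin:rX {} +
# /var/log/wtmp needs to be readable by everyone.
setfacl -m user::rw,group::r,other::r /var/log/wtmp

# Secure /root.
# Set standard access perms for directories.
find /root -type d -exec setfacl -m user::rwx,group::rx,other::- {} +
# Set standard access perms for files ('X' keeps execute only where a file
# already has it, so scripts in /root stay runnable).
find /root -type f -exec setfacl -m user::rwX,group::rX,other::- {} +
# Allow group 'admin' read access to all files/dirs.
find /root -type d -exec setfacl -m group:admin:rX {} +
find /root -type f -exec setfacl -m group:admin:rX {} +
# Set default access for new files/dirs.
find /root -type d -exec setfacl -dm user::rwX,group::rX,other::- {} +
find /root -type d -exec setfacl -dm group:admin:rX {} +

# Clean up some cruft.
rm -rf /etc/nntpserver /etc/lilo.conf_example
rm -rf /usr/{local/games,local/man/cat*,man/cat*} /var/man

# Finally, check for FIXMEs.
echo "There may be some FIXMEs to attend to:"
grep -R FIXME /etc | grep -E -v "^/etc/(\.git|file|magic|misc)"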