Slackware/bootstrap
1
0
Fork 0
Code Releases Wiki Activity
bootstrap/02-system-setup

110 lines
3.9 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
# Re-generate root's password for longer hash.
passwd root
# Make Tadgy's account.
adduser tadgy
# Move the 'console' group. I dislike it above 100.
grep "^console:x:101:" /etc/group >/dev/null && groupmod -g 97 console
grpconv
# Add group 'admin', and make root and Tadgy a member.
grep "^admin:" /etc/group >/dev/null || groupadd -g 101 admin
usermod -aG admin root
usermod -aG admin tadgy
# Restrict access to 'logger', since it can be used to spam the logs.
chown root:admin /usr/bin/logger
chmod 750 /usr/bin/logger
# Copy ssh keys into place for root and tadgy.
mkdir -p -m 0700 /root/.ssh
cp authorized_keys /root/.ssh
mkdir -p -m 0700 /home/tadgy/.ssh
cp authorized_keys /home/tadgy/.ssh
chown -R tadgy:users /home/tadgy/.ssh
# Encrypt the databases so they can be checked into git.
echo "Encrypting /etc/shadow..."
gpg -c -o /etc/shadow.gpg /etc/shadow
echo "Encrypting /etc/gshadow..."
gpg -c -o /etc/gshadow.gpg /etc/gshadow
# Create /opt directories.
mkdir -p -m 755 {/opt,/opt/{bin,include,info,lib64,man,man/man{0..8},sbin,share}}
# Create log archive directories and move old log files.
[ ! -d /var/log/Archived/pre-sysconfig ] && {
mkdir -p -m 750 /var/log/Archived
mkdir -p -m 750 /var/log/Archived/pre-sysconfig
mv /var/log/{btmp.*,{cron,debug,maillog,messages,secure,spooler,syslog}{,.*}} /var/log/Archived/pre-sysconfig/ 2>/dev/null
}
# Stop syslog from producing a "MARK" every 20 minutes.
# -current 20200626 uses /etc/default now, this is not required.
# sed -i /etc/rc.d/rc.syslog -r -e '/^#SYSLOGD_OPTIONS/ s/#//' -e '/^SYSLOGD_OPTIONS/ s/"-c "$/"-c -m 0"/'
# Restart syslogd.
/etc/rc.d/rc.syslog restart
# Restart ntpd.
[ -x /etc/rc.d/rc.ntpd ] && /etc/rc.d/rc.ntpd restart
# Restart sshd.
/etc/rc.d/rc.sshd restart
# Keep an su'ers log.
touch /var/log/sulog
# Keep fail2ban logs.
touch /var/log/fail2ban
# Add an rc.local_shutdown script if it doesn't exist already.
[ ! -e /etc/rc.d/rc.local_shutdown ] && {
echo "#!/bin/sh" >/etc/rc.d/rc.local_shutdown
echo "# /etc/rc.d/rc.local_shutdown - Local system shutdown script." >>/etc/rc.d/rc.local_shutdown
echo "# This script will be run when the system is shutdown or rebooted." >>/etc/rc.d/rc.local_shutdown
chmod 755 /etc/rc.d/rc.local_shutdown
}
# To clear all ACLs:
# setfacl -Rk /path
# setfacl -Rd group:admin: /path
# setfacl -Rx mask:: /path
# Secure /var/log
# Set standard access perms for directories
setfacl -m user::rwx,group::rx,other::x /var/log/
setfacl -m user::rwx,group::rx,other::- /var/log/*/ /var/log/*/*/
# Set standard access perms for files
find /var/log -type f -exec setfacl -Rm user::rw,group::r,other::- {} \;
# Allow group 'admin' read access to all directories/files
setfacl -m group:admin:rX /var/log/ /var/log/*/ /var/log/*/*/
find /var/log -type f -exec setfacl -m group:admin:r {} \;
# Set default access for new files in directories.
setfacl -dm user::rwX,group::rX,other::- /var/log/ /var/log/*/ /var/log/*/*/
setfacl -dm group:admin:rX /var/log/ /var/log/*/ /var/log/*/*/
# /var/log/wtmp needs to be readable by everyone
setfacl -m user::rw,group::r,other::r /var/log/wtmp
# Secure /root
# Set standard access perms for directories
find /root -type d -exec setfacl -m user::rwx,group::rx,other::- {} \;
# Set standard access perms for files
find /root -type f -exec setfacl -m user::rwX,group::rX,other::- {} \;
# Allow group 'admin' read access to all files/dirs
find /root -type d -exec setfacl -m group:admin:rX {} \;
find /root -type f -exec setfacl -m group:admin:rX {} \;
# Set default access for new files/dirs
find /root -type d -exec setfacl -dm user::rwX,group::rX,other::- {} \;
find /root -type d -exec setfacl -dm group:admin:rX {} \;
# Clean up some cruft.
rm -rf /etc/nntpserver /etc/lilo.conf_example
rm -rf /usr/{local/games,local/man/cat*,man/cat*} /var/man
# Finally, check for FIXMEs.
echo "There may be some FIXMEs to attend to:"
grep -R FIXME /etc | egrep -v "^/etc/(\.git|file|magic|misc)"
View git blame Copy permalink