#!/bin/bash
|
|
###########################################################################################
|
|
# Debian Bookworm VPS Hardening Setup Script V5.0.384.2024.08.06 #
|
|
###########################################################################################
|
|
# Copyright (c) 2019 - 2024, Marc Weidner, Centurion Intelligence Consulting Agency #
|
|
# https://coresecret.eu/ #
|
|
# Licensed under the EUROPEAN UNION PUBLIC LICENCE v. 1.2 https://eupl.eu/1.2/en/ #
|
|
###########################################################################################
|
|
# https://keys.openpgp.org/vks/v1/by-fingerprint/A6D46A56AE17A185AB0F6DB77095A8A13CBE0FA3 #
|
|
# Fingerprint A6D4 6A56 AE17 A185 AB0F 6DB7 7095 A8A1 3CBE 0FA3 ## valid till: 01.01.2031 #
|
|
###########################################################################################
|
|
# Module: exdo_bootencryption_luks2 #
|
|
###########################################################################################
|
|
# shellcheck disable=SC2129 disable=SC2162
# Strict-mode switches for this module. Note that the traps installed later are only
# useful if these stay in effect, so nothing below re-enables history.
set -e            # errexit   - abort on the first failing command
set -u            # nounset   - expanding an unset variable is an error
set -o pipefail   # a pipeline fails if any of its stages fails
set -C            # noclobber - '>' refuses to overwrite an existing file ('>>' still appends)
set +o history    # no command history while the module runs, so nothing sensitive is recorded
|
|
|
|
###########################################################################################
|
|
# Remarks: Error Handling #
|
|
###########################################################################################
|
|
# shellcheck disable=SC2317 disable=SC2329
|
|
exdo_handle_sigint () {
    # SIGINT (Ctrl-C) trap installed by exdo_catch_err.
    # Positional parameters, as passed by the trap line: $1 exit status, $2 line number,
    # $3 command being executed ($BASH_COMMAND), $4 module name ($MODULE_ERR), $5 shell PID.
    # $1 and $2 are received but not reported.
    # Globals: LOG_ERR (appended), LOG_DBG and HANDLER_DBG (read). Always exits with status 2.
    local signal_no="2"
    local prefix="exdo_bootencryption_luks2 terminated by User : "
    local detail="'$signal_no' received in script: '$0' while executing: '$3' in module: '$4' | PID: '$5' EOL"

    date >> "$LOG_ERR"
    echo ""

    # The debug-log hint only makes sense when the caller switched debug logging on.
    if [ "$HANDLER_DBG" = 1 ]; then
        echo -e "\033[33m${prefix}cat $LOG_DBG for more information \033[0m"
    fi

    # Terminal: where to look, then what was interrupted.
    echo -e "\033[33m${prefix}cat $LOG_ERR for more information \033[0m"
    echo -e "\033[33m${prefix}${detail} \033[0m"

    # Error log: same detail line, with the banner prefix used throughout the suite.
    echo -e "\033[33m++++ ++++ ++++ ++++ ++++ ++++ ++ ${prefix}${detail} \033[0m" >>"$LOG_ERR"

    exit 2
}
|
|
|
|
# shellcheck disable=SC2317 disable=SC2329
|
|
exdo_handle_sigterm () {
    # SIGTERM trap installed by exdo_catch_err.
    # Positional parameters, as passed by the trap line: $1 exit status, $2 line number,
    # $3 command being executed ($BASH_COMMAND), $4 module name ($MODULE_ERR), $5 shell PID.
    # $1 and $2 are received but not reported.
    # Globals: LOG_ERR (appended), LOG_DBG and HANDLER_DBG (read). Always exits with status 15.
    local signal_no="15"
    local prefix="exdo_bootencryption_luks2 exited by SIGTERM : "
    local detail="'$signal_no' received in script: '$0' while executing: '$3' in module: '$4' | PID: '$5' EOL"

    date >> "$LOG_ERR"
    echo ""

    # The debug-log hint only makes sense when the caller switched debug logging on.
    if [ "$HANDLER_DBG" = 1 ]; then
        echo -e "\033[31m${prefix}cat $LOG_DBG for more information \033[0m"
    fi

    # Terminal: where to look, then what was interrupted.
    echo -e "\033[31m${prefix}cat $LOG_ERR for more information \033[0m"
    echo -e "\033[31m${prefix}${detail} \033[0m"

    # Error log: same detail line, with the banner prefix used throughout the suite.
    echo -e "\033[31m++++ ++++ ++++ ++++ ++++ ++++ ++ ${prefix}${detail} \033[0m" >>"$LOG_ERR"

    exit 15
}
|
|
|
|
exdo_catch_err() {
    # Installs this module's SIGINT and SIGTERM traps.
    # The handler arguments are kept literal here (single quotes) so that $?, $LINENO,
    # $BASH_COMMAND, $MODULE_ERR and $$ are expanded when the signal arrives, not now.
    local handler_args='$? $LINENO "$BASH_COMMAND" "$MODULE_ERR" "$$"'

    trap "exdo_handle_sigint ${handler_args}" SIGINT
    trap "exdo_handle_sigterm ${handler_args}" SIGTERM
}
|
|
|
|
###########################################################################################
|
|
# Remarks: exdo_bootencryption_luks2 #
|
|
###########################################################################################
|
|
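exdo_bootencryption_luks2() {
    # Re-creates the partition behind /boot as a LUKS2 container (PBKDF2, so GRUB can unlock it),
    # restores the previous /boot contents into it and re-installs GRUB with cryptodisk support.
    #
    # Globals read : LOG_INS, LOG_ERR, SLEEPTIMER (provided by the calling hardening script).
    # Side effects : DESTRUCTIVE - the block device behind /boot is wiped by luksFormat.
    #                Edits /etc/crypttab, /etc/fstab (+ /etc/fstab.defaults and /etc/fstab.hardened
    #                when present), /etc/default/grub and, on UEFI systems,
    #                /etc/modprobe.d/30-cendev-hardening.conf. Leaves a tar backup of /boot and a
    #                LUKS2 header backup under /root/hardening/backup.
    # Returns      : 0 on success, 1 when a precondition fails (no separate /boot block device, or
    #                /boot already encrypted). Interactive: the operator confirms every risky step.
    #
    # ! WARNING ! GRUB uses the US keyboard layout by default when it asks for the passphrase !
    #
    # PBKDF2 is used because GRUB (2.12) cannot unlock Argon2-based LUKS2 headers; PBKDF2 is the
    # weaker KDF against offline brute force, so a long passphrase matters here.
    # grub-common (2.12-1~bpo12+1) from bookworm-backports is required for LUKS2 at boot time.
    # https://wiki.archlinux.org/title/GRUB#Encrypted_/boot
    # https://wiki.archlinux.org/title/GRUB#LUKS2
    # https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system
    local backup_dir="/root/hardening/backup"
    local hardening_modprobe="/etc/modprobe.d/30-cendev-hardening.conf"

    clear

    _exdo_luks2_log 33 "Encryption of /boot with LUKS2 - ..."

    exdo_catch_err

    # bookworm-backports must be enabled in the apt sources; otherwise apt fails and errexit aborts.
    /usr/bin/apt install -t bookworm-backports grub-common -y

    ###########################################################################################
    # Remarks: Generating helper variables and checking preconditions                          #
    ###########################################################################################
    local EFI_SETUP="N"
    if findmnt -n /boot/efi >/dev/null 2>&1; then
        EFI_SETUP="Y"
    fi
    readonly EFI_SETUP

    local BOOT_IS_ON
    BOOT_IS_ON=$(findmnt -n -o SOURCE /boot) || BOOT_IS_ON=""
    readonly BOOT_IS_ON

    local root_dev
    root_dev=$(findmnt -n -o SOURCE /)

    # luksFormat wipes whatever BOOT_IS_ON points to, so it must be a real, separate block
    # device: a bind mount or a btrfs subvolume is reported as '/dev/xxx[/path]' and fails the
    # -b test, and a /boot that lives on the root filesystem must never be formatted.
    if [ -z "$BOOT_IS_ON" ] || [ ! -b "$BOOT_IS_ON" ] || [ "$BOOT_IS_ON" = "$root_dev" ]; then
        _exdo_luks2_err "/boot is not on a separate block device (found: '$BOOT_IS_ON'), refusing to continue"
        return 1
    fi

    # Re-running this module would otherwise format the already encrypted device.
    if [ -e /dev/mapper/crypt_boot ] || cryptsetup isLuks "$BOOT_IS_ON" 2>/dev/null; then
        _exdo_luks2_err "/boot already appears to be LUKS encrypted ($BOOT_IS_ON / crypt_boot), refusing to continue"
        return 1
    fi

    # Device that receives the GRUB boot code: the parent disk of the /boot partition as reported
    # by lsblk, which handles sdX, vdX and nvmeXnYpZ naming alike.
    local INSTALL_GRUB_ON
    local parent_dev
    parent_dev=$(lsblk -no PKNAME "$BOOT_IS_ON" 2>/dev/null | sed -n '1p') || parent_dev=""
    if [ -n "$parent_dev" ] && [ -b "/dev/$parent_dev" ]; then
        INSTALL_GRUB_ON="/dev/$parent_dev"
    else
        # Historical fallback (/dev/sdXN -> /dev/sdX); wrong for other naming schemes, which is
        # why the operator is asked to confirm the device before grub-install runs.
        INSTALL_GRUB_ON="${BOOT_IS_ON:0:8}"
    fi
    readonly INSTALL_GRUB_ON

    local UUID_OLD_BOOT
    UUID_OLD_BOOT=$(blkid -o value -s UUID "$BOOT_IS_ON")
    readonly UUID_OLD_BOOT

    local FS_OLD_BOOT
    FS_OLD_BOOT=$(findmnt -n -o FSTYPE /boot)
    readonly FS_OLD_BOOT

    local EFI_BOOT_IS_ON=""
    if [ "$EFI_SETUP" = "Y" ]; then
        # The ESP is FAT; the hardening module blacklists fat, which must be undone for UEFI.
        if [ -f "$hardening_modprobe" ]; then
            sed -i 's/install fat \/bin\/true/# install fat \/bin\/true/' "$hardening_modprobe"
            sed -i 's/blacklist fat/# blacklist fat/' "$hardening_modprobe"
        fi
        EFI_BOOT_IS_ON=$(findmnt -n -o SOURCE /boot/efi)
    fi
    readonly EFI_BOOT_IS_ON

    echo ""
    lsblk
    echo ""
    _exdo_luks2_log 33 "/boot is on $BOOT_IS_ON"
    if [ "$EFI_SETUP" = "Y" ]; then
        _exdo_luks2_log 33 "/boot/efi is on $EFI_BOOT_IS_ON"
        echo ""
        _exdo_luks2_pause "Please verify that /boot & /boot/efi are on the shown devices, press 'ENTER' to continue"
    else
        echo ""
        _exdo_luks2_pause "Please verify that /boot is on the shown device, press 'ENTER' to continue"
    fi

    ###########################################################################################
    # Remarks: ro mount, backup and unmount of /boot /boot/efi                                 #
    ###########################################################################################
    # The backup lives in root's hardening directory, not in world-writable /tmp: until the
    # restore below succeeds it is the only copy of the kernels and initramfs images.
    mkdir -p "$backup_dir"
    local boot_backup
    boot_backup=$(mktemp "$backup_dir/boot.before.luks2.XXXXXXXX.tar")
    readonly boot_backup

    mount -o remount,ro /boot
    # --one-file-system keeps the ESP (mounted below /boot) out of the archive; it is not touched.
    tar -C /boot --acls --xattrs --one-file-system -cf "$boot_backup" .
    _exdo_luks2_log 33 "Backup of /boot written to $boot_backup"
    if [ "$EFI_SETUP" = "Y" ]; then
        umount /boot/efi
    fi
    umount /boot

    ###########################################################################################
    # Remarks: encryption of /boot partition                                                   #
    ###########################################################################################
    while true; do
        # cryptsetup asks for its own confirmation and the passphrase; a refused or failed format
        # must not abort the script - the operator decides below whether to retry.
        set +e
        cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 "$BOOT_IS_ON" 2>&1
        set -e
        echo ""
        if _exdo_luks2_confirm "LUKS2 setup correct? Please confirm: 'Yes' | 'No'"; then
            # Do not take the operator's word for it: the following steps need a LUKS2 header.
            if cryptsetup isLuks --type luks2 "$BOOT_IS_ON"; then
                echo ""
                _exdo_luks2_log 32 "LUKS2 setup correct. Proceeding with Setup."
                echo ""
                break
            fi
            echo ""
            _exdo_luks2_err "$BOOT_IS_ON carries no LUKS2 header, luksFormat did not succeed. Try again:"
            echo ""
            continue
        fi
        echo ""
        _exdo_luks2_log 33 "LUKS2 setup NOT correct. Try again:"
        echo ""
    done

    ###########################################################################################
    # Remarks: header backup, crypttab, filesystem and mount                                   #
    ###########################################################################################
    local UUID_NEW_BOOT
    UUID_NEW_BOOT=$(blkid -o value -s UUID "$BOOT_IS_ON")
    readonly UUID_NEW_BOOT

    _exdo_luks2_log 32 "encrypted $BOOT_IS_ON has the new UUID=$UUID_NEW_BOOT"
    sleep "$SLEEPTIMER"

    # A header backup is the only way to recover the container if the on-disk header is damaged.
    # It also keeps every passphrase it contains valid even after luksRemoveKey on the live
    # device, so the file is a secret: keep it 0600 here and move it off the machine.
    local header_backup="$backup_dir/luks2-header.boot.${UUID_NEW_BOOT}.img"
    cryptsetup luksHeaderBackup "$BOOT_IS_ON" --header-backup-file "$header_backup"
    chmod 0600 "$header_backup"
    _exdo_luks2_log 33 "LUKS2 header backup written to $header_backup - store it offline"

    if [ -f /etc/crypttab ]; then
        cp -a /etc/crypttab "$backup_dir/crypttab.before.boot_luks2"
        chmod 0640 "$backup_dir/crypttab.before.boot_luks2"
    fi
    # 'none' = no key file: GRUB unlocks /boot for itself, and the running system asks for the
    # passphrase once more when it mounts /boot. A key file on the root filesystem would remove
    # the second prompt; that trade-off is left to the operator.
    printf '\n%s\n%s\n\n' \
        "##### Added by hardening.sh - Module: exdo_bootencryption_luks2 #####" \
        "crypt_boot UUID=$UUID_NEW_BOOT none luks,discard" >>/etc/crypttab

    cryptdisks_start crypt_boot 2>&1
    # Re-using the old filesystem UUID keeps the existing fstab entry for /boot valid.
    mkfs.ext4 -m0 -U "$UUID_OLD_BOOT" /dev/mapper/crypt_boot

    if [ "$FS_OLD_BOOT" != "ext4" ]; then
        local fstab_file
        for fstab_file in /etc/fstab /etc/fstab.defaults /etc/fstab.hardened; do
            [ -f "$fstab_file" ] || continue
            # Only the /boot entry changes type. A global s/<old>/ext4/ would also rewrite every
            # other mount using the same filesystem (e.g. an xfs root) and leave the box unbootable.
            sed -i -E "\|^[^#]*[[:space:]]/boot[[:space:]]|s/([[:space:]])${FS_OLD_BOOT}([[:space:]])/\1ext4\2/" "$fstab_file"
        done
    fi

    mount -v /boot
    systemctl daemon-reload

    ###########################################################################################
    # Remarks: Restoring saved files, /boot/efi, final GRUB preparation                        #
    ###########################################################################################
    tar -C /boot --acls --xattrs -xf "$boot_backup"

    if [ "$EFI_SETUP" = "Y" ]; then
        mount -v /boot/efi
    fi

    # Set the key in place instead of appending another copy on every run.
    if grep -q '^GRUB_ENABLE_CRYPTODISK=' /etc/default/grub; then
        sed -i 's/^GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/' /etc/default/grub
    else
        printf '%s\n' 'GRUB_ENABLE_CRYPTODISK=y' >>/etc/default/grub
    fi
    update-grub

    echo ""
    lsblk
    echo ""
    _exdo_luks2_log 33 "Install GRUB on device: $INSTALL_GRUB_ON"
    echo ""
    _exdo_luks2_pause "Please check that GRUB will be installed on the correct device, press 'ENTER' to continue"

    grub-install "$INSTALL_GRUB_ON"

    _exdo_luks2_log 32 "Encryption of /boot with LUKS2 - done"
    sleep "$SLEEPTIMER"
    clear
}

# Timestamps $LOG_INS, then prints a coloured banner line to the terminal and appends it to
# $LOG_INS - the logging format used throughout the hardening suite.
# $1 - ANSI colour number (32 green, 33 yellow, 31 red); $2 - message text.
_exdo_luks2_log() {
    local colour="$1" text="$2"
    date >>"$LOG_INS"
    echo -e "\033[${colour}m++++ ++++ ++++ ++++ ++++ ++++ ++ ${text} \033[0m" | tee -a "$LOG_INS"
}

# Same as _exdo_luks2_log but red and written to $LOG_ERR instead of $LOG_INS.
# $1 - message text.
_exdo_luks2_err() {
    date >>"$LOG_ERR"
    echo -e "\033[31m++++ ++++ ++++ ++++ ++++ ++++ ++ $1 \033[0m" | tee -a "$LOG_ERR"
}

# Logs a prompt and blocks until the operator presses ENTER.
# $1 - prompt text.
_exdo_luks2_pause() {
    _exdo_luks2_log 33 "$1"
    read -r
}

# Asks a Yes/No question until a recognised answer is given; every answer is logged.
# $1 - question text. Returns 0 for Yes, 1 for No.
_exdo_luks2_confirm() {
    local answer
    while true; do
        _exdo_luks2_log 33 "$1"
        read -r answer
        date >>"$LOG_INS"
        echo "$answer" >>"$LOG_INS"
        case "$answer" in
            Yes | yes | Y | y) return 0 ;;
            No | no | N | n) return 1 ;;
            *) echo -e "\033[33mPlease type 'Yes' or 'No'\033[0m" | tee -a "$LOG_INS" ;;
        esac
    done
}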
|