
#!/bin/bash
###########################################################################################
# Debian Bookworm VPS Hardening Setup Script V5.0.768.2024.08.08 #
###########################################################################################
# Copyright (c) 2019 - 2024, Marc Weidner, Centurion Intelligence Consulting Agency #
# https://coresecret.eu/ #
# Licensed under the EUROPEAN UNION PUBLIC LICENCE v. 1.2 https://eupl.eu/1.2/en/ #
###########################################################################################
# https://keys.openpgp.org/vks/v1/by-fingerprint/A6D46A56AE17A185AB0F6DB77095A8A13CBE0FA3 #
# Fingerprint A6D4 6A56 AE17 A185 AB0F 6DB7 7095 A8A1 3CBE 0FA3 ## valid till: 01.01.2031 #
###########################################################################################
# Module: exdo_ephemeral_tmp #
###########################################################################################
# shellcheck disable=SC2129 disable=SC2162
# Fail fast and leak nothing: errexit (-e), nounset (-u), pipefail and
# noclobber (-C) on, so a failing command, an unset variable, a failing
# pipeline stage or an accidental ">" over an existing file stops the run;
# command history off so no sensitive value is recorded.
set -eu -o pipefail -C
set +o history
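#######################################
# Append a timestamp to the install log and print one coloured status line to
# the terminal and the log.
# Globals:   LOG_INS (appended to)
# Arguments: $1 - ANSI SGR colour code (33 = yellow, 32 = green, 31 = red)
#            $2 - message text
# Outputs:   the status line on stdout and in $LOG_INS
#######################################
_exdo_etmp_say() {
  local color=$1 msg=$2
  date >>"$LOG_INS"
  printf '\033[%sm++++ ++++ ++++ ++++ ++++ ++++ ++ %s\033[0m\n' "$color" "$msg" | tee -a "$LOG_INS"
}

#######################################
# Copy a config file into the hardening backup directory before it is edited.
# Arguments: $1 - absolute path of the file to back up
# Outputs:   /root/hardening/backup/<basename>.before.etmp, mode 0640
#######################################
_exdo_etmp_backup() {
  local file=$1
  local backup="/root/hardening/backup/${file##*/}.before.etmp"
  cp -a -- "$file" "$backup"
  chmod 0640 -- "$backup"
}

#######################################
# Replace the /tmp entry of an fstab-style file with the line given.
# Only an entry whose mount-point (second) field is exactly /tmp is removed,
# so /var/tmp, /srv/tmp or any other path that merely contains "/tmp" is kept
# and comment lines are left alone. A marker line written by an earlier run
# of this module is removed too, which makes the function safe to re-run.
# Arguments: $1 - path of the fstab-style file, edited in place
#            $2 - the complete fstab line to append
#######################################
_exdo_etmp_set_entry() {
  local file=$1 entry=$2
  sed -i -E \
    -e '/^##### Added by hardening\.sh - Module: exdo_ephemeral_tmp #####$/d' \
    -e '/^[[:space:]]*[^#[:space:]]+[[:space:]]+\/tmp([[:space:]]|$)/d' -- "$file"
  printf '%s\n' '##### Added by hardening.sh - Module: exdo_ephemeral_tmp #####' "$entry" >>"$file"
}

#######################################
# Install an ephemeral, randomly keyed encrypted /tmp on the partition named in
# EPHEMERAL_TMP_PARTITION: label the partition, register a dm-crypt mapping in
# /etc/crypttab, point /tmp at the mapping in the three fstab variants and add
# a systemd unit that restores mode 1777 on /tmp after every boot.
# Globals:   EPHEMERAL_TMP_PARTITION (read) - device name below /dev
#            LOG_INS (written)              - install log path
#            SLEEPTIMER (read)              - seconds to pause before returning
# Arguments: none
# Outputs:   progress lines on stdout and in $LOG_INS; the interactive
#            confirmation prompt is read from stdin
# Returns:   1 when the target is not a block device or mkfs.ext4 fails - in
#            both cases before any boot-relevant file has been touched;
#            0 otherwise
#######################################
exdo_ephemeral_tmp() {
  local target="/dev/$EPHEMERAL_TMP_PARTITION"
  local hardened_entry='/dev/mapper/crypt_ephemeral_tmp /tmp ext4 defaults,rw,nodev,nosuid,noexec,relatime 0 0'
  local default_entry='/dev/mapper/crypt_ephemeral_tmp /tmp ext4 defaults 0 0'
  local fstab

  clear
  _exdo_etmp_say 33 'Initalizing Ephemeral /tmp - ...'
  printf '\n'
  lsblk
  printf '\n'
  _exdo_etmp_say 33 "Ephemeral /tmp will be installed on $EPHEMERAL_TMP_PARTITION "
  printf '\n'
  # Fail before anything is written: with a mistyped partition name the
  # crypttab/fstab entries below would reference a label that never exists and
  # the next boot would stall on mounting /tmp.
  if [[ ! -b "$target" ]]; then
    _exdo_etmp_say 31 "$target is not a block device - ephemeral /tmp setup aborted"
    return 1
  fi
  _exdo_etmp_say 33 "Please confirm, press 'ENTER' to continue "
  read -r _

  # The label is what the crypttab entry resolves at boot. The 1M size keeps
  # the labelled filesystem at the very start of the partition, ahead of the
  # offset=2048 at which the encrypted mapping starts - presumably so the label
  # survives the mapping being re-created on every boot; confirm before
  # changing either value. A failure here used to be ignored; it now aborts so
  # no boot-relevant file is rewritten against a label that was never set.
  if ! mkfs.ext4 -L crypt_tmp_ephem "$target" 1M; then
    _exdo_etmp_say 31 "mkfs.ext4 on $target failed - ephemeral /tmp setup aborted"
    return 1
  fi

  _exdo_etmp_backup /etc/crypttab
  # Drop a mapping left by an earlier run so re-running does not stack duplicates.
  sed -i '/^crypt_ephemeral_tmp[[:space:]]/d' /etc/crypttab
  # tmp=ext4: systemd-cryptsetup formats the freshly keyed mapping on each boot.
  printf '%s\n' \
    '##### Added by hardening.sh - Module: exdo_ephemeral_tmp #####' \
    'crypt_ephemeral_tmp LABEL=crypt_tmp_ephem /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4' \
    >>/etc/crypttab

  for fstab in /etc/fstab /etc/fstab.defaults /etc/fstab.hardened; do
    _exdo_etmp_backup "$fstab"
  done
  _exdo_etmp_set_entry /etc/fstab "$hardened_entry"
  _exdo_etmp_set_entry /etc/fstab.defaults "$default_entry"
  _exdo_etmp_set_entry /etc/fstab.hardened "$hardened_entry"

  ###########################################################################################
  # Remarks: Set 1777 permissions on /tmp on each boot #
  ###########################################################################################
  # The filesystem on the mapping is new on every boot, so the sticky
  # world-writable mode has to be re-applied after tmp.mount. ">|" overrides
  # noclobber so a re-run rewrites the unit instead of appending a second copy.
  cat <<'EOF' >|/etc/systemd/system/tmp-permissions.service
[Unit]
Description=Set permissions for /tmp
After=tmp.mount
[Service]
Type=oneshot
ExecStart=/bin/chmod 1777 /tmp
RemainAfterExit=true
[Install]
WantedBy=multi-user.target
EOF
  systemctl enable tmp-permissions.service

  _exdo_etmp_say 32 'Initalizing Ephemeral /tmp - done'
  sleep "$SLEEPTIMER"
  clear
}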