diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh
index d0fe202..77d6a6a 100644
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
@@ -23,59 +23,120 @@ guard_sourcing # VAR_SSHPUBKEY # VAR_WORKDIR # Arguments: -# None +# None ####################################### hardening_ultra() { # shellcheck disable=SC2164 cd "${VAR_WORKDIR}" + + ### ./config/bootloaders printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n" + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config" + else + cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config" + fi + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n" + + ### ./config/includes.chroot_after_packages + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot_after_packages ... \e[0m\n" + + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot_after_packages" ]]; then + + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot_after_packages" + cp -af ./config/includes.chroot_after_packages "${VAR_HANDLER_BUILD_DIR}/config" + + else + + cp -af ./config/includes.chroot_after_packages "${VAR_HANDLER_BUILD_DIR}/config" + + fi + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot_after_packages done.\e[0m\n" + + + ### ./config/includes.binary printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n" + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config" + else + cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config" + fi + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n" - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n" - if [[ ! 
-d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then - mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" - cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks" - else - cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks" - fi - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n" - - if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n" - if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then - mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" - cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks" - else - cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks" - fi - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n" - fi + ### ./config/includes.chroot printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n" + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config" + else + cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config" + fi + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n" + + ### ./config/hooks/early + if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then + + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n" + + if [[ ! 
-d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then + + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" + cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks" + + else + + cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks" + + fi + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n" + + fi + + + ### ./config/hooks/live + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n" + + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then + + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" + cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks" + + else + + cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks" + + fi + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n" + + + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n" if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists" @@ -98,6 +159,7 @@ hardening_ultra() { esac declare pkgs + # shellcheck disable=SC2312 mapfile -t pkgs < <( grep -v '^\s*#' "${arch_list}" | sed '/^\s*$/d' ) @@ -140,6 +202,7 @@ hardening_ultra() { declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" declare line + # shellcheck disable=SC2312 line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) if [[ -z "${line}" ]]; then 
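Review bot: In every new copy block the `then` and `else` branches run the identical `cp -af`, so the `[[ ! -d … ]]` test only decides whether `mkdir -p` runs first, and none of the six copies checks its result; unless the sourcing script runs with `set -e`, a failed copy of `includes.chroot` or `hooks/live` is reported only on stderr while the function carries on to the `sed -i` edits of `etc/ssh/sshd_config` and the ufw hook further down. The six hand-expanded blocks differ only in the subtree name and destination parent, so a small helper that creates the parent, copies, and fails loudly would remove the duplicated branches and give every copy the same error handling. The `hooks/early` copy keeps its existence test on the source, which the helper call preserves below. hardening_ultra continues past the end of this hunk.
```shell
# Copy ./config/<sub> into <dest_parent> inside the build dir; the parent is
# created on demand and a failed copy aborts instead of being ignored.
copy_config_tree() {
  local sub=$1 dest_parent=$2
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/%s ... \e[0m\n" "${sub}"
  mkdir -p -- "${dest_parent}" || return 1
  cp -af -- "./config/${sub}" "${dest_parent}" || return 1
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/%s done.\e[0m\n" "${sub}"
}

# … in hardening_ultra(), after cd "${VAR_WORKDIR}", replacing the six copy blocks:
copy_config_tree bootloaders "${VAR_HANDLER_BUILD_DIR}/config" || return 1
copy_config_tree includes.chroot_after_packages "${VAR_HANDLER_BUILD_DIR}/config" || return 1
copy_config_tree includes.binary "${VAR_HANDLER_BUILD_DIR}/config" || return 1
copy_config_tree includes.chroot "${VAR_HANDLER_BUILD_DIR}/config" || return 1
if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
  copy_config_tree hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks" || return 1
fi
copy_config_tree hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks" || return 1
# … unchanged: package-lists copy and the rest of hardening_ultra …
```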
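Review bot: The added `# shellcheck disable=SC2312` above `mapfile -t pkgs < <(grep -v '^\s*#' "${arch_list}" | sed …)` silences exactly the failure that matters here: if `${arch_list}` is missing or unreadable, grep's error goes only to stderr and `pkgs` is silently empty, so the hardened image's package list is quietly skipped. A guard before the mapfile, `[[ -r "${arch_list}" ]] || { printf 'package list not readable: %s\n' "${arch_list}" >&2; return 1; }`, makes the directive honest; hardening_ultra continues outside the hunk, so a later emptiness check on `pkgs` may already exist and would then be redundant. The same directive is added on the `line=$(grep … | cut …)` pipelines in the hunks at -140 and -171, where the following `[[ -z "${line}" ]]` test already covers a failed grep, and at -204 on a printf/tr pipeline, so those three suppressions are fine as they stand.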
@@ -150,7 +213,7 @@ hardening_ultra() {
 declare host
 for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
 ((line++))
- sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
+ sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
 done
 fi
@@ -163,7 +226,7 @@ hardening_ultra() {
 declare -r sshport="${VAR_SSHPORT:-22}"
 sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
- sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+ sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
 sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
 if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
@@ -171,6 +234,7 @@ hardening_ultra() {
 declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
 sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
 declare line
+ # shellcheck disable=SC2312
 line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
 if [[ -z "${line}" ]]; then
@@ -181,7 +245,7 @@ hardening_ultra() {
 declare host
 for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
 ((line++))
- sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
+ sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
 done
 fi
 fi
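Review bot: The rewritten `sed -i "${line}a ufw allow from ${host} …"` still writes `${host}` verbatim both into the sed script and, through it, into 0900_ufw_setup.chroot, which is a shell hook executed later inside the chroot; the commit only changes `"$file"` to `"${file}"` on this line. Since the array holds unique jump-host addresses (the -204 hunk's comment shows IPv4, IPv6 and CIDR forms), validating each entry before it is interpolated, e.g. `[[ "${host}" =~ ^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$ ]] || return 1` at the top of the loop, guarantees a malformed value cannot carry a newline or shell syntax into the generated firewall rules or break the sed `a` command. The identical loop appears in the hunk at -181 and needs the same check; the two surrounding blocks at -140/-150 and -171/-181 are byte-for-byte duplicates, so a single helper taking `${file}` and `${sshport}` would keep both ufw edits in step. The enclosing `if` blocks open outside this hunk.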
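Review bot: `${sshport}` is substituted into three `sed -i "s|…|…|"` expressions and ends up as sshd_config's `Port` value and in the ufw and fail2ban hooks, yet it is only defaulted by `declare -r sshport="${VAR_SSHPORT:-22}"` and never validated; the commit merely adds braces to one of the three substitutions. A check directly after the declare, `[[ "${sshport}" =~ ^[1-9][0-9]{0,4}$ ]] && (( sshport <= 65535 )) || return 1`, rejects a value that would either break the `|` delimiter of the sed scripts or write an invalid `Port` line into the image before any file is modified. The `if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then` at the end of this hunk opens a block that continues outside it.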
@@ -204,6 +268,7 @@ hardening_ultra() {
 declare ips="${ARY_HANDLER_JUMPHOST[*]}"
 # Flatten to a single line and strip literal brackets []
 declare flat_ips
+ # shellcheck disable=SC2312
 flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
 # flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64"