From fc05ad5a1c6f1efa2c47a4a8207bec00107b775d Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:12:24 -0700 Subject: [PATCH 01/13] chore: refactor entire repo structure --- auditing/{ => Lynis Installer}/lynis-installer | 0 hardening/{ => Root Locker}/root-locker | 0 hardening/{ => SSHD Hardening}/sshd | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename auditing/{ => Lynis Installer}/lynis-installer (100%) rename hardening/{ => Root Locker}/root-locker (100%) rename hardening/{ => SSHD Hardening}/sshd (100%) diff --git a/auditing/lynis-installer b/auditing/Lynis Installer/lynis-installer similarity index 100% rename from auditing/lynis-installer rename to auditing/Lynis Installer/lynis-installer diff --git a/hardening/root-locker b/hardening/Root Locker/root-locker similarity index 100% rename from hardening/root-locker rename to hardening/Root Locker/root-locker diff --git a/hardening/sshd b/hardening/SSHD Hardening/sshd similarity index 100% rename from hardening/sshd rename to hardening/SSHD Hardening/sshd From e22f8e6f510275cb947f79c2ea2ccbf837a29c58 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:18:02 -0700 Subject: [PATCH 02/13] doc: update documentation and comments --- hardening/SSHD Hardening/sshd | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/hardening/SSHD Hardening/sshd b/hardening/SSHD Hardening/sshd index 3cf2f1e..cfdfc4f 100755 --- a/hardening/SSHD Hardening/sshd +++ b/hardening/SSHD Hardening/sshd @@ -7,10 +7,10 @@ # # Version: v1.1.2 # License: MIT License -# Copyright (c) 2020-2023 Hunter T. (StrangeRanger) +# Copyright (c) 2020-2024 Hunter T. (StrangeRanger) # ######################################################################################## -#### [ Variables ] +####[ Script Wide Variables ]########################################################### config_file_bak="/etc/ssh/sshd_config.bak" 
@@ -21,27 +21,25 @@ red="$(printf '\033[1;31m')" nc="$(printf '\033[0m')" -#### End of [ Variables ] -######################################################################################## -#### [ Functions ] +####[ Functions ]####################################################################### -######## +#### # Cleanly exit the script. # # Arguments: -# $1 - required -# Exit status code. -######## +# - $1: exit_code (Required) +# - Description: The exit code to exit the script with. +#### clean_up() { + local exit_code="$1" + echo -e "\nExiting..." - exit "$1" + exit "$exit_code" } -#### End of [ Functions ] -######################################################################################## -#### [ Prepping ] +####[ Prepping ]######################################################################## ## Check if the script was executed with root privilege. @@ -58,9 +56,7 @@ if [[ ! -f $config_file ]]; then fi -#### End of [ Prepping ] -######################################################################################## -#### [ Main ] +####[ Main ]########################################################################### read -rp "We will now harden sshd. Press [Enter] to continue." @@ -244,7 +240,3 @@ echo -e "${cyan}It is highly recommended to manually: 1) Change the default sshd port (22) 2) Disable PasswordAuthentication in favor of PubkeyAuthentication 3) Add 'AllowUsers [your username]' to the bottom of 'sshd_config'${nc}" - - -#### End of [ Main ] -######################################################################################## From a802aefacf2a38db5ad0584efc1798b678b0ce31 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:22:15 -0700 Subject: [PATCH 03/13] doc: update CHANGELOG.md --- hardening/SSHD Hardening/CHANGELOG.md | 60 +++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 hardening/SSHD Hardening/CHANGELOG.md 
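Review bot: `clean_up` in the `@@ -21,27 +21,25 @@` hunk copies `$1` into `exit_code` without checking it, so a call with no argument reaches `exit ""`, which bash rejects with "numeric argument required" instead of exiting with the status the caller intended. The header comment marks the argument as required, but nothing enforces it; the callers are outside this hunk, so whether any of them omit it cannot be confirmed from here. A default keeps the failure path predictable: `local exit_code="${1:-1}"`.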
diff --git a/hardening/SSHD Hardening/CHANGELOG.md b/hardening/SSHD Hardening/CHANGELOG.md new file mode 100644 index 0000000..6c9dd9e --- /dev/null +++ b/hardening/SSHD Hardening/CHANGELOG.md @@ -0,0 +1,60 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## v1.1.3 - 2024-04-13 + +Due to the poor maintenance of this repository, the changelog has not been updated as frequently as it should have been. The changes listed below are only the most recent changes. + +### Changed + +- Improved documentation of code. + +## v1.0.5 - 2022-07-13 + +### Changed + +- Changed how the variables used to change the color of output text, are formatted, in the hopes of increasing portability. +- Exit codes beyond 1, were reverted back to 1. + +## v1.0.4 - 2022-07-10 + +### Changed + +- Modified exit codes. + +## v1.0.3 - 2020-12-01 + +### Changed + +- Changed some of the output text. + +### Fixed + +- Added missing variable to `echo`, resulting in the text color to remain cyan. + +## v1.0.2 - N/A + +### Added + +- Added error catching when attempting to download lynis + +### Fixed + +- Fixed mistyped environmental variable from 'USER_SUDO' to 'SUDO_USER' + +## v1.0.1 - N/A + +### Added + +- Now prompts the user before performing actions + +### Fixed + +- Fixed script not wanting to run as root + +## v1.0.0 - N/A + +- Initial creation From eb6ffedd4b5f7c4bd7d004633237a8fd697a5a45 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:22:58 -0700 Subject: [PATCH 04/13] chore: update version number --- hardening/SSHD Hardening/sshd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardening/SSHD Hardening/sshd b/hardening/SSHD Hardening/sshd index cfdfc4f..82d3197 100755 --- a/hardening/SSHD Hardening/sshd +++ b/hardening/SSHD Hardening/sshd 
@@ -5,7 +5,7 @@ # Note: This configures sshd_config to the recommendations of the security auditing tool # knonw as Lynis (https://github.com/CISOfy/lynis). # -# Version: v1.1.2 +# Version: v1.1.3 # License: MIT License # Copyright (c) 2020-2024 Hunter T. (StrangeRanger) # From c5a2aaba986370448f27b78e40519295a8b6c26b Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:27:49 -0700 Subject: [PATCH 05/13] chore: move CHANGELOG.md to correct location --- hardening/{SSHD Hardening => Root Locker}/CHANGELOG.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) rename hardening/{SSHD Hardening => Root Locker}/CHANGELOG.md (84%) diff --git a/hardening/SSHD Hardening/CHANGELOG.md b/hardening/Root Locker/CHANGELOG.md similarity index 84% rename from hardening/SSHD Hardening/CHANGELOG.md rename to hardening/Root Locker/CHANGELOG.md index 6c9dd9e..31356c4 100644 --- a/hardening/SSHD Hardening/CHANGELOG.md +++ b/hardening/Root Locker/CHANGELOG.md @@ -4,9 +4,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## v1.1.3 - 2024-04-13 - -Due to the poor maintenance of this repository, the changelog has not been updated as frequently as it should have been. The changes listed below are only the most recent changes. +## v1.0.6 - 2024-04-13 ### Changed From e519ed53f5cfdd10ded75ea8c4ae3b37fa3f1b97 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:28:45 -0700 Subject: [PATCH 06/13] doc: update documentation and comments --- hardening/Root Locker/root-locker | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/hardening/Root Locker/root-locker b/hardening/Root Locker/root-locker index 0d9e232..931df0a 100755 --- a/hardening/Root Locker/root-locker +++ b/hardening/Root Locker/root-locker 
@@ -2,12 +2,12 @@ # # Locks the root account and erases it's current password. # -# Version: v1.0.5 +# Version: v1.0.6 # License: MIT License -# Copyright (c) 2020-2023 Hunter T. (StrangeRanger) +# Copyright (c) 2020-2024 Hunter T. (StrangeRanger) # ######################################################################################## -#### [ Variables ] +####[ Script Wide Variables ]########################################################### green="$(printf '\033[0;32m')" @@ -15,9 +15,7 @@ red="$(printf '\033[1;31m')" nc="$(printf '\033[0m')" -##### End of [ Variables ] -######################################################################################## -#### [ Prepping ] +####[ Prepping ]######################################################################## ## Check if this script was executed with root privilege. @@ -28,9 +26,7 @@ if [[ $EUID != 0 ]]; then fi -#### End of [ Prepping ] -######################################################################################## -#### [ Main ] +####[ Main ]############################################################################ read -rp "We will now disable the root account. Press [Enter] to continue." @@ -43,7 +39,3 @@ passwd -dl root || { } echo -e "\n${green}The root account has been locked${nc}" - - -#### End of [ Main ] -######################################################################################## From 65a91de77d1f6ad405e5bbd18c2ddfd67519a8fe Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:35:25 -0700 Subject: [PATCH 07/13] doc: create CHANGELOG.md --- hardening/SSHD Hardening/CHANGELOG.md | 63 +++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 hardening/SSHD Hardening/CHANGELOG.md diff --git a/hardening/SSHD Hardening/CHANGELOG.md b/hardening/SSHD Hardening/CHANGELOG.md new file mode 100644 index 0000000..e287867 --- /dev/null +++ b/hardening/SSHD Hardening/CHANGELOG.md 
@@ -0,0 +1,63 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## v1.1.3 - 2024-04-13 + +### Changed + +- Improved documentation and comments of code. + +## v1.1.1 - 2022-07-13 + +### Changed + +- Changed how the variables used to change the color of output text, are formatted, in the hopes of increasing portability. +- Exit codes beyond 1, were reverted back to 1. +- Other efficiency changes. + +## v1.1.0 - 2022-07-10 + +### Added + +- Sets `KbdInteractiveAuthentication` to `KbdInteractiveAuthentication no`. + - This setting is introduced in Ubuntu 22.04, seeming to replace `ChallengeResponseAuthentication`. +- Asks if the end user would like to overwrite the existing backup of `sshd_config`, if it exists. + +### Changed + +- Modified exit codes. +- Modified the output text, depending on whether the specific configurations have already been set. +- Updated the flags and regex used by `sed` to set the configurations. + +## v1.0.3 - 2020-12-01 + +### Changed + +- Changed commenting style. + +### Fixed + +- Added missing variable to `echo`, resulting in the text color to remain cyan. + +## v1.0.2 - N/A + +### Added + +- Checks if `sshd_config` exists before attempting to modify the file. + +## v1.0.1 - N/A + +### Added + +- Now prompts the user before performing actions. + +### Fixed + +- Fixed script not wanting to run as root. + +## v1.0.0 + +- Initial creation. From d14b7a48f4d9800e173dd87de926fb21cd7827ad Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:35:50 -0700 Subject: [PATCH 08/13] chore: fix bad version number --- hardening/SSHD Hardening/sshd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardening/SSHD Hardening/sshd b/hardening/SSHD Hardening/sshd index 82d3197..cfdfc4f 100755 
--- a/hardening/SSHD Hardening/sshd +++ b/hardening/SSHD Hardening/sshd @@ -5,7 +5,7 @@ # Note: This configures sshd_config to the recommendations of the security auditing tool # knonw as Lynis (https://github.com/CISOfy/lynis). # -# Version: v1.1.3 +# Version: v1.1.2 # License: MIT License # Copyright (c) 2020-2024 Hunter T. (StrangeRanger) # From 5919c4cb2e3a11740f9aa5039cceee8d5ee69b84 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:38:12 -0700 Subject: [PATCH 09/13] style: fix documentation style --- hardening/SSHD Hardening/sshd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardening/SSHD Hardening/sshd b/hardening/SSHD Hardening/sshd index cfdfc4f..fb0bbed 100755 --- a/hardening/SSHD Hardening/sshd +++ b/hardening/SSHD Hardening/sshd @@ -56,7 +56,7 @@ if [[ ! -f $config_file ]]; then fi -####[ Main ]########################################################################### +####[ Main ]############################################################################ read -rp "We will now harden sshd. Press [Enter] to continue." From 612babe0d4c748970f4a09693596664d8eb41133 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:40:01 -0700 Subject: [PATCH 10/13] chore: move CHANGELOG.md to correct location --- {hardening/Root Locker => auditing/Lynis Installer}/CHANGELOG.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {hardening/Root Locker => auditing/Lynis Installer}/CHANGELOG.md (100%) diff --git a/hardening/Root Locker/CHANGELOG.md b/auditing/Lynis Installer/CHANGELOG.md similarity index 100% rename from hardening/Root Locker/CHANGELOG.md rename to auditing/Lynis Installer/CHANGELOG.md From d649b17d191e4f331885fed57d9825fe7f0cda76 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:40:17 -0700 Subject: [PATCH 11/13] doc: update documentation and comments --- auditing/Lynis Installer/lynis-installer | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) 
diff --git a/auditing/Lynis Installer/lynis-installer b/auditing/Lynis Installer/lynis-installer index 0484a90..bfcc0f0 100755 --- a/auditing/Lynis Installer/lynis-installer +++ b/auditing/Lynis Installer/lynis-installer @@ -2,12 +2,12 @@ # # A script for installing and running lynis with recommended options. # -# Version: v1.0.5 +# Version: v1.0.6 # License: MIT License -# Copyright (c) 2020-2023 Hunter T. (StrangeRanger) +# Copyright (c) 2020-2024 Hunter T. (StrangeRanger) # ######################################################################################## -#### [ Variables ] +####[ Script Wide Variables ]########################################################### green="$(printf '\033[0;32m')" @@ -16,9 +16,7 @@ red="$(printf '\033[1;31m')" nc="$(printf '\033[0m')" -##### End of [ Variables ] -######################################################################################## -#### [ Prepping ] +####[ Prepping ]######################################################################## ## Check if the script was executed with root privilege. @@ -29,9 +27,7 @@ if [[ $EUID != 0 ]]; then fi -#### End of [ Prepping ] -######################################################################################## -#### [ Main ] +####[ Main ]############################################################################ read -rp "We will now download lynis. Press [Enter] to continue." @@ -54,7 +50,3 @@ chown -R root:root lynis echo -e "\n${green}Lynis has been downloaded to your system" echo -e "${cyan}To perform a system scan with lynis, execute the following command in" \ "the lynis root directory: sudo ./lynis audit system${nc}" - - -#### End of [ Main ] -######################################################################################## From fdaf5b50672204c4c96d9c7e646a6e4869106bd3 Mon Sep 17 00:00:00 2001 
From: "Hunter T." Date: Sat, 13 Apr 2024 12:41:44 -0700 Subject: [PATCH 12/13] doc: add CHANGELOG.md --- hardening/Root Locker/CHANGELOG.md | 45 ++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 hardening/Root Locker/CHANGELOG.md diff --git a/hardening/Root Locker/CHANGELOG.md b/hardening/Root Locker/CHANGELOG.md new file mode 100644 index 0000000..e149588 --- /dev/null +++ b/hardening/Root Locker/CHANGELOG.md @@ -0,0 +1,45 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## v1.0.6 - 2024-04-13 + +### Changed + +- Improved documentation of code. + +## v1.0.5 - 2022-07-13 + +### Changed + +- Changed how the variables used to change the color of output text, are formatted, in the hopes of increasing portability. +- Exit codes beyond 1, were reverted back to 1. + +## v1.0.4 - 2022-07-10 + +### Changed + +- Modified exit codes. +- No longer backs up `/etc/shadow`. + +## v1.0.3 - 2020-12-01 + +### Changed + +- Changed commenting style. + +### Fixed + +- Added missing variable to `echo`, resulting in the text color to remain cyan. + +## v1.0.2 - N/A + +### Changed + +- Changed placement of `read -p "We will now disable the root account. Press [Enter] to continue."`. + +## v1.0.0 - N/A + +- Initial creation. From 89fdf43320238f2ade7179a16e3914025ece83fd Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Sat, 13 Apr 2024 12:49:58 -0700 Subject: [PATCH 13/13] doc: update script descriptions --- auditing/Lynis Installer/lynis-installer | 5 ++++- hardening/Root Locker/root-locker | 4 +++- hardening/SSHD Hardening/sshd | 3 ++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/auditing/Lynis Installer/lynis-installer b/auditing/Lynis Installer/lynis-installer index bfcc0f0..f599ff3 100755 
--- a/auditing/Lynis Installer/lynis-installer +++ b/auditing/Lynis Installer/lynis-installer @@ -1,6 +1,9 @@ #!/bin/bash # -# A script for installing and running lynis with recommended options. +# This script downloads a security auditing tool called Lynis, designed to scan a system +# and identify security issues, and provides recommendations on how to better secure it. +# Lynis, unless an error is encountered, will always be downloaded to the user's root +# directory (/home/USERNAME/). # # Version: v1.0.6 # License: MIT License diff --git a/hardening/Root Locker/root-locker b/hardening/Root Locker/root-locker index 931df0a..6c431ca 100755 --- a/hardening/Root Locker/root-locker +++ b/hardening/Root Locker/root-locker @@ -1,6 +1,8 @@ #!/bin/bash # -# Locks the root account and erases it's current password. +# This script locks and removes the root account's password (if one is set). This +# prevents users from successfully logging into the root account via su. Note that it +# doesn't prevent users from becoming root via methods such as sudo su. # # Version: v1.0.6 # License: MIT License diff --git a/hardening/SSHD Hardening/sshd b/hardening/SSHD Hardening/sshd index fb0bbed..f39e723 100755 --- a/hardening/SSHD Hardening/sshd +++ b/hardening/SSHD Hardening/sshd @@ -1,6 +1,7 @@ #!/bin/bash # -# Hardens sshd by modifying the configurations of '/etc/ssh/sshd_config'. +# This script hardens the sshd-server, by modifying it's configuration file +# (sshd_config). # # Note: This configures sshd_config to the recommendations of the security auditing tool # knonw as Lynis (https://github.com/CISOfy/lynis).
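Review bot: The new header comment in the lynis-installer hunk calls `/home/USERNAME/` the user's "root directory", which reads as `/` or `/root`; the path given is the home directory. I would word the last two added lines as `# Lynis, unless an error is encountered, will always be downloaded to the invoking` / `# user's home directory (/home/USERNAME/).`. An earlier patch in this series shows the script running `chown -R root:root lynis` and telling the user to run `sudo ./lynis audit system`, so the comment could also say that the tree ends up root-owned inside a directory that presumably stays writable by the unprivileged user.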
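Review bot: The new description in the root-locker hunk names `sudo su` as the only way root stays reachable, which overstates what locking the password achieves. A locked or deleted password blocks password-based authentication only; a root login through another mechanism, such as an SSH public key in root's `authorized_keys`, is unaffected unless sshd forbids it. I would add one line after the `sudo su` sentence: `# It also does not block non-password logins as root, such as SSH public-key authentication.`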
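Review bot: The rewritten description in the sshd hunk drops the full path that the removed line gave (`/etc/ssh/sshd_config`) and uses the possessive "it's" where "its" is meant. Because the script edits a file that controls remote access, the header should name the exact file it touches: `# This script hardens the sshd server by modifying its configuration file` / `# (/etc/ssh/sshd_config).`. The context line below still has the typo "knonw" for "known", which could be fixed in the same pass.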