#!/bin/sh
# Trace every command to stderr and stop at the first failing command.
set -xe
# NOTE(review): pipefail is not accepted by every /bin/sh (older dash lacks
# it) and the script has no pipelines; a shell that rejects the option would
# stop here, so confirm the base image's sh supports it.
set -o pipefail
################################################################################
# Docker build calls this script to harden the image during build.
#
# NOTE: To build on CircleCI, you must take care to keep the `find`
# command out of the /proc filesystem to avoid errors like:
#
# find: /proc/tty/driver: Permission denied
# lxc-start: The container failed to start.
# lxc-start: Additional information can be obtained by \
# setting the --logfile and --logpriority options.
################################################################################
#######################################
# EXIT trap handler: report the script's final status on stderr.
# Globals:   RC (written, readonly) - exit status seen on entry
# Outputs:   "<script> OK" or "<script> failed with exit code <n>" on stderr
# Returns:   exits with the captured status when it is non-zero
#######################################
finish() {
  # $? must be captured before any other command overwrites it.
  readonly RC=$?
  if [ "${RC}" -ne 0 ]; then
    echo "$0" failed with exit code "${RC}" >&2
    exit "${RC}"
  fi
  echo "$0" OK >&2
}

# Report the outcome on every exit path, including aborts caused by set -e.
trap finish EXIT
# Remove any existing crontabs and periodic job directories.
# rm -f keeps going quietly when a path does not exist in this base image.
for cron_path in /var/spool/cron /etc/crontabs /etc/periodic; do
  rm -fr "${cron_path}"
done
# Delete every non-directory entry under /usr/sbin except nologin.
# nologin is kept because the passwd rewrite at the end of this script sets
# /usr/sbin/nologin as the login shell.
find /usr/sbin ! \( -type d -o -name nologin \) -delete
# System directories swept by the find commands in this script.
# Centos 7.5 does not have /sbin, so it is not listed.
# The value is newline-separated and is expanded unquoted on purpose, so that
# each directory becomes a separate find start point.
sysdirs="
/bin
/etc
/lib
/opt
/usr
"
readonly sysdirs
# Strip the world-writable bit from directories and regular files.
# The sweep is limited to ${sysdirs} instead of the whole root filesystem
# because circle ci fails with:
#   chmod: /dev/mqueue: Operation not permitted
# Symlinks and other file types are not touched.
#
# shellcheck disable=SC2086
find ${sysdirs} -xdev \( -type d -o -type f \) -perm /0002 \
  -exec chmod o-w {} +
# Remove crufty leftovers such as (typically backup copies of the account
# databases):
#   /etc/shadow-
#   /etc/passwd-
#   /etc/group-
# The pattern is broader than these three examples: every regular file under
# ${sysdirs} whose path ends in '-' is deleted.
#
# shellcheck disable=SC2086
find ${sysdirs} -xdev -type f -regex '.*-$' -exec rm -f {} +
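# Ensure system dirs are owned by root and not writable by anybody else.
#
# The commands are batched with `+` rather than run per directory with `\;`.
# With `\;` a failing chown was ignored by find and the chmod for that
# directory was skipped, so the build could report OK with a directory left
# unhardened. With `+` a failing chown or chmod is reflected in find's exit
# status, and `set -e` then fails the build. It also avoids two forks per
# directory.
#
# NOTE(review): chmod 0755 also grants group/other read and search on
# directories that were more restrictive before (for example 0700); confirm
# nothing under ${sysdirs} relies on tighter permissions.
#
# shellcheck disable=SC2086
find ${sysdirs} -xdev -type d \
  -exec chown root:root {} + \
  -exec chmod 0755 {} +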
# Delete every regular file under ${sysdirs} that has the setuid bit set.
# NOTE(review): only setuid (4000) is matched; setgid (2000) files are left
# in place. Confirm that is intended.
#
# shellcheck disable=SC2086
find ${sysdirs} -xdev -type f -perm /4000 -delete
# Remove init scripts and their configuration since we do not use them.
for init_path in \
  /etc/init.d \
  /lib/rc \
  /etc/conf.d \
  /etc/inittab \
  /etc/runlevels \
  /etc/rc.conf; do
  rm -fr "${init_path}"
done
# Remove kernel tunables and module configuration since we do not need them.
# The /etc/sysctl* glob is left unquoted so it expands to every match; if
# nothing matches, rm -f ignores the literal pattern.
for tunable in \
  /etc/sysctl* \
  /etc/modprobe.d \
  /etc/modules \
  /etc/mdev.conf \
  /etc/acpi; do
  rm -fr "${tunable}"
done
# Neither fstab nor root's home directory is needed in this image.
rm -f /etc/fstab
rm -rf /root
# Remove symlinks left dangling by the deletions above.
# `test -e` follows the link, so it fails exactly when the target is missing;
# only those links reach -delete.
#
# shellcheck disable=SC2086
find ${sysdirs} -xdev -type l ! -exec test -e {} \; -delete
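# Remove unnecessary user accounts: keep only entries named exactly "duo".
# The pattern is anchored on the ':' field separator. Without it, any user or
# group whose name merely starts with "duo" would survive the purge. This
# matches the exact "^duo:" test used for the login shell below.
sed -i -r '/^(duo):/!d' /etc/group
sed -i -r '/^(duo):/!d' /etc/passwd
# Remove interactive login shell for everybody but unprivileged user.
# The last passwd field (the shell) is replaced with /usr/sbin/nologin on
# every line that does not belong to "duo".
sed -i -r '/^duo:/! s#^(.*):[^:]*$#\1:/usr/sbin/nologin#' /etc/passwd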