From 7d386d11e54f6878e69e5100bc65f6604d8530e8 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Wed, 30 Oct 2024 14:03:24 -0700 Subject: [PATCH 01/11] Modify comment --- hardening/Root Locker/root-locker.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardening/Root Locker/root-locker.bash b/hardening/Root Locker/root-locker.bash index fe077b1..2217876 100755 --- a/hardening/Root Locker/root-locker.bash +++ b/hardening/Root Locker/root-locker.bash @@ -2,7 +2,7 @@ # # This script locks the root account, preventing users from directly logging in as root. # -# Note: +# NOTE: # Locking the root account doesn't prevent users from using something like `sudo su` # to gain root access. # From be4cad774f6a561dc586702a4ed363fcb6fbea94 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Wed, 30 Oct 2024 14:13:40 -0700 Subject: [PATCH 02/11] Fix trapping logic and clean_exit function --- hardening/SSHD Hardening/harden-sshd.bash | 28 ++++++++++++++++------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/hardening/SSHD Hardening/harden-sshd.bash b/hardening/SSHD Hardening/harden-sshd.bash index b14d3ff..e4c4904 100755 --- a/hardening/SSHD Hardening/harden-sshd.bash +++ b/hardening/SSHD Hardening/harden-sshd.bash @@ -2,11 +2,14 @@ # # This script hardens the ssh server by modifying its configuration file, 'sshd_config'. # -# Note: +# NOTE: # These configurations align with the recommendations of the security auditing tool # known as Lynis (https://github.com/CISOfy/lynis). # -# Version: v2.0.0 +# TODO: +# - Impliment functionality to revert changes if the script fails. +# +# Version: v2.0.1 # License: MIT License # Copyright (c) 2020-2024 Hunter T. (StrangeRanger) # 
@@ -33,7 +36,7 @@ readonly C_ERROR="${C_RED}ERROR:${C_NC} " readonly C_INFO="${C_BLUE}==>${C_NC} " readonly C_NOTE="${C_CYAN}==>${C_NC} " -# Associative array containing the configuration settings for sshd_config. +# Associative array containing the configuration settings for 'sshd_config'. declare -A C_SSHD_CONFIG=( ["LogLevel"]="VERBOSE" ["LogLevelRegex"]='^#?LogLevel\s+.*$' @@ -87,14 +90,20 @@ readonly C_SSHD_CONFIG clean_exit() { local exit_code="$1" + # Unset the EXIT trap to prevent re-entry. + trap - EXIT + case "$exit_code" in 0) exit 0 ;; 1) echo "" ;; - 130) echo -e "\n${C_WARNING}User interrupt detected" ;; - *) echo -e "\n${C_RED}==>${C_NC} Exiting with code: $exit_code" ;; + 130) echo -e "\n${C_WARNING}User interrupt detected (SIGINT)" ;; + 143) echo -e "\n${C_WARNING}Termination signal detected (SIGTERM)" ;; + 129) echo -e "\n${C_WARNING}Hangup signal detected (SIGHUP)" ;; + 131) echo -e "\n${C_WARNING}Quit signal detected (SIGQUIT)" ;; + *) echo -e "\n${C_WARNING}Exiting with code: $exit_code" ;; esac - echo -e "${C_INFO}Exiting..." + echo "Exiting..." exit "$exit_code" } @@ -102,8 +111,11 @@ clean_exit() { ####[ Trapping Logic ]################################################################## -# Catch some of the most common signals. -trap 'clean_exit $?' EXIT INT TERM HUP QUIT ERR +trap 'clean_exit 130' SIGINT +trap 'clean_exit 143' SIGTERM +trap 'clean_exit 129' SIGHUP +trap 'clean_exit 131' SIGQUIT +trap 'clean_exit $?' EXIT ####[ Prepping ]######################################################################## From 1dde6d49154a8e6b1e6af8a60b3f55847a34ce00 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Wed, 30 Oct 2024 14:15:54 -0700 Subject: [PATCH 03/11] Update CHANGELOG.md --- hardening/SSHD Hardening/CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hardening/SSHD Hardening/CHANGELOG.md b/hardening/SSHD Hardening/CHANGELOG.md index 7ebd5e4..38261b7 100644 --- a/hardening/SSHD Hardening/CHANGELOG.md 
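Review bot: In clean_exit the signal and fallback arms print their warnings to stdout and say nothing about the state of the file being edited, so an operator who interrupts the run cannot tell whether 'sshd_config' was left half-modified. The header TODO already records that changes are not reverted; until that exists, the non-zero arms could at least point at the backup, e.g. `echo "${C_NOTE}'sshd_config' may be partially modified; restore from '$C_CONFIG_FILE_BAK' if needed" >&2`, assuming the backup has been taken by that point. Adding `>&2` to the existing warning lines would also keep them out of captured stdout. Note that `trap - EXIT` clears only the EXIT trap, so a second signal arriving inside clean_exit still re-enters it.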
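Review bot: With `ERR` dropped from the trap list, a failing command no longer reaches clean_exit unless the script runs under `set -e` or checks each edit explicitly, and neither is visible in this hunk. The old single trap aborted on any unhandled failure. For a script that rewrites 'sshd_config', continuing after a failed edit can leave a partially hardened file while the run still ends with exit code 0. If aborting on failure is still intended, `set -o errexit` near the top of the script, or `|| clean_exit 1` on each edit, keeps that behaviour with the new per-signal traps.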
+++ b/hardening/SSHD Hardening/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## v2.0.1 - 2024-10-30 + +### Fixed + +- Fixed trapping logic and how errors are handled. + ## v2.0.0 - 2024-08-15 Complete rewrite of the script. Below are just some of the differences in the new version. From 2d26b45bcfa9d6cd8e01f771c746e7b6b80854d6 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Wed, 30 Oct 2024 14:18:35 -0700 Subject: [PATCH 04/11] Update trapping logic --- hardening/UFW Cloudflare/ufw-cloudflare.bash | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/hardening/UFW Cloudflare/ufw-cloudflare.bash b/hardening/UFW Cloudflare/ufw-cloudflare.bash index cd70ca4..f63248a 100755 --- a/hardening/UFW Cloudflare/ufw-cloudflare.bash +++ b/hardening/UFW Cloudflare/ufw-cloudflare.bash @@ -2,7 +2,7 @@ # # Sets up UFW to only allow HTTP and HTTPS traffic from Cloudflare's IP ranges. # -# Version: v1.0.0-beta.1 +# Version: v1.0.0-beta.2 # License: MIT License # Copyright (c) 2024 Hunter T. (StrangeRanger) # @@ -139,10 +139,14 @@ cleanup() { } -####[ Trap Logic ]###################################################################### +####[ Trapping Logic ]################################################################## -trap cleanup EXIT +trap 'clean_exit 130' SIGINT +trap 'clean_exit 143' SIGTERM +trap 'clean_exit 129' SIGHUP +trap 'clean_exit 131' SIGQUIT +trap 'clean_exit $?' EXIT ####[ Main ]############################################################################ From 25f45b256f853b342b0006e1963e6c0631d969e1 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Wed, 30 Oct 2024 14:21:19 -0700 Subject: [PATCH 05/11] Fix comment --- hardening/SSHD Hardening/harden-sshd.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
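Review bot: The new traps in ufw-cloudflare.bash call `clean_exit`, but the function shown in this hunk's context is `cleanup()`, and none of the seven lines this commit adds defines `clean_exit`. Unless it is defined elsewhere in the file, each trap would fail with "command not found", so the cleanup that `trap cleanup EXIT` used to run on exit is skipped. A SIGINT or SIGTERM handler that fails also does not stop the script, so the firewall changes would likely carry on after the operator tried to abort. Either keep the existing function on the exit path with `trap cleanup EXIT`, or add a `clean_exit` to this file that calls `cleanup` and then `exit "$1"`.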
diff --git a/hardening/SSHD Hardening/harden-sshd.bash b/hardening/SSHD Hardening/harden-sshd.bash index e4c4904..9a9d457 100755 --- a/hardening/SSHD Hardening/harden-sshd.bash +++ b/hardening/SSHD Hardening/harden-sshd.bash @@ -141,7 +141,7 @@ fi read -rp "${C_NOTE}We will now harden sshd. Press [Enter] to continue." ### -### [ Backup 'sshd_config' ] +### [ Back up 'sshd_config' ] ### if [[ -f $C_CONFIG_FILE_BAK ]]; then From 1398cb9be10abf6fd3c66663e686b7c70e4785fa Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Fri, 20 Dec 2024 16:38:34 -0800 Subject: [PATCH 06/11] style: modify style and colorization of output --- auditing/Lynis Installer/lynis-installer.bash | 31 +++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/auditing/Lynis Installer/lynis-installer.bash b/auditing/Lynis Installer/lynis-installer.bash index d0faf96..75fe317 100755 --- a/auditing/Lynis Installer/lynis-installer.bash +++ b/auditing/Lynis Installer/lynis-installer.bash @@ -5,7 +5,7 @@ # it. Unless an error is encountered, Lynis will always be downloaded to the current # user's root directory (`/home/USERNAME/`). # -# Version: v1.0.7 +# Version: v1.0.8 # License: MIT License # Copyright (c) 2020-2024 Hunter T. (StrangeRanger) # 
@@ -13,35 +13,40 @@ C_YELLOW="$(printf '\033[1;33m')" C_GREEN="$(printf '\033[0;32m')" +C_BLUE="$(printf '\033[0;34m')" C_CYAN="$(printf '\033[0;36m')" C_RED="$(printf '\033[1;31m')" C_NC="$(printf '\033[0m')" + +C_SUCCESS="${C_GREEN}==>${C_NC} " C_ERROR="${C_RED}ERROR:${C_NC} " -C_WARNING="${C_YELLOW}WARNING:${C_NC} " +C_WARNING="${C_YELLOW}==>${C_NC} " +C_INFO="${C_BLUE}==>${C_NC} " +C_NOTE="${C_CYAN}==>${C_NC} " -read -rp "We will now download lynis. Press [Enter] to continue." +read -rp "${C_NOTE}We will now download lynis. Press [Enter] to continue." -[[ -d "$HOME/lynis" ]] && { +if [[ -d "$HOME/lynis" ]]; then echo "${C_WARNING}Lynis is already downloaded to your system" >&2 - echo "Current location: '$HOME/lynis'" - echo -e "\nExiting..." + echo "${C_NOTE} Current location: '$HOME/lynis'" + echo -e "\n${C_INFO}Exiting..." exit 0 -} +fi -echo "Changing working directory to '$HOME'..." +echo "${C_INFO}Changing working directory to '$HOME'..." cd "$HOME" || { echo "${C_ERROR}Failed to change working directory to '$HOME'" >&2 echo "${C_CYAN}Lynis will download to '$PWD'${C_NC}" } -echo "Downloading lynis..." +echo "${C_INFO}Downloading lynis..." git clone https://github.com/CISOfy/lynis || { echo "${C_ERROR}Failed to download lynis" >&2 - echo -e "\nExiting..." + echo -e "\n${C_INFO}Exiting..." exit 1 } -echo -e "\n${C_GREEN}Lynis has been downloaded to your system" -echo -e "${C_CYAN}To perform a system scan with lynis, execute the following command" \ - "in the lynis root directory: sudo ./lynis audit system${C_NC}" +echo -e "\n${C_SUCCESS}Lynis has been downloaded to your system" +echo -e "${C_NOTE}To perform a system scan with lynis, execute the following command" \ + "in the lynis root directory: sudo ./lynis audit system" From adff1948ba7822167792028408ce674abcd1b896 Mon Sep 17 00:00:00 2001 
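Review bot: `git clone https://github.com/CISOfy/lynis` (unchanged context in this hunk) fetches whatever is on the default branch at run time, and the reworded closing message then tells the user to run it with `sudo`. Pinning the clone to a release tag makes the code that runs as root reproducible and reviewable, e.g. `git clone --depth 1 --branch <RELEASE_TAG> https://github.com/CISOfy/lynis`, where the tag is a placeholder to fill in. Separately, the restyled `C_WARNING`, `C_INFO`, `C_NOTE` and `C_SUCCESS` prefixes all render as `==>` and differ only by colour, so they cannot be told apart in logs or on terminals without colour. Keeping the word in the prefix, as in the old `C_WARNING="${C_YELLOW}WARNING:${C_NC} "`, avoids that.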
From: "Hunter T." Date: Fri, 20 Dec 2024 16:39:30 -0800 Subject: [PATCH 07/11] docs: update CHANGELOG.md --- auditing/Lynis Installer/CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/auditing/Lynis Installer/CHANGELOG.md b/auditing/Lynis Installer/CHANGELOG.md index 22aaed8..4e023ef 100644 --- a/auditing/Lynis Installer/CHANGELOG.md +++ b/auditing/Lynis Installer/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## v1.0.8 - 2024-12-20 + +### Changed + +- Improved the colorization of the output text. + ## v1.0.7 - 2024-08-15 ### Changed From 00edd71899f8f674279194b04640be73caa78f7e Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Fri, 20 Dec 2024 16:45:12 -0800 Subject: [PATCH 08/11] style: modify style and colorization of output --- hardening/Root Locker/root-locker.bash | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/hardening/Root Locker/root-locker.bash b/hardening/Root Locker/root-locker.bash index 2217876..02e0583 100755 --- a/hardening/Root Locker/root-locker.bash +++ b/hardening/Root Locker/root-locker.bash 
@@ -6,32 +6,39 @@ # Locking the root account doesn't prevent users from using something like `sudo su` # to gain root access. # -# Version: v1.0.7 +# Version: v1.0.8 # License: MIT License # Copyright (c) 2020-2024 Hunter T. (StrangeRanger) # ######################################################################################## C_GREEN="$(printf '\033[0;32m')" +C_BLUE="$(printf '\033[0;34m')" +C_CYAN="$(printf '\033[0;36m')" C_RED="$(printf '\033[1;31m')" C_NC="$(printf '\033[0m')" +C_SUCCESS="${C_GREEN}==>${C_NC} " +C_ERROR="${C_RED}ERROR:${C_NC} " +C_INFO="${C_BLUE}==>${C_NC} " +C_NOTE="${C_CYAN}==>${C_NC} " + ## Check if this script was executed with root privilege. if [[ $EUID != 0 ]]; then - echo "${C_RED}Please run this script as or with root privilege${C_NC}" >&2 - echo -e "\nExiting..." + echo "${C_ERROR}Please run this script as or with root privilege" >&2 + echo -e "\n${C_INFO}Exiting..." exit 1 fi -read -rp "We will now disable the root account. Press [Enter] to continue." +read -rp "${C_NOTE}We will now disable the root account. Press [Enter] to continue." -echo "Disabling root account..." +echo "${C_INFO}Disabling root account..." usermod -L root || { - echo -e "${C_RED}ERROR:${C_NC} Failed to lock the root account" >&2 - echo -e "\nExiting..." + echo -e "${C_ERROR}Failed to lock the root account" >&2 + echo -e "\n${C_INFO}Exiting..." exit 1 } -echo -e "\n${C_GREEN}The root account has been locked${C_NC}" +echo -e "\n${C_SUCCESS}The root account has been locked" From 44cf81e8fc268dbfa401ca9a5838b8bb4005630e Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Fri, 20 Dec 2024 16:46:16 -0800 Subject: [PATCH 09/11] docs: update CHANGELOG.md --- hardening/Root Locker/CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hardening/Root Locker/CHANGELOG.md b/hardening/Root Locker/CHANGELOG.md index 0f2ab58..a5d5905 100644 --- a/hardening/Root Locker/CHANGELOG.md +++ b/hardening/Root Locker/CHANGELOG.md 
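Review bot: The success message `The root account has been locked` claims more than `usermod -L root` delivers. Per usermod(8), `-L` only disables the password by prefixing the stored hash with `!`, so other authentication paths such as SSH public keys are not affected by it. A more accurate message would be `Password login for the root account has been locked`, and the header NOTE could add `# Root access over SSH is controlled separately by 'PermitRootLogin' in sshd_config.` The `usermod` line itself is unchanged context in this hunk.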
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## v1.0.8 - 2024-12-20 + +### Changed + +- Improved the colorization of the output text. + ## v1.0.7 - 2024-08-15 ### Changed From 42ade261efe0d02020718e07fa1be797c928a21a Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Fri, 20 Dec 2024 16:55:43 -0800 Subject: [PATCH 10/11] refactor: remove trap for 'SIGQUIT' --- hardening/SSHD Hardening/harden-sshd.bash | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/hardening/SSHD Hardening/harden-sshd.bash b/hardening/SSHD Hardening/harden-sshd.bash index 9a9d457..52fcdbb 100755 --- a/hardening/SSHD Hardening/harden-sshd.bash +++ b/hardening/SSHD Hardening/harden-sshd.bash @@ -9,7 +9,7 @@ # TODO: # - Impliment functionality to revert changes if the script fails. # -# Version: v2.0.1 +# Version: v2.0.2 # License: MIT License # Copyright (c) 2020-2024 Hunter T. (StrangeRanger) # @@ -82,11 +82,10 @@ readonly C_SSHD_CONFIG #### -# Cleanly exit the script. +# Exit the script and display a message based on the exit code. # # PARAMETERS: # - $1: exit_code (Required) -# - The exit code to exit the script with. clean_exit() { local exit_code="$1" @@ -94,13 +93,12 @@ clean_exit() { trap - EXIT case "$exit_code" in - 0) exit 0 ;; - 1) echo "" ;; + 0) ;; + 1) echo "" ;; + 129) echo -e "\n${C_WARNING}Hangup signal detected (SIGHUP)" ;; 130) echo -e "\n${C_WARNING}User interrupt detected (SIGINT)" ;; 143) echo -e "\n${C_WARNING}Termination signal detected (SIGTERM)" ;; - 129) echo -e "\n${C_WARNING}Hangup signal detected (SIGHUP)" ;; - 131) echo -e "\n${C_WARNING}Quit signal detected (SIGQUIT)" ;; - *) echo -e "\n${C_WARNING}Exiting with code: $exit_code" ;; + *) echo -e "\n${C_WARNING}Exiting with code: $exit_code" ;; esac echo "Exiting..." 
@@ -111,10 +109,9 @@ clean_exit() { ####[ Trapping Logic ]################################################################## +trap 'clean_exit 129' SIGHUP trap 'clean_exit 130' SIGINT trap 'clean_exit 143' SIGTERM -trap 'clean_exit 129' SIGHUP -trap 'clean_exit 131' SIGQUIT trap 'clean_exit $?' EXIT From 740df0f9e237d4b8e06d81769c079827e3738b25 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Fri, 20 Dec 2024 16:55:52 -0800 Subject: [PATCH 11/11] docs: update CHANGELOG.md --- hardening/SSHD Hardening/CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hardening/SSHD Hardening/CHANGELOG.md b/hardening/SSHD Hardening/CHANGELOG.md index 38261b7..9ec38e4 100644 --- a/hardening/SSHD Hardening/CHANGELOG.md +++ b/hardening/SSHD Hardening/CHANGELOG.md @@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## v2.0.2 - 2024-12-20 + +### Changed + +- Remove trap for `SIGQUIT`. +- Move around traps and cases. + ## v2.0.1 - 2024-10-30 ### Fixed
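Review bot: The literals 129, 130 and 143 in these traps, and in the matching `case` arms of clean_exit in the previous hunk, are undocumented. They follow the shell's 128 + signal-number convention, which a one-line comment above the traps would make explicit: `# Exit codes are 128 + signal number: 129=SIGHUP, 130=SIGINT, 143=SIGTERM.` The commit also drops the SIGQUIT trap without giving a reason in the code. If leaving SIGQUIT at its default disposition is deliberate, a short comment saying so would save the next maintainer from re-adding it.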