diff --git a/test/common.sh b/test/common.sh index 7dcf638..cb2ca08 100644 --- a/test/common.sh +++ b/test/common.sh @@ -155,4 +155,9 @@ command_exists() { # Function to check if package is installed is_package_installed() { dpkg -l "$1" | grep -q "^ii" >/dev/null 2>&1 +} + +# Function to check if a service is running +service() { + systemctl $1 $2 } \ No newline at end of file diff --git a/test/modules/additional_hardening.sh b/test/modules/additional_hardening.sh index 739af40..b277207 100644 --- a/test/modules/additional_hardening.sh +++ b/test/modules/additional_hardening.sh @@ -278,7 +278,7 @@ EOF log_message "SUCCESS" "Rsyslog security configuration created at $rsyslog_security" # Restart rsyslog - systemctl restart rsyslog + service restart rsyslog # Configure log rotation local logrotate_conf="/etc/logrotate.d/rsyslog-security" diff --git a/test/modules/antivirus.sh b/test/modules/antivirus.sh index bdac7cb..07a4c72 100644 --- a/test/modules/antivirus.sh +++ b/test/modules/antivirus.sh @@ -44,11 +44,11 @@ configure_clamav() { log_message "SUCCESS" "ClamAV freshclam configuration updated" # Create a daily scan script - local scan_script="/etc/cron.daily/clamscan" + local SCAN_SCRIPT="/etc/cron.daily/clamscan" log_message "INFO" "Creating daily scan script" - cat > "$scan_script" << 'EOF' + cat > "$SCAN_SCRIPT" << 'EOF' #!/bin/bash # ClamAV daily scan script @@ -84,13 +84,13 @@ fi echo "ClamAV daily scan completed at $(date)" >> "$LOG_FILE" EOF - chmod +x "$scan_script" - log_message "SUCCESS" "ClamAV daily scan script created at $scan_script" + chmod +x "$SCAN_SCRIPT" + log_message "SUCCESS" "ClamAV daily scan script created at $SCAN_SCRIPT" # Restart ClamAV services log_message "INFO" "Starting ClamAV services" - systemctl start clamav-freshclam - systemctl start clamav-daemon + service start clamav-freshclam + service start clamav-daemon if [ $? -eq 0 ]; then log_message "SUCCESS" "ClamAV services started successfully" 
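Review bot: The new `service()` wrapper in common.sh runs `systemctl $1 $2`, which word-splits both arguments and silently drops a third one, so a caller cannot pass `--now` or any extra flag; `service() { systemctl "$@"; }` forwards every argument intact and lets systemctl's exit status reach the `if [ $? -eq 0 ]` checks the modules rely on. The comment above it, `# Function to check if a service is running`, describes something the function does not do; `# Run a systemctl verb on a unit: service <verb> <unit>` matches the code. The closing `}` also inherits the missing trailing newline from the old file; adding one keeps later diffs of this file clean.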
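Review bot: `service restart rsyslog` only works if test/common.sh has been sourced, because `service` there is a shell function that shadows the system `service(8)` command and takes its arguments in the opposite order (`service <verb> <unit>` versus the system's `service <unit> <verb>`); I cannot see from the hunk whether this module sources common.sh, and a module that runs standalone would call `/usr/sbin/service restart rsyslog` and fail with an unknown-service error. The same dependency is introduced in antivirus.sh, auditing.sh, auto_updates.sh, dns_config.sh, glpi_agent.sh, monitoring.sh, ntp.sh and wazuh_agent.sh. Giving the wrapper a name that cannot collide with a system command (for instance `svc_ctl`) turns that failure mode into an honest "command not found" instead of a look-alike call with swapped arguments. The enclosing function starts and ends outside the hunk.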
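Review bot: Renaming `local scan_script` to `local SCAN_SCRIPT` moves a function-local variable into the upper-case namespace that shell convention reserves for exported and global constants, so a reader can no longer tell at a glance that it is scoped to configure_clamav; the lower-case original followed the convention, and if the intent was to mark it read-only, `local -r scan_script="/etc/cron.daily/clamscan"` says so without the case change. The same renaming is applied in auditing.sh, auto_updates.sh, dns_config.sh, fail2ban.sh and ntp.sh. configure_clamav continues outside the hunk.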
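Review bot: `if [ $? -eq 0 ]` after the two changed lines only reflects `service start clamav-daemon`; a failure of `service start clamav-freshclam` is overwritten by the second call and logged as success. `if service start clamav-freshclam && service start clamav-daemon; then` checks both without changing the messages. The same blind spot applies to the enable/restart pairs in auto_updates.sh, glpi_agent.sh, monitoring.sh (both hunks), ntp.sh and wazuh_agent.sh. configure_clamav's body continues outside the hunk.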
diff --git a/test/modules/auditing.sh b/test/modules/auditing.sh index d94fb67..6370931 100644 --- a/test/modules/auditing.sh +++ b/test/modules/auditing.sh @@ -26,12 +26,12 @@ configure_auditd() { fi # Configure auditd - local audit_rules="/etc/audit/rules.d/audit.rules" + local AUDIT_RULES="/etc/audit/rules.d/audit.rules" log_message "INFO" "Creating audit rules" - backup_file "$audit_rules" + backup_file "$AUDIT_RULES" - cat > "$audit_rules" << 'EOF' + cat > "$AUDIT_RULES" << 'EOF' # Audit configuration # Hardened audit rules @@ -106,11 +106,11 @@ configure_auditd() { -a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation EOF - log_message "SUCCESS" "Audit rules created at $audit_rules" + log_message "SUCCESS" "Audit rules created at $AUDIT_RULES" # Restart auditd service log_message "INFO" "Restarting auditd service" - service auditd restart + service restart auditd if [ $? -eq 0 ]; then log_message "SUCCESS" "auditd service restarted successfully" diff --git a/test/modules/auto_updates.sh b/test/modules/auto_updates.sh index 6d07b32..0b91c55 100644 --- a/test/modules/auto_updates.sh +++ b/test/modules/auto_updates.sh @@ -27,12 +27,12 @@ configure_auto_updates() { fi # Configure unattended-upgrades - local unattended_conf="/etc/apt/apt.conf.d/50unattended-upgrades" + local UNATTENDED_CONF="/etc/apt/apt.conf.d/50unattended-upgrades" log_message "INFO" "Creating unattended-upgrades configuration" - backup_file "$unattended_conf" + backup_file "$UNATTENDED_CONF" - cat > "$unattended_conf" << EOF + cat > "$UNATTENDED_CONF" << EOF // Unattended-Upgrades configuration // Generated by security hardening script 
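Review bot: Routing the auditd restart through the new wrapper turns `service auditd restart` into `systemctl restart auditd`, which I believe the upstream auditd.service unit refuses because it ships `RefuseManualStop=yes`; the old call went through the legacy init action that the audit package provides for exactly this case. Unless the unit on the target distribution differs (worth checking with `systemctl show -p RefuseManualStop auditd`), the rules written above will not be loaded and the success branch below will never be reached. Loading the rules explicitly with `augenrules --load`, or keeping the legacy call as `command service auditd restart` so the shell function is bypassed, avoids depending on the restart. configure_auditd continues outside the hunk.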
@@ -87,14 +87,14 @@ APT::Periodic::AutocleanInterval "7"; APT::Periodic::Unattended-Upgrade "1"; EOF - log_message "SUCCESS" "unattended-upgrades configuration created at $unattended_conf" + log_message "SUCCESS" "unattended-upgrades configuration created at $UNATTENDED_CONF" # Create a configuration file to enable automatic updates - local auto_upgrades="/etc/apt/apt.conf.d/20auto-upgrades" + local AUTO_UPGRADES="/etc/apt/apt.conf.d/20auto-upgrades" log_message "INFO" "Creating auto-upgrades configuration" - cat > "$auto_upgrades" << EOF + cat > "$AUTO_UPGRADES" << EOF // Auto-upgrade configuration // Generated by security hardening script @@ -104,15 +104,15 @@ APT::Periodic::AutocleanInterval "7"; APT::Periodic::Unattended-Upgrade "1"; EOF - log_message "SUCCESS" "auto-upgrades configuration created at $auto_upgrades" + log_message "SUCCESS" "auto-upgrades configuration created at $AUTO_UPGRADES" # Configure apt-listchanges - local listchanges_conf="/etc/apt/listchanges.conf" + local LISTCHANGES_CONF="/etc/apt/listchanges.conf" log_message "INFO" "Creating apt-listchanges configuration" - backup_file "$listchanges_conf" + backup_file "$LISTCHANGES_CONF" - cat > "$listchanges_conf" << EOF + cat > "$LISTCHANGES_CONF" << EOF [apt] frontend=pager email_address=root @@ -121,12 +121,12 @@ save_seen=/var/lib/apt/listchanges.db which=both EOF - log_message "SUCCESS" "apt-listchanges configuration created at $listchanges_conf" + log_message "SUCCESS" "apt-listchanges configuration created at $LISTCHANGES_CONF" # Enable and start unattended-upgrades service log_message "INFO" "Enabling unattended-upgrades service" - systemctl enable unattended-upgrades - systemctl restart unattended-upgrades + service enable unattended-upgrades + service restart unattended-upgrades if [ $? -eq 0 ]; then log_message "SUCCESS" "unattended-upgrades service enabled and restarted successfully" 
diff --git a/test/modules/custom_prompt.sh b/test/modules/custom_prompt.sh
index 3ee28a0..7cefa67 100644
--- a/test/modules/custom_prompt.sh
+++ b/test/modules/custom_prompt.sh
@@ -79,61 +79,6 @@ configure_custom_profile() { # Custom secure server profile # Generated by security hardening script -# Check if the terminal supports colors -if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then - # Color definitions - BLUE="\[\033[01;34m\]" - GREEN="\[\033[01;32m\]" - RED="\[\033[01;31m\]" - YELLOW="\[\033[01;33m\]" - PURPLE="\[\033[01;35m\]" - CYAN="\[\033[01;36m\]" - WHITE="\[\033[01;37m\]" - RESET="\[\033[00m\]" - BOLD="\[\033[01m\]" - - # Get server IP - SERVER_IP=$(hostname -I | awk '{print $1}') - - # Define symbols based on privilege - if [ "$(id -u)" -eq 0 ]; then - # Root user - red prompt - USER_COLOR=$RED - PROMPT_SYMBOL="#" - else - # Regular user - green prompt - USER_COLOR=$GREEN - PROMPT_SYMBOL="$" - fi - - # Set the prompt - PS1="${BOLD}[${USER_COLOR}\u${RESET}${BOLD}@${CYAN}\h${RESET}${BOLD} ${YELLOW}\w${RESET}${BOLD}]${RESET}\\n${USER_COLOR}${PROMPT_SYMBOL}${RESET} " - - # Show additional security information for root users - if [ "$(id -u)" -eq 0 ]; then - # Display system information - echo -e "\n${RED}ATTENTION: ROOT LOGIN${RESET}" - echo -e "${YELLOW}System Info:${RESET}" - echo -e " ${CYAN}Hostname:${RESET} $(hostname)" - echo -e " ${CYAN}IP Address:${RESET} ${SERVER_IP}" - echo -e " ${CYAN}Kernel:${RESET} $(uname -r)" - echo -e " ${CYAN}Uptime:${RESET} $(uptime -p | sed 's/up //')" - echo -e " ${CYAN}Load:${RESET} $(cat /proc/loadavg | awk '{print $1 ", " $2 ", " $3}')" - - # Show recent failed login attempts - FAILED_LOGINS=$(grep "Failed password" /var/log/auth.log | tail -5) - if [ ! -z "$FAILED_LOGINS" ]; then - echo -e "\n${YELLOW}Recent Failed Login Attempts:${RESET}" - echo -e "${RED}$(grep "Failed password" /var/log/auth.log | tail -5)${RESET}" - fi - - echo -e "\n${RED}THIS IS A SECURED SERVER - ALL ACTIONS ARE LOGGED${RESET}\n" - fi -else - # Simple prompt for terminals without color support - PS1="[\u@\h \W]\\$ " -fi - # Set some useful aliases alias ll='ls -la' alias l='ls -l' 
@@ -141,6 +86,7 @@ alias rm='rm -i' alias cp='cp -i' alias mv='mv -i' alias grep='grep --color=auto' +alias ls='ls --color=auto' EOF chmod +x "$profile_file" @@ -177,21 +123,21 @@ PROCESSOR_NAME=$(awk -F": " '/model name/ { print $2 }' /proc/cpuinfo | head -1) PROCESSOR_COUNT=$(grep -ioPc 'processor\t:' /proc/cpuinfo) # colors -W="\e[0;39m" -G="\e[1;32m" -R="\e[1;31m" +WHITE="\e[0;39m" +GREEN="\e[1;32m" +RED="\e[1;31m" dim="\e[2m" undim="\e[0m" echo -e "${W}System info: -$W Hostname$dim····$undim: $W${HOSTNAME} -$W Distro$dim······$undim: $W$(grep "PRETTY_NAME" /etc/*release | cut -d "=" -f 2- | sed 's/"//g') -$W Kernel$dim······$undim: $W$(uname -sr) -$W Uptime$dim······$undim: $W$(uptime -p) -$W Load$dim········$undim: $G$LOAD1$W (1m), $G$LOAD5$W (5m), $G$LOAD15$W (15m) -$W Processes$dim···$undim: $G$PROCESS_ROOT$W (root), $G$PROCESS_USER$W (user), $G$PROCESS_ALL$W (total) -$W CPU$dim·········$undim: $W$PROCESSOR_NAME ($G$PROCESSOR_COUNT$W vCPU) -$W Memory$dim······$undim: $G$USED$W used, $G$AVAIL$W avail, $G$TOTAL$W total" +$WHITE Hostname$dim····$undim: $WHITE${HOSTNAME} +$WHITE Distro$dim······$undim: $WHITE$(grep "PRETTY_NAME" /etc/*release | cut -d "=" -f 2- | sed 's/"//g') +$WHITE Kernel$dim······$undim: $WHITE$(uname -sr) +$WHITE Uptime$dim······$undim: $WHITE$(uptime -p) +$WHITE Load$dim········$undim: $GREEN$LOAD1$WHITE (1m), $GREEN$LOAD5$WHITE (5m), $GREEN$LOAD15$WHITE (15m) +$WHITE Processes$dim···$undim: $GREEN$PROCESS_ROOT$WHITE (root), $GREEN$PROCESS_USER$WHITE (user), $GREEN$PROCESS_ALL$WHITE (total) +$WHITE CPU$dim·········$undim: $WHITE$PROCESSOR_NAME ($GREEN$PROCESSOR_COUNT$WHITE vCPU) +$WHITE Memory$dim······$undim: $GREEN$USED$WHITE used, $GREEN$AVAIL$WHITE avail, $GREEN$TOTAL$WHITE total" # config max_usage=90 
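Review bot: The rename from `W`/`G`/`R` to `WHITE`/`GREEN`/`RED` is applied only in this hunk and in the two `color=` assignments further down, so any other `$W`, `$G` or `$R` reference in the generated script (the rest of the heredoc is outside my view) would now expand to an empty string with no error; grepping the heredoc body for the old names before merging would confirm there are none. Within the same block `dim`/`undim` keep the lower-case style, so the colour variables now follow two conventions in one script; either is fine, but one should be chosen. The heredoc that holds this script starts outside the hunk.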
@@ -206,9 +152,9 @@ while read line; do used_width=$((($usage*$bar_width)/100)) # color is green if usage < max_usage, else red if [ "${usage}" -ge "${max_usage}" ]; then - color=$R + color=$RED else - color=$G + color=$GREEN fi # print green/red bar until used_width bar="[${color}" diff --git a/test/modules/dns_config.sh b/test/modules/dns_config.sh index 0c108fe..c5987a3 100644 --- a/test/modules/dns_config.sh +++ b/test/modules/dns_config.sh @@ -17,12 +17,12 @@ configure_dns() { backup_file "/etc/resolv.conf" # Create systemd-resolved configuration - local resolved_conf="/etc/systemd/resolved.conf" + local RESOLVED_CONF="/etc/systemd/resolved.conf" log_message "INFO" "Creating systemd-resolved configuration" - backup_file "$resolved_conf" + backup_file "$RESOLVED_CONF" - cat > "$resolved_conf" << EOF + cat > "$RESOLVED_CONF" << EOF [Resolve] # Google and Cloudflare DNS servers DNS=8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 @@ -39,12 +39,12 @@ DNSStubListener=yes ReadEtcHosts=yes EOF - log_message "SUCCESS" "systemd-resolved configuration created at $resolved_conf" + log_message "SUCCESS" "systemd-resolved configuration created at $RESOLVED_CONF" # Restart systemd-resolved service if systemctl is-active systemd-resolved >/dev/null 2>&1; then log_message "INFO" "Restarting systemd-resolved service" - systemctl restart systemd-resolved + service restart systemd-resolved if [ $? -eq 0 ]; then log_message "SUCCESS" "systemd-resolved service restarted successfully" diff --git a/test/modules/fail2ban.sh b/test/modules/fail2ban.sh index c5b51eb..ed25518 100644 --- a/test/modules/fail2ban.sh +++ b/test/modules/fail2ban.sh 
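Review bot: The restart now goes through the `service` wrapper while the guard two lines above still calls `systemctl is-active systemd-resolved` directly, so one block talks to systemd in two different spellings. `if service is-active systemd-resolved >/dev/null 2>&1; then` keeps the pair consistent, since the wrapper forwards the verb unchanged. configure_dns continues outside the hunk.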
@@ -26,12 +26,12 @@ configure_fail2ban() { fi # Create fail2ban local configuration - local fail2ban_local="/etc/fail2ban/jail.local" + local FAIL2BAN_LOCAL="/etc/fail2ban/jail.local" log_message "INFO" "Creating fail2ban configuration" - backup_file "$fail2ban_local" + backup_file "$FAIL2BAN_LOCAL" - cat > "$fail2ban_local" << EOF + cat > "$FAIL2BAN_LOCAL" << EOF [DEFAULT] # Ban hosts for 1 hour bantime = 3600 @@ -52,7 +52,7 @@ banaction_allports = iptables-allports # SSH jail configuration (custom port) [sshd] enabled = true -port = 2222 +port = 22 filter = sshd logpath = /var/log/auth.log maxretry = 3 @@ -75,7 +75,7 @@ logpath = /var/log/nginx/error.log maxretry = 3 EOF - log_message "SUCCESS" "fail2ban configuration created at $fail2ban_local" + log_message "SUCCESS" "fail2ban configuration created at $FAIL2BAN_LOCAL" # Restart fail2ban service log_message "INFO" "Restarting fail2ban service" diff --git a/test/modules/firewall.sh b/test/modules/firewall.sh index 5e28af6..e1fc163 100644 --- a/test/modules/firewall.sh +++ b/test/modules/firewall.sh 
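Review bot: The comment `# SSH jail configuration (custom port)` directly above the changed line is now stale, since the jail has moved back to the default port 22; `# SSH jail configuration (must match Port in sshd_config and the ufw rule)` records the coupling this commit also touches in ssh_hardening.sh and firewall.sh. Writing `port = ssh` would let fail2ban resolve the port from /etc/services and keep the three files in step for as long as the default is used. The heredoc starts and ends outside the hunk.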
@@ -29,30 +29,41 @@ configure_ufw() { ufw --force reset # Set default policies - log_message "INFO" "Setting default UFW policies" + log_message "INFO" "IPv4 : Setting default UFW policies" ufw default deny incoming ufw default allow outgoing # Allow SSH on custom port - log_message "INFO" "Allowing SSH on port 2222" - ufw allow 2222/tcp + log_message "INFO" "IPv4 : Allowing SSH on port 22" + ufw allow 22/tcp # Allow HTTP/HTTPS for web services if needed - log_message "INFO" "Allowing HTTP/HTTPS ports" + log_message "INFO" "IPv4 : Allowing HTTP/HTTPS ports" ufw allow 80/tcp ufw allow 443/tcp # Allow SNMP for monitoring - log_message "INFO" "Allowing SNMP port for monitoring" + log_message "INFO" "IPv4 : Allowing SNMP port for monitoring" ufw allow 161/udp # Allow NRPE for monitoring - log_message "INFO" "Allowing NRPE port for monitoring" + log_message "INFO" "IPv4 : Allowing NRPE port for monitoring" ufw allow 5666/tcp + # Allow IPv6 if needed + log_message "INFO" "IPv6 : Setting default UFW policies" + ufw allow in on lo + ufw allow out on lo + ufw deny in from ::/0 + ufw allow out to ::/0 + + # Enable log + log_message "INFO" "Enabling logging for UFW" + ufw logging on + # Enable UFW log_message "INFO" "Enabling UFW" - echo "y" | ufw enable + echo "y" | ufw -force enable if [ $? -eq 0 ]; then log_message "SUCCESS" "UFW enabled successfully" diff --git a/test/modules/glpi_agent.sh b/test/modules/glpi_agent.sh index 5591a3b..e23af18 100644 --- a/test/modules/glpi_agent.sh +++ b/test/modules/glpi_agent.sh @@ -138,8 +138,8 @@ EOF # Enable and start GLPI agent service log_message "INFO" "Enabling and starting GLPI agent service" systemctl daemon-reload - systemctl enable glpi-agent - systemctl restart glpi-agent + service enable glpi-agent + service restart glpi-agent if [ $? -eq 0 ]; then log_message "SUCCESS" "GLPI agent service enabled and started" diff --git a/test/modules/monitoring.sh b/test/modules/monitoring.sh index 0dfab8d..9dd502a 100644 
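Review bot: `ufw -force enable` on the last changed line uses a single-dash long option; ufw's flag is `--force` (short form `-f`), and as far as I can tell its getopt-style parser reads `-force` as a run of single-letter options and rejects the unknown ones, so the enable step now fails where the previous `echo "y" | ufw enable` worked. With the flag fixed the piped `echo "y"` is redundant: `ufw --force enable`. The block logged as "IPv6 : Setting default UFW policies" does not set default policies — `ufw default deny incoming` / `allow outgoing` above already apply to IPv6 when `IPV6=yes` in /etc/default/ufw, loopback is allowed by ufw's built-in rules, and `deny in from ::/0` is appended after the port allows so it does not restrict them; the rules look harmless but the log text and the `# Allow SSH on custom port` comment (now port 22) mislead and should be reworded. configure_ufw continues outside the hunk.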
--- a/test/modules/monitoring.sh +++ b/test/modules/monitoring.sh @@ -102,8 +102,8 @@ EOF # Restart SNMP service log_message "INFO" "Restarting SNMP service" - systemctl enable snmpd - systemctl restart snmpd + service enable snmpd + service restart snmpd if [ $? -eq 0 ]; then log_message "SUCCESS" "SNMP service restarted successfully" @@ -279,8 +279,8 @@ EOF # Restart NRPE service log_message "INFO" "Restarting NRPE service" - systemctl enable nagios-nrpe-server - systemctl restart nagios-nrpe-server + service enable nagios-nrpe-server + service restart nagios-nrpe-server if [ $? -eq 0 ]; then log_message "SUCCESS" "NRPE service restarted successfully" diff --git a/test/modules/ntp.sh b/test/modules/ntp.sh index 1b0f3f2..2c52bb9 100644 --- a/test/modules/ntp.sh +++ b/test/modules/ntp.sh @@ -27,12 +27,12 @@ configure_ntp() { fi # Configure chrony - local chrony_conf="/etc/chrony/chrony.conf" + local CHRONY_CONFf="/etc/chrony/chrony.conf" log_message "INFO" "Creating chrony configuration" - backup_file "$chrony_conf" + backup_file "$CHRONY_CONF" - cat > "$chrony_conf" << EOF + cat > "$CHRONY_CONF" << EOF # Chrony NTP configuration # Generated by security hardening script @@ -72,12 +72,12 @@ allow 127.0.0.1 deny all EOF - log_message "SUCCESS" "chrony configuration created at $chrony_conf" + log_message "SUCCESS" "chrony configuration created at $CHRONY_CONF" # Restart chrony service log_message "INFO" "Restarting chrony service" - systemctl enable chrony - systemctl restart chrony + service enable chrony + service restart chrony if [ $? -eq 0 ]; then log_message "SUCCESS" "chrony service restarted successfully" diff --git a/test/modules/package_management.sh b/test/modules/package_management.sh index 081b656..9bdc897 100644 --- a/test/modules/package_management.sh +++ b/test/modules/package_management.sh 
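Review bot: `local CHRONY_CONFf="/etc/chrony/chrony.conf"` on the first changed line of the ntp.sh hunk has a trailing `f` in the name, so `$CHRONY_CONF` read on the next two changed lines (and in the log message of the following hunk) is never assigned: `backup_file ""` receives an empty path and `cat > ""` fails, so the chrony configuration is never written. `local CHRONY_CONF="/etc/chrony/chrony.conf"` fixes it. Under `set -u` the unset reference would abort the module instead; I cannot see from the hunk which applies. configure_ntp continues outside the hunk.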
@@ -141,6 +141,7 @@ install_new_packages() { EOF chmod +x "$SCRIPT_DIR/install_packages.sh" + log_message "INFO" "Created new package installation module at $SCRIPT_DIR/install_packages.sh" # Main execution for package management diff --git a/test/modules/ssh_hardening.sh b/test/modules/ssh_hardening.sh index 316754b..51e343f 100644 --- a/test/modules/ssh_hardening.sh +++ b/test/modules/ssh_hardening.sh @@ -106,17 +106,18 @@ harden_ssh_config() { # Hardened configuration from security script # Basic SSH server settings -Port 2222 -AddressFamily inet -ListenAddress 0.0.0.0 +Port 22 +#AddressFamily inet +#ListenAddress 0.0.0.0 +#ListenAddress :: # Authentication settings #AuthorizedKeysFile /root/.ssh/authorized_keys/%u -PermitRootLogin prohibit-password -PubkeyAuthentication yes -PasswordAuthentication no -PermitEmptyPasswords no -ChallengeResponseAuthentication no +#PermitRootLogin prohibit-password +#PubkeyAuthentication yes +#PasswordAuthentication no +#PermitEmptyPasswords no +#ChallengeResponseAuthentication no UsePAM yes # Security settings @@ -127,15 +128,18 @@ Subsystem sftp /usr/lib/openssh/sftp-server # Hardening options LoginGraceTime 30 -MaxAuthTries 3 -MaxSessions 5 +MaxAuthTries 5 +MaxSessions 3 ClientAliveInterval 300 ClientAliveCountMax 3 +# +Banner /etc/banner + # Disable weak crypto -KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 +#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr +#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 # Logging SyslogFacility AUTH 
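Review bot: Commenting out `PermitRootLogin prohibit-password`, `PubkeyAuthentication yes`, `PasswordAuthentication no`, `PermitEmptyPasswords no` and `ChallengeResponseAuthentication no` hands those settings back to the OpenSSH defaults, and for `PasswordAuthentication` and `ChallengeResponseAuthentication` the default is `yes`, so the generated sshd_config no longer disables password logins — the main thing this heredoc in harden_ssh_config existed for. If the goal is to keep password access while keys are rolled out, that should be an explicit choice (a variable the module reads, or at least `PasswordAuthentication yes` written out with a comment saying why and until when) rather than commented-out lines that read as if the hardening still applies. `#ListenAddress ::` next to `#AddressFamily inet` likewise changes the listener from IPv4-only to all address families without saying so; a line such as `# Binding relaxed from IPv4-only: sshd listens on all address families` above that group would record the intent. The heredoc starts before this hunk and continues in the next one.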
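Review bot: `MaxAuthTries 5` / `MaxSessions 3` exactly swap the previous values (3 / 5); raising the auth-try limit while lowering the session limit are unrelated changes, so this looks like a transposition rather than a tuning decision — if the old values were intended, `MaxAuthTries 3` and `MaxSessions 5`. `Banner /etc/banner` points at a file this hunk does not create; if it is missing, sshd still accepts logins but the directive has no effect (and, depending on the OpenSSH version, may log a warning), so the banner should be written by this module or the directive dropped. Commenting out the `KexAlgorithms`/`Ciphers`/`MACs` lines leaves the `# Disable weak crypto` heading describing nothing; either remove it or replace it with `# Crypto: OpenSSH defaults (explicit allow-list removed)`. The heredoc continues outside the hunk.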
diff --git a/test/modules/wazuh_agent.sh b/test/modules/wazuh_agent.sh index ad61882..8d3b0be 100644 --- a/test/modules/wazuh_agent.sh +++ b/test/modules/wazuh_agent.sh @@ -91,8 +91,8 @@ EOF # Enable and start Wazuh agent log_message "INFO" "Enabling and starting Wazuh agent" systemctl daemon-reload - systemctl enable wazuh-agent - systemctl restart wazuh-agent + service enable wazuh-agent + service restart wazuh-agent if [ $? -eq 0 ]; then log_message "SUCCESS" "Wazuh agent service enabled and started"