Update : all variable, create function service

2025-04-24 08:09:49 +02:00 · 2025-04-24 08:09:49 +02:00 · 9db64d936e
commit 9db64d936e
parent 5991764110
15 changed files with 104 additions and 137 deletions
--- a/test/common.sh
+++ b/test/common.sh
@ -156,3 +156,8 @@ command_exists() {
 is_package_installed() {
  dpkg -l "$1" | grep -q "^ii" >/dev/null 2>&1
 }
+
+# Function to check if a service is running
+service() {
+  systemctl $1 $2
+}
--- a/test/modules/additional_hardening.sh
+++ b/test/modules/additional_hardening.sh
@ -278,7 +278,7 @@ EOF
  log_message "SUCCESS" "Rsyslog security configuration created at $rsyslog_security"
  
  # Restart rsyslog
-  systemctl restart rsyslog
+  service restart rsyslog
  
  # Configure log rotation
  local logrotate_conf="/etc/logrotate.d/rsyslog-security"
--- a/test/modules/antivirus.sh
+++ b/test/modules/antivirus.sh
@ -44,11 +44,11 @@ configure_clamav() {
  log_message "SUCCESS" "ClamAV freshclam configuration updated"
  
  # Create a daily scan script
-  local scan_script="/etc/cron.daily/clamscan"
+  local SCAN_SCRIPT="/etc/cron.daily/clamscan"
  
  log_message "INFO" "Creating daily scan script"
  
-  cat > "$scan_script" << 'EOF'
+  cat > "$SCAN_SCRIPT" << 'EOF'
 #!/bin/bash

 # ClamAV daily scan script
@ -84,13 +84,13 @@ fi
 echo "ClamAV daily scan completed at $(date)" >> "$LOG_FILE"
 EOF

-  chmod +x "$scan_script"
-  log_message "SUCCESS" "ClamAV daily scan script created at $scan_script"
+  chmod +x "$SCAN_SCRIPT"
+  log_message "SUCCESS" "ClamAV daily scan script created at $SCAN_SCRIPT"
  
  # Restart ClamAV services
  log_message "INFO" "Starting ClamAV services"
-  systemctl start clamav-freshclam
-  systemctl start clamav-daemon
+  service start clamav-freshclam
+  service start clamav-daemon
  
  if [ $? -eq 0 ]; then
    log_message "SUCCESS" "ClamAV services started successfully"
--- a/test/modules/auditing.sh
+++ b/test/modules/auditing.sh
@ -26,12 +26,12 @@ configure_auditd() {
  fi
  
  # Configure auditd
-  local audit_rules="/etc/audit/rules.d/audit.rules"
+  local AUDIT_RULES="/etc/audit/rules.d/audit.rules"
  
  log_message "INFO" "Creating audit rules"
-  backup_file "$audit_rules"
+  backup_file "$AUDIT_RULES"
  
-  cat > "$audit_rules" << 'EOF'
+  cat > "$AUDIT_RULES" << 'EOF'
 # Audit configuration
 # Hardened audit rules

@ -106,11 +106,11 @@ configure_auditd() {
 -a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation
 EOF

-  log_message "SUCCESS" "Audit rules created at $audit_rules"
+  log_message "SUCCESS" "Audit rules created at $AUDIT_RULES"
  
  # Restart auditd service
  log_message "INFO" "Restarting auditd service"
-  service auditd restart
+  service restart auditd 
  
  if [ $? -eq 0 ]; then
    log_message "SUCCESS" "auditd service restarted successfully"
--- a/test/modules/auto_updates.sh
+++ b/test/modules/auto_updates.sh
@ -27,12 +27,12 @@ configure_auto_updates() {
  fi
  
  # Configure unattended-upgrades
-  local unattended_conf="/etc/apt/apt.conf.d/50unattended-upgrades"
+  local UNATTENDED_CONF="/etc/apt/apt.conf.d/50unattended-upgrades"
  
  log_message "INFO" "Creating unattended-upgrades configuration"
-  backup_file "$unattended_conf"
+  backup_file "$UNATTENDED_CONF"
  
-  cat > "$unattended_conf" << EOF
+  cat > "$UNATTENDED_CONF" << EOF
 // Unattended-Upgrades configuration
 // Generated by security hardening script

@ -87,14 +87,14 @@ APT::Periodic::AutocleanInterval "7";
 APT::Periodic::Unattended-Upgrade "1";
 EOF

-  log_message "SUCCESS" "unattended-upgrades configuration created at $unattended_conf"
+  log_message "SUCCESS" "unattended-upgrades configuration created at $UNATTENDED_CONF"
  
  # Create a configuration file to enable automatic updates
-  local auto_upgrades="/etc/apt/apt.conf.d/20auto-upgrades"
+  local AUTO_UPGRADES="/etc/apt/apt.conf.d/20auto-upgrades"
  
  log_message "INFO" "Creating auto-upgrades configuration"
  
-  cat > "$auto_upgrades" << EOF
+  cat > "$AUTO_UPGRADES" << EOF
 // Auto-upgrade configuration
 // Generated by security hardening script

@ -104,15 +104,15 @@ APT::Periodic::AutocleanInterval "7";
 APT::Periodic::Unattended-Upgrade "1";
 EOF

-  log_message "SUCCESS" "auto-upgrades configuration created at $auto_upgrades"
+  log_message "SUCCESS" "auto-upgrades configuration created at $AUTO_UPGRADES"
  
  # Configure apt-listchanges
-  local listchanges_conf="/etc/apt/listchanges.conf"
+  local LISTCHANGES_CONF="/etc/apt/listchanges.conf"
  
  log_message "INFO" "Creating apt-listchanges configuration"
-  backup_file "$listchanges_conf"
+  backup_file "$LISTCHANGES_CONF"
  
-  cat > "$listchanges_conf" << EOF
+  cat > "$LISTCHANGES_CONF" << EOF
 [apt]
 frontend=pager
 email_address=root
@ -121,12 +121,12 @@ save_seen=/var/lib/apt/listchanges.db
 which=both
 EOF

-  log_message "SUCCESS" "apt-listchanges configuration created at $listchanges_conf"
+  log_message "SUCCESS" "apt-listchanges configuration created at $LISTCHANGES_CONF"
  
  # Enable and start unattended-upgrades service
  log_message "INFO" "Enabling unattended-upgrades service"
-  systemctl enable unattended-upgrades
-  systemctl restart unattended-upgrades
+  service enable unattended-upgrades
+  service restart unattended-upgrades
  
  if [ $? -eq 0 ]; then
    log_message "SUCCESS" "unattended-upgrades service enabled and restarted successfully"
--- a/test/modules/custom_prompt.sh
+++ b/test/modules/custom_prompt.sh
@ -79,61 +79,6 @@ configure_custom_profile() {
 # Custom secure server profile
 # Generated by security hardening script

-# Check if the terminal supports colors
-if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
-  # Color definitions
-  BLUE="\[\033[01;34m\]"
-  GREEN="\[\033[01;32m\]"
-  RED="\[\033[01;31m\]"
-  YELLOW="\[\033[01;33m\]"
-  PURPLE="\[\033[01;35m\]"
-  CYAN="\[\033[01;36m\]"
-  WHITE="\[\033[01;37m\]"
-  RESET="\[\033[00m\]"
-  BOLD="\[\033[01m\]"
-
-  # Get server IP
-  SERVER_IP=$(hostname -I | awk '{print $1}')
-
-  # Define symbols based on privilege
-  if [ "$(id -u)" -eq 0 ]; then
-    # Root user - red prompt
-    USER_COLOR=$RED
-    PROMPT_SYMBOL="#"
-  else
-    # Regular user - green prompt
-    USER_COLOR=$GREEN
-    PROMPT_SYMBOL="$"
-  fi
-
-  # Set the prompt
-  PS1="${BOLD}[${USER_COLOR}\u${RESET}${BOLD}@${CYAN}\h${RESET}${BOLD} ${YELLOW}\w${RESET}${BOLD}]${RESET}\\n${USER_COLOR}${PROMPT_SYMBOL}${RESET} "
-
-  # Show additional security information for root users
-  if [ "$(id -u)" -eq 0 ]; then
-    # Display system information
-    echo -e "\n${RED}ATTENTION: ROOT LOGIN${RESET}"
-    echo -e "${YELLOW}System Info:${RESET}"
-    echo -e "  ${CYAN}Hostname:${RESET} $(hostname)"
-    echo -e "  ${CYAN}IP Address:${RESET} ${SERVER_IP}"
-    echo -e "  ${CYAN}Kernel:${RESET} $(uname -r)"
-    echo -e "  ${CYAN}Uptime:${RESET} $(uptime -p | sed 's/up //')"
-    echo -e "  ${CYAN}Load:${RESET} $(cat /proc/loadavg | awk '{print $1 ", " $2 ", " $3}')"
-
-    # Show recent failed login attempts
-    FAILED_LOGINS=$(grep "Failed password" /var/log/auth.log | tail -5)
-    if [ ! -z "$FAILED_LOGINS" ]; then
-      echo -e "\n${YELLOW}Recent Failed Login Attempts:${RESET}"
-      echo -e "${RED}$(grep "Failed password" /var/log/auth.log | tail -5)${RESET}"
-    fi
-
-    echo -e "\n${RED}THIS IS A SECURED SERVER - ALL ACTIONS ARE LOGGED${RESET}\n"
-  fi
-else
-  # Simple prompt for terminals without color support
-  PS1="[\u@\h \W]\\$ "
-fi
-
 # Set some useful aliases
 alias ll='ls -la'
 alias l='ls -l'
@ -141,6 +86,7 @@ alias rm='rm -i'
 alias cp='cp -i'
 alias mv='mv -i'
 alias grep='grep --color=auto'
+alias ls='ls --color=auto'
 EOF

  chmod +x "$profile_file"
@ -177,21 +123,21 @@ PROCESSOR_NAME=$(awk -F": " '/model name/ { print $2 }' /proc/cpuinfo | head -1)
 PROCESSOR_COUNT=$(grep -ioPc 'processor\t:' /proc/cpuinfo)

 # colors
-W="\e[0;39m"
-G="\e[1;32m"
-R="\e[1;31m"
+WHITE="\e[0;39m"
+GREEN="\e[1;32m"
+RED="\e[1;31m"
 dim="\e[2m"
 undim="\e[0m"

 echo -e "${W}System info:
-$W  Hostname$dim····$undim: $W${HOSTNAME}
-$W  Distro$dim······$undim: $W$(grep "PRETTY_NAME" /etc/*release | cut -d "=" -f 2- | sed 's/"//g')
-$W  Kernel$dim······$undim: $W$(uname -sr)
-$W  Uptime$dim······$undim: $W$(uptime -p)
-$W  Load$dim········$undim: $G$LOAD1$W (1m), $G$LOAD5$W (5m), $G$LOAD15$W (15m)
-$W  Processes$dim···$undim: $G$PROCESS_ROOT$W (root), $G$PROCESS_USER$W (user), $G$PROCESS_ALL$W (total)
-$W  CPU$dim·········$undim: $W$PROCESSOR_NAME ($G$PROCESSOR_COUNT$W vCPU)
-$W  Memory$dim······$undim: $G$USED$W used, $G$AVAIL$W avail, $G$TOTAL$W total"
+$WHITE  Hostname$dim····$undim: $WHITE${HOSTNAME}
+$WHITE  Distro$dim······$undim: $WHITE$(grep "PRETTY_NAME" /etc/*release | cut -d "=" -f 2- | sed 's/"//g')
+$WHITE  Kernel$dim······$undim: $WHITE$(uname -sr)
+$WHITE  Uptime$dim······$undim: $WHITE$(uptime -p)
+$WHITE  Load$dim········$undim: $GREEN$LOAD1$WHITE (1m), $GREEN$LOAD5$WHITE (5m), $GREEN$LOAD15$WHITE (15m)
+$WHITE  Processes$dim···$undim: $GREEN$PROCESS_ROOT$WHITE (root), $GREEN$PROCESS_USER$WHITE (user), $GREEN$PROCESS_ALL$WHITE (total)
+$WHITE  CPU$dim·········$undim: $WHITE$PROCESSOR_NAME ($GREEN$PROCESSOR_COUNT$WHITE vCPU)
+$WHITE  Memory$dim······$undim: $GREEN$USED$WHITE used, $GREEN$AVAIL$WHITE avail, $GREEN$TOTAL$WHITE total"

 # config
 max_usage=90
@ -206,9 +152,9 @@ while read line; do
    used_width=$((($usage*$bar_width)/100))
    # color is green if usage < max_usage, else red
    if [ "${usage}" -ge "${max_usage}" ]; then
-        color=$R
+        color=$RED
    else
-        color=$G
+        color=$GREEN
    fi
    # print green/red bar until used_width
    bar="[${color}"
--- a/test/modules/dns_config.sh
+++ b/test/modules/dns_config.sh
@ -17,12 +17,12 @@ configure_dns() {
  backup_file "/etc/resolv.conf"
  
  # Create systemd-resolved configuration
-  local resolved_conf="/etc/systemd/resolved.conf"
+  local RESOLVED_CONF="/etc/systemd/resolved.conf"
  
  log_message "INFO" "Creating systemd-resolved configuration"
-  backup_file "$resolved_conf"
+  backup_file "$RESOLVED_CONF"
  
-  cat > "$resolved_conf" << EOF
+  cat > "$RESOLVED_CONF" << EOF
 [Resolve]
 # Google and Cloudflare DNS servers
 DNS=8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1
@ -39,12 +39,12 @@ DNSStubListener=yes
 ReadEtcHosts=yes
 EOF

-  log_message "SUCCESS" "systemd-resolved configuration created at $resolved_conf"
+  log_message "SUCCESS" "systemd-resolved configuration created at $RESOLVED_CONF"
  
  # Restart systemd-resolved service
  if systemctl is-active systemd-resolved >/dev/null 2>&1; then
    log_message "INFO" "Restarting systemd-resolved service"
-    systemctl restart systemd-resolved
+    service restart systemd-resolved
    
    if [ $? -eq 0 ]; then
      log_message "SUCCESS" "systemd-resolved service restarted successfully"
--- a/test/modules/fail2ban.sh
+++ b/test/modules/fail2ban.sh
@ -26,12 +26,12 @@ configure_fail2ban() {
  fi

  # Create fail2ban local configuration
-  local fail2ban_local="/etc/fail2ban/jail.local"
+  local FAIL2BAN_LOCAL="/etc/fail2ban/jail.local"

  log_message "INFO" "Creating fail2ban configuration"
-  backup_file "$fail2ban_local"
+  backup_file "$FAIL2BAN_LOCAL"

-  cat > "$fail2ban_local" << EOF
+  cat > "$FAIL2BAN_LOCAL" << EOF
 [DEFAULT]
 # Ban hosts for 1 hour
 bantime = 3600
@ -52,7 +52,7 @@ banaction_allports = iptables-allports
 # SSH jail configuration (custom port)
 [sshd]
 enabled = true
-port = 2222
+port = 22
 filter = sshd
 logpath = /var/log/auth.log
 maxretry = 3
@ -75,7 +75,7 @@ logpath = /var/log/nginx/error.log
 maxretry = 3
 EOF

-  log_message "SUCCESS" "fail2ban configuration created at $fail2ban_local"
+  log_message "SUCCESS" "fail2ban configuration created at $FAIL2BAN_LOCAL"

  # Restart fail2ban service
  log_message "INFO" "Restarting fail2ban service"
--- a/test/modules/firewall.sh
+++ b/test/modules/firewall.sh
@ -29,30 +29,41 @@ configure_ufw() {
  ufw --force reset

  # Set default policies
-  log_message "INFO" "Setting default UFW policies"
+  log_message "INFO" "IPv4 : Setting default UFW policies"
  ufw default deny incoming
  ufw default allow outgoing

  # Allow SSH on custom port
-  log_message "INFO" "Allowing SSH on port 2222"
-  ufw allow 2222/tcp
+  log_message "INFO" "IPv4 : Allowing SSH on port 22"
+  ufw allow 22/tcp

  # Allow HTTP/HTTPS for web services if needed
-  log_message "INFO" "Allowing HTTP/HTTPS ports"
+  log_message "INFO" "IPv4 : Allowing HTTP/HTTPS ports"
  ufw allow 80/tcp
  ufw allow 443/tcp

  # Allow SNMP for monitoring
-  log_message "INFO" "Allowing SNMP port for monitoring"
+  log_message "INFO" "IPv4 : Allowing SNMP port for monitoring"
  ufw allow 161/udp

  # Allow NRPE for monitoring
-  log_message "INFO" "Allowing NRPE port for monitoring"
+  log_message "INFO" "IPv4 : Allowing NRPE port for monitoring"
  ufw allow 5666/tcp

+  # Allow IPv6 if needed
+  log_message "INFO" "IPv6 : Setting default UFW policies"
+  ufw allow in on lo
+  ufw allow out on lo
+  ufw deny in from ::/0
+  ufw allow out to ::/0
+
+  # Enable log
+  log_message "INFO" "Enabling logging for UFW"
+  ufw logging on
+
  # Enable UFW
  log_message "INFO" "Enabling UFW"
-  echo "y" | ufw enable
+  echo "y" | ufw -force enable

  if [ $? -eq 0 ]; then
    log_message "SUCCESS" "UFW enabled successfully"
--- a/test/modules/glpi_agent.sh
+++ b/test/modules/glpi_agent.sh
@ -138,8 +138,8 @@ EOF
  # Enable and start GLPI agent service
  log_message "INFO" "Enabling and starting GLPI agent service"
  systemctl daemon-reload
-  systemctl enable glpi-agent
-  systemctl restart glpi-agent
+  service enable glpi-agent
+  service restart glpi-agent
  
  if [ $? -eq 0 ]; then
    log_message "SUCCESS" "GLPI agent service enabled and started"
--- a/test/modules/monitoring.sh
+++ b/test/modules/monitoring.sh
@ -102,8 +102,8 @@ EOF
  
  # Restart SNMP service
  log_message "INFO" "Restarting SNMP service"
-  systemctl enable snmpd
-  systemctl restart snmpd
+  service enable snmpd
+  service restart snmpd
  
  if [ $? -eq 0 ]; then
    log_message "SUCCESS" "SNMP service restarted successfully"
@ -279,8 +279,8 @@ EOF
  
  # Restart NRPE service
  log_message "INFO" "Restarting NRPE service"
-  systemctl enable nagios-nrpe-server
-  systemctl restart nagios-nrpe-server
+  service enable nagios-nrpe-server
+  service restart nagios-nrpe-server
  
  if [ $? -eq 0 ]; then
    log_message "SUCCESS" "NRPE service restarted successfully"
--- a/test/modules/ntp.sh
+++ b/test/modules/ntp.sh
@ -27,12 +27,12 @@ configure_ntp() {
  fi
  
  # Configure chrony
-  local chrony_conf="/etc/chrony/chrony.conf"
+  local CHRONY_CONFf="/etc/chrony/chrony.conf"
  
  log_message "INFO" "Creating chrony configuration"
-  backup_file "$chrony_conf"
+  backup_file "$CHRONY_CONF"
  
-  cat > "$chrony_conf" << EOF
+  cat > "$CHRONY_CONF" << EOF
 # Chrony NTP configuration
 # Generated by security hardening script

@ -72,12 +72,12 @@ allow 127.0.0.1
 deny all
 EOF

-  log_message "SUCCESS" "chrony configuration created at $chrony_conf"
+  log_message "SUCCESS" "chrony configuration created at $CHRONY_CONF"
  
  # Restart chrony service
  log_message "INFO" "Restarting chrony service"
-  systemctl enable chrony
-  systemctl restart chrony
+  service enable chrony
+  service restart chrony
  
  if [ $? -eq 0 ]; then
    log_message "SUCCESS" "chrony service restarted successfully"
--- a/test/modules/package_management.sh
+++ b/test/modules/package_management.sh
@ -141,6 +141,7 @@ install_new_packages() {
 EOF

 chmod +x "$SCRIPT_DIR/install_packages.sh"
+
 log_message "INFO" "Created new package installation module at $SCRIPT_DIR/install_packages.sh"

 # Main execution for package management
--- a/test/modules/ssh_hardening.sh
+++ b/test/modules/ssh_hardening.sh
@ -106,17 +106,18 @@ harden_ssh_config() {
 # Hardened configuration from security script

 # Basic SSH server settings
-Port 2222
-AddressFamily inet
-ListenAddress 0.0.0.0
+Port 22
+#AddressFamily inet
+#ListenAddress 0.0.0.0
+#ListenAddress ::

 # Authentication settings
 #AuthorizedKeysFile /root/.ssh/authorized_keys/%u
-PermitRootLogin prohibit-password
-PubkeyAuthentication yes
-PasswordAuthentication no
-PermitEmptyPasswords no
-ChallengeResponseAuthentication no
+#PermitRootLogin prohibit-password
+#PubkeyAuthentication yes
+#PasswordAuthentication no
+#PermitEmptyPasswords no
+#ChallengeResponseAuthentication no
 UsePAM yes

 # Security settings
@ -127,15 +128,18 @@ Subsystem sftp /usr/lib/openssh/sftp-server

 # Hardening options
 LoginGraceTime 30
-MaxAuthTries 3
-MaxSessions 5
+MaxAuthTries 5
+MaxSessions 3
 ClientAliveInterval 300
 ClientAliveCountMax 3

+#
+Banner /etc/banner
+
 # Disable weak crypto
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

 # Logging
 SyslogFacility AUTH
--- a/test/modules/wazuh_agent.sh
+++ b/test/modules/wazuh_agent.sh
@ -91,8 +91,8 @@ EOF
  # Enable and start Wazuh agent
  log_message "INFO" "Enabling and starting Wazuh agent"
  systemctl daemon-reload
-  systemctl enable wazuh-agent
-  systemctl restart wazuh-agent
+  service enable wazuh-agent
+  service restart wazuh-agent
  
  if [ $? -eq 0 ]; then
    log_message "SUCCESS" "Wazuh agent service enabled and started"