debian-cis/install.sh

#!/bin/bash

# Made By Taylor Christian Newsome

# Ensure we run as root
if [ "$(id -u)" -ne "0" ]; then
  echo "This script must be run as root."
  exit 1
fi

# Define variables
REPO_URL="https://github.com/ovh/debian-cis.git"
REPO_DIR="/opt/debian-cis"
DEFAULT_CONFIG="/etc/default/cis-hardening"
LOG_FILE="/var/log/debian-cis-hardening.log"

# Log function
log() {
  local msg="$1"
  echo "$(date '+%Y-%m-%d %H:%M:%S') - $msg" >> "$LOG_FILE"
}

# Initialize log file
if [ ! -f "$LOG_FILE" ]; then
  touch "$LOG_FILE"
  chmod 600 "$LOG_FILE"
  log "Log file created."
fi

# Clone the repository if not already present
if [ ! -d "$REPO_DIR" ]; then
  log "Cloning the debian-cis repository..."
  git clone "$REPO_URL" "$REPO_DIR" >> "$LOG_FILE" 2>&1
  if [ $? -ne 0 ]; then
    log "Failed to clone repository."
    exit 1
  fi
else
  log "Repository already cloned."
fi

cd "$REPO_DIR" || exit

# Copy default configuration
if [ -f "$DEFAULT_CONFIG" ]; then
  log "$DEFAULT_CONFIG already exists. Backing up..."
  cp "$DEFAULT_CONFIG" "$DEFAULT_CONFIG.bak"
  if [ $? -ne 0 ]; then
    log "Failed to back up default configuration."
    exit 1
  fi
fi
cp debian/default "$DEFAULT_CONFIG"
if [ $? -ne 0 ]; then
  log "Failed to copy default configuration."
  exit 1
fi

# Update configuration with the repository paths
log "Updating configuration paths..."
sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR='$(pwd)'/lib#" "$DEFAULT_CONFIG"
sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR='$(pwd)'/bin/hardening#" "$DEFAULT_CONFIG"
sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR='$(pwd)'/etc#" "$DEFAULT_CONFIG"
sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR='$(pwd)'/tmp#" "$DEFAULT_CONFIG"

# Run full audit
log "Running full audit with all available checks..."
./bin/hardening.sh --audit-all >> "$LOG_FILE" 2>&1
if [ $? -ne 0 ]; then
  log "Full audit failed."
  exit 1
fi

# Perform specific script audit
log "Running audit for specific script: 1.1.1.1_disable_freevxfs.sh..."
./bin/hardening/1.1.1.1_disable_freevxfs.sh --audit >> "$LOG_FILE" 2>&1
if [ $? -ne 0 ]; then
  log "Specific script audit failed."
  exit 1
fi

# Additional audit options
echo "Choose additional audit options (press Enter to skip):"
echo "1. Audit all checks and enable passing checks"
echo "2. Audit with sudo escalation"
echo "3. Audit specific check number"
echo "4. Set hardening level"
echo "5. Allow specific services"
read -r OPTION

case $OPTION in
  1)
    log "Running audit with all checks and enabling passing checks..."
    ./bin/hardening.sh --audit-all-enable-passed >> "$LOG_FILE" 2>&1
    if [ $? -ne 0 ]; then
      log "Audit with all checks and enabling passing checks failed."
      exit 1
    fi
    ;;
  2)
    log "Running audit with sudo escalation..."
    ./bin/hardening.sh --sudo >> "$LOG_FILE" 2>&1
    if [ $? -ne 0 ]; then
      log "Audit with sudo escalation failed."
      exit 1
    fi
    ;;
  3)
    echo "Enter the specific check number:"
    read -r CHECK_NUMBER
    log "Running audit for check number $CHECK_NUMBER..."
    ./bin/hardening.sh --only "$CHECK_NUMBER" >> "$LOG_FILE" 2>&1
    if [ $? -ne 0 ]; then
      log "Audit for check number $CHECK_NUMBER failed."
      exit 1
    fi
    ;;
  4)
    echo "Enter the hardening level (e.g., 2 for level 2):"
    read -r HARDENING_LEVEL
    log "Running audit with hardening level $HARDENING_LEVEL..."
    ./bin/hardening.sh --set-hardening-level "$HARDENING_LEVEL" >> "$LOG_FILE" 2>&1
    if [ $? -ne 0 ]; then
      log "Audit with hardening level $HARDENING_LEVEL failed."
      exit 1
    fi
    ;;
  5)
    echo "Enter services to allow (e.g., http mail):"
    read -r ALLOWED_SERVICES
    log "Running audit with allowed services: $ALLOWED_SERVICES..."
    ./bin/hardening.sh --set-hardening-level 2 --allow-service "$ALLOWED_SERVICES" >> "$LOG_FILE" 2>&1
    if [ $? -ne 0 ]; then
      log "Audit with allowed services $ALLOWED_SERVICES failed."
      exit 1
    fi
    ;;
  *)
    log "No additional options selected."
    ;;
esac

# Apply changes if selected
echo "Would you like to apply changes for all enabled checks? (y/n)"
read -r APPLY_CHANGES
if [ "$APPLY_CHANGES" = "y" ]; then
  log "Applying changes for all enabled checks..."
  ./bin/hardening.sh --apply >> "$LOG_FILE" 2>&1
  if [ $? -ne 0 ]; then
    log "Applying changes failed."
    exit 1
  fi
fi

log "Configuration and audit setup complete."
Create install.sh 2024-09-07 21:48:53 +02:00			`#!/bin/bash`

			`# Made By Taylor Christian Newsome`

			`# Ensure we run as root`
			`if [ "$(id -u)" -ne "0" ]; then`
			`echo "This script must be run as root."`
			`exit 1`
			`fi`

			`# Define variables`
			`REPO_URL="https://github.com/ovh/debian-cis.git"`
			`REPO_DIR="/opt/debian-cis"`
			`DEFAULT_CONFIG="/etc/default/cis-hardening"`
			`LOG_FILE="/var/log/debian-cis-hardening.log"`

			`# Log function`
			`log() {`
			`local msg="$1"`
			`echo "$(date '+%Y-%m-%d %H:%M:%S') - $msg" >> "$LOG_FILE"`
			`}`

			`# Initialize log file`
			`if [ ! -f "$LOG_FILE" ]; then`
			`touch "$LOG_FILE"`
			`chmod 600 "$LOG_FILE"`
			`log "Log file created."`
			`fi`

			`# Clone the repository if not already present`
			`if [ ! -d "$REPO_DIR" ]; then`
			`log "Cloning the debian-cis repository..."`
			`git clone "$REPO_URL" "$REPO_DIR" >> "$LOG_FILE" 2>&1`
			`if [ $? -ne 0 ]; then`
			`log "Failed to clone repository."`
			`exit 1`
			`fi`
			`else`
			`log "Repository already cloned."`
			`fi`

			`cd "$REPO_DIR" \|\| exit`

			`# Copy default configuration`
			`if [ -f "$DEFAULT_CONFIG" ]; then`
			`log "$DEFAULT_CONFIG already exists. Backing up..."`
			`cp "$DEFAULT_CONFIG" "$DEFAULT_CONFIG.bak"`
			`if [ $? -ne 0 ]; then`
			`log "Failed to back up default configuration."`
			`exit 1`
			`fi`
			`fi`
			`cp debian/default "$DEFAULT_CONFIG"`
			`if [ $? -ne 0 ]; then`
			`log "Failed to copy default configuration."`
			`exit 1`
			`fi`

			`# Update configuration with the repository paths`
			`log "Updating configuration paths..."`
			`sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR='$(pwd)'/lib#" "$DEFAULT_CONFIG"`
			`sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR='$(pwd)'/bin/hardening#" "$DEFAULT_CONFIG"`
			`sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR='$(pwd)'/etc#" "$DEFAULT_CONFIG"`
			`sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR='$(pwd)'/tmp#" "$DEFAULT_CONFIG"`

			`# Run full audit`
			`log "Running full audit with all available checks..."`
			`./bin/hardening.sh --audit-all >> "$LOG_FILE" 2>&1`
			`if [ $? -ne 0 ]; then`
			`log "Full audit failed."`
			`exit 1`
			`fi`

			`# Perform specific script audit`
			`log "Running audit for specific script: 1.1.1.1_disable_freevxfs.sh..."`
			`./bin/hardening/1.1.1.1_disable_freevxfs.sh --audit >> "$LOG_FILE" 2>&1`
			`if [ $? -ne 0 ]; then`
			`log "Specific script audit failed."`
			`exit 1`
			`fi`

			`# Additional audit options`
			`echo "Choose additional audit options (press Enter to skip):"`
			`echo "1. Audit all checks and enable passing checks"`
			`echo "2. Audit with sudo escalation"`
			`echo "3. Audit specific check number"`
			`echo "4. Set hardening level"`
			`echo "5. Allow specific services"`
			`read -r OPTION`

			`case $OPTION in`
			`1)`
			`log "Running audit with all checks and enabling passing checks..."`
			`./bin/hardening.sh --audit-all-enable-passed >> "$LOG_FILE" 2>&1`
			`if [ $? -ne 0 ]; then`
			`log "Audit with all checks and enabling passing checks failed."`
			`exit 1`
			`fi`
			`;;`
			`2)`
			`log "Running audit with sudo escalation..."`
			`./bin/hardening.sh --sudo >> "$LOG_FILE" 2>&1`
			`if [ $? -ne 0 ]; then`
			`log "Audit with sudo escalation failed."`
			`exit 1`
			`fi`
			`;;`
			`3)`
			`echo "Enter the specific check number:"`
			`read -r CHECK_NUMBER`
			`log "Running audit for check number $CHECK_NUMBER..."`
			`./bin/hardening.sh --only "$CHECK_NUMBER" >> "$LOG_FILE" 2>&1`
			`if [ $? -ne 0 ]; then`
			`log "Audit for check number $CHECK_NUMBER failed."`
			`exit 1`
			`fi`
			`;;`
			`4)`
			`echo "Enter the hardening level (e.g., 2 for level 2):"`
			`read -r HARDENING_LEVEL`
			`log "Running audit with hardening level $HARDENING_LEVEL..."`
			`./bin/hardening.sh --set-hardening-level "$HARDENING_LEVEL" >> "$LOG_FILE" 2>&1`
			`if [ $? -ne 0 ]; then`
			`log "Audit with hardening level $HARDENING_LEVEL failed."`
			`exit 1`
			`fi`
			`;;`
			`5)`
			`echo "Enter services to allow (e.g., http mail):"`
			`read -r ALLOWED_SERVICES`
			`log "Running audit with allowed services: $ALLOWED_SERVICES..."`
			`./bin/hardening.sh --set-hardening-level 2 --allow-service "$ALLOWED_SERVICES" >> "$LOG_FILE" 2>&1`
			`if [ $? -ne 0 ]; then`
			`log "Audit with allowed services $ALLOWED_SERVICES failed."`
			`exit 1`
			`fi`
			`;;`
			`*)`
			`log "No additional options selected."`
			`;;`
			`esac`

			`# Apply changes if selected`
			`echo "Would you like to apply changes for all enabled checks? (y/n)"`
			`read -r APPLY_CHANGES`
			`if [ "$APPLY_CHANGES" = "y" ]; then`
			`log "Applying changes for all enabled checks..."`
			`./bin/hardening.sh --apply >> "$LOG_FILE" 2>&1`
			`if [ $? -ne 0 ]; then`
			`log "Applying changes failed."`
			`exit 1`
			`fi`
			`fi`

			`log "Configuration and audit setup complete."`