#ANNEXE 15 - debian-secinst.sh
#=============================
#
#!/bin/sh
# Debian-secinst v0.2.0 : ANNEXE 15 - debian-secinst.sh - v1.0
# (c) 2004 Simon Castro <scastro [at] entreelibre.com>
# http://www.entreelibre.com/scastro/debian-secinst/
#
# Note : Ce script automatise 2 etapes de la documentation debian-secinst :
#   3.3. Script de securisation minimale
#   4.3. Securisation des comptes
#

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
umask 027

#####################
### CONFIGURATION ###
#####################

ADMIN_USERS="simsim"
# Next set is only used to create /etc/issue* files
IP=10.1.1.100
HOSTNAME=DS

######################
### /CONFIGURATION ###
######################

#################
### FUNCTIONS ###
#################

skel_env()
{
  echo "Creating /etc/skel common configuration files"

  find /etc/skel/ -type f -print0 | while read filename ; do
    if [ ! -f "$filename.orig" ] ; then 
      mv "$filename" "$filename.orig"
      chmod 640 "$filename.orig"
    fi
  done

  cat > /etc/skel/.alias << EOF
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias ll='ls -l'
alias la='ll -A'
alias lld='ll -d'
alias lli='ll -i'
alias l='ll -CF'
#alias screen='screen -D -R -e^Nn'
EOF

  cat > /etc/skel/.bash_logout << EOF
case "`tty`" in
  /dev/tty[0-9]) clear
esac
EOF

  cat > /etc/skel/.bashrc << EOF
umask 027
export TMOUT=300
if [ -f ~/.alias ]; then
  source ~/.alias
fi
EOF

  cat > /etc/skel/.bash_profile << EOF
if [ -f ~/.bashrc ]; then
  source ~/.bashrc
fi
EOF

  cat > /etc/skel/.inputrc << EOF
set bell-style none
"\C-a": beginning-of-line
"\C-e": end-of-line
"\C-b": backward-word
"\C-f": forward-word
"\C-k": kill-line
"\C-j": backward-kill-line
"\C-x": kill-word
"\C-w": backward-kill-word
"\C-r": reverse-search-history
"\C-t": forward-search-history
"\C-space": set-mark
"\C-h": kill-region
"\C-y": yank
"\C-u": undo
EOF

  chmod 644 /etc/skel/{.alias,.bash_logout,.bashrc,.bash_profile,.inputrc}

  TMP=`sed 's/^umask.*/umask 027/;s/^\(PATH.*\):\/usr\/bin\/X11.*/\1"/' /etc/profile`
  echo -e "$TMP" > /etc/profile
  egrep "^export TMOUT" /etc/profile > /dev/null || echo "export TMOUT=300" >> /etc/profile

}

root_env()
{
  echo "Setting up root environment"
  chmod 750 /root

  cat > /root/.bashrc << EOF
umask 027
export TMOUT=300
export PS1='!!!ROOT!!!@\h:\w\$ '
export HISTFILE=/dev/null
alias l='ls'
alias ll='l -l'
alias la='ll -a'
alias lld='ll -d'
alias lli='ll -i'
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
EOF

  cat > /root/.bash_logout <<EOF
case "`tty`" in
  /dev/tty[0-9]) clear
esac
EOF

  cat > /root/.inputrc <<EOF
set bell-style none
EOF

  chmod 640 /root/{.bash*,.profile,.inputrc}

  echo "Setting up /home/system root environment"
  mkdir -p /home/system/{download,applis,deleted_accounts}
  chown root.adm /home/{system,{system/{download,applis,deleted_accounts}}}

}

admin_env()
{
  echo "Setting up administrators environment"
  for admin in $ADMIN_USERS ; do

    chmod 750 /home/$admin
    cp -f /etc/skel/{.alias,.bash_logout,.bashrc,.bash_profile,.inputrc} /home/$admin/
    chown $admin.$admin /home/$admin/{.alias,.bash_logout,.bashrc,.bash_profile,.inputrc}
    chmod 640 /home/$admin/{.alias,.bash_logout,.bashrc,.bash_profile,.inputrc}

  done

  echo "Setting up administrators in the adm group"
  for admin in $ADMIN_USERS ; do

    usermod -g $admin -G adm,users $admin

  done
}

sec_min()
{
  echo "Securing (minimal) the system :"

  echo "  Disabling inetd.conf services..."
  TMP=`sed 's/^\([^#].*\)$/#\1/g' /etc/inetd.conf`
  echo -e "$TMP" > /etc/inetd.conf
  chmod 640 /etc/inetd.conf

  echo "  Stopping inetd, lpd, nfs-common and portmap..."
  for i in inetd lpd nfs-common portmap exim; do
    /etc/init.d/$i stop > /dev/null 2>&1
    update-rc.d -f $i remove > /dev/null 2>&1
  done

  echo "  Updating syslog.conf and restarting syslog..."

  cp /etc/syslog.conf /etc/syslog.conf.orig
  chmod 640 /etc/syslog.conf.orig

  cat > /etc/syslog.conf << EOF
auth,authpriv.*                  /var/log/auth.log
*.*;auth,authpriv.none;cron.none /var/log/syslog
cron.*                           /var/log/cron.log
daemon.*                         /var/log/daemon.log
kern.*                           /var/log/kern.log
mail.*                           /var/log/mail.log
user.*                           /var/log/user.log

*.=debug;\\
        auth,authpriv.none;\\
        news.none;mail.none      /var/log/debug
*.=info;*.=notice;*.=warn;\\
        auth,authpriv.none;\\
        cron,daemon.none;\\
        mail,news.none           /var/log/messages

*.emerg                         *
EOF
  chmod 640 /etc/syslog.conf

  /etc/init.d/sysklogd restart > /dev/null 2>&1
  rm -rf /var/log/{mail.err,mail.info,mail.warn,lp*,news,uucp.log}

  if [ -f /etc/cron.weekly/lpr ] ; then
    TMP=`sed 's/^\([^#].*\)$/#\1/g' /etc/cron.weekly/lpr`
    echo -e "$TMP" > /etc/cron.weekly/lpr
  fi

  echo "  Updating /etc/issue*..."
  cat > /etc/issue << EOF
$HOSTNAME ($IP) : Consultez les articles 323.1 a 323.3 du
Nouveau Code Penal relatifs aux autorisations  d'acces  a
ce systeme.
Toutes les connexions et acces a ce systeme font  l'objet
d'un enregistrement.
EOF

  cp -f /etc/issue /etc/issue.net
  chmod 644 /etc/{issue,issue.net}

  echo "  Updating /etc/securetty..."
  TMP=`sed 's/^\(tty.*\)$/#\1/' /etc/securetty`
  echo -e "$TMP" > /etc/securetty

  echo "  Storing original suid/sgid files list in /root/sguid_original_list.txt..."
  find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -la {} \; 2> /dev/null > /root/sguid_original_list.txt

  echo "  Removing non mandatory suid/sgid flag from files..."
  for i in /bin/ping /bin/mount /bin/umount /usr/bin/at /usr/bin/newgrp \
/usr/bin/chfn /usr/bin/chsh /usr/bin/gpg /usr/bin/lpq /usr/bin/lpr \
/usr/bin/lprm /usr/bin/mtr; do
    if [ -f $i ] ; then 
      echo "    Removing suid/sgid flag from  $i."
      chmod -s $i ; 
    fi
  done
  
  echo "  Securing cron usage with /etc/cron.allow..."
  touch /etc/cron.allow
  chmod 640 /etc/cron.allow

  echo "  Updating /etc/ssh/sshd_config..."
  cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
  chmod 640 /etc/ssh/{sshd_config.orig,sshd_config}
  TMP=`sed 's/^\(PermitRootLogin \)yes$/\1no/;\
s/^\(RSAAuthentication \)yes$/\1no/;\
s/^\(PubkeyAuthentication \)yes$/\1no/;\
s/^#\(Banner.*\)/\1/;\
s/^#\(ChallengeResponseAuthentication.*\)/\1/;\
s/^\(LoginGraceTime\).*/\1 60/' /etc/ssh/sshd_config`
  echo -e "$TMP" > /etc/ssh/sshd_config
  egrep -e "^ClientAliveInterval" /etc/ssh/sshd_config > /dev/null || echo "ClientAliveInterval 20" >> /etc/ssh/sshd_config
  egrep -e "^ClientAliveCountMax" /etc/ssh/sshd_config > /dev/null || echo "ClientAliveCountMax 3" >> /etc/ssh/sshd_config
  egrep -e "^GatewayPorts" /etc/ssh/sshd_config > /dev/null || echo "GatewayPorts no" >> /etc/ssh/sshd_config

  echo "  Updating /etc/ssh/ssh_config and restarting sshd..."
  cp /etc/ssh/ssh_config /etc/ssh/ssh_config.orig
  chmod 640 /etc/ssh/ssh_config.orig
  chmod 644 /etc/ssh/ssh_config
  TMP=`sed 's/^#.*\(ForwardAgent no\)$/\1/;\
s/^#.*\(ForwardX11 no\)$/\1/;\
s/^.*\(RhostsAuthentication no\)$/\1/;\
s/^.*\(StrictHostKeyChecking ask\)$/\1/' /etc/ssh/ssh_config`
  echo -e "$TMP" > /etc/ssh/ssh_config
  /etc/init.d/ssh restart > /dev/null 2>&1

}

sec_accounts()
{

  echo "Securing (minimal) accounts policies :"
  echo "  Updating login.defs..."   
  cp /etc/login.defs /etc/login.defs.orig
  chmod 640 /etc/login.defs.orig
  TMP=`sed 's/^LOG_OK_LOGINS.*no/LOG_OK_LOGINS yes/;\
s/^#\(SULOG.*sulog\)$/\1/;\
s/^\(ENV_PATH.*\):\/usr\/bin\/X11.*$/\1/;\
s/^\(UMASK\).*022/\1 027/;\
s/^\(PASS_MAX_DAYS\).*/\1 30/;\
s/^\(DEFAULT_HOME\).*no$/\1 yes/' /etc/login.defs`
  echo -e "$TMP" > /etc/login.defs

  echo "  Removing non mandatory users and groups..."
  unalias userdel > /dev/null 2>&1
  for i in `echo games sync sys irc` ; do userdel $i 2> /dev/null ; done
  for i in `echo irc dialout fax voice audio dip video` ; do groupdel $i 2> /dev/null ; done
  echo "  Disabling shells for some users..."
  for i in `echo lp list uucp news proxy postgres www-data nobody` ; do chsh $i -s /bin/false 2> /dev/null ; done

  echo "  Getting back unaffected files (this may take a while)..."
  find / -nouser -o -nogroup 2> /dev/null | while read filename ; do
    chown root.root $filename
    chmod 600 $filename;
  done

  echo "  Updating adduser.conf and deluser.conf..."
  cp /etc/adduser.conf /etc/adduser.conf.orig
  cp /etc/deluser.conf /etc/deluser.conf.orig
  chmod 640 /etc/{adduser.conf.orig,deluser.conf.orig}
  TMP=`sed 's/^USERGROUPS=yes/USERGROUPS=no/;s/^DIR_MODE=.*/DIR_MODE=0700/' /etc/adduser.conf`
  echo -e "$TMP" > /etc/adduser.conf
  TMP=`sed 's/^REMOVE_HOME.*/REMOVE_HOME = 1/;s/^BACKUP.*/BACKUP =1/' /etc/deluser.conf`
  echo -e "$TMP" > /etc/deluser.conf
  
  echo "  Preparing directory for deleted accounts..."
  if [ ! -d /home/system/deleted_accounts ] ; then mkdir /home/system/deleted_accounts ; fi
  chown root.adm /home/system/deleted_accounts
  chmod 1750 /home/system/deleted_accounts

  echo "  Creating removing script..."
  cat > /usr/local/sbin/deluser.local << EOF
#!/bin/sh
if ! [ -n "$1" ] ; then echo "No args ?" && exit -1 ; fi

echo "  deluser.local backup for $1.tar.bz2..."

if [ ! -f "$1.tar.bz2" ] ; then echo "No backup archive." && exit -1 ; fi
if [ ! -d "/home/system/deleted_accounts" ] ; then
  echo "No /home/system/deleted_accounts backup directory."
  echo "Move ./$1.tar.bz2 now."
  exit -1
else
  echo "Moving $1.tar.bz2 to /home/system/deleted_accounts."
  mv "$1.tar.bz2" /home/system/deleted_accounts/
  chown root.adm "/home/system/deleted_accounts/$1.tar.bz2"
  exit 0
fi

EOF
  chmod 700 /usr/local/sbin/deluser.local
}

version()
{
  cat <<EOF
debian-secinst.sh - v1.0 - http://www.entreelibre.com/scastro/debian-secinst/
(c) 2004 Simon Castro <scastro [at] entreelibre.com>

EOF
}

synopsis()
{
  version
  cat <<EOF
Synopsis
--------
  debian-secinst.sh -A | -S "stage1 stage2 stagex"

  -A  executes all stages
  -S  executes only set stages

  Stages :
    o skel_env     : creates the {/etc/skel,/etc/profile} config. environment
    o root_env     : creates root environment
    o admin_env    : creates admin environment from skel_env configuration
    o sec_min      : securing the system (inetd,syslog,cron,issue,s[ug]id,sshd)
    o sec_accounts : securing accounts policies (login.defs, users/group, adduser/deluser

EOF
  exit
}

############
### MAIN ###
############

FINISH=
while [ $# -gt 0 ]; do
  case "$1" in
    -A)
      FINISH=0
      break
      ;;
    -S)
      if ! [ -n "$2" ] ; then synopsis
      else FINISH="$2" ; fi
      break
      ;;
    ?*)
      synopsis
      ;;
  esac
done

if ! [ -n "$FINISH" ] ; then synopsis; fi

version

if [ "$FINISH" == 0 ] ; then
  skel_env
  root_env
  admin_env
  sec_min
  sec_accounts
  echo DONE
  exit
fi

for stage in $FINISH ; do
  case "$stage" in
    skel_env)
      skel_env
      ;;
    root_env)
      root_env
      ;;
    admin_env)
      admin_env
      ;;
    sec_min)
      sec_min
      ;;
    sec_accounts)
      sec_accounts
      ;;
  esac
done

exit