#######################################
# Refresh the package index, then upgrade every installed package.
# Globals:   APT (read; the package-manager command, expanded unquoted so
#            it may carry options), SCRIPT_COUNT (incremented twice)
# Outputs:   progress lines to stdout, plus whatever $APT prints
# Returns:   status of the final (( SCRIPT_COUNT++ ))
#######################################
function f_aptget {
  # Keep locally modified config files during the upgrade instead of
  # prompting (confdef picks the default action, confold keeps the old file).
  local -a upgrade_opts=(
    -o Dpkg::Options::=--force-confdef
    -o Dpkg::Options::=--force-confold
    --with-new-pkgs
  )
  echo "[$SCRIPT_COUNT] Updating the package index files from their sources"
  $APT update
  ((SCRIPT_COUNT++))
  echo "[$SCRIPT_COUNT] Upgrading installed packages"
  $APT "${upgrade_opts[@]}" upgrade
  ((SCRIPT_COUNT++))
}
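#######################################
# Clear the package cache, drop orphaned dependencies, and purge packages
# that were removed but still have configuration files on disk
# ("rc" status in dpkg -l).
# Globals:   APT (read; used for purge only — clean/autoremove call apt-get
#            directly, as in the original), SCRIPT_COUNT (incremented once)
# Outputs:   progress line to stdout, plus tool output
# Returns:   status of the final (( SCRIPT_COUNT++ ))
#######################################
function f_aptget_clean {
  local -a leftovers=()
  echo "[$SCRIPT_COUNT] Removing unused packages"
  apt-get -qq clean
  apt-get -qq autoremove
  # One awk pass replaces grep|awk; mapfile collects the names without the
  # word-splitting of a for-in-$(...) loop.
  mapfile -t leftovers < <(dpkg -l | awk '/^rc/ {print $2}')
  # Purge everything in one run, and do not invoke $APT at all when there is
  # nothing to purge.
  if (( ${#leftovers[@]} > 0 )); then
    $APT purge "${leftovers[@]}"
  fi
  ((SCRIPT_COUNT++))
}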
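#######################################
# Set one APT option to a fixed value somewhere under apt.conf.d.
# Arguments: $1 - option key (e.g. APT::Install-Recommends)
#            $2 - value, written quoted: key "value";
#            $3 - file name (inside the conf dir) to append to when no file
#                 already has an active setting for the key
# Globals:   APT_CONF_DIR (read; defaults to /etc/apt/apt.conf.d)
# Returns:   status of the append or of sed
# The key and value are spliced into a sed expression, so neither may
# contain '/', '&' or regex metacharacters; the caller passes literals only.
#######################################
function _aptget_set_conf {
  local key=$1 value=$2 target=$3
  local conf_dir=${APT_CONF_DIR:-/etc/apt/apt.conf.d}
  local -a files=()
  # Only files with an active, column-0 setting are rewritten. The original
  # passed the newline-joined output of grep -l as a single file name, which
  # made sed fail as soon as two files mentioned the key. grep's complaint
  # about a literal "*" in an empty directory is deliberately silenced.
  mapfile -t files < <(grep -l "^${key}" "${conf_dir}"/* 2>/dev/null)
  if (( ${#files[@]} == 0 )); then
    printf '%s "%s";\n' "$key" "$value" >> "${conf_dir}/${target}"
  else
    # Any line mentioning the key (commented ones included) becomes the
    # desired active setting — same broad match as before.
    sed -i "s/.*${key}.*/${key} \"${value}\";/g" "${files[@]}"
  fi
}

#######################################
# Harden APT's download and install policy via apt.conf.d snippets.
# Globals:   SCRIPT_COUNT (incremented once), APT_CONF_DIR (read by helper)
# Outputs:   progress line to stdout
# Returns:   status of the final (( SCRIPT_COUNT++ ))
#######################################
function f_aptget_configure {
  local hardening_file=98-hardening-ubuntu
  echo "[$SCRIPT_COUNT] Configure APT"
  # Do not follow HTTP redirects: a mirror cannot bounce the client elsewhere.
  _aptget_set_conf Acquire::http::AllowRedirect false "$hardening_file"
  # Refuse packages whose signature cannot be verified.
  _aptget_set_conf APT::Get::AllowUnauthenticated false "$hardening_file"
  _aptget_set_conf APT::Periodic::AutocleanInterval 7 10periodic
  # Smaller footprint: no recommended or suggested packages, remove
  # dependencies that stop being needed.
  _aptget_set_conf APT::Install-Recommends false "$hardening_file"
  _aptget_set_conf APT::Get::AutomaticRemove true "$hardening_file"
  _aptget_set_conf APT::Install-Suggests false "$hardening_file"
  # Read by unattended-upgrades rather than apt itself; presumably only
  # effective when that package is installed.
  _aptget_set_conf Unattended-Upgrade::Remove-Unused-Dependencies true 50unattended-upgrades
  _aptget_set_conf Unattended-Upgrade::Remove-Unused-Kernel-Packages true 50unattended-upgrades
  # Never use a repository that is unsigned or whose signature fails, and do
  # not keep using one that was signed before and has stopped being so.
  _aptget_set_conf Acquire::AllowDowngradeToInsecureRepositories false "$hardening_file"
  _aptget_set_conf Acquire::AllowInsecureRepositories false "$hardening_file"
  # Confine apt's download methods with seccomp (ignored by apt releases
  # that predate the option).
  _aptget_set_conf APT::Sandbox::Seccomp 1 "$hardening_file"
  ((SCRIPT_COUNT++))
}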
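#######################################
# Let dpkg work on a noexec /tmp: exec is re-enabled only for the dpkg run
# (DPkg::Pre-Invoke) and the hardened mount options are restored right
# after it (DPkg::Post-Invoke). Skipped when LXC is "1", as in the
# original — presumably because the guest cannot remount /tmp.
# Globals:   LXC (read), SCRIPT_COUNT (incremented once unless skipped),
#            APT_CONF_DIR (read; defaults to /etc/apt/apt.conf.d)
# Outputs:   progress line to stdout
# Returns:   0 when skipped, else status of the final (( SCRIPT_COUNT++ ))
#######################################
function f_aptget_noexec {
  local conf_dir=${APT_CONF_DIR:-/etc/apt/apt.conf.d}
  if [[ "${LXC:-}" == "1" ]]; then
    return
  fi
  echo "[$SCRIPT_COUNT] Configure DPkg noexec"
  # grep -q: the original echoed every matching line to stdout. The hooks
  # assume /tmp is a separate mount; if the Pre-Invoke remount fails, apt
  # runs would likely abort, so order this after the /tmp mount is in place.
  if ! grep -q 'mount.* /tmp' "${conf_dir}"/*; then
    printf '%s\n' \
      'DPkg::Pre-Invoke {"mount -o remount,exec,nodev,nosuid /tmp";};' \
      'DPkg::Post-Invoke {"mount -o remount,mode=1777,strictatime,noexec,nodev,nosuid /tmp";};' \
      >> "${conf_dir}/99noexec-tmp"
  fi
  ((SCRIPT_COUNT++))
}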