diff --git a/.gitignore b/.gitignore
index ff1f297..fe2ab41 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,24 @@
-# Ignore the file '/overrideOwnDomain' because this is per host individually.
+# Ignore the file '/overrideOwnDomain' because this is per host individually if it was created.
 /overrideOwnDomain
 # Ignore the subfolders only, because their content are other git repositories.
-# But 'definitions and 'states' should be prepared by cloning this repository.
-/definitions/*/
-/states/*/
+# But 'definitions and 'states' should be prepared by cloning this repository, so:
+
+# 1.) Ignore all content of 'definitions', except file README.md and subfolder 'default/core/all/'
+/definitions/*
+!/definitions/README.md
+!/definitions/default/
+/definitions/default/*
+!/definitions/default/core/
+/definitions/default/core/*
+!/definitions/default/core/all/
+
+# 2.) Ignore all content of 'states', except file README.md
+/states/*
+!/states/README.md
 # Ignore environment files
 .env
+
+# Ignore docker-compose files
+docker-compose.yml
diff --git a/core/ensureUsageOfDefinitions.sh b/core/ensureUsageOfDefinitions.sh
index cd12b24..841b9c4 100755
--- a/core/ensureUsageOfDefinitions.sh
+++ b/core/ensureUsageOfDefinitions.sh
@@ -53,14 +53,14 @@ function filterInvalidAuthorizedKeysFilesOfRoot() {
 }
 function printSelectedDefinition() {
- local _DEFINITIONS _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST
+ local _DEFINITIONS _CORE_FILE_DEFAULT_ALL_HOSTS _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST
 _DEFINITIONS="${1:?"Missing CIS_ROOT"}definitions/${2:?"Missing DOMAIN"}/"
- _CORE_DEFAULT_ALL_HOSTS="${1:?"Missing CIS_ROOT"}core/default${3:?"Missing CURRENT_FULLFILE"}"
+ _CORE_FILE_DEFAULT_ALL_HOSTS="${1:?"Missing CIS_ROOT"}definitions/default/core/all${3:?"Missing CURRENT_FULLFILE"}"
 _CORE_FILE_DEFINED_ALL_HOSTS="${_DEFINITIONS:?"Missing DEFINITIONS"}core/all${3:?"Missing CURRENT_FULLFILE"}"
 _CORE_FILE_DEFINED_THIS_HOST="${_DEFINITIONS:?"Missing DEFINITIONS"}core/$(hostname -s)${3:?"Missing CURRENT_FULLFILE"}"
 _FILE_DEFINED_ALL_HOSTS="${_DEFINITIONS:?"Missing DEFINITIONS"}hosts/all${3:?"Missing CURRENT_FULLFILE"}"
 _FILE_DEFINED_THIS_HOST="${_DEFINITIONS:?"Missing DEFINITIONS"}hosts/$(hostname -s)${3:?"Missing CURRENT_FULLFILE"}"
- readonly _DEFINITIONS _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST
+ readonly _DEFINITIONS _CORE_FILE_DEFAULT_ALL_HOSTS _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST
 #The following are special definitions that affect the core functionality.
 #Try this host first because it should be priorized.
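Review bot: printSelectedDefinition now builds five candidate paths, but nothing at the function head states which one wins when several exist, and the body that decides that (the `&& return 0` chains) continues past the end of this hunk; a header comment along the lines of `# Prints the first existing definition for ${3}, probing ${1}definitions/${2}/ (core and hosts, this host before all) before the tracked fallback ${1}definitions/default/core/all — TODO confirm order against the body` would make the precedence reviewable without reading the whole function. `$(hostname -s)` is evaluated twice for the same value in the two `..._THIS_HOST` lines; declaring `local _HOST` with the other locals, assigning `_HOST="$(hostname -s)"` once and using it in both paths avoids the second process and keeps the two host-specific paths from drifting apart. The new `_CORE_FILE_DEFAULT_ALL_HOSTS` path is the only one that does not live under the per-domain `_DEFINITIONS` directory, which is worth a one-line comment on that assignment.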
@@ -77,8 +77,8 @@ function printSelectedDefinition() {
 #The following are special definitions that affect the core functionality.
 isCoreDefinition "${3:?"Missing CURRENT_FULLFILE"}" \
- && [ -s "${_CORE_DEFAULT_ALL_HOSTS}" ] \
- && filterInvalidAuthorizedKeysFilesOfRoot "${_CORE_DEFAULT_ALL_HOSTS}" \
+ && [ -s "${_CORE_FILE_DEFAULT_ALL_HOSTS}" ] \
+ && filterInvalidAuthorizedKeysFilesOfRoot "${_CORE_FILE_DEFAULT_ALL_HOSTS}" \
 && return 0
 #Try this host first because it should be priorized.
diff --git a/definitions/default/core/all/etc/adduser.conf b/definitions/default/core/all/etc/adduser.conf
new file mode 100644
index 0000000..44f5404
--- /dev/null
+++ b/definitions/default/core/all/etc/adduser.conf
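Review bot: The fallback checked here, `_CORE_FILE_DEFAULT_ALL_HOSTS`, now resolves into `definitions/default/core/all`, which the .gitignore hunk turns into a tracked part of this repository rather than the separately cloned per-domain definitions, so anyone who can push to this repository can ship core files (the new sshd and sudoers fragments among them) to every host that has no domain-specific override; a comment on the `[ -s ... ]` line such as `# Tracked in this repository, not in the per-domain definitions repo; presumably only reached when no domain core file matched` would make that trust boundary explicit. If `filterInvalidAuthorizedKeysFilesOfRoot` returning non-zero is meant to reject an unsafe file, the `&&` chain falls through to the next candidate silently rather than failing, which also deserves a comment either way; that helper and the rest of printSelectedDefinition are outside this hunk, so I cannot tell which is intended.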
@@ -0,0 +1,109 @@
+# /etc/adduser.conf: `adduser' configuration.
+# See adduser(8) and adduser.conf(5) for full documentation.
+
+# A commented out setting indicates that this is the default in the
+# code. If you need to change those settings, remove the comment and
+# make your intended change.
+
+# STDERRMSGLEVEL, STDOUTMSGLEVEL, and LOGMSGLEVEL set the minimum
+# priority for messages logged to syslog/journal and the console,
+# respectively.
+# Values are trace, debug, info, warn, err, and fatal.
+# Messages with the set priority or higher get logged to the
+# respective medium.
+#STDERRMSGLEVEL=warn
+#STDOUTMSGLEVEL=info
+#SYSLOGLEVEL=info
+
+# The login shell to be used for all new users.
+# Default: DSHELL=/bin/bash
+#DSHELL=/bin/bash
+
+# The directory in which new home directories should be created.
+# Default: DHOME=/home
+# DHOME=/home
+
+# The directory from which skeletal user configuration files
+# will be copied.
+# Default: SKEL=/etc/skel
+#SKEL=/etc/skel
+
+# Specify inclusive ranges of UIDs and GIDs from which UIDs and GIDs
+# for system users, system groups, non-system users and non-system groups
+# can be dynamically allocated.
+# Default: FIRST_SYSTEM_UID=100, LAST_SYSTEM_UID=999
+#FIRST_SYSTEM_UID=100
+#LAST_SYSTEM_UID=999
+
+# Default: FIRST_SYSTEM_GID=100, LAST_SYSTEM_GID=999
+#FIRST_SYSTEM_GID=100
+#LAST_SYSTEM_GID=999
+
+# Default: FIRST_UID=1000, LAST_UID=59999
+#FIRST_UID=1000
+#LAST_UID=59999
+
+# Default: FIRST_GID=1000, LAST_GID=59999
+#FIRST_GID=1000
+#LAST_GID=59999
+
+# Specify a file or a directory containing UID and GID pool.
+#UID_POOL=/etc/adduser-pool.conf
+#UID_POOL=/etc/adduser-pool.d/
+#GID_POOL=/etc/adduser-pool.conf
+#GID_POOL=/etc/adduser-pool.d/
+
+# Specify whether each created non-system user will be
+# given their own group to use.
+# Default: USERGROUPS=yes
+#USERGROUPS=yes
+
+# Defines the groupname or GID of the group all newly-created
+# non-system users are placed into.
+# It is a configuration error to define both variables
+# even if the values are consistent.
+# Default: USERS_GID=undefined, USERS_GROUP=users
+#USERS_GID=100
+#USERS_GROUP=users
+
+# The permissions mode for home directories of non-system users.
+# Default: DIR_MODE=0750
+#DIR_MODE=0750
+
+# The permissions mode for home directories of system users.
+# Default: SYS_DIR_MODE=0750
+#SYS_DIR_MODE=0750
+
+# If set to a nonempty value, new users will have quotas copied
+# from that user with `edquota -p QUOTAUSER newuser'
+# Default: QUOTAUSER=""
+#QUOTAUSER=""
+
+# Non-system user- and groupnames are checked against this regular
+# expression.
+# Default: NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
+#NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
+
+# System user- and groupnames are checked against this regular
+# expression.
+# Default: SYS_NAME_REGEX="^[A-Za-z_][-A-Za-z0-9_]*\$?$"
+#SYS_NAME_REGEX="^[A-Za-z_][-A-Za-z0-9_]*\$?$"
+
+# When populating the newly created home directory of a non-system user,
+# files in SKEL matching this regex are not copied.
+# Default: SKEL_IGNORE_REGEX="\.(dpkg|ucf)-(old|new|dist|save)$"
+#SKEL_IGNORE_REGEX="\.(dpkg|ucf)-(old|new|dist|save)$"
+
+# list of groups that new non-system users will be added to
+# if ADD_EXTRA_GROUPS is non-zero or set on the command line.
+# Default: EXTRA_GROUPS="users"
+#EXTRA_GROUPS="users"
+
+# Setting this to something other than 0 will cause adduser to add
+# newly created non-system users to the list of groups defined by
+# EXTRA_GROUPS.
+# Default: ADD_EXTRA_GROUPS=0
+#ADD_EXTRA_GROUPS=0
+
+# use extrausers by default
+#USE_EXTRAUSERS=1
diff --git a/definitions/default/core/all/etc/ssh/sshd_config.d/AccessRestriction.conf b/definitions/default/core/all/etc/ssh/sshd_config.d/AccessRestriction.conf
new file mode 100644
index 0000000..f00d8bb
--- /dev/null
+++ b/definitions/default/core/all/etc/ssh/sshd_config.d/AccessRestriction.conf
@@ -0,0 +1,13 @@
+# Remove insecure MACs (Message Authentication Codes). Note the leading '-'.
+MACs -*md5*,*-64*,*sha1*
+# Allows user 'root' to use ssh always.
+# This should prevent lockout because access is allowed without group membership.
+# For details see: https://serverfault.com/questions/617081/how-to-use-both-allowgroups-and-allowusers-in-sshd-config
+AllowUsers root
+# 1. Create custom group 'ssh_login' of type system if not exist:
+# - addgroup --system "ssh_login"
+# 2. Additionally allow users of group 'ssh_login' to use ssh only:
+# - adduser "${USER}" "ssh_login"
+Match group ssh_login
+ AllowUsers *
+ PasswordAuthentication no
diff --git a/definitions/default/core/all/etc/sudoers.d/allow-jenkins-updateRepositories b/definitions/default/core/all/etc/sudoers.d/allow-jenkins-updateRepositories
new file mode 100644
index 0000000..804dba5
--- /dev/null
+++ b/definitions/default/core/all/etc/sudoers.d/allow-jenkins-updateRepositories
@@ -0,0 +1,6 @@
+Cmnd_Alias C_JENKINS = \
+ /cis/updateRepositories.sh --core, \
+ /cis/updateRepositories.sh --scripts, \
+ /cis/updateRepositories.sh --definitions, \
+ /cis/updateRepositories.sh --states
+jenkins ALL = (root) NOPASSWD: C_JENKINS
diff --git a/setupCoreOntoThisHost.sh b/setupCoreOntoThisHost.sh
index 81773f0..fb59987 100755
--- a/setupCoreOntoThisHost.sh
+++ b/setupCoreOntoThisHost.sh
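Review bot: `AllowUsers root` at file scope admits root outside the `Match group ssh_login` block, so the `PasswordAuthentication no` below does not apply to root and root's login policy stays whatever the base sshd_config sets; since the stated purpose of that entry is lockout safety, pin it to key-based access with `PermitRootLogin prohibit-password` directly under `AllowUsers root`, or move `PasswordAuthentication no` above the Match block so it is global. A comment should also record that this file is read through the `Include /etc/ssh/sshd_config.d/*.conf` line distributions place at the top of sshd_config, so under sshd's first-value-wins rule these settings take precedence over the main file, and that a `Match` block extends to the end of the file, so any global directive added to this fragment later must be placed above `Match group ssh_login`.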
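Review bot: The `NOPASSWD` grant for `jenkins` on the four exact `/cis/updateRepositories.sh` invocations is only as strong as the ownership of `/cis` and of that script: if either is writable by the jenkins account, this fragment is a password-less root shell, and nothing on the page states that precondition — a leading comment such as `# Requires /cis and /cis/updateRepositories.sh to be root-owned and not writable by jenkins` would document it. The page records the new file with mode 100644, while sudo expects sudoers.d fragments to be root-owned with mode 0440 and complains about other modes, so the step that deploys `definitions/default/core/all/etc/sudoers.d/` needs to set that mode; running `visudo -c -f` against the deployed file would catch both a wrong mode and a syntax error before sudo silently skips or rejects the fragment. The alias deliberately omits the `--repair` and `--test` values that updateRepositories.sh accepts in the hunk below, which is worth a comment so the omission is not "fixed" later.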
@@ -216,8 +216,27 @@ function setup() {
 return 1
 }
-# sanitizes all parameters
-setup "$(echo ${1} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
 && exit 0
+function isValid() {
+ # printf '%s'
+ # - always treats the contents of ${1} as pure plain text.
+ # grep -qE: checks RegExp, but quiet
+ printf '%s' "${1}" | grep -qE "${2:?"isValid(): Missing REGEXP"}"
+}
+
+function isValidOptional() {
+ [ -z "${1}" ] || isValid "${1}" "${2}"
+}
+
+
+
+# Parameter 1: Only alphanumeric characters allowed and [.-] if not leading (due to: -oProxyCommand=...).
+if isValidOptional "${1}" '^[a-zA-Z0-9][a-zA-Z0-9.-]*$'
+then
+ setup "${1}" \
+ && exit 0
+else
+ echo "Failure: At least one parameter is invalid" >&2
+ exit 1
+fi
 exit 1
diff --git a/updateRepositories.sh b/updateRepositories.sh
index bbad32e..0825c89 100755
--- a/updateRepositories.sh
+++ b/updateRepositories.sh
@@ -73,8 +73,27 @@ function update_repositories() {
 return 1
 }
-# sanitizes all parameters
-update_repositories "$(echo ${1} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
 && exit 0
+function isValid() {
+ # printf '%s'
+ # - always treats the contents of ${1} as pure plain text.
+ # grep -qE: checks RegExp, but quiet
+ printf '%s' "${1}" | grep -qE "${2:?"isValid(): Missing REGEXP"}"
+}
+
+function isValidOptional() {
+ [ -z "${1}" ] || isValid "${1}" "${2}"
+}
+
+
+
+# Parameter 1: Only one of these values are allowed (--core, --definitions, --repair, --scripts, --states, --test)
+if isValidOptional "${1}" '^(--core|--definitions|--repair|--scripts|--states|--test)$'
+then
+ update_repositories "${1}" \
+ && exit 0
+else
+ echo "Failure: At least one parameter is invalid" >&2
+ exit 1
+fi
 exit 1
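Review bot: `isValid` validates line by line rather than the whole argument: grep applies the anchored `^…$` pattern to each line of its input, so a value whose first line matches passes even when a newline and arbitrary text follow it, and `setup "${1}"` — and `update_repositories "${1}"` in the updateRepositories.sh hunk on this same line, which duplicates the defect — then receives the unchecked remainder; what those functions do with it lies outside both hunks. Both scripts already use the `function` keyword, so bash's whole-string match is available and closes the gap without a subprocess: `[[ "${1}" =~ ${2:?"isValid(): Missing REGEXP"} ]]` in place of the printf/grep pipeline (the pattern must stay unquoted to be treated as a regex). If grep is kept instead, `grep -qE -- "${2:?"isValid(): Missing REGEXP"}"` at least stops a pattern beginning with `-` from being parsed as an option. The helper pair is pasted verbatim into both scripts; a single sourced definition would keep any future fix in one place.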