#!/usr/bin/env bash
# Strict mode: stop on the first failing command, on any unset variable,
# and on a failing stage anywhere in a pipeline.
set -euo pipefail

# Locate the directory this script lives in so the shared platform guard is
# found regardless of the caller's working directory.
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# shellcheck source=00-platform-guard.inc
source "${SCRIPT_DIR}/00-platform-guard.inc"

# Firewall enablement is opt-in; only --enable-ufw flips this to 1.
enable_ufw=0
#######################################
# Print the command-line help text.
# Arguments: none
# Outputs:   two help lines to stdout
# Returns:   0
#######################################
usage() {
  printf '%s\n' \
    'Usage: sudo ./08-security-baseline.sh [--enable-ufw]' \
    'Installs fail2ban and UFW. UFW is enabled only with the explicit flag.'
}
# Option parsing. There is a single behavioural flag; anything unrecognised
# is a hard error (exit 2) so a typo cannot produce a partial run.
while [[ $# -gt 0 ]]; do
  case "$1" in
    --enable-ufw) enable_ufw=1 ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      printf 'CRITICAL: unknown option: %s\n' "$1" >&2
      exit 2
      ;;
  esac
  shift
done
# Preconditions, all checked before anything on the host is touched.

# Package installation and service management need root.
if [[ "$EUID" -ne 0 ]]; then
  printf 'CRITICAL: security baseline setup must run as root\n' >&2
  exit 2
fi

# Defined in 00-platform-guard.inc (not visible here); presumably aborts on
# unsupported releases — confirm against that file.
require_supported_ubuntu

# Everything below drives apt, so refuse to continue without it.
command -v apt-get >/dev/null 2>&1 || {
  printf 'CRITICAL: apt-get is required\n' >&2
  exit 2
}
# Package installation. The non-interactive frontend keeps the install from
# waiting on prompts when run unattended.
apt-get update
DEBIAN_FRONTEND=noninteractive \
  apt-get install -y fail2ban ufw

# fail2ban is started and persisted unconditionally.
systemctl enable --now fail2ban

# UFW is never enabled implicitly. With --enable-ufw the SSH and Cockpit
# allow rules are added first and only then is the firewall switched on —
# presumably so the operator's current remote session survives enablement.
# Without the flag the package is installed but the firewall stays off.
if [[ "$enable_ufw" -eq 1 ]]; then
  printf 'WARNING: UFW was explicitly requested; SSH and Cockpit rules will be added before enablement\n'
  ufw allow OpenSSH
  ufw allow 9090/tcp comment 'Cockpit'
  ufw --force enable
else
  printf 'WARNING: UFW is installed but was not enabled; use --enable-ufw after reviewing access requirements\n'
fi

# The status dump is informational; a failure to read it must not abort
# the run under errexit.
if ! ufw status verbose; then
  printf 'WARNING: unable to read UFW status\n'
fi
printf 'OK: security baseline completed\n'