mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4e739c5c995531d59bb28c3e924250554189bd22
portfolio/labs/linux/setup/scripts/08-security-baseline.sh
T
Mateusz Suski 4e739c5c99
lint / shell-yaml-ansible (push) Failing after 16s
Details
Add Linux fresh setup toolkit
2026-06-06 00:23:11 +00:00

62 lines
1.4 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=00-platform-guard.inc
source "$SCRIPT_DIR/00-platform-guard.inc"
enable_ufw=0
usage() {
cat <<'EOF'
Usage: sudo ./08-security-baseline.sh [--enable-ufw]
Installs fail2ban and UFW. UFW is enabled only with the explicit flag.
EOF
}
while (($# > 0)); do
case "$1" in
--enable-ufw)
enable_ufw=1
;;
-h|--help)
usage
exit 0
;;
*)
printf 'CRITICAL: unknown option: %s\n' "$1" >&2
exit 2
;;
esac
shift
done
if ((EUID != 0)); then
printf 'CRITICAL: security baseline setup must run as root\n' >&2
exit 2
fi
require_supported_ubuntu
if ! command -v apt-get >/dev/null 2>&1; then
printf 'CRITICAL: apt-get is required\n' >&2
exit 2
fi
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y fail2ban ufw
systemctl enable --now fail2ban
if ((enable_ufw == 1)); then
printf 'WARNING: UFW was explicitly requested; SSH and Cockpit rules will be added before enablement\n'
ufw allow OpenSSH
ufw allow 9090/tcp comment 'Cockpit'
ufw --force enable
else
printf 'WARNING: UFW is installed but was not enabled; use --enable-ufw after reviewing access requirements\n'
fi
ufw status verbose || printf 'WARNING: unable to read UFW status\n'
printf 'OK: security baseline completed\n'
Reference in New Issue View Git Blame Copy Permalink