Rebuilt target

deajan · deajan · commit e28420d16aa4 · 2025-09-10T17:42:14.000+02:00
diff --git a/ks.el9-10.cfg b/ks.el9-10.cfg
@@ -986,6 +986,7 @@ lang C.UTF-8
 # Security & basic setup configuration script from NetPerfect
 # Works with RHEL / AlmaLinux / RockyLinux / CentOS EL8, EL9 and EL10
 # Works with Debian 12
+# Works with Debian 13, although atm no scap profile is available as of 27-08-2025
 
 SCRIPT_BUILD="2025080501"
 
@@ -1022,6 +1023,7 @@ EOF
 # Select SCAP PROFILE, choosing "" disables scap profile
 # Get profile list with oscap info "/usr/share/xml/scap/ssg/content/ssg-${DIST}${RELEASE}-ds.xml"
 # where flavor in rhel,debian and release = major os version
+# See https://www.open-scap.org/download/
 SCAP_PROFILE=anssi_bp28_high
 #SCAP_PROFILE=anssi_bp28_intermediary
 #SCAP_PROFILE=false
@@ -1072,6 +1074,10 @@ CONFIGURE_FAIL2BAN=true
 # Optional whitelist IPs / CIDR for Fail2ban
 FAIL2BAN_IGNORE_IP_LIST="${FIREWALL_WHITELIST_IP_LIST}"
 
+# Optionl allow non protected fs symlinks
+# Will be necessary for docker to write to /dev/stdout via mount --bind links
+ALLOW_UNPROTECTED_FS_SYMLINKS=false
+
 LOG_FILE=/root/.el-configurator.log
 
 log() {
@@ -1167,17 +1173,18 @@ get_el_version() {
         # DIST must contain "rhel", "almalinux", "debian" or alike
 	# The following awk line has been tested on almalinux 8, rhel 10 and debian 12
         DIST=$(awk '{ if ($1~/^ID=/) { sub("ID=","", $0); gsub("\"","", $0); print tolower($0) }}' /etc/os-release)
+        RELEASE=0
         if grep 'ID="rhel"' /etc/os-release > /dev/null || grep 'ID_LIKE="*rhel*' /etc/os-release > /dev/null; then
             FLAVOR=rhel
 	    if grep -e 'PLATFORM_ID=".*el10' /etc/os-release > /dev/null; then
                 RELEASE=10
-		SYSTEMD_PREFIX=/usr/lib/systemd
+		        SYSTEMD_PREFIX=/usr/lib/systemd
             elif grep -e 'PLATFORM_ID=".*el9' /etc/os-release > /dev/null; then
                 RELEASE=9
-		SYSTEMD_PREFIX=/etc/systemd
+		        SYSTEMD_PREFIX=/etc/systemd
             elif grep -e 'PLATFORM_ID=".*el8' /etc/os-release > /dev/null; then
                 RELEASE=8
-		SYSTEMD_PREFIX=/etc/systemd
+		        SYSTEMD_PREFIX=/etc/systemd
             else
                 log_quit "RHEL or alike release not compatible: dist=${DIST},flavor=${FLAVOR},release=${RELEASE}"
             fi
@@ -1190,12 +1197,15 @@ get_el_version() {
             FLAVOR=debian
             if grep -e 'VERSION_ID="11' /etc/os-release > /dev/null; then
                 RELEASE=11
-		SYSTEMD_PREFIX=/etc/systemd
+		        SYSTEMD_PREFIX=/etc/systemd
             elif grep -e 'VERSION_ID="12' /etc/os-release > /dev/null; then
                 RELEASE=12
-		SYSTEMD_PREFIX=/etc/systemd
+		        SYSTEMD_PREFIX=/etc/systemd
+            elif grep -e 'VERSION_ID="13' /etc/os-release > /dev/null; then
+                RELEASE=13
+		        SYSTEMD_PREFIX=/etc/systemd
             fi
-            if [ "${RELEASE}" -eq 11 ] || [ "${RELEASE}" -eq 12 ]; then
+            if [ "${RELEASE}" -eq 11 ] || [ "${RELEASE}" -eq 12 ] || [ "${RELEASE}" -eq 13 ]; then
                 log "Found Linux ${DIST} release ${RELEASE}"
             else
                 log_quit "Not compatible with ${DIST} release ${RELEASE} "
@@ -1331,22 +1341,7 @@ if [ "${SCAP_PROFILE}" != false ]; then
         if [ "${FLAVOR}" = "rhel" ]; then
             dnf install -y openscap scap-security-guide 2> "${LOG_FILE}" || log "OpenSCAP is missing and cannot be installed" "ERROR"
         elif [ "${FLAVOR}" = "debian" ]; then
-            # Download debian 12 anssi profiles which need ssg-debian 0.17.4 at least
-            # which are not available in stable as of 2025/02/14
-            # As of 2025/04/24, ssg-debian 0.1.76-1 is the most recent release one can get
-            if [ "${RELEASE}" -eq 12 ]; then
-                log "Downloading up ssg openscap data for debian 12"
-                if type curl > /dev/null 2>&1; then
-                    curl -OL http://ftp.debian.org/debian/pool/main/s/scap-security-guide/ssg-base_0.1.76-1_all.deb 2> "${LOG_FILE}" || log "OpenSCAP new deb 12 profiles ssg-base cannot be downloaded with curl" "ERROR"
-                    curl -OL http://ftp.debian.org/debian/pool/main/s/scap-security-guide/ssg-debian_0.1.76-1_all.deb 2> "${LOG_FILE}" || log "OpenSCAP new deb 12 profiles ssg-debian cannot be downloaded with curl" "ERROR"
-                else
-                    wget http://ftp.debian.org/debian/pool/main/s/scap-security-guide/ssg-base_0.1.76-1_all.deb 2> "${LOG_FILE}" || log "OpenSCAP new deb 12 profiles ssg-base cannot be downloaded with wget" "ERROR"
-                    wget http://ftp.debian.org/debian/pool/main/s/scap-security-guide/ssg-debian_0.1.76-1_all.deb 2> "${LOG_FILE}" || log "OpenSCAP new deb 12 profiles ssg-debian cannot be downloaded with wget" "ERROR"
-                fi
-                dpkg -i ssg-base_0.1.76-1_all.deb 2> "${LOG_FILE}" || log "OpenSCAP new deb 12 profiles ssg-base cannot be installed" "ERROR"
-                dpkg -i ssg-debian_0.1.76-1_all.deb 2> "${LOG_FILE}" || log "OpenSCAP new deb 12 profiles ssg-debian cannot be installed" "ERROR"
-            fi
-            apt install -y openscap-utils  2> "${LOG_FILE}" || log "OpenSCAP is missing and cannot be installed" "ERROR"
+            apt install -y openscap-utils ssg-base ssg-debderived ssg-debian ssg-applications 2> "${LOG_FILE}" || log "OpenSCAP is missing and cannot be installed" "ERROR"
         else
             log_quit "Cannot setup OpenSCAP on this system"
         fi
@@ -1396,8 +1391,8 @@ fi
 check_internet
 if [ $? -eq 0 ]; then
     log "Install available with internet. setting up additional packages."
-    dnf install -4 -y tar >> "${LOG_FILE}" || log "Cannot install tar" "ERROR"
     if  [ "${FLAVOR}" = "rhel" ]; then
+        dnf install -4 -y tar >> "${LOG_FILE}" || log "Cannot install tar" "ERROR"
         dnf install -4 -y epel-release 2>> "${LOG_FILE}" || log "Failed to install epel-release, some tools like fail2ban will not be installed" "ERROR"
         # The following packages are epel dependent
         # WIP: RHEL 10 ha no atop nor nmon for the moment
@@ -1417,6 +1412,7 @@ if [ $? -eq 0 ]; then
             dnf install -4 -y tuned 2>> "${LOG_FILE}" || log "Failed to install tuned" "ERROR"
         fi
     elif [ "${FLAVOR}" = "debian" ]; then
+        apt install -y tar 2>> "${LOG_FILE}" || log "Cannot install tar" "ERROR"
         apt install -y htop atop nmon iftop iptraf-ng  tar 2>> "${LOG_FILE}" || log "Failed to install additional tools" "ERROR"
         if [ "${CONFIGURE_AUTOMATIC_UPDATES}" != false ]; then
             apt install -y unattended-upgrades 2>> "${LOG_FILE}" || log "Failed to install unattended-upgrades" "ERROR"
@@ -2714,10 +2710,10 @@ if [ "${CONFIGURE_AUTOMATIC_UPDATES}" != false ]; then
     if [ "${FLAVOR}" = "rhel" ]; then
         log "Setup DNF automatic except for updates that require reboot"
         auto_upgrades_file="/etc/dnf/automatic.conf"
-        set_conf_value "${auto_upgrades_file}" "upgrade_type" "security" " = "
-        set_conf_value "${auto_upgrades_file}" "download_updates" "yes" " = "
-        set_conf_value "${auto_upgrades_file}" "apply_updates" "yes" " = "
-        set_conf_value "${auto_upgrades_file}" "emit_via" "stdio" " = "
+        set_conf_value "${auto_upgrades_file}" "upgrade_type" "security" "="
+        set_conf_value "${auto_upgrades_file}" "download_updates" "yes" "="
+        set_conf_value "${auto_upgrades_file}" "apply_updates" "yes" "="
+        set_conf_value "${auto_upgrades_file}" "emit_via" "stdio" "="
         systemctl enable dnf-automatic.timer 2>> "${LOG_FILE}" || log "Failed to start dnf-automatic timer" "ERROR"
     elif [ "${FLAVOR}" = "debian" ]; then
         log "Setup unattended automatic upgrades"
@@ -2831,7 +2827,7 @@ if [ "${CONFIGURE_FAIL2BAN}" != false ]; then
 	    systemctl enable fail2ban 2>> "${LOG_FILE}" || log "Failed to enable fail2ban" "ERROR"
 	    # Starting fail2ban may need a reboot to work, so let's not log start failures here
 	    systemctl start fail2ban
-     fi
+    fi
 fi
 
 # Enable guest agent on KVM
@@ -2890,6 +2886,12 @@ EOF
     chmod +x /usr/local/bin/el_configurator_metrics.sh  || log "Failed to chmod /usr/local/bin/el_configurator_metrics.sh" "ERROR"
 fi
 
+if [ "${ALLOW_UNPROTECTED_FS_SYMLINKS}" != false ]; then
+    log "Allowing unprotected symlinks in filesystems"
+    sysctl -w fs.protected_symlinks=0 2>> "${LOG_FILE}" || log "Failed to set fs.protected_symlinks at runtime" "ERROR"
+    set_conf_value /etc/sysctl.d/99-fs-symlinks.conf "fs.protected_symlinks" "0" || log "Failed to set fs.protected_symlinks in /etc/sysctl.d/99-fs-symlinks.conf" "ERROR"
+fi
+
 # Setting up watchdog in systemd
 if [ "${CONFIGURE_WATCHDOG}" != false ]; then
     log "Setting up systemd watchdog"
@@ -2912,14 +2914,14 @@ fi
 if [ "${ALLOW_SUDO}" = true ] && [ "${SCAP_PROFILE}" != false ]; then
     log "Allowing sudo command regardless of scap profile ${SCAP_PROFILE}"
     # Patch sudoers file since noexec is set by default, which prevents sudo
-    sed -i 's/^Defaults noexec/#Defaults noexec/g' /etc/sudoers 2>> "${LOG_FILE}" || log "Failed to sed /etc/sudoers" "ERROR"
-    if [ "${FLAVOR}" = "rhel" ]; then
+     if [ "${FLAVOR}" = "rhel" ]; then
         dnf install -y sudo 2>> "${LOG_FILE}" || log "Failed to install sudo" "ERROR"
         # chmod 4111 /usr/bin/sudo is not needed on RHEL normally
     elif [ "${FLAVOR}" = "debian" ]; then
         apt install -y sudo 2>> "${LOG_FILE}" || log "Failed to install sudo" "ERROR"
         chmod 4755 /usr/bin/sudo 2>> "${LOG_FILE}" || log "Failed to chmod /usr/bin/sudo" "ERROR"
     fi
+    sed -i 's/^Defaults noexec/#Defaults noexec/g' /etc/sudoers 2>> "${LOG_FILE}" || log "Failed to sed /etc/sudoers" "ERROR"
 else
     log "Not altering sudo behavior"
 fi
