|
1 | 1 | #!/bin/bash |
2 | 2 |
|
3 | 3 | # Debian 12 and Ubuntu Server Hardening Interactive Script |
4 | | -# Version: 0.60 | 2025-07-15 |
| 4 | +# Version: 0.61 | 2025-08-03 |
5 | 5 | # Changelog: |
| 6 | +# - v0.61: Display Lynis suggestions in summary, hide tailscale auth key, cleanup temp files |
6 | 7 | # - v0.60: CI for shellcheck |
7 | 8 | # - v0.59: Add a new optional function that applies a set of recommended sysctl security settings to harden the kernel. |
8 | 9 | # Script can now check for update and can run self-update. |
|
60 | 61 | set -euo pipefail # Exit on error, undefined vars, pipe failures |
61 | 62 |
|
62 | 63 | # --- Update Configuration --- |
63 | | -CURRENT_VERSION="0.60" |
| 64 | +CURRENT_VERSION="0.61" |
64 | 65 | SCRIPT_URL="https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh" |
65 | 66 | CHECKSUM_URL="${SCRIPT_URL}.sha256" |
66 | 67 |
|
@@ -121,7 +122,7 @@ print_header() { |
121 | 122 | echo -e "${CYAN}╔═════════════════════════════════════════════════════════════════╗${NC}" |
122 | 123 | echo -e "${CYAN}║ ║${NC}" |
123 | 124 | echo -e "${CYAN}║ DEBIAN/UBUNTU SERVER SETUP AND HARDENING SCRIPT ║${NC}" |
124 | | - echo -e "${CYAN}║ v0.60 | 2025-07-15 ║${NC}" |
| 125 | + echo -e "${CYAN}║ v0.61 | 2025-08-03 ║${NC}" |
125 | 126 | echo -e "${CYAN}║ ║${NC}" |
126 | 127 | echo -e "${CYAN}╚═════════════════════════════════════════════════════════════════╝${NC}" |
127 | 128 | echo |
@@ -1434,7 +1435,8 @@ install_tailscale() { |
1434 | 1435 | done |
1435 | 1436 | fi |
1436 | 1437 | while true; do |
1437 | | - read -rp "$(echo -e "${CYAN}Enter Tailscale pre-auth key: ${NC}")" AUTH_KEY |
| 1438 | + read -sp "$(echo -e "${CYAN}Enter Tailscale pre-auth key: ${NC}")" AUTH_KEY |
| 1439 | + echo |
1438 | 1440 | if [[ "$TS_CONNECTION" == "1" && "$AUTH_KEY" =~ ^tskey-auth- ]]; then break |
1439 | 1441 | elif [[ "$TS_CONNECTION" == "2" && -n "$AUTH_KEY" ]]; then |
1440 | 1442 | print_warning "Ensure the pre-auth key is valid for your custom Tailscale server ($LOGIN_SERVER)." |
@@ -2175,6 +2177,8 @@ configure_security_audit() { |
2175 | 2177 | log "Lynis audit completed successfully." |
2176 | 2178 | # Extract hardening index |
2177 | 2179 | HARDENING_INDEX=$(grep -oP "Hardening index : \K\d+" "$AUDIT_LOG" || echo "Unknown") |
| 2180 | + #Extract top suggestions |
| 2181 | + grep "Suggestion:" /var/log/lynis-report.dat | head -n 5 > /tmp/lynis_suggestions.txt 2>/dev/null || true |
2178 | 2182 | # Append Lynis system log for persistence |
2179 | 2183 | cat /var/log/lynis.log >> "$AUDIT_LOG" 2>/dev/null |
2180 | 2184 | else |
@@ -2362,6 +2366,10 @@ generate_summary() { |
2362 | 2366 | printf " %-17s%s\n" "- Audit Log:" "${AUDIT_LOG:-N/A}" |
2363 | 2367 | printf " %-17s%s\n" "- Hardening Index:" "${HARDENING_INDEX:-Unknown}" |
2364 | 2368 | printf " %-17s%s\n" "- Vulnerabilities:" "${DEBSECAN_VULNS:-N/A}" |
| 2369 | + if [[ -s /tmp/lynis_suggestions.txt ]]; then |
| 2370 | + echo -e " ${YELLOW}- Top Lynis Suggestions:${NC}" |
| 2371 | + sed 's/^/ /' /tmp/lynis_suggestions.txt |
| 2372 | + fi |
2365 | 2373 | else |
2366 | 2374 | echo -e " Security Audit: ${RED}Not run${NC}" |
2367 | 2375 | fi |
@@ -2434,6 +2442,7 @@ handle_error() { |
2434 | 2442 |
|
2435 | 2443 | main() { |
2436 | 2444 | trap 'handle_error $LINENO' ERR |
| 2445 | + trap 'rm -f /tmp/lynis_suggestions.txt /tmp/tailscale_*.txt /tmp/sshd_config_test.log /tmp/ssh*.log /tmp/sshd_restart*.log' EXIT |
2437 | 2446 |
|
2438 | 2447 | # --- Root Check --- |
2439 | 2448 | if [[ $(id -u) -ne 0 ]]; then |
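Review bot: The suggestion file added in configure_security_audit is a fixed, predictable path (`/tmp/lynis_suggestions.txt`) that this script, which runs as root per the check on the next line, truncates with `>` and later reads back in generate_summary; a fixed name in a world-writable directory is the classic pre-created-file/symlink hazard, and protected_symlinks only partly covers it. Create it once with `mktemp`, e.g. `LYNIS_SUGGESTIONS=$(mktemp /tmp/lynis_suggestions.XXXXXX)`, and use that variable in the grep redirect, the `[[ -s … ]]` test and the EXIT trap instead of the literal name. In install_tailscale the prompt changed from `read -rp` to `read -sp`, which drops `-r` and lets backslashes in the key be interpreted (ShellCheck SC2162, which the CI mentioned in the v0.60 changelog entry will presumably flag); `read -rsp` keeps both. Also worth confirming against a real run that `/var/log/lynis-report.dat` contains `Suggestion:` lines at all — I believe the report file uses `suggestion[]=` keys and the `Suggestion:` wording is what lynis.log prints, in which case the new grep silently yields an empty file and the summary block never shows. The body of main continues past the end of this hunk.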
|