A collection of system hardening and generally useful scripts for Linux systems. Targets Artix but works on any distro. Some init systems (e.g. systemd) will not boot unless the included boot-parameter hardening is disabled.
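#!/bin/bash
# Rebuild the Arch linux-hardened kernel from its PKGBUILD (patched with
# /parsec/bin/pkgbuild.patch, which presumably renames the package to
# linux-hardened-selfbuilt — confirm against the patch) as the unprivileged
# kernel_build_user, install the result with pacman, and refresh the kernel
# backups.
#
# Usage:    psec-update-kernel [--force]
#   --force   build and install even when the installed version already
#             matches the latest version in the repositories.
# Requires: root (the script re-executes itself through sudo otherwise),
#           pacman, asp, makepkg, updpkgsums, proxychains, patch, a
#           kernel_build_user account, /parsec/bin/pkgbuild.patch and
#           /parsec/bin/psec-update-kernel-backups. wipe is optional.
# Log:      /var/log/psec-update-kernel.log (truncated on every run).
set -euo pipefail

readonly LOG=/var/log/psec-update-kernel.log
readonly BUILD_USER=kernel_build_user
readonly PKG_STORE=/root/kernel-pkgs
readonly PKGBUILD_PATCH=/parsec/bin/pkgbuild.patch
readonly BACKUP_HOOK=/parsec/bin/psec-update-kernel-backups

# Upstream signing keys, kept here for reference. The script no longer fetches
# them (the --recv-key steps were dropped), so they are expected to already be
# in kernel_build_user's keyring for makepkg's signature check to succeed:
#   ABAF11C65A2970B130ABE3C479BE3E4300411886  Linus Torvalds
#   647F28654894E3BD457199BE38DBBDC86092693E  Greg Kroah-Hartman
#   E240B57E2C4630BA768E2F26FC1B547C8D8172C8  Levente Polyak
#   A2FF3A36AAA56654109064AB19802F8B0D70FC30  Jan Alexander Steffens (heftig)

# Build directory; global because the EXIT trap needs it. Empty until created
# and emptied again once removed, so cleanup is idempotent.
build_dir=""

#######################################
# Print a message to stdout and append it to $LOG.
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*" | tee -a "$LOG"
}

#######################################
# Print an error to stderr and $LOG, then exit 1 (the EXIT trap cleans up).
# Arguments: message words
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  printf 'Error: %s\n' "$*" >> "$LOG"
  exit 1
}

#######################################
# Remove the build tree. Registered as an EXIT trap so it also runs when a
# build step fails; called explicitly at the end so the log order stays
# "Cleaning up" before "Done".
# Globals:   build_dir (read, cleared)
#######################################
cleanup() {
  [[ -n "$build_dir" && -d "$build_dir" ]] || return 0
  log "Cleaning up: $(date)"
  # wipe (secure overwrite) is optional; its output is discarded as before.
  if command -v wipe >/dev/null 2>&1; then
    wipe -rf "$build_dir" >/dev/null 2>&1 || true
  fi
  # ${build_dir:?} refuses to run rm -rf on an empty path.
  rm -rf -- "${build_dir:?}"
  build_dir=""
}

#######################################
# Installed version of linux-hardened-selfbuilt, or empty when it is not
# installed (a valid state on the first run with --force), hence || true.
# Outputs:   version string to stdout
#######################################
installed_version() {
  pacman -Q linux-hardened-selfbuilt | cut -d' ' -f2 || true
}

#######################################
# Version of linux-hardened in the configured repositories, or empty when
# pacman -Ss does not list it.
# Outputs:   version string to stdout
#######################################
available_version() {
  pacman -Ss linux-hardened | grep -F -- "/linux-hardened " | cut -d' ' -f2 || true
}

#######################################
# Value of a scalar assignment (e.g. pkgver=6.1) in ./PKGBUILD, with quotes
# stripped. Anchored to the line start so that names such as _pkgver= or
# text inside other lines do not match.
# Arguments: $1 - variable name
# Outputs:   value to stdout
#######################################
pkgbuild_value() {
  grep -m1 "^$1=" PKGBUILD | cut -d= -f2- | tr -d "'\""
}

main() {
  # Re-run through sudo when not root; exec makes sudo's status our own.
  if [[ "$EUID" -ne 0 ]]; then
    exec sudo -- "$0" "$@"
  fi

  local force=0
  if [[ "${1:-}" == "--force" ]]; then
    force=1
  fi

  # Fresh log per run (the first write used to be a truncating tee).
  : > "$LOG"
  log "Running '$0' with arguments '$*': $(date)"

  local current latest
  current=$(installed_version)
  latest=$(available_version)
  [[ -n "$latest" ]] || die "could not determine the latest linux-hardened version from 'pacman -Ss'"

  if [[ "$current" == "$latest" ]]; then
    log "You're already running the latest kernel."
    if (( force )); then
      log "'--force' was passed. Installing anyway."
    else
      log "To install anyway, run '$0 --force' instead"
      log "Aborting."
      exit 0
    fi
  fi
  log "Current running kernel: $current ($(uname -r))"
  log "Latest available kernel: $latest"
  sleep 1

  # mktemp creates a fresh 0700 directory atomically, so nobody can pre-create
  # the path or race the chown the way a predictable /tmp/kernel-build/<hash>/
  # under a shared parent allowed. Only this directory is handed to the build
  # user; the parent stays untouched.
  build_dir=$(mktemp -d /tmp/kernel-build.XXXXXXXXXX) || die "mktemp failed"
  trap cleanup EXIT
  log "Building in: '$build_dir'"
  chown -- "$BUILD_USER" "$build_dir"
  mkdir -p -- "/home/$BUILD_USER/"
  chown -R -- "$BUILD_USER" "/home/$BUILD_USER/"
  cd -- "$build_dir" || die "cannot cd to $build_dir"

  log "Starting download of kernel packages: $(date)"
  sudo -u "$BUILD_USER" proxychains asp update linux-hardened
  sudo -u "$BUILD_USER" proxychains asp export linux-hardened
  log "Patching PKGBUILD..."
  sudo -u "$BUILD_USER" patch linux-hardened/PKGBUILD "$PKGBUILD_PATCH"
  cd linux-hardened || die "'asp export' did not produce linux-hardened/"

  local pkgver pkgrel arch
  pkgver=$(pkgbuild_value pkgver)
  pkgrel=$(pkgbuild_value pkgrel)
  arch=$(grep -m1 '^arch=' PKGBUILD | cut -d'(' -f2 | cut -d')' -f1 | tr -d "'\"")
  [[ -n "$pkgver" && -n "$pkgrel" && -n "$arch" ]] \
    || die "could not parse pkgver/pkgrel/arch from PKGBUILD"

  log "Running 'updpkgsums': $(date)"
  # NOTE(review): updpkgsums regenerates the checksums from whatever was just
  # downloaded, so source integrity then rests on makepkg's signature check
  # against the PKGBUILD's validpgpkeys list — keep that list intact in the patch.
  sudo -u "$BUILD_USER" proxychains updpkgsums
  log "Extracting sources with 'makepkg -o': $(date)"
  sudo -u "$BUILD_USER" proxychains makepkg -o
  log "Starting build with 'makepkg -e': $(date)"
  sudo -u "$BUILD_USER" proxychains makepkg -e
  log "Done building kernel packages: $(date)"

  # Without nullglob an unmatched pattern stays literal, which -e rejects.
  local -a built=( ./*.zst )
  [[ -e "${built[0]}" ]] || die "no .zst packages were produced in $PWD"
  printf '%s\n' "${built[@]}"
  mkdir -p -- "$PKG_STORE"
  cp -- "${built[@]}" "$PKG_STORE/"

  log "Preparing to install kernel packages: $(date)"
  # Hash and install the root-owned copies in $PKG_STORE rather than the files
  # in the build user's tree, so the files that are hashed are exactly the
  # files that get installed and nothing running as the build user can swap
  # them in between.
  local -a to_install=(
    "$PKG_STORE/linux-hardened-selfbuilt-$pkgver-$pkgrel-$arch.pkg.tar.zst"
    "$PKG_STORE/linux-hardened-selfbuilt-headers-$pkgver-$pkgrel-$arch.pkg.tar.zst"
  )
  local f
  for f in "${to_install[@]}"; do
    [[ -f "$f" ]] || die "expected package not found: $f"
  done
  log "Kernel packages to install (with SHA-512 hashes):"
  sha512sum -- "${to_install[@]}" | tee -a "$LOG"
  log "Installing kernel packages: $(date)"
  # pipefail makes a failed pacman abort here, so backups are only refreshed
  # after a successful install.
  pacman -U --noconfirm "${to_install[@]}" | tee -a "$LOG"
  log "Updating kernel backups: $(date)"
  "$BACKUP_HOOK"
  cleanup
  log "Done: $(date)"
}

main "$@"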