Foundation for a scoped sudoers: route every genuine system-admin command (systemctl/ufw/ufw-docker/nft/apt/apt-get/pacman/sysctl/useradd/usermod/ service/wg/wg-quick/cscli/loginctl) through runSystem instead of raw sudo across 28 active scripts. runSystem is 'sudo "$@"' so this is byte-identical in every mode (safe on live installs) — it just collects all real-root use at one chokepoint that will define the eventual /etc/sudoers.d allowlist. Also: revert a crowdsec advice message the sweep wrongly rewrote (the admin types sudo, not runSystem), and give crontab_check_processor.sh the same startup bootstrap as the task processor — it runs standalone via cron and already used runFileOp/runFileWrite (undefined there), so it was silently broken; now it sources the helpers + docker-type config. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
69 lines
2.4 KiB
Bash
Executable File
69 lines
2.4 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
installUFW()
|
|
{
|
|
if [[ "$CFG_REQUIREMENT_UFW" == "true" ]]; then
|
|
ISUFW=$( (runSystem ufw status ) 2>&1 )
|
|
if [[ "$ISUFW" == *"command not found"* ]]; then
|
|
isHeader "Install UFW Firewall"
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Installing using linux package installer"
|
|
echo ""
|
|
|
|
local result=$(yes | runSystem apt-get install ufw )
|
|
checkSuccess "Installing UFW package"
|
|
|
|
# ((menu_number++))
|
|
# echo ""
|
|
# echo "---- $menu_number. Updating Firewall Rules"
|
|
# echo ""
|
|
|
|
# # Detect SSH port if not provided
|
|
# if [[ -z "$ssh_port" ]]; then
|
|
# SSH_CONFIG="/etc/ssh/sshd_config"
|
|
# ssh_port=$(grep "^Port" "$SSH_CONFIG" 2>/dev/null | awk '{print $2}' | head -n1)
|
|
# ssh_port=${ssh_port:-22} # Default to 22 if not found
|
|
# fi
|
|
|
|
# local result=$(runSystem ufw allow $ssh_port)
|
|
# checkSuccess "Enabling Port $ssh_port through the firewall"
|
|
# local result=$(runSystem ufw allow ssh)
|
|
# checkSuccess "Enabling SSH through the firewall"
|
|
|
|
# while true; do
|
|
# isQuestion "Do you want to keep port $ssh_port (SSH) open? (y/n): "
|
|
# read -rp "" UFWSSH
|
|
# if [[ "$UFWSSH" =~ ^[yYnN]$ ]]; then
|
|
# break
|
|
# fi
|
|
# isNotice "Please provide a valid input (y/n)."
|
|
# done
|
|
|
|
# if [[ "$UFWSSH" == [nN] ]]; then
|
|
# local result=$(runSystem ufw deny $ssh_port)
|
|
# checkSuccess "Blocking Port $ssh_port through the firewall"
|
|
# local result=$(runSystem ufw deny ssh)
|
|
# checkSuccess "Blocking SSH through the firewall"
|
|
# fi
|
|
|
|
local result=$(runSystem ufw --force enable)
|
|
checkSuccess "Enabling UFW Firewall"
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Changing logging options"
|
|
echo ""
|
|
|
|
local result=$(yes | runSystem ufw logging $CFG_UFW_LOGGING)
|
|
checkSuccess "Disabling UFW Firewall Logging"
|
|
|
|
isSuccessful "UFW Firewall has been installed, you can use ufw status to see the status"
|
|
|
|
menu_number=0
|
|
cd
|
|
fi
|
|
fi
|
|
}
|