#!/bin/bash
# UAML Operator Workstation Hardening — LINUX
# Review every command before running. Re-running is safe (idempotent).
# This script DOES NOT touch any UAML data; it only configures your local OS.

set -e

# Optional call-home: when UAML_REPORT_URL is set, the final result is POSTed
# there as JSON; UAML_REPORT_TOKEN (if set) is sent as a bearer token.
REPORT_URL=${UAML_REPORT_URL:-}
REPORT_TOKEN=${UAML_REPORT_TOKEN:-}

declare -a findings=()   # informational items the operator should look at
declare -a applied=()    # hardening steps this run actually carried out

#######################################
# Abort unless the effective uid is 0; every later step writes under /etc
# or drives systemctl / the package manager.
# Outputs:  error text to stderr when not root
# Returns:  0 as root, otherwise exits the script with status 1
#######################################
require_root() {
  local uid
  uid=$(id -u)
  [[ "$uid" == 0 ]] || { echo "This script must run as root (sudo)." >&2; exit 1; }
}
# Everything below writes under /etc or drives systemctl / package managers.
require_root

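echo "=== 1. SSH hardening (if sshd installed) ==="
# Act only when an sshd binary and the drop-in directory both exist: without
# the directory the redirect below fails (and aborts the script under set -e);
# without the binary 'sshd -t' cannot validate anything and the old code
# reported a bogus "config test failed" on client-only hosts.
if command -v sshd >/dev/null 2>&1 && [ -d /etc/ssh/sshd_config.d ]; then
  sshd_dropin=/etc/ssh/sshd_config.d/00-uaml-operator-hardening.conf
  # The drop-in is only honoured when sshd_config includes the directory
  # (keyword matching is case-insensitive in sshd).
  if ! grep -Eiq '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/' /etc/ssh/sshd_config 2>/dev/null; then
    findings+=("sshd_config has no Include for sshd_config.d; drop-in may be ignored")
  fi
  # Lock-out guard: turning password auth off is only safe when the operator
  # (the sudo caller, or root when run directly) already has an authorized key
  # on this host. Otherwise keep passwords on and say so in the findings.
  op_user=${SUDO_USER:-root}
  op_home=$(getent passwd "$op_user" | cut -d: -f6)
  if [ -s "${op_home:-/nonexistent}/.ssh/authorized_keys" ]; then
    password_auth=no
  else
    password_auth=yes
    findings+=("no authorized_keys for ${op_user}; PasswordAuthentication left enabled to avoid lock-out")
  fi
  cat > "$sshd_dropin" <<CFG
PermitRootLogin prohibit-password
PasswordAuthentication ${password_auth}
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
CFG
  chmod 0644 "$sshd_dropin"
  if sshd -t 2>/dev/null; then
    # Unit name differs between Debian/Ubuntu (ssh) and the RHEL family (sshd).
    systemctl reload ssh.service 2>/dev/null || systemctl reload sshd.service 2>/dev/null || true
    applied+=("ssh-hardening-dropin")
  else
    rm -f "$sshd_dropin"
    findings+=("sshd config test failed; drop-in removed")
  fi
elif [ -d /etc/ssh ]; then
  findings+=("sshd or /etc/ssh/sshd_config.d not present; SSH hardening skipped")
fi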

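echo "=== 2. UFW (Ubuntu/Debian) or firewalld (RHEL family) ==="
if command -v ufw >/dev/null 2>&1; then
  ufw --force default deny incoming
  ufw --force default allow outgoing
  # Add-then-delete appears intended to clear any pre-existing plain
  # 'allow 22/tcp' so the rate-limited rule below is the one governing SSH
  # (and re-runs do not accumulate rules). Both are best-effort on purpose.
  ufw allow 22/tcp comment "ssh" 2>/dev/null || true
  ufw delete allow 22/tcp 2>/dev/null || true
  ufw limit 22/tcp comment "ssh-rate-limit"
  ufw --force enable
  applied+=("ufw")
elif command -v firewall-cmd >/dev/null 2>&1; then
  # Count firewalld as applied only when the unit actually came up; the old
  # '|| true' reported success even when enable/start failed.
  if systemctl enable --now firewalld 2>/dev/null; then
    applied+=("firewalld")
  else
    findings+=("firewalld present but could not be enabled/started")
  fi
else
  findings+=("no host firewall available (install ufw or firewalld)")
fi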

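echo "=== 3. Fail2Ban ==="
if ! command -v fail2ban-client >/dev/null 2>&1; then
  # An install failure (e.g. EPEL not enabled on the RHEL family) is recorded
  # as a finding instead of aborting the whole run under set -e.
  if command -v apt-get >/dev/null 2>&1; then
    DEBIAN_FRONTEND=noninteractive apt-get install -y fail2ban \
      || findings+=("fail2ban install failed (apt-get)")
  elif command -v dnf >/dev/null 2>&1; then
    dnf install -y fail2ban \
      || findings+=("fail2ban install failed (dnf; EPEL is needed on the RHEL family)")
  fi
fi
if command -v fail2ban-client >/dev/null 2>&1; then
  # The stock jail.conf ships with every jail disabled (Debian enables sshd via
  # its own jail.d file; RHEL-family packages do not). This drop-in makes the
  # sshd jail active on both, so "fail2ban applied" actually means something.
  if [ -d /etc/fail2ban/jail.d ]; then
    cat > /etc/fail2ban/jail.d/uaml-operator-sshd.local <<'CFG'
[sshd]
enabled = true
CFG
  fi
  # reload-or-restart picks up the drop-in on re-runs where the service is
  # already running ('enable --now' would leave the old config loaded).
  if systemctl enable fail2ban && systemctl reload-or-restart fail2ban; then
    applied+=("fail2ban")
  else
    findings+=("fail2ban installed but failed to start; see 'journalctl -u fail2ban'")
  fi
fi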

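echo "=== 4. Unattended security updates ==="
if command -v apt-get >/dev/null 2>&1; then
  if DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades; then
    # Periodic list refresh plus the unattended run; the package's own
    # 50unattended-upgrades keeps the default security-only origin.
    cat > /etc/apt/apt.conf.d/20auto-upgrades <<'CFG'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
CFG
    systemctl enable --now unattended-upgrades.service
    applied+=("unattended-upgrades")
  else
    findings+=("unattended-upgrades install failed")
  fi
elif command -v dnf >/dev/null 2>&1; then
  if dnf install -y dnf-automatic; then
    # The stock /etc/dnf/automatic.conf has 'apply_updates = no', so the timer
    # alone only downloads updates. Flip it so they are actually installed.
    if [ -f /etc/dnf/automatic.conf ]; then
      sed -i -E 's/^[[:space:]]*apply_updates[[:space:]]*=.*/apply_updates = yes/' /etc/dnf/automatic.conf
      grep -Eq '^apply_updates = yes' /etc/dnf/automatic.conf \
        || findings+=("could not set apply_updates = yes in /etc/dnf/automatic.conf")
    fi
    systemctl enable --now dnf-automatic.timer
    applied+=("dnf-automatic")
  else
    findings+=("dnf-automatic install failed")
  fi
fi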

echo "=== 5. Disk encryption check (informational) ==="
# lsblk reports crypto_LUKS as the FSTYPE of a LUKS container; any match
# anywhere in the listing counts. A missing lsblk reads as "no LUKS seen".
luks_seen=no
if lsblk -o NAME,TYPE,FSTYPE 2>/dev/null | grep -q crypto_LUKS; then
  luks_seen=yes
fi
if [ "$luks_seen" = no ]; then
  findings+=("no LUKS-encrypted volume detected; consider enabling for laptop")
fi

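echo "=== 6. Auto-screen-lock check (informational, GUI only) ==="
if command -v gsettings >/dev/null 2>&1; then
  # gsettings reads the dconf database of the calling user. Under sudo that
  # is root's profile, not the operator's, so query as the sudo caller when
  # there is one; -H points HOME (and thus dconf) at that user's profile.
  if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != root ] && command -v sudo >/dev/null 2>&1; then
    lock_enabled=$(sudo -H -u "$SUDO_USER" gsettings get org.gnome.desktop.screensaver lock-enabled 2>/dev/null || echo unknown)
  else
    lock_enabled=$(gsettings get org.gnome.desktop.screensaver lock-enabled 2>/dev/null || echo unknown)
  fi
  if [ "$lock_enabled" = "unknown" ]; then
    findings+=("could not read GNOME screen-lock setting")
  elif [ "$lock_enabled" != "true" ]; then
    findings+=("GNOME auto-screen-lock not enabled")
  fi
fi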

# Human-readable wrap-up; arrays are joined with a single space, "none" if empty.
printf '\n=== Summary ===\n'
printf 'Applied: %s\n' "${applied[*]:-none}"
printf 'Findings: %s\n' "${findings[*]:-none}"

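# Optional: report back to UAML

#######################################
# Print $1 as a JSON string literal (quoted and escaped).
# Uses jq when available; otherwise escapes only backslash and double quote.
#######################################
json_string() {
  local s=$1
  if command -v jq >/dev/null 2>&1; then
    jq -n --arg s "$s" '$s'
  else
    s=${s//\\/\\\\}
    s=${s//\"/\\\"}
    printf '"%s"' "$s"
  fi
}

#######################################
# Print the arguments as a compact JSON array of strings.
# Prints "[]" when there are no arguments (the old pipeline turned an empty
# list into [""]) and, as before, when jq is not installed.
#######################################
json_array() {
  if [ "$#" -eq 0 ] || ! command -v jq >/dev/null 2>&1; then
    printf '[]'
    return 0
  fi
  printf '%s\n' "$@" | jq -R . | jq -s -c . 2>/dev/null || printf '[]'
}

if [ -n "$REPORT_URL" ]; then
  payload=$(printf '{"hostname":%s,"platform":"linux","applied":%s,"findings":%s,"ts":"%s"}' \
    "$(json_string "$(hostname)")" \
    "$(json_array "${applied[@]}")" \
    "$(json_array "${findings[@]}")" \
    "$(date -Is)")
  if [ -n "$REPORT_TOKEN" ] && [[ "$REPORT_URL" != https://* ]]; then
    echo "(report skipped: UAML_REPORT_URL is not https; refusing to send the bearer token in clear)" >&2
  else
    # The token reaches curl as a config line on stdin (-K -) rather than on
    # argv, so it does not show up in 'ps' output or 'set -x' traces.
    # curl's config syntax uses backslash escapes inside double quotes.
    curl_cfg=
    if [ -n "$REPORT_TOKEN" ]; then
      tok=${REPORT_TOKEN//\\/\\\\}
      tok=${tok//\"/\\\"}
      curl_cfg="header = \"Authorization: Bearer ${tok}\""
    fi
    printf '%s\n' "$curl_cfg" | curl -fsS -K - -X POST -H "Content-Type: application/json" \
      --data "$payload" "$REPORT_URL" || echo "(report POST failed; that's OK)"
  fi
fi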
