Merge pull request #22 from StrangeRanger/dev

Author: StrangeRanger

README.md

@@ -1,33 +1,118 @@
 # Linux Security Scripts
 
-[![Project Tracker](https://img.shields.io/badge/repo%20status-Project%20Tracker-lightgrey)](https://wiki.hthompson.dev/en/project-tracker)
-[![Style Guide](https://img.shields.io/badge/code%20style-Style%20Guide-blueviolet)](https://github.com/StrangeRanger/bash-style-guide)
+[![Project Tracker](https://img.shields.io/badge/repo%20status-Project%20Tracker-lightgrey)](https://hthompson.dev/project-tracker#project-293920085)
+[![Style Guide](https://img.shields.io/badge/code%20style-Style%20Guide-blueviolet)](https://bsg.hthompson.dev/)
 [![Codacy Badge](https://app.codacy.com/project/badge/Grade/598c2083cd6f432a910a315fd10aaa66)](https://www.codacy.com/gh/StrangeRanger/linux-security-scripts/dashboard?utm_source=github.com&utm_medium=referral&utm_content=StrangeRanger/linux-security-scripts&utm_campaign=Badge_Grade)
 
-This repository is a collection of scripts designed to secure/harden Linux based Distributions.
+This repository is a collection of scripts designed to secure/harden Linux-based distributions.
+
+<details>
+<summary><strong>Table of Contents</strong></summary>
+
+- [Linux Security Scripts](#linux-security-scripts)
+  - [Tools and Scripts](#tools-and-scripts)
+  - [Getting Started](#getting-started)
+    - [Prerequisites](#prerequisites)
+    - [Download and Setup](#download-and-setup)
+  - [Usage](#usage)
+    - [Quick Start](#quick-start)
+    - [Individual Script Usage](#individual-script-usage)
+  - [Post-Installation](#post-installation)
+  - [Tested On](#tested-on)
+  - [Other Resources](#other-resources)
+    - [Security Auditing Tools](#security-auditing-tools)
+    - [Additional Hardening Resources](#additional-hardening-resources)
+    - [System Monitoring](#system-monitoring)
+  - [Support and Issues](#support-and-issues)
+  - [License](#license)
+
+</details>
+
+## Tools and Scripts
+
+Below is a list of tools included in this repository.
+
+| Tool Name | Description | Category | Requirements | Notes |
+|-----------|-------------|----------|--------------|-------|
+| **[Lynis Installer](auditing/Lynis%20Installer/lynis-installer.bash)** | Download (clone) Lynis, a security auditing tool for Unix-like systems. | Auditing | Git, Internet connection | No root required |
+| **[Root Locker](hardening/Root%20Locker/root-locker.bash)** | Locks the root account to prevent direct logins. | Hardening | Root privileges | Preserves sudo access |
+| **[SSHD Hardening](hardening/SSHD%20Hardening/harden-sshd.bash)** | Harden OpenSSH server (sshd) per Lynis recommendations. | Hardening | Root privileges | Creates backups |
+| **[UFW Cloudflare](hardening/UFW%20Cloudflare/ufw-cloudflare.bash)** | Configure UFW to only allow HTTP/HTTPS from Cloudflare IP ranges. | Hardening | Root privileges, UFW, Internet connection | Creates backups |
 
-<!-- TODO: Add a list of all avaliable scripts and what they do. -->
+> [!NOTE]
+> All scripts include version information in their headers. Check individual CHANGELOG.md files in each tool's directory for version history and updates.
 
 ## Getting Started
 
-### Downloading
+### Prerequisites
+
+The following requirements extend to every tool in this repository:
+
+- **Bash**: Version 4.0 or higher
+- **Operating System**: Linux-based distribution
+
+> [!NOTE]
+> Individual scripts may have additional requirements listed in the table above.
+
+### Download and Setup
 
 All you need to do is download this repository to your local machine:
 
-`git clone https://github.com/StrangeRanger/linux-security-scripts`
+```bash
+git clone https://github.com/StrangeRanger/linux-security-scripts
+cd linux-security-scripts
+```
 
 ## Usage
 
-> [!NOTE]
-> Some of the scripts in this repository require root privileges to run. You can run the scripts with the `sudo` command to give them the necessary permissions.
+### Quick Start
+
+For users who want to get started immediately:
+
+1. **Audit your system first**: Run the Lynis installer to download the auditing tool.
+   ```bash
+   ./auditing/Lynis\ Installer/lynis-installer.bash
+   ```
+
+2. **Run a security audit**: Use Lynis to identify security issues.
+   ```bash
+   cd ~/lynis && sudo ./lynis audit system
+   ```
+
+3. **Apply hardening**: Based on the audit results, run the appropriate hardening scripts with root privileges.
+
+> [!CAUTION]
+> **Production Environment Warning**: Always test scripts in a non-production environment first. Some scripts modify critical system configurations and may affect system accessibility.
+
+### Individual Script Usage
+
+You can run any script individually using one of the following methods:
 
-You can run the scripts in this repository by using the following command:
+```bash
+./[script-name]
+```
 
-`./[script name]` OR `bash [script name]`
+**or**
+
+```bash
+bash [script-name]
+```
+
+## Post-Installation
+
+After running the hardening scripts:
+
+1. **Verify SSH access**: Before logging out, test SSH connectivity in a new terminal session.
+2. **Review firewall rules**: Check UFW status with `sudo ufw status verbose` if you used the UFW Cloudflare script.
+3. **Run Lynis again**: Re-audit your system to see security improvements.
+4. **Backup configurations**: Keep copies of any modified configuration files.
+
+> [!WARNING]
+> The SSHD hardening script modifies SSH configurations. Ensure you have alternative access to your system before applying changes in production environments.
 
 ## Tested On
 
-All of the scripts should work on most, if not all Linux Distributions. With that said, below is a list of Linux Distributions that the scripts have been officially tested and are confirmed to work on.
+All of the scripts should work on most, if not all, Linux distributions with Bash v4.0+ installed. With that said, below is a list of Linux distributions that the scripts have been officially tested and are confirmed to work on.
 
 | Distributions | Distro Versions        |
 | ------------- | ---------------------- |
@@ -36,6 +121,28 @@ All of the scripts should work on most, if not all Linux Distributions. With tha
 
 ## Other Resources
 
-While this repository has scripts that can help secure Linux, it's not nearly enough to secure the system as much as it needs to be. Below is a list of other resources that you can/should use to help make your system as secure as possible.
+Below is a list of additional resources that you can/should use to help make your system as secure as possible.
+
+### Security Auditing Tools
+
+- [SSH Audit](https://github.com/jtesta/ssh-audit) - SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
+
+### Additional Hardening Resources
+
+- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks) - Industry-standard security configuration guidelines
+- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) - Comprehensive cybersecurity guidance
+- [OpenSCAP](https://www.open-scap.org/) - Security compliance and vulnerability management
+
+### System Monitoring
+
+- [AIDE](https://aide.github.io/) - Advanced Intrusion Detection Environment
+- [Fail2Ban](https://github.com/fail2ban/fail2ban) - Intrusion prevention software
+- [rkhunter](http://rkhunter.sourceforge.net/) - Rootkit detection tool
+
+## Support and Issues
+
+Please use [GitHub Issues](https://github.com/StrangeRanger/linux-security-scripts/issues) for bug reports and feature requests.
+
+## License
 
-- [SSH Audit](https://github.com/jtesta/ssh-audit) - SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc).
+Licensing may vary by tool; see individual file headers.

auditing/Lynis Installer/CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## v1.0.9 - 2025-08-10
+
+### Removed
+
+- Remove pointless `-e` flag in `echo`.
+
 ## v1.0.8 - 2024-12-20
 
 ### Changed
@@ -17,7 +23,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - No longer requires root permission to run the script.
 - Won't download lynis if is already present on the system.
 - Improved syntax of the script.
-- Rename script to `lynis-installer.bash`. 
+- Rename script to `lynis-installer.bash`.
 
 ## v1.0.6 - 2024-04-13
 

auditing/Lynis Installer/lynis-installer.bash

@@ -5,9 +5,9 @@
 # it. Unless an error is encountered, Lynis will always be downloaded to the current
 # user's root directory (`/home/USERNAME/`).
 #
-# Version: v1.0.8
+# Version: v1.0.9
 # License: MIT License
-#          Copyright (c) 2020-2024 Hunter T. (StrangeRanger)
+#          Copyright (c) 2020-2025 Hunter T. (StrangeRanger)
 #
 ########################################################################################
 
@@ -48,5 +48,5 @@ git clone https://github.com/CISOfy/lynis || {
 }
 
 echo -e "\n${C_SUCCESS}Lynis has been downloaded to your system"
-echo -e "${C_NOTE}To perform a system scan with lynis, execute the following command" \
+echo "${C_NOTE}To perform a system scan with lynis, execute the following command" \
     "in the lynis root directory: sudo ./lynis audit system"

hardening/Root Locker/CHANGELOG.md

@@ -4,6 +4,19 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## v1.0.10 - 2025-08-10
+
+### Changed
+
+- Replace `[[ ]]` with `(( ))`.
+- Remove redundant comments.
+
+## v1.0.9 - 2025-08-09
+
+### Changed
+
+- Removed "Exiting..." message from output.
+
 ## v1.0.8 - 2024-12-20
 
 ### Changed

hardening/Root Locker/root-locker.bash

@@ -6,9 +6,9 @@
 #   Locking the root account doesn't prevent users from using something like `sudo su`
 #   to gain root access.
 #
-# Version: v1.0.8
+# Version: v1.0.10
 # License: MIT License
-#          Copyright (c) 2020-2024 Hunter T. (StrangeRanger)
+#          Copyright (c) 2020-2025 Hunter T. (StrangeRanger)
 #
 ########################################################################################
 
@@ -24,10 +24,8 @@ C_INFO="${C_BLUE}==>${C_NC} "
 C_NOTE="${C_CYAN}==>${C_NC} "
 
 
-## Check if this script was executed with root privilege.
-if [[ $EUID != 0 ]]; then
+if (( EUID != 0 )); then
     echo "${C_ERROR}Please run this script as or with root privilege" >&2
-    echo -e "\n${C_INFO}Exiting..."
     exit 1
 fi
 
@@ -37,7 +35,6 @@ read -rp "${C_NOTE}We will now disable the root account. Press [Enter] to contin
 echo "${C_INFO}Disabling root account..."
 usermod -L root || {
     echo -e "${C_ERROR}Failed to lock the root account" >&2
-    echo -e "\n${C_INFO}Exiting..."
     exit 1
 }
 

hardening/SSHD Hardening/CHANGELOG.md

@@ -2,7 +2,22 @@
 
 All notable changes to this project will be documented in this file.
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## v2.1.0 - 2025-08-09
+
+### Added
+
+- **Session backup system**: Automatic restoration during script interruptions with temporary backup preservation for manual recovery
+- **Cross-platform SSH service restart**: Automatically detects and restarts either `sshd` or `ssh` service based on distribution
+- **Enhanced signal handling**: Proper restoration and cleanup on script interruption (SIGHUP, SIGINT, SIGTERM)
+
+### Changed
+
+- **Backup strategy**: Dual backup system with permanent `.bak` file for user reference and session backup for auto-restoration
+- **Exit handling**: Strategic use of `clean_exit` function only when cleanup or restoration is needed
+- **User messaging**: Enhanced feedback throughout backup, restoration, and cleanup processes
+- **Output colors**: "Already set" messages now use note (cyan) instead of success (green) for better semantic clarity
 
 ## v2.0.2 - 2024-12-20