mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-24 20:08:11 +01:00
184 lines
4.1 KiB
Bash
184 lines
4.1 KiB
Bash
#!/usr/bin/env bash
|
|
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
set -u
|
|
|
|
# shellcheck source=/dev/null
|
|
_lsb_release() {
|
|
. /etc/os-release || exit 1
|
|
echo "$ID"
|
|
}
|
|
DISTRIBUTION="$(_lsb_release)"
|
|
readonly SELF="$0"
|
|
readonly DISTRIBUTION
|
|
|
|
export HISTSIZE=0
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
|
|
readonly green='\e[0;32m' Bold='\e[1m'
|
|
_msg() { printf '%b- %s%b\n' "$Bold" "$*" "$green" >&2; }
|
|
_disksize() { df --total --block-size=1 --output=size | tail -1; }
|
|
_diskused() { df --total --block-size=1 --output=used | tail -1; }
|
|
|
|
_sshdgenkeys() {
|
|
cat <<-_EOF >/usr/lib/systemd/system/sshdgenkeys.service
|
|
[Unit]
|
|
Description=SSH Key Generation
|
|
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
|
|
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
|
|
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
|
|
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
|
|
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
|
|
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
|
|
|
|
[Service]
|
|
ExecStart=/usr/bin/ssh-keygen -A
|
|
Type=oneshot
|
|
RemainAfterExit=yes
|
|
_EOF
|
|
mkdir -p /usr/lib/systemd/system/ssh.service.d
|
|
cat <<-_EOF >/usr/lib/systemd/system/ssh.service.d/sshdgenkeys.conf
|
|
[Unit]
|
|
Wants=sshdgenkeys.service
|
|
After=sshdgenkeys.service
|
|
_EOF
|
|
}
|
|
|
|
clean_debian() {
|
|
_msg "Apt clean configuration"
|
|
|
|
_msg "Full system upgrade"
|
|
apt-get update -y
|
|
apt-get -qq -y --no-install-recommends upgrade
|
|
apt-get -qq -y --no-install-recommends dist-upgrade
|
|
|
|
_msg "Clean the apt cache"
|
|
apt-get -y autoremove --purge
|
|
apt-get -y autoclean
|
|
apt-get -y clean
|
|
}
|
|
|
|
clean_arch() {
|
|
_msg "Pacman clean configuration"
|
|
|
|
pacman -Syu --noconfirm
|
|
pacman -Qdtq | while IFS='' read -r pkg; do
|
|
pacman -Rsccn --noconfirm "$pkg"
|
|
done
|
|
pacman -Scc --noconfirm
|
|
}
|
|
|
|
clean_opensuse() {
|
|
_msg "zypper clean configuration"
|
|
|
|
zypper update -y
|
|
zypper clean -y
|
|
}
|
|
|
|
# Make the image as impersonal as possible.
|
|
impersonalize() {
|
|
_msg "Make the image as impersonal as possible."
|
|
|
|
# Remove remaining pkg file, docs and caches
|
|
dirs=(
|
|
/usr/share/doc
|
|
/usr/share/man
|
|
/var/cache/
|
|
/var/lib/apt
|
|
/var/lib/dhcp
|
|
/var/tmp
|
|
)
|
|
for dir in "${dirs[@]}"; do
|
|
if [[ -d "$dir" ]]; then
|
|
find "$dir" -mindepth 1 -delete
|
|
fi
|
|
done
|
|
|
|
# Truncate any logs that have built up during the install
|
|
find /var/log -type f -exec truncate --size=0 {} \;
|
|
|
|
# Truncate the machine-id
|
|
truncate --size=0 /etc/machine-id
|
|
truncate --size=0 /var/lib/dbus/machine-id
|
|
|
|
remove=(
|
|
# Remove remaining pkg file, docs and caches
|
|
/usr/share/info/
|
|
/usr/share/lintian/
|
|
/usr/share/linda/
|
|
|
|
# Remove history & unique ids
|
|
/etc/adjtime
|
|
/etc/ansible/
|
|
/etc/ssh/ssh_host_*_key*
|
|
/home/*/.ansible/
|
|
/home/*/.bash_history
|
|
/home/*/.sudo_as_admin_successful
|
|
/home/*/.zsh_history
|
|
/root/.ansible/
|
|
/root/.bash_history
|
|
/root/.wget-hsts
|
|
/var/cache/ldconfig/aux-cache
|
|
/var/lib/systemd/random-seed
|
|
/var/log/private
|
|
|
|
# Remove itself
|
|
"$(readlink -f "$SELF")"
|
|
)
|
|
rm -rf "${remove[@]}"
|
|
}
|
|
|
|
# Free all unused storage block.
|
|
trim() {
|
|
local swapuuid swappart
|
|
|
|
if swapuuid=$(blkid -o value -l -s UUID -t TYPE=swap); then
|
|
swappart=$(readlink -f /dev/disk/by-uuid/"$swapuuid")
|
|
_msg "Fill with 0 the swap partition to reduce box size"
|
|
swapoff "$swappart"
|
|
dd if=/dev/zero of="$swappart" bs=1M || true
|
|
mkswap -U "$swapuuid" "$swappart"
|
|
elif [[ -f /swap/swapfile ]]; then
|
|
swapoff /swap/swapfile
|
|
truncate --size=0 /swap/swapfile
|
|
fi
|
|
|
|
# _msg "Fill root filesystem with 0 to reduce box size"
|
|
# dd if=/dev/zero of=/EMPTY bs=1M || true
|
|
# rm -f /EMPTY
|
|
|
|
# Block until the empty file has been removed, otherwise, Packer will
|
|
# try to kill the box while the disk is still full and that is bad.
|
|
sync
|
|
}
|
|
|
|
main() {
|
|
local begin end
|
|
begin=$(_diskused)
|
|
case "$DISTRIBUTION" in
|
|
debian | ubuntu)
|
|
clean_debian
|
|
_sshdgenkeys
|
|
;;
|
|
|
|
opensuse*)
|
|
clean_opensuse
|
|
;;
|
|
|
|
arch)
|
|
clean_arch
|
|
;;
|
|
esac
|
|
impersonalize
|
|
trim
|
|
|
|
end="$(_diskused)"
|
|
((res = begin - end))
|
|
echo "Inital used space: $(numfmt --to=iec "$begin")"
|
|
echo "Final space: $(numfmt --to=iec "$end")"
|
|
echo "Saved space: $(numfmt --to=iec "$res")"
|
|
}
|
|
|
|
main "$@"
|