#!/bin/bash
# Load configuration from YAML (using yq to parse YAML)
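# Path of the YAML configuration file. The environment may override it
# (CONFIG_FILE=/etc/foo.yaml sudo -E bash script.sh); the placeholder below is
# the default when nothing is set.
CONFIG_FILE="${CONFIG_FILE:-/path/to/your/config.yaml}"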
# Function to get value from YAML
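#######################################
# Read one scalar from the YAML config with yq.
# Globals:   CONFIG_FILE (read)
# Arguments: $1 - dotted key path, e.g. ram_disk.mount_point (only the fixed
#                 keys used in this file are passed in)
# Outputs:   the value on stdout; a diagnostic on stderr when it is missing
# Returns:   0 on success; 1 if yq fails or the key is absent/empty
# NOTE(review): `yq eval` is the mikefarah/yq (v4) CLI. The `yq` shipped by
# some distribution package repositories is a different, jq-based tool whose
# CLI does not accept `eval` — confirm which yq is installed.
#######################################
get_yaml_value() {
  local key=$1
  local value
  # Split declaration from assignment so yq's exit status is not masked.
  value=$(yq eval ".${key}" "$CONFIG_FILE") || return 1
  # yq prints the literal string "null" for a missing key; previously that
  # string flowed straight into mkdir/mount/adduser as if it were a value.
  if [ -z "$value" ] || [ "$value" = "null" ]; then
    printf 'config: key %s is missing or empty in %s\n' "$key" "$CONFIG_FILE" >&2
    return 1
  fi
  printf '%s\n' "$value"
}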
# Load configuration values
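# Each lookup aborts the script on failure: without set -e a failed
# substitution would otherwise leave the variable empty (or "null") and the
# later mount/adduser/sshd_config steps would run with a bogus value.
RAMDISK_DIR=$(get_yaml_value "ram_disk.mount_point") || exit 1
RAMDISK_SIZE=$(get_yaml_value "ram_disk.size") || exit 1
USER_NAME=$(get_yaml_value "user.username") || exit 1
USER_HOME=$(get_yaml_value "user.home_directory") || exit 1
USER_SHELL=$(get_yaml_value "user.shell") || exit 1
# The next three values are loaded but not referenced by any function in
# this file; they are kept so existing configs keep validating.
CREATE_SCRIPT=$(get_yaml_value "user.environment_setup.script") || exit 1
CLEANUP_SCRIPT=$(get_yaml_value "user.logout_cleanup_script") || exit 1
AUDIT_TOOL=$(get_yaml_value "security_measures.audit_and_monitor.tool") || exit 1
FIREWALL_TOOL=$(get_yaml_value "security_measures.firewall_rules.recommended_tool") || exit 1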
# Create a dynamic RAM disk on user login
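#######################################
# Mount a tmpfs at RAMDISK_DIR unless one is already mounted there.
# Globals:   RAMDISK_DIR, RAMDISK_SIZE (read)
# Outputs:   confirmation line on stdout; command errors on stderr
# Returns:   0 if a tmpfs is mounted at RAMDISK_DIR afterwards, 1 otherwise
#######################################
create_ramdisk() {
  # :? aborts with a message if a config value is empty instead of running
  # mkdir -p / mount with an empty path argument.
  local dir=${RAMDISK_DIR:?RAMDISK_DIR is not set}
  local size=${RAMDISK_SIZE:?RAMDISK_SIZE is not set}
  # The old "does the directory exist" test skipped the mount whenever a
  # leftover directory was present, silently leaving a plain on-disk dir
  # where a RAM disk was expected. Test for an actual mount instead.
  if mountpoint -q -- "$dir"; then
    return 0
  fi
  mkdir -p -- "$dir" || return 1
  # A failed mount must not fall through to chmod and the "created" message.
  mount -t tmpfs -o size="$size" tmpfs "$dir" || return 1
  # NOTE(review): sshd uses this path as ChrootDirectory; sshd requires it
  # to be root-owned and not writable by others, but mode 700 also denies
  # the user traversal of the chroot root — TODO confirm the intended mode.
  chmod 700 "$dir" || return 1
  echo "RAM disk created at $dir with size $size."
}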
# Cleanup RAM disk on logout
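#######################################
# Unmount the tmpfs at RAMDISK_DIR (if mounted) and remove the mount point.
# Globals:   RAMDISK_DIR (read)
# Outputs:   confirmation line on stdout; command errors on stderr
# Returns:   0 when the mount point is gone, 1 if umount or rmdir failed
#######################################
cleanup_ramdisk() {
  # Guard against rmdir/umount on an empty path.
  local dir=${RAMDISK_DIR:?RAMDISK_DIR is not set}
  if mountpoint -q -- "$dir"; then
    # A busy or failed umount previously fell through to rmdir and still
    # reported "cleaned up"; stop here so the caller sees the failure.
    umount "$dir" || return 1
  fi
  if [ -d "$dir" ]; then
    rmdir -- "$dir" || return 1
    echo "RAM disk at $dir cleaned up."
  fi
}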
# Set up allowed commands for the user
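#######################################
# Populate RAMDISK_DIR/bin with symlinks to a few binaries and put that
# directory on the user's PATH via .bash_profile. Safe to run repeatedly.
# Globals:   RAMDISK_DIR, USER_HOME (read)
# Outputs:   command errors on stderr
# Returns:   0 on success, 1 on the first failing step
#######################################
setup_allowed_commands() {
  local bin_dir=${RAMDISK_DIR:?RAMDISK_DIR is not set}/bin
  local profile=${USER_HOME:?USER_HOME is not set}/.bash_profile
  local cmd link
  mkdir -p -- "$bin_dir" || return 1
  # NOTE(review): the links point at /bin/* on the host. Inside the sshd
  # ChrootDirectory they resolve relative to the chroot root, where /bin does
  # not exist, and ForceCommand internal-sftp gives no shell anyway — TODO
  # confirm what this bin/ directory is meant to provide.
  for cmd in /bin/ls /bin/cat /bin/grep; do
    link="$bin_dir/${cmd##*/}"
    # Skip existing (possibly dangling) links so a second run does not fail
    # with "File exists".
    if [ ! -L "$link" ] && [ ! -e "$link" ]; then
      ln -s "$cmd" "$link" || return 1
    fi
  done
  # Append the PATH line only once; every re-run used to add a duplicate.
  if ! grep -qF -- "$bin_dir" "$profile" 2>/dev/null; then
    echo 'PATH=$PATH:'"$bin_dir" >> "$profile" || return 1
  fi
}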
# Create user and configure environment
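#######################################
# Create the restricted account, or update its home/shell if it exists.
# Globals:   USER_NAME, USER_HOME, USER_SHELL (read)
# Outputs:   command output/errors on stdout/stderr
# Returns:   0 on success, 1 on the first failing step
#######################################
create_user() {
  local user=${USER_NAME:?USER_NAME is not set}
  local home=${USER_HOME:?USER_HOME is not set}
  local shell=${USER_SHELL:?USER_SHELL is not set}
  if id -u "$user" >/dev/null 2>&1; then
    # Re-run: adduser would fail on an existing account, so only apply the
    # home and shell changes (the behaviour the old usermod/chsh pair had).
    sudo usermod -d "$home" "$user" || return 1
    sudo chsh -s "$shell" "$user" || return 1
    return 0
  fi
  # Passing --home/--shell at creation time makes adduser create the home
  # directory at USER_HOME. The previous usermod -d (without -m) only changed
  # the passwd entry, so $USER_HOME never existed and the later
  # .bash_profile write failed.
  sudo adduser --disabled-password --gecos "" \
    --home "$home" --shell "$shell" "$user" || return 1
}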
# Set up SSH configuration
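#######################################
# Append a Match block for USER_NAME to sshd_config and restart sshd.
# Globals:   USER_NAME, RAMDISK_DIR (read); SSH_CONFIG_FILE (set, may be
#            pre-set by the environment to point at another file)
# Outputs:   diagnostics on stderr
# Returns:   0 on success; 1 if the append fails or sshd rejects the config
#######################################
setup_ssh_config() {
  SSH_CONFIG_FILE="${SSH_CONFIG_FILE:-/etc/ssh/sshd_config}"
  local user=${USER_NAME:?USER_NAME is not set}
  # -x -F matches the whole line literally, so a user name containing regex
  # metacharacters cannot widen the match.
  if grep -qxF -- "Match User $user" "$SSH_CONFIG_FILE" 2>/dev/null; then
    printf 'sshd_config already has a Match block for %s, skipping\n' "$user" >&2
  else
    # Remove the ForceCommand line if command-line access is needed.
    cat >> "$SSH_CONFIG_FILE" <<EOF || return 1
Match User ${user}
 ChrootDirectory ${RAMDISK_DIR}
 ForceCommand internal-sftp
 AllowTcpForwarding no
 X11Forwarding no
EOF
  fi
  # Validate before restarting: a bad directive would take sshd down and
  # lock out every remote session, not just this user.
  if ! sudo sshd -t; then
    printf 'sshd_config failed validation; sshd was not restarted\n' >&2
    return 1
  fi
  sudo systemctl restart sshd
}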
# Set up audit logging (requires auditd to be installed)
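#######################################
# Install auditd and add a persistent watch rule on RAMDISK_DIR.
# Globals:   RAMDISK_DIR (read)
# Outputs:   the appended rule (via tee) and diagnostics
# Returns:   0 on success, 1 if the install or the rule write fails
#######################################
setup_audit_logging() {
  local dir=${RAMDISK_DIR:?RAMDISK_DIR is not set}
  local -r rules_file=/etc/audit/rules.d/audit.rules
  # "watch -r <dir>" is not auditctl syntax and makes rule loading reject the
  # file; a watch is "-w <path> -p <perms> -k <key>".
  local rule="-w ${dir} -p rwxa -k ramdisk"
  # apt-get has a stable CLI for scripts, unlike apt.
  sudo apt-get install -y auditd || return 1
  if sudo grep -qxF -- "$rule" "$rules_file" 2>/dev/null; then
    printf 'audit rule for %s already present, skipping\n' "$dir" >&2
  else
    printf '%s\n' "$rule" | sudo tee -a "$rules_file" || return 1
  fi
  # NOTE(review): the watch binds to whatever inode exists at load time and
  # the tmpfs is mounted at login, so the rule may need reloading after the
  # mount — TODO confirm.
  sudo service auditd restart
}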
# Set up firewall rules (requires iptables or ufw to be installed)
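#######################################
# Allow inbound TCP/22 with the firewall tool named in the config.
# Globals:   FIREWALL_TOOL (read)
# Outputs:   tool output on stdout; diagnostics on stderr
# Returns:   0 on success; 1 for an unsupported or missing tool name
# NOTE(review): an ACCEPT rule on its own restricts nothing — it only has an
# effect if a default-deny policy is in place (and ufw rules only apply once
# ufw is enabled). Confirm the baseline policy on the target host.
#######################################
setup_firewall_rules() {
  case "$FIREWALL_TOOL" in
    iptables)
      # -C checks for an identical rule first so re-runs do not stack
      # duplicate entries in the INPUT chain.
      sudo iptables -C INPUT -p tcp --dport 22 -j ACCEPT 2>/dev/null \
        || sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
      ;;
    ufw)
      sudo ufw allow 22
      ;;
    *)
      # An unknown value (or "null" from a missing config key) used to be a
      # silent no-op, leaving the operator believing a rule had been applied.
      printf 'unsupported firewall tool: %s (expected iptables or ufw)\n' \
        "$FIREWALL_TOOL" >&2
      return 1
      ;;
  esac
}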
# Main function to run the setup
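#######################################
# Run every setup step in order, stopping at the first failure.
# Globals:   the config values loaded above (read by the step functions)
# Outputs:   progress/diagnostics on stdout/stderr
# Returns:   0 when all steps succeed, 1 otherwise
#######################################
main() {
  # Several steps (mount, the sshd_config append) run without sudo and so
  # need a root shell; without it they fail partway through and leave a
  # half-configured system.
  if [ "$(id -u)" -ne 0 ]; then
    printf 'this script must be run as root, e.g. sudo bash %s\n' "$0" >&2
    return 1
  fi
  # Each step used to be fire-and-forget; a failed user creation would still
  # be followed by sshd_config edits referring to a non-existent account.
  create_user || return 1
  create_ramdisk || return 1
  setup_allowed_commands || return 1
  setup_ssh_config || return 1
  setup_audit_logging || return 1
  setup_firewall_rules || return 1
  echo "Setup complete. Please ensure the scripts for dynamic RAM disk creation and cleanup are added to the user's profile."
}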
# Execute main function
# Entry point; positional arguments are forwarded for future use.
main "$@"
- Install Dependencies: Ensure you have `yq` installed to parse the YAML file: `sudo apt install yq`
- Adjust Paths: Update the `CONFIG_FILE` variable with the path to your YAML configuration file.
- Run the Script: Execute the script with root privileges: `sudo bash /path/to/your/script.sh`
- Dynamic RAM Disk Handling: Remember to add the following lines to the user's `.bash_profile` for dynamic creation and cleanup:
  `/path/to/create_ramdisk.sh` # To be executed on login
  `/path/to/cleanup_ramdisk.sh` # To be executed on logout
- Verify Firewall and Audit Configuration: Ensure the firewall rules and audit logging are set up as expected.
This script implements the configuration outlined in the YAML file and sets up a secure environment for the specified user, restricting access to a RAM disk and enhancing security through auditing and firewall rules. Adjust any paths or commands as necessary to fit your specific environment!