#!/bin/bash -e
# Bastion Bootstrapping
# authors: tonynv@amazon.com, sancard@amazon.com, ianhill@amazon.com
# NOTE: This requires GNU getopt. On Mac OS X and FreeBSD you must install GNU getopt and modify the checkos function so that those platforms are accepted
# Configuration
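# Options given on the shebang line are dropped when the script is launched as
# `bash bastion_bootstrap.sh`, so request exit-on-error explicitly here; the
# rest of the script already assumes it (see the set +e / set -e pairs below).
set -e
# Human-readable program name (informational only; nothing reads it yet).
PROGRAM='Linux Bastion'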
##################################### Functions Definitions
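#######################################
# Abort unless the running kernel is Linux; the rest of the script depends on
# GNU getopt, /sbin/ip, chattr and other Linux-only tooling.
# Outputs:  "[WARNING] ..." on stdout when the platform is not Linux,
#           "checkos Ended" on stdout otherwise
# Returns:  0 on Linux; exits 1 on any other kernel
#######################################
function checkos () {
  local kernel
  # $(...) instead of backticks; the old global `platform` was never read.
  kernel=$(uname)
  if [[ "${kernel}" != 'Linux' ]]; then
    echo "[WARNING] This script is not supported on MacOS or FreeBSD"
    exit 1
  fi
  echo "${FUNCNAME[0]} Ended"
}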
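#######################################
# Fetch one path below /latest/meta-data/ from the instance metadata service,
# sending the IMDSv2 session token when one was obtained.
# Globals:   _IMDS_TOKEN (read)
# Arguments: $1 - metadata path, e.g. instance-id
# Outputs:   the raw metadata value on stdout
# Returns:   curl's exit status
#######################################
_imds_get() {
  local -a hdr=()
  [[ -n "${_IMDS_TOKEN:-}" ]] && hdr=(-H "X-aws-ec2-metadata-token: ${_IMDS_TOKEN}")
  curl -sq --connect-timeout 2 "${hdr[@]}" "http://169.254.169.254/latest/meta-data/$1"
}

#######################################
# Query instance metadata and cloud-init user-data, then create the bastion
# session log and its append-only shadow copy.
# Globals (written and exported): REGION ETH0_MAC EIP_LIST CWG BASTION_MNT
#   BASTION_LOG BASTION_LOGFILE BASTION_LOGFILE_SHADOW LOCAL_IP_ADDRESS
#   INSTANCE_ID; also _IMDS_TOKEN (not exported)
# Outputs:  progress message on stdout
# Returns:  0; a failing metadata query, mkdir, touch or ln aborts under set -e
#######################################
function setup_environment_variables() {
  # Prefer an IMDSv2 session token. If the PUT fails (IMDSv2 unreachable or
  # disabled) fall back to the header-less IMDSv1 requests used previously;
  # without this, an instance that requires IMDSv2 answers 401 and REGION
  # becomes garbage.
  _IMDS_TOKEN=$(curl -sq -X PUT --connect-timeout 2 \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 300" \
    http://169.254.169.254/latest/api/token 2>/dev/null) || _IMDS_TOKEN=""
  REGION=$(_imds_get placement/availability-zone/)
  #ex: us-east-1a => us-east-1
  REGION=${REGION: :-1}
  ETH0_MAC=$(/sbin/ip link show dev eth0 \
    | grep -E -o -i 'link/ether\ ([0-9a-z]{2}:){5}[0-9a-z]{2}' \
    | sed -e 's,link/ether\ ,,g')
  _userdata_file="/var/lib/cloud/instance/user-data.txt"
  INSTANCE_ID=$(_imds_get instance-id)
  # User-data is written by the launching template and is treated as trusted
  # configuration here; the grep is unanchored on purpose (format unknown).
  EIP_LIST=$(grep EIP_LIST "${_userdata_file}" | sed -e 's/EIP_LIST=//g' -e 's/\"//g')
  LOCAL_IP_ADDRESS=$(_imds_get "network/interfaces/macs/${ETH0_MAC}/local-ipv4s/")
  CWG=$(grep CLOUDWATCHGROUP "${_userdata_file}" | sed 's/CLOUDWATCHGROUP=//g')
  # LOGGING CONFIGURATION
  BASTION_MNT="/var/log/bastion"
  BASTION_LOG="bastion.log"
  echo "Setting up bastion session log in ${BASTION_MNT}/${BASTION_LOG}"
  mkdir -p "${BASTION_MNT}"
  BASTION_LOGFILE="${BASTION_MNT}/${BASTION_LOG}"
  BASTION_LOGFILE_SHADOW="${BASTION_MNT}/.${BASTION_LOG}"
  touch "${BASTION_LOGFILE}"
  # The shadow file is a hard link (ln without -s), so test for existence
  # rather than -L: the old -L test was always false, which made a second run
  # fail with "File exists" and abort under set -e.
  if [[ ! -e "${BASTION_LOGFILE_SHADOW}" ]]; then
    ln "${BASTION_LOGFILE}" "${BASTION_LOGFILE_SHADOW}"
  fi
  mkdir -p /usr/bin/bastion
  touch /tmp/messages
  chmod 770 /tmp/messages
  export REGION ETH0_MAC EIP_LIST CWG BASTION_MNT BASTION_LOG BASTION_LOGFILE BASTION_LOGFILE_SHADOW \
    LOCAL_IP_ADDRESS INSTANCE_ID
}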
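#######################################
# Install the AWS CLI with pip when no `aws` executable is on PATH.
# Outputs:  "verify_dependencies Ended" on stdout
# Returns:  0; a failing pip install aborts under set -e
#######################################
function verify_dependencies(){
  # `command -v` replaces `which`: it is a builtin and exists on minimal
  # images where the `which` binary may not.
  if ! command -v aws >/dev/null 2>&1; then
    pip install awscli
  fi
  echo "${FUNCNAME[0]} Ended"
}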
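#######################################
# Print the option summary. The descriptions now say what main() actually
# does with each flag: --banner takes a URL that is fetched with curl, and
# --enable true is what turns that banner install on.
# Outputs:  help text on stdout
#######################################
function usage() {
  printf '%s <usage>\n' "$0"
  printf ' \n'
  printf 'options:\n'
  # printf expands \t itself, so no echo -e is needed.
  printf '%s \t %s\n' \
    '--help' 'Show options for this script' \
    '--banner <url>' 'URL the SSH banner text is fetched from (used with --enable true)' \
    '--enable <true|false>' 'Install the SSH banner fetched from --banner' \
    '--tcp-forwarding <true|false>' 'Enable or Disable TCP Forwarding' \
    '--x11-forwarding <true|false>' 'Enable or Disable X11 Forwarding'
}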
#######################################
# Report the exit status of the command that ran just before this function
# was called: "Script [PASS]" on success, otherwise fail the whole script.
# Outputs:  "Script [PASS]" on stdout, or "Script [FAILED]" on stderr
# Returns:  0 on success; exits 1 when the preceding command failed
#######################################
function chkstatus () {
  # Capture the caller's status before any other command can overwrite $?.
  local rc=$?
  if (( rc != 0 )); then
    echo "Script [FAILED]" >&2
    exit 1
  fi
  echo "Script [PASS]"
}
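#######################################
# Print a short OS family name derived from the NAME= entry of /etc/os-release.
# Outputs:  one of Ubuntu, AMZN, CentOS, SLES, or "Operating System Not Found"
#           on stdout; also appends "osrelease Ended" to /var/log/cfn-init.log
# Returns:  status of the trailing append to /var/log/cfn-init.log
#######################################
function osrelease () {
  local name
  # Read NAME= directly instead of a cat|grep|tr|sed|sed chain (the old
  # `sed 's/\n//g'` stage was a no-op). `|| true` keeps a missing file or
  # missing key from aborting the script under set -e.
  name=$(grep '^NAME=' /etc/os-release 2>/dev/null || true)
  name=${name#NAME=}
  name=${name//\"/}
  case "${name}" in
    Ubuntu) echo "Ubuntu" ;;
    "Amazon Linux AMI" | "Amazon Linux") echo "AMZN" ;;
    "CentOS Linux") echo "CentOS" ;;
    SLES) echo "SLES" ;;
    *) echo "Operating System Not Found" ;;
  esac
  echo "${FUNCNAME[0]} Ended" >> /var/log/cfn-init.log
}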
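#######################################
# Install /usr/bin/bastion/shell as the sshd ForceCommand so every login is
# either an interactive shell or an ssh/scp hop that is written to the
# session log.
# Globals:   release (written: result of osrelease)
# Outputs:   "harden_ssh_security Ended" on stdout
# Returns:   0; failures abort under set -e
#######################################
function harden_ssh_security () {
  # Make OpenSSH execute a custom script on logins. Guarded so a second run
  # does not stack duplicate ForceCommand lines in sshd_config.
  if ! grep -q '^ForceCommand /usr/bin/bastion/shell$' /etc/ssh/sshd_config; then
    echo -e "\nForceCommand /usr/bin/bastion/shell" >> /etc/ssh/sshd_config
  fi
  # Overwrite (not append) so that re-running the bootstrap cannot leave two
  # copies of the script concatenated in the file.
  cat <<'EOF' > /usr/bin/bastion/shell
#!/bin/bash
bastion_mnt="/var/log/bastion"
bastion_log="bastion.log"
# Check that the SSH client did not supply a command. Only SSH to instance should be allowed.
export Allow_SSH="ssh"
export Allow_SCP="scp"
# Anchor the allow-list to the whole first word: the old prefix match
# (^ssh) also passed any program whose name merely starts with "ssh".
allowed_re="^(${Allow_SSH}|${Allow_SCP})([[:space:]]|$)"
if [[ -z $SSH_ORIGINAL_COMMAND ]]; then
  #Allow ssh to instance
  /bin/bash
  exit 0
elif [[ $SSH_ORIGINAL_COMMAND =~ $allowed_re ]]; then
  # Record the hop before running it so the audit line exists even when the
  # session is cut off before the command returns.
  echo "$(whoami):$(date "+%Y-%m-%d %H:%M:%S"):$SSH_ORIGINAL_COMMAND" >> "${bastion_mnt}/${bastion_log}"
  # Intentional word-splitting: the command is executed as argv, not via
  # eval, so shell metacharacters in it are passed through literally.
  $SSH_ORIGINAL_COMMAND
  exit "$?"
else
  # The "script" program could be circumvented with some commands
  # (e.g. bash, nc). Therefore, I intentionally prevent users
  # from supplying commands.
  echo "This bastion supports interactive sessions only. Do not supply a command"
  exit 1
fi
EOF
  # Make the custom script executable
  chmod a+x /usr/bin/bastion/shell
  release=$(osrelease)
  if [[ "${release}" == "CentOS" ]]; then
    semanage fcontext -a -t ssh_exec_t /usr/bin/bastion/shell
  fi
  echo "${FUNCNAME[0]} Ended"
}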
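#######################################
# Install the CloudWatch agent for the detected distribution and point it at
# the bastion session log.
# Globals:   release BASTION_LOGFILE_SHADOW CWG (read)
# Outputs:   "setup_logs Started" on stdout
# Returns:   0; a failed download or install aborts under set -e
#######################################
function setup_logs () {
  echo "${FUNCNAME[0]} Started"
  local base='https://s3.amazonaws.com/amazoncloudwatch-agent'
  local pkg_dir pkg
  # Download into a private temp dir instead of the current directory.
  pkg_dir=$(mktemp -d)
  # curl -f makes an HTTP error fail the download instead of saving the
  # error page, which would otherwise be handed to the package manager.
  # NOTE(review): none of these paths verify the package signature
  # (--allow-unsigned-rpm and dpkg -i skip checks outright); consider
  # verifying the detached signature AWS publishes for the agent package.
  case "${release}" in
    SLES)
      pkg="${pkg_dir}/amazon-cloudwatch-agent.rpm"
      curl -fsS "${base}/suse/amd64/latest/amazon-cloudwatch-agent.rpm" -o "${pkg}"
      zypper install --allow-unsigned-rpm -y "${pkg}"
      ;;
    CentOS)
      pkg="${pkg_dir}/amazon-cloudwatch-agent.rpm"
      curl -fsS "${base}/centos/amd64/latest/amazon-cloudwatch-agent.rpm" -o "${pkg}"
      rpm -U "${pkg}"
      ;;
    Ubuntu)
      pkg="${pkg_dir}/amazon-cloudwatch-agent.deb"
      curl -fsS "${base}/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb" -o "${pkg}"
      dpkg -i -E "${pkg}"
      ;;
    AMZN)
      pkg="${pkg_dir}/amazon-cloudwatch-agent.rpm"
      curl -fsS "${base}/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm" -o "${pkg}"
      rpm -U "${pkg}"
      ;;
  esac
  rm -rf -- "${pkg_dir:?}"
  # Overwrite rather than append: appending a second JSON document on a
  # re-run leaves the agent with an unparseable config file.
  cat <<EOF > /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json
{
  "logs": {
    "force_flush_interval": 5,
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "${BASTION_LOGFILE_SHADOW}",
            "log_group_name": "${CWG}",
            "log_stream_name": "{instance_id}",
            "timestamp_format": "%Y-%m-%d %H:%M:%S",
            "timezone": "UTC"
          }
        ]
      }
    }
  }
}
EOF
  if [[ -x /bin/systemctl || -x /usr/bin/systemctl ]]; then
    systemctl enable amazon-cloudwatch-agent.service
    systemctl restart amazon-cloudwatch-agent.service
  else
    start amazon-cloudwatch-agent
  fi
}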
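#######################################
# Configure shell-history logging, sudo env_keep, log-file ownership and a
# nightly patch cron entry for the detected distribution.
# Globals:   release BASTION_MNT BASTION_LOGFILE BASTION_LOGFILE_SHADOW (read)
# Outputs:   progress messages on stdout
# Returns:   0; exits 1 if the edited sudoers fails validation
#######################################
function setup_os () {
  echo "${FUNCNAME[0]} Started"
  local bash_file user_group cron_file sudoers_tmp
  if [[ "${release}" == "AMZN" || "${release}" == "CentOS" ]]; then
    bash_file="/etc/bashrc"
  else
    bash_file="/etc/bash.bashrc"
  fi
  # Append the history hook once; a re-run would otherwise stack copies.
  if ! grep -q '^#Added by Linux bastion bootstrap$' "${bash_file}"; then
    cat <<EOF >> "${bash_file}"
#Added by Linux bastion bootstrap
declare -rx IP=\$(echo \$SSH_CLIENT | awk '{print \$1}')
declare -rx BASTION_LOG=${BASTION_LOGFILE}
declare -rx PROMPT_COMMAND='history -a >(logger -t "[ON]:\$(date) [FROM]:\${IP} [USER]:\${USER} [PWD]:\${PWD}" -s 2>>\${BASTION_LOG})'
EOF
  fi
  # Keep SSH_CLIENT across sudo so the hook above still records the origin
  # IP. The edit is validated with visudo on a copy before it replaces the
  # live file: a malformed line written straight into /etc/sudoers disables
  # sudo for every user.
  if ! grep -q 'env_keep += "SSH_CLIENT"' /etc/sudoers; then
    sudoers_tmp=$(mktemp)
    cat /etc/sudoers > "${sudoers_tmp}"
    echo "Defaults env_keep += \"SSH_CLIENT\"" >> "${sudoers_tmp}"
    if visudo -cf "${sudoers_tmp}" >/dev/null; then
      cat "${sudoers_tmp}" > /etc/sudoers
      rm -f -- "${sudoers_tmp}"
    else
      rm -f -- "${sudoers_tmp}"
      echo "[ERROR] /etc/sudoers would be invalid after the edit; not applied" >&2
      exit 1
    fi
  fi
  case "${release}" in
    Ubuntu) user_group="ubuntu" ;;
    CentOS) user_group="centos" ;;
    SLES) user_group="users" ;;
    *) user_group="ec2-user" ;;
  esac
  chown root:"${user_group}" "${BASTION_MNT}" "${BASTION_LOGFILE}" "${BASTION_LOGFILE_SHADOW}"
  # 662 plus append-only: session users can add audit lines but cannot
  # truncate or rewrite the history; chattr +a is enforced by the kernel
  # until the attribute is removed again.
  chmod 662 "${BASTION_LOGFILE}" "${BASTION_LOGFILE_SHADOW}"
  chattr +a "${BASTION_LOGFILE}" "${BASTION_LOGFILE_SHADOW}"
  touch /tmp/messages
  chown root:"${user_group}" /tmp/messages
  # NOTE(review): sshd is restarted only on CentOS here; on the other
  # distributions the sshd_config edits made by main take effect at the next
  # sshd restart or reboot — confirm the calling template reboots.
  if [[ "${release}" == "CentOS" ]]; then
    restorecon -v /etc/ssh/sshd_config
    systemctl restart sshd
  fi
  # Nightly patching. As before, this replaces root's whole crontab rather
  # than adding to it, so any pre-existing entries are lost.
  cron_file=$(mktemp)
  case "${release}" in
    SLES)
      echo "0 0 * * * zypper patch --non-interactive" > "${cron_file}"
      ;;
    Ubuntu)
      apt-get install -y unattended-upgrades
      echo "0 0 * * * unattended-upgrades -d" > "${cron_file}"
      ;;
    *)
      echo "0 0 * * * yum -y update --security" > "${cron_file}"
      ;;
  esac
  crontab "${cron_file}"
  rm -f -- "${cron_file}"
  echo "${FUNCNAME[0]} Ended"
}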
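#######################################
# Associate the first free Elastic IP from EIP_LIST with this instance.
# Globals:   EIP_LIST INSTANCE_ID REGION (read); PUBLIC_IP_ADDRESS,
#            _eip_associated, eip_allocation (written by the helpers);
#            EIP_ARRAY, _eip_assigned_count (written)
# Outputs:   progress messages on stdout; a warning on stderr when every
#            candidate EIP was tried and none could be associated
# Returns:   0; exits 1 when eth0 already carries an EIP or all EIPs are taken
#######################################
function request_eip() {
  local eip rc candidates=0 assigned=0
  # Is the already-assigned Public IP an elastic IP?
  _query_assigned_public_ip
  set +e
  _determine_eip_assc_status "${PUBLIC_IP_ADDRESS}"
  set -e
  if [[ ${_eip_associated} -eq 0 ]]; then
    echo "The Public IP address associated with eth0 (${PUBLIC_IP_ADDRESS}) is already an Elastic IP. Not proceeding further."
    exit 1
  fi
  # EIP_LIST is comma-separated; read -a splits it without the pathname
  # expansion an unquoted ${EIP_LIST//,/ } would perform.
  IFS=', ' read -r -a EIP_ARRAY <<< "${EIP_LIST}"
  _eip_assigned_count=0
  for eip in "${EIP_ARRAY[@]}"; do
    if [[ -z "${eip}" || "${eip}" == "Null" ]]; then
      echo "Detected a NULL Value, moving on."
      continue
    fi
    candidates=1
    # Determine if the EIP has already been assigned.
    set +e
    _determine_eip_assc_status "${eip}"
    set -e
    if [[ ${_eip_associated} -eq 0 ]]; then
      echo "Elastic IP [${eip}] already has an association. Moving on."
      (( _eip_assigned_count += 1 ))
      if [[ "${_eip_assigned_count}" -eq "${#EIP_ARRAY[@]}" ]]; then
        echo "All of the stack EIPs have been assigned (${_eip_assigned_count}/${#EIP_ARRAY[@]}). I can't assign anything else. Exiting."
        exit 1
      fi
      continue
    fi
    _determine_eip_allocation "${eip}"
    # Attempt to assign EIP to the ENI.
    set +e
    aws ec2 associate-address --instance-id "${INSTANCE_ID}" --allocation-id "${eip_allocation}" --region "${REGION}"
    rc=$?
    set -e
    if [[ ${rc} -ne 0 ]]; then
      (( _eip_assigned_count += 1 ))
      continue
    fi
    echo "The newly-assigned EIP is ${eip}. It is mapped under EIP Allocation ${eip_allocation}"
    assigned=1
    break
  done
  # Previously the loop could fall through silently after every
  # associate-address call failed; say so (without changing the exit status,
  # since an all-Null EIP_LIST is a legitimate no-op).
  if [[ ${candidates} -eq 1 && ${assigned} -eq 0 ]]; then
    echo "[WARNING] No Elastic IP from EIP_LIST could be associated with ${INSTANCE_ID}." >&2
  fi
  echo "${FUNCNAME[0]} Ended"
}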
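#######################################
# Record the public IPv4 address currently attached to eth0.
# Globals:   ETH0_MAC (read); PUBLIC_IP_ADDRESS (written; empty when the
#            metadata query fails)
# Outputs:   progress message on stdout
#######################################
function _query_assigned_public_ip() {
  # Note: ETH0 Only.
  # - Does not distinguish between EIP and Standard IP. Need to cross-ref later.
  echo "Querying the assigned public IP"
  # The per-MAC public IPv4 list lives under network/interfaces/macs/, the
  # same subtree local-ipv4s is read from in setup_environment_variables;
  # public-ipv4 is a leaf value, so the old public-ipv4/<mac>/public-ipv4s/
  # path returned an error body rather than an address. -f turns an HTTP
  # error into an empty result instead of that body.
  PUBLIC_IP_ADDRESS=$(curl -sqf "169.254.169.254/latest/meta-data/network/interfaces/macs/${ETH0_MAC}/public-ipv4s/" || true)
}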
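#######################################
# Decide whether the given public IP is an Elastic IP that already has an
# association, by looking for an eipassoc- id in describe-addresses output.
# Globals:   REGION (read); _eip_associated (written: 0 => associated,
#            1 => not associated, not an EIP, or the query failed)
# Arguments: $1 - public IPv4 address
# Outputs:   progress message on stdout
#######################################
function _determine_eip_assc_status(){
  echo "Determining EIP Association Status for [${1}]"
  # Running the pipeline as the `if` condition keeps it out of set -e's
  # reach, so callers no longer need to bracket this call with set +e/-e.
  # (grep -o was pointless together with -q and is dropped.)
  if aws ec2 describe-addresses --public-ips "${1}" --output text --region "${REGION}" 2>/dev/null \
      | grep -qi eipassoc; then
    _eip_associated=0
  else
    _eip_associated=1
  fi
}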
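#######################################
# Look up the allocation id (eipalloc-…) of an Elastic IP.
# Globals:   REGION (read); eip_allocation (written; empty when no id found)
# Arguments: $1 - public IPv4 address of the EIP
# Outputs:   progress message on stdout
#######################################
function _determine_eip_allocation(){
  echo "Determining EIP Allocation for [${1}]"
  # One describe-addresses call instead of two or three: the 8-vs-17
  # character length probe is unnecessary because [a-z0-9]+ matches either
  # form, and head -n 1 guarantees a single id even if several lines match
  # (a multi-line value would break the associate-address call).
  eip_allocation=$(aws ec2 describe-addresses --public-ips "${1}" --output text --region "${REGION}" \
    | grep -oE 'eipalloc-[a-z0-9]+' | head -n 1)
}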
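#######################################
# Remount /proc with hidepid=2 and persist that in /etc/fstab.
# Outputs:  "prevent_process_snooping Ended" on stdout
# Returns:  0; a failing mount or fstab rewrite aborts under set -e
#######################################
function prevent_process_snooping() {
  # Prevent bastion host users from viewing processes owned by other users.
  local tmp
  mount -o remount,rw,hidepid=2 /proc
  # Drop only the /proc mount entry (field 2 is the mount point); the old
  # '!/proc/' pattern also deleted unrelated lines that merely mention proc,
  # such as binfmt_misc mounts or comments. The rewrite goes through a
  # mktemp file and `cat >` so the fstab inode and mode are preserved and no
  # relative "temp" file is left in the current directory.
  tmp=$(mktemp)
  awk '$2 != "/proc"' /etc/fstab > "${tmp}"
  cat "${tmp}" > /etc/fstab
  rm -f -- "${tmp}"
  echo "proc /proc proc defaults,hidepid=2 0 0" >> /etc/fstab
  echo "${FUNCNAME[0]} Ended"
}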
##################################### End Function Definitions
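# Call checkos to ensure platform is Linux
checkos
# Verify dependencies are installed.
verify_dependencies
# Assuming it is, setup environment variables.
setup_environment_variables
## set an initial value
SSH_BANNER="LINUX BASTION"

#######################################
# Remove every line of a config file matching an awk regex, rewriting the
# file in place so its mode and SELinux label survive (the old
# `> temp && mv temp` idiom replaced the inode and wrote a relative temp
# file into whatever the current directory happened to be).
# Arguments: $1 - awk regular expression; $2 - file to rewrite
#######################################
_drop_matching_lines() {
  local pattern=$1 file=$2 tmp
  tmp=$(mktemp)
  awk -v re="${pattern}" '$0 !~ re' "${file}" > "${tmp}"
  cat "${tmp}" > "${file}"
  rm -f -- "${tmp}"
}

# Read the options from cli input. getopt emits a shell-quoted argument
# string, which is why the documented `eval set --` idiom is used here.
TEMP=$(getopt -o h --longoptions help,banner:,enable:,tcp-forwarding:,x11-forwarding: -n "$0" -- "$@")
eval set -- "${TEMP}"
if [[ $# == 1 ]]; then
  echo "No input provided! type ($0 --help) to see usage help" >&2
  exit 1
fi
# extract options and their arguments into variables.
while true; do
  case "$1" in
    -h | --help)
      usage
      exit 1
      ;;
    --banner)
      BANNER_PATH="$2"
      shift 2
      ;;
    --enable)
      ENABLE="$2"
      shift 2
      ;;
    --tcp-forwarding)
      TCP_FORWARDING="$2"
      shift 2
      ;;
    --x11-forwarding)
      X11_FORWARDING="$2"
      shift 2
      ;;
    --)
      break
      ;;
    *)
      break
      ;;
  esac
done
# BANNER CONFIGURATION
BANNER_FILE="/etc/ssh_banner"
if [[ ${ENABLE} == "true" ]]; then
  if [[ -z ${BANNER_PATH} ]]; then
    echo "BANNER_PATH is null skipping ..."
  else
    echo "BANNER_PATH = ${BANNER_PATH}"
    echo "Creating Banner in ${BANNER_FILE}"
    echo "curl -fsS -o ${BANNER_FILE} ${BANNER_PATH}"
    # -f: an HTTP error fails the download instead of leaving an error page
    # (or an empty file) behind; the old `[[ -e ${BANNER_FILE} ]]` test was
    # always true because the redirection itself had created the file.
    if curl -fsS -o "${BANNER_FILE}" "${BANNER_PATH}"; then
      echo "[INFO] Installing banner ... "
      if ! grep -q "^[[:space:]]*Banner ${BANNER_FILE}$" /etc/ssh/sshd_config; then
        echo -e "\n Banner ${BANNER_FILE}" >>/etc/ssh/sshd_config
      fi
    else
      rm -f -- "${BANNER_FILE}"
      echo "[INFO] banner file is not accessible skipping ..."
      exit 1
    fi
  fi
else
  echo "Banner message is not enabled!"
fi
#Enable/Disable TCP forwarding (strip any embedded newlines, as before)
TCP_FORWARDING=$(printf '%s' "${TCP_FORWARDING}" | tr -d '\n')
#Enable/Disable X11 forwarding
X11_FORWARDING=$(printf '%s' "${X11_FORWARDING}" | tr -d '\n')
echo "Value of TCP_FORWARDING - ${TCP_FORWARDING}"
echo "Value of X11_FORWARDING - ${X11_FORWARDING}"
if [[ ${TCP_FORWARDING} == "false" ]]; then
  _drop_matching_lines 'AllowTcpForwarding' /etc/ssh/sshd_config
  echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
  # NOTE(review): the ForceCommand login wrapper is installed only on this
  # path, so a bastion built with --tcp-forwarding true gets no command
  # restriction or hop logging; confirm that coupling is intended.
  harden_ssh_security
fi
if [[ ${X11_FORWARDING} == "false" ]]; then
  _drop_matching_lines 'X11Forwarding' /etc/ssh/sshd_config
  echo "X11Forwarding no" >> /etc/ssh/sshd_config
fi
release=$(osrelease)
if [[ "${release}" == "Operating System Not Found" ]]; then
  echo "[ERROR] Unsupported Linux Bastion OS"
  exit 1
else
  setup_os
  setup_logs
fi
prevent_process_snooping
request_eip
echo "Bootstrap complete."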