#!/bin/bash
# Enhanced GRUB Configuration Script
# Version: 2.0
# Author: captainzero93 (Joe.Faulkner.0@gmail.com)
# Last Updated: 2024-08-15
# Description: This script updates GRUB configuration to enhance system security.
# It adds various kernel parameters and enables cryptodisk support.
# Global variables
# Script version, shown by --version.
VERSION=2.0
# The GRUB defaults file this script edits in place.
GRUB_CONFIG=/etc/default/grub
# Timestamped copy of GRUB_CONFIG taken before any edit (one per run).
BACKUP_FILE="$GRUB_CONFIG.bak.$(date +%Y%m%d_%H%M%S)"
# Every log() line is appended here as well as echoed to stdout.
LOG_FILE=/var/log/grub_config_update.log
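#######################################
# Append a timestamped message to LOG_FILE and echo it to stdout.
# Globals:   LOG_FILE (read)
# Arguments: $1 - message text
# Outputs:   "<YYYY-mm-dd HH:MM:SS>: <message>" on stdout and appended to LOG_FILE
#######################################
log() {
  local stamp
  # Declared and assigned separately so a failing date(1) is not masked by 'local'.
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  # printf rather than echo: the message is data and must never be read as echo options.
  printf '%s: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}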
#######################################
# Print the usage text and exit successfully.
# Arguments: none ($0 is shown as the program name)
# Outputs:   usage text on stdout
# Returns:   does not return; exits 0
#######################################
display_help() {
  cat <<EOF
Usage: sudo $0 [OPTIONS]
Options:
 -h, --help Display this help message
 --version Display script version
 --dry-run Perform a dry run without making changes
EOF
  exit 0
}
#######################################
# Print the script name and version and exit successfully.
# Globals:   VERSION (read)
# Outputs:   one line on stdout
# Returns:   does not return; exits 0
#######################################
display_version() {
  printf 'Enhanced GRUB Configuration Script v%s\n' "$VERSION"
  exit 0
}
# Check for root privileges: the backup, the in-place edit of the GRUB defaults file and
# the grub.cfg regeneration all need them. This runs before option parsing, so even
# --help and --version are refused without root.
if (( EUID != 0 )); then
  log "Error: This script must be run as root. Please use sudo."
  exit 1
fi
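# Parse command line arguments.
# dry_run=true makes every later step log what it would do instead of doing it.
dry_run=false
while [[ $# -gt 0 ]]; do
  case "$1" in
    -h|--help)
      display_help
      ;;
    --version)
      display_version
      ;;
    --dry-run)
      dry_run=true
      shift
      ;;
    *)
      # An unknown option is an error: report it on stderr and fail, so a typo cannot
      # be mistaken for a successful run (display_help exits 0, hence the subshell).
      printf 'Unknown option: %s\n' "$1" >&2
      ( display_help >&2 )
      exit 1
      ;;
  esac
done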
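# Backup the original file before anything is edited in place.
if [[ ! -f $GRUB_CONFIG ]]; then
  log "Error: $GRUB_CONFIG not found. Exiting."
  exit 1
fi
if [[ $dry_run == true ]]; then
  log "Dry run: Would create backup: $BACKUP_FILE"
# -p keeps the original's mode and timestamps on the backup. A failed copy must stop
# the run: the later in-place sed edits would otherwise proceed with no way back.
elif cp -p -- "$GRUB_CONFIG" "$BACKUP_FILE"; then
  log "Backup created: $BACKUP_FILE"
else
  log "Error: Could not create backup $BACKUP_FILE. Exiting."
  exit 1
fi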
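# Parameters to add to GRUB_CMDLINE_LINUX_DEFAULT.
# The kernel.*, net.* and vm.* entries are sysctl keys, not kernel command-line options:
# written bare they are ignored at boot. The kernel (5.8 and later) applies a sysctl from
# the command line when it is given with the "sysctl." prefix, so they carry it here.
# NOTE(review): module.sig_enforce=1 refuses unsigned modules (typically DKMS-built ones)
# and oops=panic turns any kernel oops into a panic — confirm both are acceptable for the
# target hosts before rolling this out.
PARAMS=(
  "page_alloc.shuffle=1"
  "slab_nomerge"
  "init_on_alloc=1"
  "init_on_free=1"
  "randomize_kstack_offset=1"
  "sysctl.kernel.unprivileged_bpf_disabled=1"
  "sysctl.net.core.bpf_jit_harden=2"
  "sysctl.kernel.kptr_restrict=2"
  "sysctl.kernel.dmesg_restrict=1"
  "sysctl.kernel.perf_event_paranoid=3"
  "sysctl.vm.mmap_rnd_bits=32"
  "sysctl.vm.mmap_rnd_compat_bits=16"
  "vsyscall=none"
  "debugfs=off"
  "oops=panic"
  "module.sig_enforce=1"
)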
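#######################################
# Print the value of the last active (uncommented) GRUB_CMDLINE_LINUX_DEFAULT line of a
# GRUB defaults file, with one pair of surrounding double or single quotes removed.
# Arguments: $1 - path to the GRUB defaults file
# Outputs:   the value on stdout (nothing if the file has no such line)
# Returns:   0 if the file is readable, 1 otherwise
#######################################
read_cmdline_default() {
  local config_file=$1
  local line
  [[ -r $config_file ]] || return 1
  # Anchored to the line start so a commented-out example is not picked up; the last
  # assignment wins, which is also what sourcing the file would give.
  line=$(grep -- '^GRUB_CMDLINE_LINUX_DEFAULT=' "$config_file" | tail -n 1)
  line=${line#*=}
  case $line in
    \"*\") line=${line#\"}; line=${line%\"} ;;
    \'*\') line=${line#\'}; line=${line%\'} ;;
  esac
  printf '%s' "$line"
}

#######################################
# Test whether a kernel command line already carries a parameter with the given key,
# whatever value it is set to ("init_on_alloc=0" has the key "init_on_alloc").
# Arguments: $1 - the command line string; $2 - the key to look for
# Returns:   0 if a parameter with that key is present, 1 otherwise
#######################################
cmdline_has_key() {
  local cmdline=$1 key=$2
  local -a tokens
  local token
  # read -a splits on whitespace without glob expansion; each token is one parameter.
  read -ra tokens <<<"$cmdline"
  for token in "${tokens[@]}"; do
    [[ ${token%%=*} == "$key" ]] && return 0
  done
  return 1
}

# Read the current GRUB_CMDLINE_LINUX_DEFAULT value
CURRENT_VALUE=$(read_cmdline_default "$GRUB_CONFIG")
# Add new parameters. Matching is done on the parameter key, so an existing setting with
# a different value (e.g. init_on_alloc=0) is reported instead of being silently joined
# by a conflicting duplicate.
for param in "${PARAMS[@]}"; do
  if [[ " $CURRENT_VALUE " == *" $param "* ]]; then
    log "Parameter already present: $param"
  elif cmdline_has_key "$CURRENT_VALUE" "${param%%=*}"; then
    log "Parameter ${param%%=*} is already set to a different value; left unchanged (wanted: $param)"
  else
    # No leading space when the current value is empty.
    CURRENT_VALUE="${CURRENT_VALUE:+$CURRENT_VALUE }$param"
    log "Added parameter: $param"
  fi
done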
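#######################################
# Set KEY to a double-quoted VALUE in a GRUB defaults file: rewrite the existing
# uncommented assignment in place, or append one if there is none. Only works for a
# plain identifier KEY (it is inserted into a sed regex unescaped).
# Arguments: $1 - variable name; $2 - value; $3 - path to the GRUB defaults file
# Returns:   0 on success, non-zero if the file is not writable or the edit fails
#######################################
set_grub_var() {
  local key=$1 value=$2 file=$3
  local escaped
  [[ -w $file ]] || return 1
  # '\', '&' and the '/' delimiter are special in a sed replacement; escape them so the
  # value is written literally instead of being interpreted by sed.
  escaped=$(printf '%s' "$value" | sed -e 's/[\\/&]/\\&/g')
  if grep -q -- "^${key}=" "$file"; then
    sed -i "s/^${key}=.*/${key}=\"${escaped}\"/" "$file"
  else
    printf '%s="%s"\n' "$key" "$value" >> "$file"
  fi
}

# Update the GRUB configuration file
if [[ $dry_run == true ]]; then
  log "Dry run: Would update GRUB_CMDLINE_LINUX_DEFAULT in $GRUB_CONFIG"
elif set_grub_var GRUB_CMDLINE_LINUX_DEFAULT "$CURRENT_VALUE" "$GRUB_CONFIG"; then
  log "Updated GRUB_CMDLINE_LINUX_DEFAULT in $GRUB_CONFIG"
else
  # Stop here rather than regenerate grub.cfg from a file we could not write.
  log "Error: Could not update GRUB_CMDLINE_LINUX_DEFAULT in $GRUB_CONFIG. Backup is at $BACKUP_FILE. Exiting."
  exit 1
fi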
# Ensure GRUB_ENABLE_CRYPTODISK is set to y.
# NOTE(review): this is applied unconditionally — confirm it is wanted on hosts whose
# /boot is not on an encrypted volume.
if [[ $dry_run == true ]]; then
  log "Dry run: Would enable GRUB_ENABLE_CRYPTODISK"
else
  # Rewrite an existing (uncommented) assignment in place; otherwise append one.
  if grep -q '^GRUB_ENABLE_CRYPTODISK=' "$GRUB_CONFIG"; then
    sed -i 's/^GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/' "$GRUB_CONFIG"
  else
    printf '%s\n' 'GRUB_ENABLE_CRYPTODISK=y' >> "$GRUB_CONFIG"
  fi
  log "Enabled GRUB_ENABLE_CRYPTODISK"
fi
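# Update GRUB: regenerate grub.cfg so the edited defaults take effect at next boot.
# A failed regeneration is an error, not a success log line: the defaults file has
# already been changed, so the operator needs to know grub.cfg does not match it.
if [[ $dry_run == true ]]; then
  log "Dry run: Would update GRUB configuration"
elif command -v update-grub &> /dev/null; then
  if update-grub; then
    log "GRUB configuration updated using update-grub"
  else
    log "Error: update-grub failed. $GRUB_CONFIG was changed but grub.cfg was not regenerated; backup is at $BACKUP_FILE."
    exit 1
  fi
elif command -v grub2-mkconfig &> /dev/null; then
  # NOTE(review): the output path is distribution-specific; /boot/grub2/grub.cfg is what
  # this script has always used — confirm it is the live grub.cfg on the target hosts.
  if grub2-mkconfig -o /boot/grub2/grub.cfg; then
    log "GRUB configuration updated using grub2-mkconfig"
  else
    log "Error: grub2-mkconfig failed. $GRUB_CONFIG was changed but grub.cfg was not regenerated; backup is at $BACKUP_FILE."
    exit 1
  fi
else
  log "Warning: Neither update-grub nor grub2-mkconfig found. Please update GRUB manually."
fi
log "Script execution completed. Please reboot your system for changes to take effect."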