backup,media: add backup and find media modules

Backups are xz-compressed tar archives saved under /opt/backup and
made immutable to prevent accidental changes/deletion

The find_media module can be used to search for unauthorized media
files, and is disabled by default

diff --git a/linux.sh b/linux.sh
index ecdb607c5b5b1b76524fc861950b5e663bff942f..77a113fb5130e27b34dc1f4630b3456d4c7aefdf 100755 (executable)
--- a/linux.sh
+++ b/linux.sh
@@ -108,6 +108,27 @@ read_check() {
        fi
 }
 
+# ------------------------------------------------------------------------------
+backup_system() {
+       log_info "Backing up system files"
+       BACKUPLOC=/opt/backup
+       BACKUPARCHIVE="$BACKUPLOC/$(date +%Y-%m-%d_%H:%M:%S)"
+       BACKUPDIRS="/etc /var/www /srv /root /var/lib /var/mail"
+       mkdir -p "$BACKUPARCHIVE"
+       chmod 700 "$BACKUPLOC" "$BACKUPARCHIVE"
+       chown root:root "$BACKUPLOC" "$BACKUPARCHIVE"
+       for dir in $BACKUPDIRS; do
+               if  [ -e "$dir" ]; then
+                       backup_archive_name="$BACKUPARCHIVE/$(echo $dir | sed 's/\//_/g').tar.xz"
+                       tar -c -J -f "$backup_archive_name" "$dir"
+                       chmod 400 "$backup_archive_name"
+                       chattr +i "$backup_archive_name"
+               fi
+       done
+       chmod 500 "$BACKUPARCHIVE"
+       log_info "Backup saved to $BACKUPARCHIVE"
+}
+
 # ------------------------------------------------------------------------------
 info_getstate_before() {
        log_info "Recording current state"
@@ -1166,6 +1187,13 @@ info_getstate_after() {
        done
 }
 
+
+# ------------------------------------------------------------------------------
+misc_find_media() {
+       log_info "Finding media files"
+       find / -type f \( -name "*.3g2" -o -name "*.3gp" -o -name "*.aac" -o -name "*.aif" -o -name "*.amr" -o -name "*.asf" -o -name "*.asx" -o -name "*.avchd" -o -name "*.avi" -o -name "*.f4v" -o -name "*.fla" -o -name "*.flac" -o -name "*.flv" -o -name "*.m3u" -o -name "*.m4a" -o -name "*.m4b" -o -name "*.m4v" -o -name "*.mid" -o -name "*.mkv" -o -name "*.mov" -o -name "*.mp3" -o -name "*.mp4" -o -name "*.mpe" -o -name "*.mpg" -o -name "*.ogg" -o -name "*.ogv" -o -name "*.opu" -o -name "*.pls" -o -name "*.ram" -o -name "*.rm" -o -name "*.srt" -o -name "*.swf" -o -name "*.ts" -o -name "*.vob" -o -name "*.wav" -o -name "*.web" -o -name "*.wma" -o -name "*.wmv" \)
+}
+
 # ------------------------------------------------------------------------------
 # ------------------------------------------------------------------------------
 # ------------------------------------------------------------------------------
@@ -1173,6 +1201,7 @@ info_getstate_after() {
 # Change what modules are executed here
 run_modules() {
        read_check
+       backup_system
        info_getstate_before
        firewall_drop_all
        packages_repo_settings
@@ -1202,6 +1231,7 @@ run_modules() {
        usbguard_configure
        aide_configure
        packages_verify_all
+       #misc_find_media
        info_processes_root
        info_files_writable
        info_suid_sgid