From: mivirl <>
Date: Tue, 25 Jun 2024 02:03:18 +0000 (-0500)
Subject: backup,media: add backup and find media modules
X-Git-Url: http://mivirl.dev/git/?a=commitdiff_plain;h=refs%2Fheads%2Fmaster;p=hardening-scripts.git
backup,media: add backup and find media modules Backups are xz-compressed tar archives saved under /opt/backup and made immutable to prevent accidental changes/deletion The find_media module can be used to search for unauthorized media files, and is disabled by default
---
diff --git a/linux.sh b/linux.sh
index ecdb607..77a113f 100755
--- a/linux.sh
+++ b/linux.sh
@@ -108,6 +108,27 @@ read_check() {
 fi
 }
+# ------------------------------------------------------------------------------
+backup_system() {
+ log_info "Backing up system files"
+ BACKUPLOC=/opt/backup
+ BACKUPARCHIVE="$BACKUPLOC/$(date +%Y-%m-%d_%H:%M:%S)"
+ BACKUPDIRS="/etc /var/www /srv /root /var/lib /var/mail"
+ mkdir -p "$BACKUPARCHIVE"
+ chmod 700 "$BACKUPLOC" "$BACKUPARCHIVE"
+ chown root:root "$BACKUPLOC" "$BACKUPARCHIVE"
+ for dir in $BACKUPDIRS; do
+ if [ -e "$dir" ]; then
+ backup_archive_name="$BACKUPARCHIVE/$(echo $dir | sed 's/\//_/g').tar.xz"
+ tar -c -J -f "$backup_archive_name" "$dir"
+ chmod 400 "$backup_archive_name"
+ chattr +i "$backup_archive_name"
+ fi
+ done
+ chmod 500 "$BACKUPARCHIVE"
+ log_info "Backup saved to $BACKUPARCHIVE"
+}
+
 # ------------------------------------------------------------------------------
 info_getstate_before() {
 log_info "Recording current state"
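Review bot: In backup_system the exit status of `tar -c -J -f "$backup_archive_name" "$dir"` is never checked, so an archive that was cut short (disk filling up while /var/lib is compressed, an unreadable file) is still made read-only and immutable and the function still logs "Backup saved"; the call added to run_modules in a later hunk then lets the hardening modules run on top of an incomplete backup. Guard the call, for example `tar -c -J -f "$backup_archive_name" "$dir" || { log_info "Backup of $dir FAILED"; rm -f "$backup_archive_name"; continue; }`, and decide whether a failed backup should stop the run altogether. Because the archives contain /etc and /root, setting `umask 077` around the archive creation (and restoring it afterwards) would have them created owner-only from the first byte instead of relying on the later `chmod 400` and on /opt/backup already being 0700. Plain `tar -c` does not record ACLs, SELinux labels or other extended attributes, so if a faithful restore matters on such hosts, GNU tar's `--acls --selinux --xattrs` are worth adding.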
@@ -1166,6 +1187,13 @@ info_getstate_after() {
 done
 }
+
+# ------------------------------------------------------------------------------
+misc_find_media() {
+ log_info "Finding media files"
+ find / -type f \( -name "*.3g2" -o -name "*.3gp" -o -name "*.aac" -o -name "*.aif" -o -name "*.amr" -o -name "*.asf" -o -name "*.asx" -o -name "*.avchd" -o -name "*.avi" -o -name "*.f4v" -o -name "*.fla" -o -name "*.flac" -o -name "*.flv" -o -name "*.m3u" -o -name "*.m4a" -o -name "*.m4b" -o -name "*.m4v" -o -name "*.mid" -o -name "*.mkv" -o -name "*.mov" -o -name "*.mp3" -o -name "*.mp4" -o -name "*.mpe" -o -name "*.mpg" -o -name "*.ogg" -o -name "*.ogv" -o -name "*.opu" -o -name "*.pls" -o -name "*.ram" -o -name "*.rm" -o -name "*.srt" -o -name "*.swf" -o -name "*.ts" -o -name "*.vob" -o -name "*.wav" -o -name "*.web" -o -name "*.wma" -o -name "*.wmv" \)
+}
+
 # ------------------------------------------------------------------------------
 # ------------------------------------------------------------------------------
 # ------------------------------------------------------------------------------
@@ -1173,6 +1201,7 @@ info_getstate_after() {
 # Change what modules are executed here
 run_modules() {
 read_check
+ backup_system
 info_getstate_before
 firewall_drop_all
 packages_repo_settings
@@ -1202,6 +1231,7 @@ run_modules() {
 usbguard_configure
 aide_configure
 packages_verify_all
+ #misc_find_media
 info_processes_root
 info_files_writable
 info_suid_sgid
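Review bot: The `-name` tests in misc_find_media are case-sensitive, and two patterns look truncated (`*.opu` and `*.web` were presumably meant to be `*.opus` and `*.webm`), so files such as `SONG.MP3` or `clip.webm` are not reported. Switching the tests to `-iname` and correcting those two suffixes closes that gap; note that `*.ts` will also match TypeScript sources, so expect some noise. Starting at `/` with no pruning also walks /proc, /sys and any network mounts, which is slow and produces permission and vanished-file errors; prefixing the expression with `\( -path /proc -o -path /sys \) -prune -o` and ending it with `-print` keeps the scan on real filesystems. A header comment saying that matching is by file extension only would set the right expectation for whoever reads the output.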