Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / mk / packer-templates / f6ea26dcf32e37e182c6ad61bdb33b4e887639fa / . / common / ubuntu_security.sh
blob: f2641c38d2f3c30e1b0b808ebb6a185ddcb19a71 [file] [log] [blame]
Richard Felkld59c5652018-02-08 13:14:05 +0100[diff] [blame]1#!/bin/bash -xe
Ivan Berezovskiy41a6b822018-09-11 18:02:29 +0400[diff] [blame]2
Richard Felkld59c5652018-02-08 13:14:05 +0100[diff] [blame]3# Libvirt serial console support
Ivan Berezovskiy41a6b822018-09-11 18:02:29 +0400[diff] [blame]4cat << EOF >> /etc/systemd/system/serial-getty@.service
Richard Felkld59c5652018-02-08 13:14:05 +0100[diff] [blame]5[Unit]
6Description=Getty on %I
7Documentation=man:agetty(8) man:systemd-getty-generator(8)
8Documentation=http://0pointer.de/blog/projects/serial-console.html
9After=systemd-user-sessions.service plymouth-quit-wait.service
10After=rc-local.service
11
12Before=getty.target
13IgnoreOnIsolate=yes
14
15ConditionPathExists=/dev/ttyS0
16
17[Service]
azvyagintsev495fcdd2018-10-17 14:25:29 +0300[diff] [blame]18ExecStart=-/sbin/agetty -8 --noclear %I 115200 \$TERM
Richard Felkld59c5652018-02-08 13:14:05 +0100[diff] [blame]19Type=idle
20Restart=always
21RestartSec=0
22UtmpIdentifier=%I
23TTYPath=/dev/%I
24TTYReset=yes
25TTYVHangup=yes
26TTYVTDisallocate=yes
27KillMode=process
28IgnoreSIGPIPE=no
29SendSIGHUP=yes
30
31Environment=LANG= LANGUAGE= LC_CTYPE= LC_NUMERIC= LC_TIME= LC_COLLATE= LC_MONETARY= LC_MESSAGES= LC_PAPER= LC_NAME= LC_ADDRESS= LC_TELEPHONE= LC_MEASUREMENT= LC_IDENTIFICATION=
32
33[Install]
34WantedBy=getty.target
35DefaultInstance=ttyS0
36EOF
37
38systemctl daemon-reload
39systemctl enable serial-getty@ttyS0.service
40
41# Disable password root login
42usermod -p '!' root
43
azvyagintsevbbae0352018-10-09 21:11:22 +0300[diff] [blame]44# Drop default 'ubuntu' user
45userdel -rf ubuntu
46
Richard Felkld59c5652018-02-08 13:14:05 +0100[diff] [blame]47# Disable SSH password authentication and permit root login
48sed -i 's|[#]*PasswordAuthentication yes|PasswordAuthentication no|g' /etc/ssh/sshd_config
Ivan Berezovskiy41a6b822018-09-11 18:02:29 +0400[diff] [blame]49sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin no|g' /etc/ssh/sshd_config