bash tweaks - Bourne-Again SHell
# Needed if you plan to run XQuartz on macOS (under zsh) with X11 forwarded over SSH.
##################################
# HiddenSSH/XQuartz
#
# XQuartz to normal terminal
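# Point X11 clients at XQuartz's default display, but only when nothing has
# set DISPLAY already: XQuartz/launchd and sshd's X11 forwarding export their
# own value, and unconditionally overwriting it breaks those sessions.
export DISPLAY="${DISPLAY:-:0}"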
# MacOSX specific .bashrc
##################################
# MACOSX/hardware
#
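# macOS CPU summary from sysctl, one field per line.
# A function rather than an alias so it also works from scripts, and printf
# rather than echo so the line breaks are real: bash's builtin echo prints
# "\n" literally (zsh's interprets it, which is why the alias looked fine there).
# hw.cpufrequency is reported in Hz, so it is divided down to match the
# "(MHz)" label the original printed next to the raw Hz value.
# NOTE(review): hw.cpufrequency is not available on Apple Silicon; this prints
# "n/a" there — confirm on your hardware.
cpuinfo() {
  local freq_hz freq_mhz="n/a"
  freq_hz="$(sysctl -n hw.cpufrequency 2>/dev/null || true)"
  if [[ "$freq_hz" =~ ^[0-9]+$ ]]; then
    freq_mhz=$(( freq_hz / 1000000 ))
  fi
  printf 'CPU Frequency (MHz): %s\n' "$freq_mhz"
  printf 'CPU Model: %s\n' "$(sysctl -n machdep.cpu.brand_string 2>/dev/null || echo n/a)"
  printf 'Physical CPU Packages: %s\n' "$(sysctl -n hw.packages 2>/dev/null || echo n/a)"
  printf 'Logical CPU Cores: %s\n' "$(sysctl -n hw.logicalcpu 2>/dev/null || echo n/a)"
  printf 'Physical CPU Cores: %s\n' "$(sysctl -n hw.physicalcpu 2>/dev/null || echo n/a)"
}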
# Function to display system information
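# Print kernel/machine identity from uname, one labelled field per line.
# Fixes vs. the original: every variable is local (the original left six
# UPPER_CASE globals behind in the interactive shell on each call), and all
# uname calls go through PATH instead of one of them being hard-coded to
# /usr/bin/uname.
sysinfo() {
  local processor_type machine_hardware_name kernel_release
  local kernel_name kernel_version node_name
  processor_type="$(uname -p)"
  machine_hardware_name="$(uname -m)"
  kernel_release="$(uname -r)"
  kernel_name="$(uname -s)"
  kernel_version="$(uname -v)"
  node_name="$(uname -n)"
  printf 'Processor Type: %s\n' "$processor_type"
  printf 'Machine Hardware Name: %s\n' "$machine_hardware_name"
  printf 'Kernel Release: %s\n' "$kernel_release"
  printf 'Kernel Name: %s\n' "$kernel_name"
  printf 'Kernel Version: %s\n' "$kernel_version"
  printf 'Node Name: %s\n' "$node_name"
}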
# Firewall
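# pf helpers (macOS). `pfctl -f` only (re)loads the ruleset; it does not
# enable pf — check with `sudo pfctl -s info` and enable with `sudo pfctl -e`.
alias firewall-show='echo "Location: /etc/pf.conf" && cat /etc/pf.conf'
# Parse-only pass first (-n) so a ruleset with a syntax error is reported
# clearly before a load is attempted.
alias firewall-restart="sudo pfctl -nf /etc/pf.conf && sudo pfctl -f /etc/pf.conf"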
# Show Interfaces
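# Print each interface with its IPv4 address(es): "if: addr mask" on macOS
# (ifconfig), "if: addr/prefix" on Linux (iproute2). Returns 1 on any other OS.
# Fixes vs. the original, which only worked under zsh:
#  - `print` is a zsh builtin, not a bash one; use printf.
#  - a bare $array expands to its first element in bash; use "${array[@]}".
#  - on Linux, `tr -d '@'` turned "veth0@if3" into "veth0if3", which is not a
#    name `ip addr show` accepts; strip the "@peer" suffix instead.
showinterfacesinfo() {
  local os intf addrs
  local -a interfaces
  os="$(uname -s)"
  if [[ "$os" == "Darwin" ]]; then
    # Word-splitting the substitution is intended: interface names contain no
    # whitespace, and mapfile is unavailable on macOS's bash 3.2.
    # shellcheck disable=SC2207
    interfaces=($(ifconfig | awk '/^[a-z]/ { sub(/:$/, "", $1); print $1 }'))
    for intf in "${interfaces[@]}"; do
      addrs="$(ifconfig "$intf" | awk '/inet / { print $2, $4 }')"
      printf '%s: %s\n' "$intf" "$addrs"
    done
  elif [[ "$os" == "Linux" ]]; then
    # `ip -o link` prints "N: name[@peer]: <flags> ..."; keep only the name.
    # shellcheck disable=SC2207
    interfaces=($(ip -o link show | awk -F': ' '{ sub(/@.*/, "", $2); print $2 }'))
    for intf in "${interfaces[@]}"; do
      addrs="$(ip -o -f inet addr show "$intf" | awk '{ print $4 }')"
      printf '%s: %s\n' "$intf" "$addrs"
    done
  else
    printf '%s\n' "Unsupported operating system." >&2
    return 1
  fi
}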
# Aliases to make life easier
##################################
# TREZOR
#
# TREZOR hardware-key helpers.
# trezorconnected: list the Trezor devices currently attached.
# remoteserver: one-shot SSH session through trezor-agent; -c connects as the
#   given identity and -e ed25519 selects the key type. Per trezor-agent's
#   docs the identity string ("user@httpd.hiddenssh.net") is what the
#   on-device key is derived from, so a different identity presents a
#   different public key — keep it stable once the key is authorized.
alias trezorconnected='trezorctl list'
alias remoteserver='trezor-agent -e ed25519 -c user@httpd.hiddenssh.net'
# Apply a basic layer of hardening to a Linux host (interactive; run as root).
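#!/bin/bash
# Basic interactive Linux hardening. Sections, each confirmed with a prompt:
#   1. login-accounting files (utmp/wtmp/lastlog/btmp) root-only; /proc hidepid=2
#   2. kernel.dmesg_restrict=1, kernel.yama.ptrace_scope=2
#   3. /tmp and /dev/shm as tmpfs noexec,nosuid,nodev; screen dir; per-user ~/tmp
#   4. ignore IPv4 ICMP echo
# then best-effort /proc/net tightening, `sysctl -p`, and chattr +i on
# /etc/sysctl.conf and /etc/fstab. Answering anything but y/Y to a prompt
# skips that section (the original aborted the whole run instead).
# Must run as root.
#
# Operational caveats to know before running this on a production host:
#  - utmp 600 root:root: `who`/`w` stop working for unprivileged users, and
#    setgid-utmp programs (screen, xterm) can no longer record sessions.
#  - hidepid=2 also hides processes from services that expect to see them
#    (polkit/logind-driven desktops); add gid=<group> to exempt a group.
#  - ptrace_scope=2 limits ptrace to CAP_SYS_PTRACE: no unprivileged
#    gdb/strace attach.
#  - noexec /tmp and /dev/shm break anything that executes from there
#    (some installers, build systems, JIT runtimes).
#  - chattr +i blocks later edits of fstab/sysctl.conf (package managers too)
#    until `chattr -i`; this script unlocks both itself on re-run.
set -euo pipefail

readonly SYSCTL_CONF=/etc/sysctl.conf
readonly FSTAB=/etc/fstab

# Prompt "$1 (y/N): " and return 0 only for y/Y; EOF or anything else is "no".
# Callers wrap each section in `if ask ...; then`, so declining skips it.
ask() {
  local answer
  read -rp "$1 (y/N): " answer || return 1
  [[ "$answer" == [Yy] ]]
}

# append_unless FILE LINE REGEX: append LINE to FILE unless a line matching
# REGEX is already present. Keeps fstab edits idempotent across re-runs.
append_unless() {
  local file=$1 line=$2 regex=$3
  if ! grep -qE -- "$regex" "$file" 2>/dev/null; then
    printf '%s\n' "$line" >> "$file"
  fi
}

# set_sysctl KEY VALUE: apply now and persist to sysctl.conf, replacing any
# existing entry for KEY (the original appended blindly, so each run added
# duplicate lines). The file is rewritten in place to keep its inode/mode.
set_sysctl() {
  local key=$1 value=$2 tmp
  sysctl -w "${key}=${value}"
  touch "$SYSCTL_CONF"
  tmp="$(mktemp)"
  awk -v key="$key" -F= '{ k = $1; sub(/[[:space:]]+$/, "", k) } k != key' \
    "$SYSCTL_CONF" > "$tmp"
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  cat "$tmp" > "$SYSCTL_CONF"
  rm -f -- "$tmp"
}

# Section 1: login-accounting files root-only, /proc mounted with hidepid=2.
restrict_login_files() {
  local f
  for f in /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/btmp; do
    # Not every distro ships all four (lastlog is absent on recent systems);
    # skip a missing file rather than abort under set -e.
    [[ -e "$f" ]] || continue
    chmod 600 "$f"
    chown root:root "$f"
  done
  append_unless "$FSTAB" "proc /proc proc defaults,hidepid=2 0 0" \
    '^[^#[:space:]]+[[:space:]]+/proc[[:space:]]+proc([[:space:]]|$)'
  # Pass the option explicitly instead of relying on fstab being re-read.
  mount -o remount,hidepid=2 /proc
}

# Section 2: restrict dmesg to root and ptrace to CAP_SYS_PTRACE.
restrict_dmesg_ptrace() {
  set_sysctl kernel.dmesg_restrict 1
  # Yama can be compiled out; then the key does not exist and sysctl -w fails.
  if [[ -e /proc/sys/kernel/yama/ptrace_scope ]]; then
    set_sysctl kernel.yama.ptrace_scope 2
  else
    echo "[!] Yama LSM not present; kernel.yama.ptrace_scope left unset" >&2
  fi
}

# Section 3: /tmp and /dev/shm noexec,nosuid,nodev, plus screen and ~/tmp setup.
lock_tmp() {
  append_unless "$FSTAB" "tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0" \
    '^tmpfs[[:space:]]+/tmp[[:space:]]+tmpfs'
  append_unless "$FSTAB" "tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0" \
    '^tmpfs[[:space:]]+/dev/shm[[:space:]]+tmpfs'
  # systemd generates mount units from fstab; let it see the new entries.
  if command -v systemctl >/dev/null 2>&1; then
    systemctl daemon-reload
  fi
  # Remount with the options spelled out. This only works where the path is
  # already a mount point (e.g. a tmpfs /tmp); otherwise fstab applies at boot.
  mount -o remount,noexec,nosuid,nodev /tmp \
    || echo "[!] /tmp remount failed (fstab entry applies at next boot)" >&2
  mount -o remount,noexec,nosuid,nodev /dev/shm \
    || echo "[!] /dev/shm remount failed (fstab entry applies at next boot)" >&2
  setup_screen_dir
  setup_home_tmp
}

# Socket directory and system-wide defaults for screen.
setup_screen_dir() {
  mkdir -p /var/run/screen
  chmod 755 /var/run/screen
  chown root:root /var/run/screen
  # NOTE(review): screen builds that run setgid utmp expect this directory to
  # be 775 root:utmp so unprivileged users can create their S-<user> socket
  # dir; with 755 root:root those users may be unable to start screen.
  # Confirm on this distro before relying on it.
  # NOTE(review): `defdir` is not a command I can find in screen(1); screen's
  # socket directory is normally set via SCREENDIR. Kept as in the original —
  # verify with `screen -ls` after a fresh login.
  if ! grep -q "defdir" /etc/screenrc 2>/dev/null; then
    printf 'defdir $HOME/tmp\n' >> /etc/screenrc
    printf 'deflog on\n' >> /etc/screenrc
  fi
}

# Private 0700 tmp directory in every home under /home.
setup_home_tmp() {
  local dir
  for dir in /home/*/; do
    [[ -d "$dir" ]] || continue
    dir=${dir%/}
    mkdir -p "$dir/tmp"
    chmod 700 "$dir/tmp"
    # Take owner/group from the home dir itself rather than assuming the
    # directory name is a user name whose primary group has the same name.
    chown --reference="$dir" "$dir/tmp"
  done
}

# Section 4: drop IPv4 echo requests. Also hides the host from ping-based
# monitoring; IPv6 echo is not covered here (net.ipv6.icmp.echo_ignore_all on
# kernels that provide it).
ignore_icmp_echo() {
  set_sysctl net.ipv4.icmp_echo_ignore_all 1
}

# Best-effort: these modes are not persistent across reboots, hidepid does not
# cover /proc/net, and procfs may refuse the chmod — check with
# `ls -l /proc/net/tcp` afterwards if you are counting on this.
restrict_proc_net() {
  local f
  for f in tcp udp raw tcp6 udp6 raw6; do
    chmod 600 "/proc/net/$f" 2>/dev/null || true
  done
}

main() {
  if (( EUID != 0 )); then
    echo "[!] This script must be run as root." >&2
    exit 1
  fi
  # Unlock both files first so a re-run after a previous chattr +i can still
  # edit them (the original only unlocked sysctl.conf, and only mid-way, so
  # a second run died on the immutable fstab under set -e).
  chattr -i "$SYSCTL_CONF" "$FSTAB" 2>/dev/null || true

  if ask "[*] Apply process visibility and login file restrictions?"; then
    restrict_login_files
  fi
  if ask "[*] Apply dmesg, ptrace restrictions?"; then
    restrict_dmesg_ptrace
  fi
  if ask "[*] Lock down /tmp and /dev/shm?"; then
    lock_tmp
  fi
  if ask "[*] Block incoming ICMP echo requests (pings) via sysctl?"; then
    ignore_icmp_echo
  fi
  restrict_proc_net
  if [[ -e "$SYSCTL_CONF" ]]; then
    sysctl -p "$SYSCTL_CONF" || echo "[!] sysctl -p reported errors" >&2
    chattr +i "$SYSCTL_CONF" || echo "[!] chattr +i $SYSCTL_CONF failed" >&2
  fi
  chattr +i "$FSTAB" || echo "[!] chattr +i $FSTAB failed" >&2
  echo "[-] Hardening complete."
}

main "$@"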
# Distro: Hackertips.today - All Rights Lost (c) 2025
# Linux specific .bashrc
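# Summarise CPU topology, flags, kernel and distro from /proc, /sys and
# /etc/os-release. Returns 1 (message on stderr) if /proc/cpuinfo is
# unreadable. Arguments are ignored.
# Changes vs. the original: the error message goes to stderr instead of
# stdout, an empty PRETTY_NAME falls back to "unknown", and a
# [ VULNERABILITIES ] section is appended when the kernel exposes
# /sys/devices/system/cpu/vulnerabilities (one file per issue, containing
# e.g. "Mitigation: ..." or "Vulnerable") — the speculative-execution
# mitigation status is usually what a CPU readout is wanted for on a
# hardening pass. Earlier sections keep their original layout.
cpuinfo() {
  local cpuinfo="/proc/cpuinfo"
  if [[ ! -r "$cpuinfo" ]]; then
    echo "[-] Cannot read /proc/cpuinfo" >&2
    return 1
  fi
  local logical_cores physical_cores sockets cores_per_socket threads_per_core
  local model_name flags kernel_name kernel_release kernel_version pretty_name
  # nproc honours affinity/cgroup limits; fall back to counting processor entries.
  logical_cores="$(nproc 2>/dev/null || grep -c '^processor' "$cpuinfo")"
  model_name="$(awk -F': ' '/^model name[[:space:]]*:/ { print $2; exit }' "$cpuinfo")"
  flags="$(awk -F': ' '/^flags[[:space:]]*:/ { print $2; exit }' "$cpuinfo" \
    | tr ' ' '\n' | sort -u | paste -sd' ' -)"
  # Distinct "physical id" values = sockets; the line is absent on some
  # (e.g. ARM) systems, in which case assume one socket.
  sockets="$(awk -F': ' '/^physical id[[:space:]]*:/ { print $2 }' "$cpuinfo" | sort -u | wc -l)"
  (( sockets > 0 )) || sockets=1
  cores_per_socket="$(awk -F': ' '/^cpu cores[[:space:]]*:/ { print $2; exit }' "$cpuinfo")"
  if [[ -n "$cores_per_socket" ]]; then
    physical_cores=$(( sockets * cores_per_socket ))
  else
    # Without "cpu cores" SMT siblings cannot be told apart; report the logical count.
    physical_cores="$logical_cores"
  fi
  if (( ${physical_cores:-0} > 0 )); then
    threads_per_core=$(( logical_cores / physical_cores ))
  else
    threads_per_core="unknown"
  fi
  kernel_name="$(awk '{ print $1 }' /proc/sys/kernel/ostype 2>/dev/null)"
  kernel_release="$(cat /proc/sys/kernel/osrelease 2>/dev/null)"
  kernel_version="$(cat /proc/sys/kernel/version 2>/dev/null)"
  pretty_name=""
  if [[ -r /etc/os-release ]]; then
    pretty_name="$(awk -F= '/^PRETTY_NAME=/ { gsub(/^"/, "", $2); gsub(/"$/, "", $2); print $2; exit }' /etc/os-release)"
  fi
  printf '[ CPU ]\n'
  printf 'Model: %s\n' "${model_name:-unknown}"
  printf 'Sockets: %s\n' "$sockets"
  printf 'Physical cores: %s\n' "$physical_cores"
  printf 'Logical cores: %s\n' "$logical_cores"
  printf 'Threads per core: %s\n' "$threads_per_core"
  printf '[ CPU FLAGS ]\n%s\n' "${flags:-unknown}"
  printf '[ KERNEL ]\n'
  printf 'Name: %s\n' "${kernel_name:-unknown}"
  printf 'Release: %s\n' "${kernel_release:-unknown}"
  printf 'Version: %s\n' "${kernel_version:-unknown}"
  printf '[ DISTRO ]\n'
  printf 'Name: %s\n' "${pretty_name:-unknown}"
  local vuln_dir=/sys/devices/system/cpu/vulnerabilities vuln
  if [[ -d "$vuln_dir" ]]; then
    printf '[ VULNERABILITIES ]\n'
    for vuln in "$vuln_dir"/*; do
      [[ -r "$vuln" ]] || continue
      printf '%s: %s\n' "${vuln##*/}" "$(<"$vuln")"
    done
  fi
}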
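# Only print when this file is executed as a script. When it is sourced from
# .bashrc the function is merely defined — the original called it
# unconditionally, which dumped CPU info on every new shell and passed the
# shell's own positional parameters along.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  cpuinfo "$@"
fi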
# Generic cheat commands for ssh debug
# Print the SSH debugging cheat sheet (coloured, tab-aligned) to stdout.
# Table-driven: "h|heading" rows print a blue heading; "N|command|description"
# rows print the command in green, N tabs, then the description in cyan.
cheat-ssh-debug() {
  local magenta=$'\033[35m' cyan=$'\033[36m' blue=$'\033[34m' green=$'\033[32m' reset=$'\033[0m'
  local rule='———————————————————————————————————————————————'
  local -a table=(
    'h|Verbose debug:'
    '2|ssh -v user@host|Basic debug.'
    '2|ssh -vv user@host|More debug.'
    '2|ssh -vvv user@host|Max debug.'
    'h|Command + debug:'
    '2|ssh -vvv user@host ls|Debug while running command.'
    '1|ssh -vvv user@host /bin/ls|Debug exact binary call.'
    "1|ssh -vvv user@host 'lsof -Pni'|Debug command with args."
  )
  local entry kind lhs rhs tabs
  printf '%s[ SSH Debug Cheat Codes ]%s\n' "$magenta" "$reset"
  printf '%s%s%s\n' "$cyan" "$rule" "$reset"
  for entry in "${table[@]}"; do
    IFS='|' read -r kind lhs rhs <<<"$entry"
    if [[ "$kind" == h ]]; then
      printf '%s%s%s\n' "$blue" "$lhs" "$reset"
    else
      # N spaces, then turned into N tabs, so the columns line up as before.
      printf -v tabs '%*s' "$kind" ''
      tabs=${tabs// /$'\t'}
      printf '%s%s%s%s%s%s%s\n' "$green" "$lhs" "$reset" "$tabs" "$cyan" "$rhs" "$reset"
    fi
  done
  printf '%s%s%s\n' "$cyan" "$rule" "$reset"
}
# Generic cheat commands for ssh
# Print the basic SSH cheat sheet (coloured, tab-aligned) to stdout.
# Table-driven: "h|heading" rows print a blue heading; "N|command|description"
# rows print the command in green, N tabs, then the description in cyan.
cheat-ssh() {
  local magenta=$'\033[35m' cyan=$'\033[36m' blue=$'\033[34m' green=$'\033[32m' reset=$'\033[0m'
  local rule='———————————————————————————————————————————————'
  local -a table=(
    'h|Run commands:'
    '3|ssh user@host ls|Run simple command.'
    '2|ssh user@host /bin/ls|Run binary by absolute path.'
    '2|ssh user@host /usr/bin/id|Call exact binary directly.'
    'h|Commands with flags / args:'
    "2|ssh user@host 'lsof -Pni'|Quote full command with args."
    "1|ssh user@host '/usr/bin/lsof -Pni'|Exact binary with args."
  )
  local entry kind lhs rhs tabs
  printf '%s[ SSH Cheat Codes ]%s\n' "$magenta" "$reset"
  printf '%s%s%s\n' "$cyan" "$rule" "$reset"
  for entry in "${table[@]}"; do
    IFS='|' read -r kind lhs rhs <<<"$entry"
    if [[ "$kind" == h ]]; then
      printf '%s%s%s\n' "$blue" "$lhs" "$reset"
    else
      printf -v tabs '%*s' "$kind" ''
      tabs=${tabs// /$'\t'}
      printf '%s%s%s%s%s%s%s\n' "$green" "$lhs" "$reset" "$tabs" "$cyan" "$rhs" "$reset"
    fi
  done
  printf '%s%s%s\n' "$cyan" "$rule" "$reset"
}
# Trezor Agent Cheat Codes
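# Print the trezor-agent cheat sheet to stdout.
# Fixes vs. the earlier text: the one-off example said "treazor-agent"
# (copy-pasting it gave "command not found"), and the hiddenssh2 quick-connect
# line used user1 although the hiddenssh2 daemon line uses user2. Also notes
# that both daemon lines share --sock-path ~/.ssh/trezor.sock, so only one of
# them can run at a time. Per trezor-agent's docs the identity string
# (user@host) is what the on-device key is derived from, so user1@ and
# user2@ present different keys.
cheat-ssh-trezor() {
  local MAGENTA=$'\033[35m' CYAN=$'\033[36m' BLUE=$'\033[34m' GREEN=$'\033[32m' RESET=$'\033[0m'
  local rule='———————————————————————————————————————————————'
  printf '%s[ Trezor Agent Cheat Codes ]%s\n' "$MAGENTA" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
  printf '%sNote:%s %sThese commands do not run ssh directly — they run trezor-agent, which provides an SSH agent socket for hardware-backed keys.%s\n' \
    "$BLUE" "$RESET" "$CYAN" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
  printf '%sAgent (daemon) commands:%s\n' "$BLUE" "$RESET"
  printf '%sHiddenssh:%s %strezor-agent -e ed25519 user1@httpd.hiddenssh.net -d --sock-path ~/.ssh/trezor.sock%s\n' "$GREEN" "$RESET" "$CYAN" "$RESET"
  printf '%sHiddenssh2:%s %strezor-agent -e ed25519 user2@httpd.hiddenssh.net -d --sock-path ~/.ssh/trezor.sock%s\n' "$GREEN" "$RESET" "$CYAN" "$RESET"
  printf '%sBoth use the same --sock-path: run one at a time, or give each its own socket.%s\n' "$CYAN" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
  printf '%sOne-off connect (agent wraps the connection):%s\n' "$BLUE" "$RESET"
  printf '%strezor-agent -e ed25519 -c user1@httpd.hiddenssh.net%s\n' "$GREEN" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
  printf '%sQuick connect (one-off) to your hosts:%s\n' "$BLUE" "$RESET"
  printf '%shiddenssh:%s %strezor-agent -e ed25519 -c user1@httpd.hiddenssh.net%s\n' "$GREEN" "$RESET" "$CYAN" "$RESET"
  printf '%shiddenssh2:%s %strezor-agent -e ed25519 -c user2@httpd.hiddenssh.net%s\n' "$GREEN" "$RESET" "$CYAN" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
}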
# Combine these with the matching Host entries in ~/.ssh/config.
# Print the local port-forwarding (-L) cheat sheet to stdout. The forward's
# destination host:port is connected from the SSH server's side, not from the
# client, which is what the note line spells out.
# Table-driven: "h|text" = blue heading, "n|text" = cyan note,
# "N|command|description" = green command, N tabs, cyan description.
cheat-ssh-localportforwarding() {
  local magenta=$'\033[35m' cyan=$'\033[36m' blue=$'\033[34m' green=$'\033[32m' reset=$'\033[0m'
  local rule='———————————————————————————————————————————————'
  local -a table=(
    'h|DNS example:'
    '1|ssh -N -L 127.0.0.1:5300:httpd.hiddenssh.net:53 user1@httpd.hiddenssh.net|Bind local 5300; SSH forwards TCP DNS to httpd.hiddenssh.net:53.'
    '1|ssh -f -N -L 127.0.0.1:5300:httpd.hiddenssh.net:53 user1@httpd.hiddenssh.net|Same, but in background.'
    'h|Note:'
    'n|Local 127.0.0.1:5300 forwards through the SSH server, which connects to httpd.hiddenssh.net:53.'
  )
  local entry kind lhs rhs tabs
  printf '%s[ SSH Local Port Forwarding Cheat Codes ]%s\n' "$magenta" "$reset"
  printf '%s%s%s\n' "$cyan" "$rule" "$reset"
  for entry in "${table[@]}"; do
    IFS='|' read -r kind lhs rhs <<<"$entry"
    case "$kind" in
      h) printf '%s%s%s\n' "$blue" "$lhs" "$reset" ;;
      n) printf '%s%s%s\n' "$cyan" "$lhs" "$reset" ;;
      *)
        printf -v tabs '%*s' "$kind" ''
        tabs=${tabs// /$'\t'}
        printf '%s%s%s%s%s%s%s\n' "$green" "$lhs" "$reset" "$tabs" "$cyan" "$rhs" "$reset"
        ;;
    esac
  done
  printf '%s%s%s\n' "$cyan" "$rule" "$reset"
}
# SSHD Cheat Codes
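# Print the sshd configuration cheat sheet to stdout.
# Fixes vs. the original: the colour variables are defined locally (they were
# only set as a side effect of running cheat-selinux first, so this printed
# uncoloured or not at all), and the grep line — cut off in the source after
# "x11fo", which left an unterminated string — is closed at x11forwarding.
# Extend that alternation if more keys were intended. Also adds `sshd -T -C`
# (Match blocks are only applied with -C) and `sshd -t` to validate before a
# restart.
cheat-sshd() {
  local MAGENTA=$'\033[35m' CYAN=$'\033[36m' BLUE=$'\033[34m' GREEN=$'\033[32m' RESET=$'\033[0m'
  local rule='———————————————————————————————————————————————'
  printf '%s[ SSHD Cheat Codes ]%s\n' "$MAGENTA" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
  printf '%sCheck key settings quickly:%s\n' "$BLUE" "$RESET"
  printf '%s%s%s\n' "$GREEN" "sudo sshd -T | grep -Ei '^(port|listenaddress|passwordauthentication|pubkeyauthentication|permitrootlogin|allowusers|allowgroups|allowagentforwarding|x11forwarding)'" "$RESET"
  printf '%s • fast security posture snapshot%s\n' "$CYAN" "$RESET"
  printf '%sShow complete effective config (includes defaults):%s\n' "$BLUE" "$RESET"
  printf '%ssudo sshd -T%s\n' "$GREEN" "$RESET"
  printf '%s • ground truth for what sshd will use%s\n' "$CYAN" "$RESET"
  printf '%sEffective config for one client (Match blocks applied):%s\n' "$BLUE" "$RESET"
  printf '%ssudo sshd -T -C user=USER,host=HOST,addr=IP%s\n' "$GREEN" "$RESET"
  printf '%s • without -C, sshd -T shows the config with no Match block matched%s\n' "$CYAN" "$RESET"
  printf '%sValidate before restarting sshd:%s\n' "$BLUE" "$RESET"
  printf '%ssudo sshd -t%s\n' "$GREEN" "$RESET"
  printf '%s • a config error found only at restart can lock you out of the box%s\n' "$CYAN" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
}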
# SELinux Cheat codes
cheat-selinux() {
# Define color codes
RED="\e[31m"
GREEN="\e[32m"
YELLOW="\e[33m"
BLUE="\e[34m"
MAGENTA="\e[35m"
CYAN="\e[36m"
RESET="\e[0m"
# Display colorful text for SELinux cheat codes
echo -e "${MAGENTA}[ SELinux Cheat codes ]${RESET}"
echo -e "${CYAN}———————————————————————————————————————————————${RESET}"
# SELinux Status section
echo -e "${BLUE}SELinux Status:${RESET}\t\t\t\t${GREEN}sestatus${RESET}"
# SELinux Activate/Disable section
echo -e "${BLUE}SELinux Activate/Disable:${RESET}\t\t${GREEN}setenforce 1 or 0${RESET}"
# SELinux check Logging is running section
echo -e "${BLUE}SELinux check Logging is running:${RESET}\t${GREEN}rc-service auditd status${RESET}"
# SELinux Check modules section
echo -e "${BLUE}SELinux Check modules:${RESET}\t\t\t${GREEN}semodule -l${RESET}"
# SELinux check website is there section
echo -e "${BLUE}SELinux check website is there:${RESET}\t\t${GREEN}semodule -l | grep hiddenssh.com${RESET}"
# SELinux version of ls command section
echo -e "${BLUE}SELinux version of ls command:${RESET}\t\t${GREEN}ls -Z /web/${RESET}"
# SELinux Logs section
echo -e "${BLUE}SELinux Logs:${RESET}\t\t\t\t${GREEN}cat /var/log/audit/audit.log${RESET}"
# SELinux recent AVCs section
echo -e "${BLUE}SELinux recent AVCs:${RESET}\t\t\t${GREEN}ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent${RESET}"
# SELinux logs grep section
echo -e "${BLUE}SELinux logs grep:${RESET}\t\t\t${GREEN}grep \"denied\" /var/log/audit/audit.log${RESET}"
# SELinux Generate a policy section
echo -e "${BLUE}SELinux Generate a policy:${RESET}\t\t${GREEN}audit2allow -a -M hiddenssh.com${RESET}"
echo -e "${BLUE}Install a policy:${RESET}\t\t\t${GREEN}semodule -i hiddenssh.com.pp${RESET}"
# SELinux Read in the rules again section
echo -e "${BLUE}SELinux Read in the rules again:${RESET}\t${GREEN}restorecon -Rv /web ${RESET}"
echo -e "${CYAN}———————————————————————————————————————————————${RESET}"
}
# cheat selinux roles user
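# Print the SELinux user-role cheat sheet to stdout.
# Fix vs. the original: the colour variables are defined locally; before, they
# existed only if cheat-selinux had been run earlier in the same shell, so
# this printed plain text (empty expansions) otherwise.
cheat-selinux-roles-user() {
  local MAGENTA=$'\033[35m' CYAN=$'\033[36m' BLUE=$'\033[34m' GREEN=$'\033[32m' RESET=$'\033[0m'
  local rule='————————————————————————————————————————————'
  printf '%s[ SELinux Roles — User Cheat Codes ]%s\n' "$MAGENTA" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
  printf '%sCheck:%s\n' "$BLUE" "$RESET"
  printf '%sid -Z%s\t\t\t%sCurrent user:role:type:level%s\n' "$GREEN" "$RESET" "$CYAN" "$RESET"
  printf '%sps -o pid,user,label,cmd -p $$%s\t%sCurrent shell label%s\n' "$GREEN" "$RESET" "$CYAN" "$RESET"
  printf '%ssemanage user -l%s\t\t%sSELinux users -> allowed roles%s\n' "$GREEN" "$RESET" "$CYAN" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
  printf '%sStandard user roles:%s\n' "$BLUE" "$RESET"
  printf '%suser_r%s\t\t%sNormal regular user role%s\n' "$CYAN" "$RESET" "$CYAN" "$RESET"
  printf '%sstaff_r%s\t\t%sStandard admin-capable user role%s\n' "$CYAN" "$RESET" "$CYAN" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
  printf '%sSpecial / not standard daily use:%s\n' "$BLUE" "$RESET"
  printf '%sunconfined_r%s\t%sUnconfined, not standard confined use%s\n' "$CYAN" "$RESET" "$CYAN" "$RESET"
  printf '%sauditadm_r%s\t%sAudit admin role%s\n' "$CYAN" "$RESET" "$CYAN" "$RESET"
  printf '%ssecadm_r%s\t\t%sSecurity admin role%s\n' "$CYAN" "$RESET" "$CYAN" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
  printf '%sSwitch if allowed:%s\n' "$BLUE" "$RESET"
  printf '%snewrole -r staff_r%s\t%sChange to staff role%s\n' "$GREEN" "$RESET" "$CYAN" "$RESET"
  printf '%sruncon -r staff_r -- bash%s\t%sRun shell in role%s\n' "$GREEN" "$RESET" "$CYAN" "$RESET"
  printf '%s%s%s\n' "$CYAN" "$rule" "$RESET"
  printf '%sNote:%s %sDaily-use roles are usually user_r / staff_r.%s\n' "$BLUE" "$RESET" "$CYAN" "$RESET"
  printf '%sEnforcing mode does NOT itself block role changes.%s\n' "$CYAN" "$RESET"
  printf '%sRole change must be allowed by SELinux policy + user mapping.%s\n' "$CYAN" "$RESET"
}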
# cheat selinux roles root
cheat-selinux-roles-root() {
echo -e "${MAGENTA}[ SELinux Roles — Root Cheat Codes ]${RESET}"
echo -e "${CYAN}————————————————————————————————————————————${RESET}"
echo -e "${BLUE}Check:${RESET}"
echo -e "${GREEN}id -Z${RESET}\t\t\t${CYAN}Current user:role:type:level${RESET}"
echo -e "${GREEN}semanage user -l${RESET}\t\t${CYAN}SELinux users -> allowed roles${RESET}"
echo -e "${CYAN}————————————————————————————————————————————${RESET}"
echo -e "${BLUE}Root/admin roles:${RESET}"
echo -e "${RED}sysadm_r${RESET}\t\t${CYAN}Standard root/admin role${RESET}"
echo -e "${GREEN}staff_r${RESET}\t\t${CYAN}Admin-capable user role${RESET}"
echo -e "${CYAN}————————————————————————————————————————————${RESET}"
echo -e "${BLUE}Special roles:${RESET}"
echo -e "${YELLOW}auditadm_r${RESET}\t${CYAN}Audit admin only${RESET}"
echo -e "${YELLOW}secadm_r${RESET}\t\t${CYAN}SELinux/security admin${RESET}"
echo -e "${YELLOW}unconfined_r${RESET}\t${CYAN}Almost full access, root-like, special case${RESET}"
echo -e "${CYAN}————————————————————————————————————————————${RESET}"
echo -e "${BLUE}secadm_r cheat:${RESET}"
echo -e "${CYAN}can:${RESET} policy / settings / modules / SELinux controls"
echo -e "${CYAN}not:${RESET} full file access / full proc control / full sysadmin"
echo -e "${CYAN}————————————————————————————————————————————${RESET}"
echo -e "${BLUE}Note:${RESET} ${CYAN}sysadm_r = normal confined root role${RESET}"
echo -e "${CYAN}unconfined_r = almost unrestricted root-like role${RESET}"
echo -e "${CYAN}secadm_r = SELinux admin, not full root bypass${RESET}"
# Cheat sheet for mounting a chroot (e.g. the target of an sshd ChrootDirectory)
cheat-chroot() {
echo -e "${MAGENTA}[ Chroot Mount Cheat Codes ]${RESET}"
echo -e "${CYAN}———————————————————————————————————————————————${RESET}"
echo -e "${BLUE}Prep pseudo-filesystems for chroot (/home/chroot):${RESET}"
echo -e "${GREEN}mount -t proc proc /home/chroot/proc${RESET}"
echo -e "${CYAN} • /proc: process + kernel view (ps, top, many tools)${RESET}"
echo -e "${GREEN}mount --rbind /sys /home/chroot/sys${RESET}"
echo -e "${CYAN} • /sys: kernel device/sysfs info (udev, drivers, hw tools)${RESET}"
echo -e "${GREEN}mount --make-rslave /home/chroot/sys${RESET}"
echo -e "${CYAN} • keep mount events from “leaking” back unexpectedly${RESET}"
echo -e "${GREEN}mount --rbind /dev /home/chroot/dev${RESET}"
echo -e "${CYAN} • /dev: device nodes (null, tty, disks); many programs require it${RESET}"
echo -e "${GREEN}mount --make-rslave /home/chroot/dev${RESET}"
echo -e "${CYAN} • safe propagation for nested mounts under /dev${RESET}"
echo -e "${GREEN}mount --bind /run /home/chroot/run${RESET}"
echo -e "${CYAN} • /run: runtime state/sockets (dbus, system services, resolv helpers)${RESET}"
echo -e "${BLUE}Verify mounts (with UUID column):${RESET}"
echo -e "${GREEN}findmnt -o TARGET,SOURCE,FSTYPE,OPTIONS,uuid${RESET}"
echo -e "${CYAN} • shows exactly what the chroot sees + mount options${RESET}"
echo -e "${BLUE}Enter chroot:${RESET}"
echo -e "${GREEN}chroot /home/chroot /bin/bash -l${RESET}"
echo -e "${CYAN} • login shell inside chroot${RESET}"
echo -e "${BLUE}Exit + unmount (leave no bind mounts behind):${RESET}"
echo -e "${GREEN}umount -R /home/chroot/run${RESET}"
echo -e "${CYAN} • drop /run bind${RESET}"
echo -e "${GREEN}umount -R /home/chroot/dev${RESET}"
echo -e "${CYAN} • drop /dev bind tree${RESET}"
echo -e "${GREEN}umount -R /home/chroot/sys${RESET}"
echo -e "${CYAN} • drop /sys bind tree${RESET}"
echo -e "${GREEN}umount -R /home/chroot/proc${RESET}"
echo -e "${CYAN} • drop /proc${RESET}"
echo -e "${CYAN}———————————————————————————————————————————————${RESET}"
}
# cheat SELinux roles show
cheat-selinux-roles-show() {
echo -e "${MAGENTA}[ SELinux Roles — Show ]${RESET}"
echo -e "${CYAN}————————————————————————————————————————————${RESET}"
echo -e "${BLUE}1) Linux login -> SELinux user${RESET}"
echo -e "${GREEN}\$ semanage login -l${RESET}"
echo -e "${CYAN}"
echo "Login Name SELinux User MLS/MCS Range Service"
echo "__default__ unconfined_u s0-s0:c0.c1023 *"
echo "root root s0-s0:c0.c1023 *"
echo "myuser staff_u s0-s0:c0.c1023 *"
echo -e "${RESET}"
echo -e "${CYAN}Login user -> SELinux user mapping.${RESET}"
echo -e "${CYAN}————————————————————————————————————————————${RESET}"
echo -e "${BLUE}2) SELinux user -> allowed roles${RESET}"
echo -e "${GREEN}\$ semanage user -l${RESET}"
echo -e "${CYAN}"
echo "SELinux User Prefix MCS Level MCS Range SELinux Roles"
echo -e "root sysadm s0 s0-s15:c0.c1023 ${YELLOW}auditadm_r${RESET} ${YELLOW}secadm_r${RESET} ${GREEN}staff_r${RESET} ${RED}sysadm_r${RESET}"
echo -e "staff_u staff s0 s0-s15:c0.c1023 ${YELLOW}auditadm_r${RESET} ${YELLOW}secadm_r${RESET} ${GREEN}staff_r${RESET} ${RED}sysadm_r${RESET}"
echo -e "sysadm_u sysadm s0 s0-s15:c0.c1023 ${RED}sysadm_r${RESET}"
echo -e "system_u user s0 s0-s15:c0.c1023 ${YELLOW}system_r${RESET}"
echo -e "unconfined_u user s0 s0-s15:c0.c1023 ${YELLOW}unconfined_r${RESET}"
echo -e "user_u user s0 s0 ${GREEN}user_r${RESET}"
echo -e "${RESET}"
echo -e "${CYAN}An SELinux user can be authorized for multiple roles.${RESET}"
echo -e "${CYAN}Example: SELinux user ${GREEN}root${RESET}${CYAN} is allowed:${RESET} ${YELLOW}auditadm_r${RESET} ${YELLOW}secadm_r${RESET} ${GREEN}staff_r${RESET} ${RED}sysadm_r${RESET}"
echo -e "${CYAN}That does NOT mean all are active now.${RESET}"
echo -e "${CYAN}Check current active role with:${RESET} ${GREEN}id -Z${RESET}"
echo -e "${CYAN}Legend: ${GREEN}USER${RESET} ${CYAN}= user_r staff_r ${RED}ROOT${RESET} ${CYAN}= sysadm_r ${YELLOW}SPECIAL${RESET} ${CYAN}= auditadm_r secadm_r unconfined_r system_r${RESET}"
echo -e "${CYAN}Allowed roles only. NOT all active at once.${RESET}"
echo -e "${CYAN}————————————————————————————————————————————${RESET}"
echo -e "${BLUE}3) Check current applied role${RESET}"
echo -e "${GREEN}\$ id -Z${RESET}"
echo -e "${CYAN}staff_u:staff_r:staff_t:s0${RESET}"
echo -e "${CYAN}2nd field = active role -> ${GREEN}staff_r${RESET}"
}