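#!/bin/bash
# tunevault-lockdown.sh
# ==================================================
# Run this on your Oracle server BEFORE installing
# the TuneVault proxy. It creates a restricted OS
# user and configures minimal sudo privileges.
#
# Usage:
#   chmod +x tunevault-lockdown.sh
#   sudo ./tunevault-lockdown.sh [--install-dir /opt/tunevault]
#   sudo ./tunevault-lockdown.sh [/opt/tunevault]   # bare positional path also accepted
#
# The sudoers step needs the EBS admin-scripts directory (ADMIN_SCRIPTS_HOME):
# it must be exported in this script's environment or set in the oracle
# user's login environment.
#
# Requirements: bash, sudo (visudo), useradd/groupadd
# Tested on: Oracle Linux 7/8/9, RHEL 7/8/9, Ubuntu 20/22
# ==================================================
set -euo pipefail

# --- Argument parsing ---
# Both the documented "--install-dir DIR" form and a bare positional DIR are
# accepted.  (The previous "${1:-/opt/tunevault}" only handled the positional
# form, so the documented flag became the directory name itself.)
INSTALL_DIR=/opt/tunevault
while [[ $# -gt 0 ]]; do
  case "$1" in
    --install-dir)
      if [[ $# -lt 2 ]]; then
        echo "ERROR: --install-dir requires a path argument" >&2
        exit 2
      fi
      INSTALL_DIR=$2
      shift 2
      ;;
    --install-dir=*)
      INSTALL_DIR=${1#--install-dir=}
      shift
      ;;
    -h|--help)
      echo "Usage: sudo $0 [--install-dir DIR]"
      exit 0
      ;;
    -*)
      echo "ERROR: unknown option: $1" >&2
      exit 2
      ;;
    *)
      INSTALL_DIR=$1
      shift
      ;;
  esac
done

# The directory below is chown'ed/chmod'ed to the service account, so refuse
# anything that could be a system directory: it must be absolute and at least
# two components deep (/opt/tunevault is fine; "/" or "/opt" is not).
if [[ "$INSTALL_DIR" != "/" ]]; then
  INSTALL_DIR=${INSTALL_DIR%/}
fi
if [[ ! "$INSTALL_DIR" =~ ^/[^/]+/[^/]+ ]]; then
  echo "ERROR: install dir must be an absolute path at least two levels deep (got '$INSTALL_DIR')" >&2
  exit 2
fi

PROXY_USER=tunevault
PROXY_GROUP=tunevault

# Must run as root: everything below touches /etc and system accounts.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "ERROR: Must run as root (sudo ./tunevault-lockdown.sh)" >&2
  exit 1
fi

# Pick a non-interactive shell that actually exists on this host.  Ubuntu
# keeps nologin under /usr/sbin; the summary at the end accepts either
# nologin location or /bin/false.
NOLOGIN_SHELL=/sbin/nologin
for candidate in /sbin/nologin /usr/sbin/nologin /bin/false; do
  if [[ -x "$candidate" ]]; then
    NOLOGIN_SHELL=$candidate
    break
  fi
done

echo "========================================"
echo " TuneVault Lockdown Script"
echo " $(date)"
echo " Install dir: $INSTALL_DIR"
echo "========================================"
echo ""

# --- Create restricted group and user ---
if ! getent group "$PROXY_GROUP" &>/dev/null; then
  echo "[1/4] Creating group: $PROXY_GROUP"
  groupadd --system "$PROXY_GROUP"
else
  echo "[1/4] Group $PROXY_GROUP already exists — skipping"
fi

if ! id "$PROXY_USER" &>/dev/null; then
  echo "[2/4] Creating user: $PROXY_USER (no login shell, system account)"
  useradd \
    --system \
    --gid "$PROXY_GROUP" \
    --shell "$NOLOGIN_SHELL" \
    --no-create-home \
    --comment "TuneVault proxy service account" \
    "$PROXY_USER"
else
  echo "[2/4] User $PROXY_USER already exists — skipping"
  # A pre-existing account is left untouched, but an interactive shell on a
  # service account that is about to receive NOPASSWD sudo is worth flagging.
  existing_shell=$(getent passwd "$PROXY_USER" | cut -d: -f7)
  case "$existing_shell" in
    */nologin|/bin/false) ;;
    *)
      echo "WARNING: existing user $PROXY_USER has login shell '$existing_shell';" >&2
      echo "         consider: usermod --shell $NOLOGIN_SHELL $PROXY_USER" >&2
      ;;
  esac
fi

# --- Create and lock down install directory ---
echo "[3/4] Setting up install directory: $INSTALL_DIR"
mkdir -p -- "$INSTALL_DIR"
# NOTE(review): the service account owns its own install tree because the
# documented next step installs the proxy as that user.  If a later release
# installs as root instead, prefer root:tunevault 750 here so the proxy
# cannot modify its own binaries — confirm with the install docs.
chown "$PROXY_USER:$PROXY_GROUP" "$INSTALL_DIR"
chmod 750 "$INSTALL_DIR"

# Log directory (writable by proxy user only)
mkdir -p -- "$INSTALL_DIR/logs"
chown "$PROXY_USER:$PROXY_GROUP" "$INSTALL_DIR/logs"
chmod 700 "$INSTALL_DIR/logs"

# --- Configure sudoers whitelist ---
echo "[4/4] Writing sudoers whitelist..."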
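SUDOERS_FILE=/etc/sudoers.d/tunevault

# --- Resolve ADMIN_SCRIPTS_HOME to a literal absolute path ---
# sudoers never expands shell variables: a Cmnd_Alias entry written as
# "$ADMIN_SCRIPTS_HOME/adcmctl.sh status" is either rejected by visudo or
# never matches a real command.  Worse, pairing env_keep with a caller-
# controlled variable in the command path would let the tunevault account
# point sudo at any script it likes and run it as oracle.  The path is
# therefore resolved here, once, by root, and only literal paths are written.
#
# Sources, in order:
#   1. ADMIN_SCRIPTS_HOME in this script's environment
#      (e.g. sudo ADMIN_SCRIPTS_HOME=/u01/.../admin/scripts ./tunevault-lockdown.sh)
#   2. the oracle user's login environment (its profile normally sets it)
ADMIN_SCRIPTS_HOME=${ADMIN_SCRIPTS_HOME:-}
if [[ -z "$ADMIN_SCRIPTS_HOME" ]] && id oracle &>/dev/null; then
  # Login shell so oracle's profile is sourced; the sentinels isolate the
  # value from any banner or motd the profile may print.
  ADMIN_SCRIPTS_HOME=$(su - oracle -c 'printf "__TV__%s__TV__\n" "${ADMIN_SCRIPTS_HOME:-}"' 2>/dev/null \
    | sed -n 's/.*__TV__\(.*\)__TV__.*/\1/p' | tail -n 1 || true)
fi
if [[ -z "$ADMIN_SCRIPTS_HOME" ]]; then
  echo "ERROR: ADMIN_SCRIPTS_HOME could not be determined." >&2
  echo "       Export it when running this script, e.g.:" >&2
  echo "       sudo ADMIN_SCRIPTS_HOME=/u01/app/.../admin/scripts $0" >&2
  exit 1
fi
ADMIN_SCRIPTS_HOME=${ADMIN_SCRIPTS_HOME%/}
# Restrict the character set so the path can neither break sudoers syntax
# (space , : = \ #) nor be interpreted as a glob (* ? [) by sudo, and is
# safe to substitute with sed below.
if [[ ! "$ADMIN_SCRIPTS_HOME" =~ ^/[A-Za-z0-9._/-]+$ ]]; then
  echo "ERROR: ADMIN_SCRIPTS_HOME must be an absolute path using only [A-Za-z0-9._/-]: '$ADMIN_SCRIPTS_HOME'" >&2
  exit 1
fi
if [[ ! -d "$ADMIN_SCRIPTS_HOME" ]]; then
  echo "ERROR: ADMIN_SCRIPTS_HOME is not a directory: $ADMIN_SCRIPTS_HOME" >&2
  exit 1
fi
echo "      ADMIN_SCRIPTS_HOME resolved to: $ADMIN_SCRIPTS_HOME"

# Every whitelisted command runs as oracle, so anyone who can edit these
# files (or replace them via a writable directory) gets oracle.  Warn on
# group/world-writable bits; warn if a listed script is absent.
WHITELISTED_SCRIPTS=(adcmctl.sh adalnctl.sh adadminsrvctl.sh adnodemgrctl.sh
  adopmnctl.sh mwactl.sh adapcctl.sh admanagedsrvctl.sh)
if [[ -n "$(find "$ADMIN_SCRIPTS_HOME" -maxdepth 0 -perm /022 2>/dev/null)" ]]; then
  echo "WARNING: $ADMIN_SCRIPTS_HOME is group- or world-writable; scripts in it could be replaced" >&2
fi
for script in "${WHITELISTED_SCRIPTS[@]}"; do
  script_path="$ADMIN_SCRIPTS_HOME/$script"
  if [[ ! -f "$script_path" ]]; then
    echo "WARNING: $script_path not found — its sudoers entry will never match" >&2
  elif [[ -n "$(find "$script_path" -perm /022 2>/dev/null)" ]]; then
    echo "WARNING: $script_path is group- or world-writable; editing it yields code execution as oracle" >&2
  fi
done

# sudo must actually read /etc/sudoers.d for the fragment to take effect.
if ! grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers\.d' /etc/sudoers 2>/dev/null; then
  echo "WARNING: /etc/sudoers has no includedir for /etc/sudoers.d — the whitelist will be ignored" >&2
fi

# visudo is required: a fragment with a syntax error disables sudo for the
# whole host, so an unvalidated file is never installed.
if ! command -v visudo &>/dev/null; then
  echo "ERROR: visudo not found; refusing to install an unvalidated sudoers fragment" >&2
  exit 1
fi

# Write to a temp file in the same directory, validate, then rename into
# place atomically.  sudo ignores sudoers.d entries containing a '.', so a
# half-written temp file is never parsed even if the script dies mid-way.
TMP_SUDOERS=$(mktemp /etc/sudoers.d/.tunevault.XXXXXX)
trap 'rm -f -- "$TMP_SUDOERS"' EXIT

# Quoted delimiter: the template is literal; the placeholder is replaced
# afterwards with the validated path (sed '|' is safe — the charset check
# above excludes '|', '&' and '\').
cat > "$TMP_SUDOERS" << 'SUDOERS_EOF' 
# TuneVault proxy — minimal sudo whitelist (EBS 12.2.x application tier)
# Generated by tunevault-lockdown.sh
# DO NOT edit manually — re-run tunevault-lockdown.sh to update
#
# Paths are literal.  ADMIN_SCRIPTS_HOME was resolved at generation time to:
#   @ADMIN_SCRIPTS_HOME@
# sudoers does not expand variables, and the caller's environment must never
# influence which file sudo executes.
# Only "status" subcommands are listed — start/stop/restart are NOT granted.
# admanagedsrvctl.sh is the unified controller for all managed servers.

# Non-managed services (individual *ctl.sh scripts)
Cmnd_Alias TUNEVAULT_NON_MANAGED = \
    @ADMIN_SCRIPTS_HOME@/adcmctl.sh status, \
    @ADMIN_SCRIPTS_HOME@/adalnctl.sh status, \
    @ADMIN_SCRIPTS_HOME@/adadminsrvctl.sh status, \
    @ADMIN_SCRIPTS_HOME@/adnodemgrctl.sh status, \
    @ADMIN_SCRIPTS_HOME@/adopmnctl.sh status, \
    @ADMIN_SCRIPTS_HOME@/mwactl.sh status, \
    @ADMIN_SCRIPTS_HOME@/adapcctl.sh status

# Managed servers (all routed through admanagedsrvctl.sh)
Cmnd_Alias TUNEVAULT_MANAGED = \
    @ADMIN_SCRIPTS_HOME@/admanagedsrvctl.sh status oacore_server1, \
    @ADMIN_SCRIPTS_HOME@/admanagedsrvctl.sh status forms_server1, \
    @ADMIN_SCRIPTS_HOME@/admanagedsrvctl.sh status oafm_server1, \
    @ADMIN_SCRIPTS_HOME@/admanagedsrvctl.sh status wfmlrsvc, \
    @ADMIN_SCRIPTS_HOME@/admanagedsrvctl.sh status opp

tunevault ALL=(oracle) NOPASSWD: TUNEVAULT_NON_MANAGED, TUNEVAULT_MANAGED
# No other commands are permitted
SUDOERS_EOF
sed -i "s|@ADMIN_SCRIPTS_HOME@|$ADMIN_SCRIPTS_HOME|g" "$TMP_SUDOERS"

# NOTE(review): Oracle Linux / RHEL 7 ship with "Defaults requiretty".  If the
# proxy runs sudo without a tty and gets "sorry, you must have a tty", add
# "Defaults:tunevault !requiretty" to the template — confirm on the target host
# before widening the fragment.

# Ownership/mode are set before validation: visudo -c may also check them,
# and the final file must be root-owned 0440 for sudo to accept it.
chown root:root "$TMP_SUDOERS"
chmod 0440 "$TMP_SUDOERS"
if visudo -c -f "$TMP_SUDOERS"; then
  echo "      sudoers syntax OK"
else
  echo "ERROR: sudoers validation failed — nothing installed (temp file removed)" >&2
  exit 1
fi
mv -f -- "$TMP_SUDOERS" "$SUDOERS_FILE"
trap - EXIT

# --- Print verification summary ---
echo ""
echo "========================================"
echo " Lockdown complete. Verify before use:"
echo "========================================"
echo ""
echo "OS user:"
id "$PROXY_USER" 2>/dev/null || echo "  ERROR: user not found"
echo ""
echo "Install directory:"
ls -la "$INSTALL_DIR" 2>/dev/null | head -5
echo ""
echo "Sudoers whitelist ($SUDOERS_FILE, $(stat -c '%U:%G %a' "$SUDOERS_FILE" 2>/dev/null)):"
cat "$SUDOERS_FILE" 2>/dev/null
echo ""
echo "Effective sudo rights for $PROXY_USER (sudo -l):"
sudo -l -U "$PROXY_USER" 2>/dev/null || echo "  (sudo -l failed — check the includedir warning above)"
echo ""
echo "Shell (should be /sbin/nologin, /usr/sbin/nologin or /bin/false):"
getent passwd "$PROXY_USER" | cut -d: -f7
echo ""
echo "========================================"
echo " Next: install the proxy as user '$PROXY_USER'"
echo " See: https://tunevault.app/docs/oracle-setup"
echo "========================================"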