From d22918601953ac9de4bf5a7051deeba2ba63aa1b Mon Sep 17 00:00:00 2001
From: Aditya Pingle
Date: Tue, 21 Nov 2023 18:31:54 -0800
Subject: [PATCH] introduced secure-start shell to disable shell access for container post Container provisioning;

---
 splunk/common-files/entrypoint.sh | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/splunk/common-files/entrypoint.sh b/splunk/common-files/entrypoint.sh
index a230ba3f..02f8b492 100755
--- a/splunk/common-files/entrypoint.sh
+++ b/splunk/common-files/entrypoint.sh
@@ -67,6 +67,9 @@ watch_for_failure(){
 echo Ansible playbook complete, will begin streaming ${SPLUNK_TAIL_FILE}
 ${RUN_AS_SPLUNK} tail -n 0 -f ${SPLUNK_TAIL_FILE} &
 fi
+ if [[ "$DISABLE_ENTIRE_SHELL_ACCESS" == "true" ]]; then
+ disable_entire_shell_access_for_container
+ fi
 wait
 }
@@ -90,6 +93,12 @@ start() {
 watch_for_failure
 }
+secure_start() {
+ start_and_exit
+ export DISABLE_ENTIRE_SHELL_ACCESS="true"
+ watch_for_failure
+}
+
 configure_multisite() {
 prep_ansible
 ansible-playbook $ANSIBLE_EXTRA_FLAGS -i inventory/environ.py -l localhost multisite.yml
@@ -103,6 +112,16 @@ restart(){
 watch_for_failure
 }
+disable_entire_shell_access_for_container() {
+ if [[ "$DISABLE_ENTIRE_SHELL_ACCESS" == "true" ]]; then
+ bash -c "sudo usermod -s /sbin/nologin splunk"
+ bash -c "sudo usermod -s /sbin/nologin ansible"
+ sudo rm /bin/sh
+ sudo rm /bin/bash
+ sudo ln -s /bin/busybox /bin/sh
+ fi
+}
+
 user_permission_change(){
 if [[ "$STEPDOWN_ANSIBLE_USER" == "true" ]]; then
 bash -c "sudo deluser -q ansible sudo"
@@ -175,6 +194,10 @@ case "$1" in
 tail -n 0 -f /etc/hosts &
 wait
 ;;
+ secure-start|secure-start-service)
+ shift
+ secure_start $@
+ ;;
 bash|splunk-bash)
 /bin/bash --init-file ${SPLUNK_HOME}/bin/setSplunkEnv
 ;;
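Review bot: The `DISABLE_ENTIRE_SHELL_ACCESS` guard added before `wait` in `watch_for_failure` repeats the identical test inside `disable_entire_shell_access_for_container` (third hunk), so the same condition is now maintained in two places; keep the check in the function and call it unconditionally here, `disable_entire_shell_access_for_container`, or drop the inner one. Note also that `watch_for_failure` is the tail of `start` and `restart` as well (second and third hunk headers), so an operator who sets `DISABLE_ENTIRE_SHELL_ACCESS=true` in the container environment gets the same shell removal from a plain `start`, not only from `secure-start`; a comment such as `# also honoured when DISABLE_ENTIRE_SHELL_ACCESS is set in the environment, not only via secure_start` would make that explicit. The beginning of `watch_for_failure` lies outside the hunk.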
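Review bot: `secure_start` has no header comment, and what it does is irreversible for the container: once `watch_for_failure` runs with `DISABLE_ENTIRE_SHELL_ACCESS` exported, `/bin/bash` is deleted, so the `bash|splunk-bash` entrypoint arm (fourth hunk) and the `bash -c` calls elsewhere in this script (`user_permission_change`, third hunk) can no longer work in that container, and if the entrypoint itself runs under a bash shebang, re-invoking it presumably fails too. Suggest a short header stating that it behaves like `start` but additionally removes bash and sets the `splunk`/`ansible` login shells to `/sbin/nologin` after provisioning, that the effect cannot be undone without recreating the container, and that `/bin/sh` remains available through busybox. The `export` could also move above `start_and_exit` so the flag is set before any step that might consult it; as written the ordering only matters if `start_and_exit` reads it, which is not visible here.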
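Review bot: `disable_entire_shell_access_for_container` deletes `/bin/sh` before checking that `/bin/busybox` exists, and the busybox `sh` it then links in is itself a working shell, so the container keeps an interactive shell after this runs; setting `/sbin/nologin` on `splunk` and `ansible` affects login shells only, so the function name and the commit subject overstate what is disabled. There is also no status handling: if either `usermod` fails the `rm` calls still run, and `bash -c "sudo usermod …"` spawns an extra bash for a command that can be run directly. Suggest verifying busybox first, stopping at the first failure, dropping the `bash -c` wrappers, and documenting the real scope (bash removed, sh reduced to busybox, login shells disabled) in a header comment; the `DISABLE_ENTIRE_SHELL_ACCESS` guard is duplicated by the caller in the first hunk. A rewrite along these lines is below.

```shell
disable_entire_shell_access_for_container() {
    # Removes bash and points /bin/sh at busybox once provisioning is done.
    # Scope: login shells for splunk/ansible become /sbin/nologin and
    # /bin/bash is deleted; /bin/sh stays usable via busybox, and this does
    # not restrict `docker exec`. Irreversible for the container's lifetime.
    if [[ "$DISABLE_ENTIRE_SHELL_ACCESS" != "true" ]]; then
        return 0
    fi
    if [[ ! -x /bin/busybox ]]; then
        echo "disable_entire_shell_access_for_container: /bin/busybox missing, leaving shells untouched" >&2
        return 1
    fi
    sudo usermod -s /sbin/nologin splunk || return 1
    sudo usermod -s /sbin/nologin ansible || return 1
    sudo ln -sf -- /bin/busybox /bin/sh || return 1
    sudo rm -f -- /bin/bash
}
```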
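Review bot: `secure_start $@` passes the arguments unquoted, so any argument containing whitespace is re-split before `secure_start` sees it; write `secure_start "$@"`. Since `secure_start` as added in the second hunk takes no arguments, the `shift` and the pass-through currently have no effect, which is worth a one-line comment if they are kept to mirror the other arms, e.g. `# args accepted for symmetry with start; secure_start ignores them`. The enclosing `case` statement begins and ends outside the hunk.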