mirror of
https://github.com/tommytran732/Linux-Setup-Scripts
synced 2024-11-25 02:31:34 -05:00
Ensure file permissions on Proxmox and RHEL
This commit is contained in:
parent
3790c4df70
commit
55085948db
@ -25,7 +25,6 @@ systemctl mask debug-shell.service
|
|||||||
|
|
||||||
## Avoid phased updates
|
## Avoid phased updates
|
||||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | tee /etc/apt/apt.conf.d/99sane-upgrades
|
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | tee /etc/apt/apt.conf.d/99sane-upgrades
|
||||||
chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
|
|
||||||
|
|
||||||
# Setup NTS
|
# Setup NTS
|
||||||
rm -rf /etc/chrony/chrony.conf
|
rm -rf /etc/chrony/chrony.conf
|
||||||
@ -34,9 +33,7 @@ systemctl restart chronyd
|
|||||||
|
|
||||||
# Harden SSH
|
# Harden SSH
|
||||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf
|
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf
|
||||||
chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
|
|
||||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
|
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
|
||||||
mkdir -p /etc/systemd/system/ssh.service.d
|
mkdir -p /etc/systemd/system/ssh.service.d
|
||||||
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf
|
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
@ -74,21 +71,17 @@ proxmox-boot-tool refresh
|
|||||||
|
|
||||||
# Kernel hardening
|
# Kernel hardening
|
||||||
curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
|
curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
|
||||||
chmod 644 /etc/modprobe.d/server-blacklist.conf
|
|
||||||
sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
|
sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
|
||||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
|
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
|
||||||
chmod 644 /etc/sysctl.d/99-server.conf
|
|
||||||
sysctl -p
|
sysctl -p
|
||||||
|
|
||||||
# Rebuild initramfs
|
# Rebuild initramfs
|
||||||
update-initramfs -u
|
update-initramfs -u
|
||||||
|
|
||||||
# Disable coredump
|
# Disable coredump
|
||||||
umask 022
|
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
mkdir -p /etc/systemd/coredump.conf.d
|
mkdir -p /etc/systemd/coredump.conf.d
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | tee /etc/systemd/coredump.conf.d/disable.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | tee /etc/systemd/coredump.conf.d/disable.conf
|
||||||
umask 077
|
|
||||||
|
|
||||||
# Harden SSH
|
# Harden SSH
|
||||||
sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
|
sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
|
||||||
|
16
RHEL-9.sh
16
RHEL-9.sh
@ -40,7 +40,9 @@ sudo chmod 700 /home/*
|
|||||||
|
|
||||||
# Setup NTS
|
# Setup NTS
|
||||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf
|
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf
|
||||||
|
sudo chmod 644 /etc/chrony.conf
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd
|
||||||
|
sudo chmod 644 /etc/sysconfig/chronyd
|
||||||
|
|
||||||
sudo systemctl restart chronyd
|
sudo systemctl restart chronyd
|
||||||
|
|
||||||
@ -67,14 +69,15 @@ sudo sysctl -p
|
|||||||
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
|
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
|
||||||
|
|
||||||
# Disable coredump
|
# Disable coredump
|
||||||
umask 022
|
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
|
sudo chmod 644 /etc/security/limits.d/30-disable-coredump.conf
|
||||||
sudo mkdir -p /etc/systemd/coredump.conf.d
|
sudo mkdir -p /etc/systemd/coredump.conf.d
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||||
umask 077
|
sudo chmod 644 /etc/systemd/coredump.conf.d/disable.conf
|
||||||
|
|
||||||
# Setup DNF
|
# Setup DNF
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
|
||||||
|
sudo chmod 644 /etc/dnf/dnf.conf
|
||||||
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
|
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
|
||||||
|
|
||||||
# Setup automatic updates
|
# Setup automatic updates
|
||||||
@ -124,6 +127,8 @@ forward-zone:
|
|||||||
forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
|
forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
|
||||||
forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf
|
forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf
|
||||||
|
|
||||||
|
sudo chmod 644 /etc/unbound/unbound.conf
|
||||||
|
|
||||||
mkdir -p /etc/systemd/system/unbound.service.d
|
mkdir -p /etc/systemd/system/unbound.service.d
|
||||||
echo $'[Service]
|
echo $'[Service]
|
||||||
MemoryDenyWriteExecute=true
|
MemoryDenyWriteExecute=true
|
||||||
@ -144,6 +149,8 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete
|
|||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
|
LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
|
||||||
|
|
||||||
|
sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
|
||||||
|
|
||||||
sudo systemctl enable --now unbound
|
sudo systemctl enable --now unbound
|
||||||
|
|
||||||
# Setup yara
|
# Setup yara
|
||||||
@ -158,6 +165,7 @@ if [ "$virtualization" = 'none' ]; then
|
|||||||
sudo systemctl restart fwupd
|
sudo systemctl restart fwupd
|
||||||
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
||||||
|
sudo chmod 644 /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl enable --now fwupd-refresh.timer
|
sudo systemctl enable --now fwupd-refresh.timer
|
||||||
fi
|
fi
|
||||||
@ -206,18 +214,22 @@ sudo firewall-cmd --lockdown-on
|
|||||||
|
|
||||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
|
sudo chmod 644 /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl restart NetworkManager
|
sudo systemctl restart NetworkManager
|
||||||
|
|
||||||
# irqbalance hardening
|
# irqbalance hardening
|
||||||
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
|
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
|
||||||
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
||||||
|
sudo chmod 644 /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl restart irqbalance
|
sudo systemctl restart irqbalance
|
||||||
|
|
||||||
# Setup notices
|
# Setup notices
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
|
||||||
|
sudo chmod 644 /etc/issue
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
|
||||||
|
sudo chmod 644 /etc/issue.net
|
||||||
|
|
||||||
# Final notes to the user
|
# Final notes to the user
|
||||||
output 'Server setup complete. To use unbound for DNS, you need to run the following commands:'
|
output 'Server setup complete. To use unbound for DNS, you need to run the following commands:'
|
||||||
|
Loading…
Reference in New Issue
Block a user