From 7672345a8925c6d689c8029c6973fc59f6363a41 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Tue, 13 Feb 2024 17:16:33 -0700
Subject: [PATCH] Consistency fixes

Signed-off-by: Tommy
---
 Fedora-Workstation-39.sh | 3 +++
 GCP-Debian-11.sh | 12 +++++++-----
 Kali-Linux.sh | 7 +++++++
 Proxmox-8.sh | 11 ++++++++---
 RHEL-Server-9.sh | 5 ++++-
 Ubuntu-22.04-Server.sh | 3 +++
 Ubuntu-23.10-Desktop.sh | 3 +++
 etc/security/limits.d/30-disable-coredump.conf | 1 +
 8 files changed, 36 insertions(+), 9 deletions(-)
 create mode 100644 etc/security/limits.d/30-disable-coredump.conf

diff --git a/Fedora-Workstation-39.sh b/Fedora-Workstation-39.sh
index 924bc9f..6eb280b 100644
--- a/Fedora-Workstation-39.sh
+++ b/Fedora-Workstation-39.sh
@@ -75,6 +75,9 @@ sudo dracut -f
 sudo sysctl -p
 sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=isolation_force efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off'
 
+# Disable coredump
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
+
 # Systemd Hardening
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
diff --git a/GCP-Debian-11.sh b/GCP-Debian-11.sh
index a112508..57596ce 100644
--- a/GCP-Debian-11.sh
+++ b/GCP-Debian-11.sh
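Review bot: The new coredump line writes whatever the fetch returns into /etc/security/limits.d/30-disable-coredump.conf, because `tee` never sees curl's exit status and curl runs without `--fail`: a 404 body, an HTML error page or an empty response on a network failure silently replaces the one-line entry that the old inline `echo` produced deterministically and offline. For a single known line the fetch only adds a network and supply-chain dependency on the moving `main` branch; `printf '* hard core 0\n' | sudo tee /etc/security/limits.d/30-disable-coredump.conf` is equivalent, and if a fetch is preferred, `unpriv curl --fail ...` pinned to a commit rather than `main` at least fails loudly instead of installing garbage. The same line is added in the GCP-Debian-11, Kali-Linux, Proxmox-8, RHEL-Server-9, Ubuntu-22.04-Server and Ubuntu-23.10-Desktop hunks. `unpriv` is presumably a helper defined earlier in the file; its definition is outside the hunk.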
@@ -74,20 +74,22 @@ unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/us
 sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
 unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
 sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
-sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
-curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 sudo sysctl -p
 
 # Rebuild initramfs
 sudo update-initramfs -u
 
+# Disable coredump
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
+
+# System Hardening
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+
 # Update GRUB config
 echo 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=isolation_force efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off"' | sudo tee -a /etc/grub.d/40_custom
 sudo update-grub
 
-# Security limit
-echo '* hard core 0' | tee -a /etc/security/limits.conf
-
 # Setup tuned
 sudo dnf install tuned -y
 sudo tuned-adm profile virtual-guest
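Review bot: The moved brace line still calls plain `curl` while the new coredump line two lines above it uses `unpriv curl`, so the same fetch-and-tee pattern runs at two different privilege levels inside one hunk; for a commit titled "Consistency fixes" I would change it to `unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf`. The new section header `# System Hardening` also differs from the `# Systemd Hardening` header the Fedora and RHEL hunks use for the same block. Both points apply to the Kali-Linux hunk as well. Unrelated to the change but visible in the trailing context, `sudo dnf install tuned -y` cannot work on Debian 11, which is apt-based; presumably `sudo apt install tuned -y` was intended.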
diff --git a/Kali-Linux.sh b/Kali-Linux.sh
index 1ea69b6..f093107 100644
--- a/Kali-Linux.sh
+++ b/Kali-Linux.sh
@@ -48,6 +48,13 @@ sudo sysctl -p
 # Rebuild initramfs
 sudo update-initramfs -u
 
+# Disable coredump
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
+
+# System Hardening
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+
 # Update GRUB config
 echo 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=isolation_force efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off"' | sudo tee -a /etc/grub.d/40_custom
 sudo update-grub
diff --git a/Proxmox-8.sh b/Proxmox-8.sh
index 0ec216a..68e26a7 100644
--- a/Proxmox-8.sh
+++ b/Proxmox-8.sh
@@ -82,10 +82,15 @@ sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /et
 sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
 curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
-mkdir -p /etc/systemd/system/NetworkManager.service.d
-curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-echo "* hard core 0" | tee -a /etc/security/limits.conf
 
+sysctl -p
+# Rebuild initramfs
+update-initramfs -u
+
+# Disable coredump
+curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
+
+# Harden SSH
 sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
 
 # Setup automatic updates
diff --git a/RHEL-Server-9.sh b/RHEL-Server-9.sh
index 6d2ee22..5b9f002 100644
--- a/RHEL-Server-9.sh
+++ b/RHEL-Server-9.sh
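Review bot: The added `sysctl -p` loads only /etc/sysctl.conf, not the /etc/sysctl.d files the `sed -i` and the two `curl ... -o /etc/sysctl.d/...` lines just above it write or edit, so the printk, kexec-disable and security-misc settings are not applied until reboot; `sysctl --system` reads /etc/sysctl.d/*.conf as well. The new coredump line is also the only command in this hunk that goes through `sudo tee`, while every neighbouring line runs as root and writes with `curl ... -o`, so `curl --fail https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf -o /etc/security/limits.d/30-disable-coredump.conf` would match the file's style and also stop a failed fetch from being installed. Whether an `unpriv` helper exists in this script is not visible from the hunk.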
@@ -68,7 +68,10 @@ sudo dracut -f
 sudo sysctl -p
 sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=isolation_force efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off'
 
-# Systemd hardening
+# Disable coredump
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
+
+# Systemd Hardening
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 
diff --git a/Ubuntu-22.04-Server.sh b/Ubuntu-22.04-Server.sh
index 2b76784..78a3c90 100644
--- a/Ubuntu-22.04-Server.sh
+++ b/Ubuntu-22.04-Server.sh
@@ -83,6 +83,9 @@ sudo sysctl -p
 # Rebuild initramfs
 sudo update-initramfs -u
 
+# Disable coredump
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
+
 # Update GRUB config
 if [ ! -d /boot/efi/EFI/ZBM ]; then
 echo 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=isolation_force efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off"' | sudo tee -a /etc/grub.d/40_custom
diff --git a/Ubuntu-23.10-Desktop.sh b/Ubuntu-23.10-Desktop.sh
index a00997d..d5cb40a 100644
--- a/Ubuntu-23.10-Desktop.sh
+++ b/Ubuntu-23.10-Desktop.sh
@@ -84,6 +84,9 @@ sudo sysctl -p
 # Rebuild initramfs
 sudo update-initramfs -u
 
+# Disable coredump
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
+
 # Update GRUB config
 echo 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=isolation_force efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off"' | sudo tee -a /etc/grub.d/40_custom
 sudo update-grub
diff --git a/etc/security/limits.d/30-disable-coredump.conf b/etc/security/limits.d/30-disable-coredump.conf
new file mode 100644
index 0000000..527b136
--- /dev/null
+++ b/etc/security/limits.d/30-disable-coredump.conf
@@ -0,0 +1 @@
+* hard core 0
\ No newline at end of file
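Review bot: `* hard core 0` does not cover root: limits.conf(5) states that wildcard and group entries are not applied to the root user, so a second line `root hard core 0` is needed if processes running as root should be included. The file also ends without a newline (`\ No newline at end of file`); pam_limits accepts that as far as I know, but the `tee` in the scripts installs the bytes verbatim, so adding the trailing newline here keeps the deployed file conventional. Note that a hard core limit of 0 governs the kernel's own core file write; on systemd hosts where `kernel.core_pattern` pipes to a helper the limit is handed to that helper, so this entry complements rather than replaces the `fs.suid_dumpable` / `kernel.core_pattern` sysctls — presumably provided by the security-misc files the scripts install, which I cannot confirm from this diff.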