From 85ada77f4cc4d2218922f0166963892060fa5a38 Mon Sep 17 00:00:00 2001 From: Tommy Date: Tue, 22 Aug 2023 17:46:56 -0700 Subject: [PATCH] Consistency fix --- GCP-Debian-11.sh | 6 +++++- RHEL-Server-9.sh | 17 ++++++++++++++--- Ubuntu-22.04-Desktop.sh | 14 ++++++-------- Ubuntu-22.04-Server.sh | 22 ++++++++++++---------- 4 files changed, 37 insertions(+), 22 deletions(-) diff --git a/GCP-Debian-11.sh b/GCP-Debian-11.sh index a31f184..2143704 100644 --- a/GCP-Debian-11.sh +++ b/GCP-Debian-11.sh @@ -11,9 +11,9 @@ sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' { # Update and install packages sudo apt update sudo apt upgrade -y -sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw # Setup ufw +sudo apt install ufw -y sudo ufw enable sudo ufw allow 22/tcp @@ -42,6 +42,9 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s echo "* hard core 0" | tee -a /etc/security/limits.conf # Setup unbound + +sudo apt instal unbound resolvconf -y + echo 'server: trust-anchor-signaling: yes root-key-sentinel: yes @@ -112,6 +115,7 @@ sudo systemctl restart unbound sudo systemctl disable --now systemd-resolved # Setup tuned +sudo dnf install tuned -y sudo tuned-adm profile virtual-guest # Enable fstrim.timer diff --git a/RHEL-Server-9.sh b/RHEL-Server-9.sh index be0ade9..c1ea57d 100644 --- a/RHEL-Server-9.sh +++ b/RHEL-Server-9.sh @@ -49,10 +49,10 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s sudo systemctl daemon-reload sudo systemctl restart irqbalance -# Install packages -sudo dnf install tuned unbound yara -y - # Setup unbound + +sudo dnf install unbound -y + echo 'server: chroot: "" 
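Review bot: In GCP-Debian-11.sh, the new `sudo apt install ufw -y` under `# Setup ufw` drops the `--no-install-recommends` flag that the removed combined install line carried, so apt now pulls in recommended packages as well. On a hardening script that widens the installed package set with no stated reason. If this is not intentional, keep the flag: `sudo apt install -y --no-install-recommends ufw`. The same applies to the install line this commit adds in the `# Setup unbound` hunk of this file.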
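Review bot: The added line `sudo apt instal unbound resolvconf -y` in the `# Setup unbound` hunk of GCP-Debian-11.sh misspells `install`, so apt rejects the command and neither package is installed now that both were taken off the combined install line. The script then writes the unbound configuration and, in the next hunk, restarts unbound and disables systemd-resolved, which would presumably leave the host without a working resolver unless the script aborts on errors (no `set -e` is visible in these hunks). The line should read `sudo apt install -y unbound resolvconf`. The same class of typo is in the `# Setup unbound` hunk of Ubuntu-22.04-Server.sh, where `sudp apt install -y unbound` should be `sudo apt install -y unbound`.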
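Review bot: `sudo dnf install tuned -y` under `# Setup tuned` in GCP-Debian-11.sh uses the RHEL package manager in a script whose other hunks all use apt. Unless dnf happens to be present on the Debian image, the command fails and the following `sudo tuned-adm profile virtual-guest` has nothing to configure. The line looks copied from RHEL-Server-9.sh and should be `sudo apt install -y tuned`.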
@@ -113,6 +113,8 @@ LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.c sudo systemctl enable --now unbound +# Setup yara +sudo dnf install -y yara sudo insights-client --collector malware-detection sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml @@ -121,7 +123,16 @@ sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-d sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf sudo systemctl enable --now dnf-automatic.timer +#Setup fwupd +sudo dnf install fwupd -y +mkdir -p /etc/systemd/system/fwupd-refresh.service.d +echo '[Service] +ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf +sudo systemctl daemon-reload +sudo systemctl enable --now fwupd-refresh.timer + # Setup tuned +sudo dnf install tuned -y sudo tuned-adm profile virtual-guest # Enable fstrim.timer diff --git a/Ubuntu-22.04-Desktop.sh b/Ubuntu-22.04-Desktop.sh index 97050f5..20bb492 100644 --- a/Ubuntu-22.04-Desktop.sh +++ b/Ubuntu-22.04-Desktop.sh @@ -3,10 +3,13 @@ #Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead ##The script assumes you already have Ubuntu Pro activated -# Compliance +#Compliance and updates sudo ua enable usg +sudo apt update -y +sudo apt full-upgrade -y sudo apt install -y usg -sudo usg fix cis_level2_workstation +sudo apt autoremove -y +sudo usg fix cis_level2_server # Remove AIDE sudo apt purge -y aide* 
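Review bot: In the new `#Setup fwupd` block of RHEL-Server-9.sh, `mkdir -p /etc/systemd/system/fwupd-refresh.service.d` and the `| tee /etc/systemd/system/fwupd-refresh.service.d/override.conf` after it run without `sudo`, unlike the other privileged commands in the hunk. When the script is run by an unprivileged user with sudo rights, both fail, the drop-in is never written, and `fwupd-refresh.timer` is enabled without the `fwupdmgr update` step. Use `sudo mkdir -p /etc/systemd/system/fwupd-refresh.service.d` and `| sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf`, as the unbound override in this file already does. The same unprivileged pair appears as context lines in the fwupd hunk of Ubuntu-22.04-Server.sh.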
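Review bot: The changed last line of the compliance block in Ubuntu-22.04-Desktop.sh, `sudo usg fix cis_level2_server`, replaces `cis_level2_workstation` in the desktop script, which looks like a copy from Ubuntu-22.04-Server.sh rather than an intended change. The two CIS profiles are distinct, so this applies the server benchmark to a workstation. Unless that is deliberate, restore `sudo usg fix cis_level2_workstation`, or add a comment saying why the server profile is wanted. The install line here also no longer includes `curl`, which the block removed in the next hunk used to install; if the script calls curl outside the visible hunks, use `sudo apt install -y usg curl`.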
@@ -21,12 +24,6 @@ sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs echo "umask 077" | sudo tee --append /etc/profile -# Update and install packages -sudo apt update -y -sudo apt full-upgrade -y -sudo apt install -y curl -sudo apt autoremove -y - # Setup NTS sudo systemctl disable systemd-timesyncd sudo apt install -y chrony @@ -116,4 +113,5 @@ EOF sudo systemctl restart NetworkManager # Enable fstrim.timer +sudo apt install tuned -y sudo systemctl enable --now fstrim.timer \ No newline at end of file diff --git a/Ubuntu-22.04-Server.sh b/Ubuntu-22.04-Server.sh index e88862e..0663317 100644 --- a/Ubuntu-22.04-Server.sh +++ b/Ubuntu-22.04-Server.sh @@ -3,24 +3,20 @@ #Meant to be run on Ubuntu Pro Minimal #The script assumes you already have Ubuntu Pro activated -#Compliance +#Compliance and updates sudo ua enable usg -sudo apt install -y usg +sudo apt update -y +sudo apt full-upgrade -y +sudo apt install -y usg curl libpam-pwquality +sudo apt autoremove -y sudo usg fix cis_level2_server # Remove AIDE sudo apt purge -y aide* -# Update and install packages -sudo apt update -y -sudo apt full-upgrade -y -sudo apt install -y curl fwupd libpam-pwquality tuned unbound -sudo apt autoremove -y - # Setup NTS -sudo systemctl disable systemd-timesyncd +sudo systemctl disable --now systemd-timesyncd sudo apt install -y chrony -rm -rf /etc/chrony/chrony.conf sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf sudo systemctl restart chronyd @@ -41,6 +37,9 @@ sudo systemctl daemon-reload sudo systemctl restart sshd # Setup unbound + +sudp apt install -y unbound + echo 'server: trust-anchor-signaling: yes root-key-sentinel: yes 
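Review bot: `sudo apt install tuned -y` is added under the `# Enable fstrim.timer` comment at the end of Ubuntu-22.04-Desktop.sh, and nothing in the hunk selects a tuned profile. The line therefore adds a package, and presumably its daemon, to the desktop without configuring it. If tuned is wanted here, give it its own `# Setup tuned` section with a `tuned-adm profile` call as the server scripts have; otherwise drop the line. The file also still ends without a trailing newline.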
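Review bot: In the `# Setup NTS` part of the first Ubuntu-22.04-Server.sh hunk, the unchanged `sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf` writes whatever the `main` branch serves at run time straight into the time-sync configuration. There is no `--fail` and no integrity check, so an HTTP error body or a later upstream change is written as root and then loaded by `sudo systemctl restart chronyd`. Pin the URL to a reviewed commit and fail on HTTP errors, for example `sudo curl --fail --proto '=https' -o /etc/chrony/chrony.conf https://raw.githubusercontent.com/GrapheneOS/infrastructure/REVIEWED_COMMIT/chrony.conf`, where REVIEWED_COMMIT is a placeholder for the commit you audited. Comparing the download against a recorded SHA-256 before it replaces the config would close the remaining gap.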
@@ -123,6 +122,8 @@ sudo systemctl stop whoopsie.service sudo systemctl disable whoopsie.service sudo systemctl mask whoopsie.service +#Setup fwupd +sudo apt install fwupd -y mkdir -p /etc/systemd/system/fwupd-refresh.service.d echo '[Service] ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf @@ -130,6 +131,7 @@ sudo systemctl daemon-reload sudo systemctl enable --now fwupd-refresh.timer # Setup tuned +sudo apt install tuned -y sudo tuned-adm profile virtual-guest # Enable fstrim.timer