Improved consistency across distros

2024-11-08 11:11:34 -05:00 · 2023-08-16 03:22:28 -07:00 · 2023-08-16 03:22:28 -07:00 · 8ae830a175
commit 8ae830a175
parent 59723e61eb
7 changed files with 204 additions and 165 deletions
--- a/Fedora-Workstation-38.sh
+++ b/Fedora-Workstation-38.sh
@ -13,44 +13,53 @@ output(){
    echo -e '\e[36m'$1'\e[0m';
 }
-#Moving to the home directory
+# Moving to the home directory
 #Note that I always use /home/${USER} because gnome-terminal is wacky and sometimes doesn't load the environment variables in correctly (Right click somewhere in nautilus, click on open in terminal, then hit create new tab and you will see.)
 cd /home/"${USER}" || exit
-#Setting umask to 077
+# Setting umask to 077
 umask 077
 sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
 echo "umask 077" | sudo tee -a /etc/bashrc
-#Make home directory private
+# Make home directory private
 chmod 700 /home/*
-#Security kernel settings
+# Setup NTS
 sudo rm -rf /etc/chrony/chrony.conf
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
 echo '# Command-line options for chronyd
 OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
 sudo systemctl restart chronyd
 # Setup Firewalld
 sudo firewall-cmd --permanent --remove-port=1025-65535/udp
 sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
 sudo firewall-cmd --permanent --remove-service=mdns
 sudo firewall-cmd --permanent --remove-service=ssh
 sudo firewall-cmd --permanent --remove-service=samba-client
 sudo firewall-cmd --reload
 # Harden SSH
 echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
 echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 # Security kernel settings
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
-#Systemd Hardening
+# Systemd Hardening
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 sudo mkdir -p /etc/systemd/system/irqbalance.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
 sudo mkdir -p /etc/systemd/system/sshd.service.d
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/limits.conf
-echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
+sudo systemctl restart NetworkManager
-echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
+sudo systemctl restart irqbalance
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 #Setup NTS
 sudo rm -rf /etc/chrony/chrony.conf
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
 echo '# Command-line options for chronyd
 OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
 sudo systemctl restart chronyd
 # Disable automount
 echo '[org/gnome/desktop/media-handling]
@ -62,27 +71,19 @@ org/gnome/desktop/media-handling/automount-open' | sudo tee /etc/dconf/db/local.
 sudo dconf update
-#Setup Firewalld
+# Speed up DNF
 sudo firewall-cmd --permanent --remove-port=1025-65535/udp
 sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
 sudo firewall-cmd --permanent --remove-service=mdns
 sudo firewall-cmd --permanent --remove-service=ssh
 sudo firewall-cmd --permanent --remove-service=samba-client
 sudo firewall-cmd --reload
 #Speed up DNF
 echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf
 echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf
 echo 'countme=false' | sudo tee -a /etc/dnf/dnf.conf
-#Update packages and firmware
+# Update packages and firmware
 sudo dnf upgrade -y
 sudo fwupdmgr get-devices
 sudo fwupdmgr refresh --force
 sudo fwupdmgr get-updates -y
 sudo fwupdmgr update -y
-#Remove unneeded packages
+# Remove unneeded packages
 sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem \
    #Network + hardware tools
    cups nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio \
@ -106,16 +107,19 @@ sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-files
    #other
    lvm2 rng-tools thermald *perl* yajl
-#Disable openh264 repo
+# Disable openh264 repo
 sudo dnf config-manager --set-disabled fedora-cisco-openh264 -y
-#Install packages that I use
+# Install packages that I use
-sudo dnf -y install gnome-console git-core flat-remix-theme gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo gnome-shell-extension-dash-to-dock gnome-shell-extension-no-overview
+sudo dnf -y install gnome-console git-core flat-remix-theme gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo gnome-shell-extension-dash-to-dock gnome-shell-extension-no-overview tuned
-#Enable auto TRIM
+# Setup tuned
 sudo tuned-adm profile latency-performance
 # Enable auto TRIM
 sudo systemctl enable fstrim.timer
-#Setup BTRFS layout and Timeshift
+# Setup BTRFS layout and Timeshift
 sudo mkdir /btrfs_pool
 sudo mount -o subvolid=5 /dev/mapper/${PARTITIONID} /btrfs_pool
 sudo mv /btrfs_pool/root /btrfs_pool/@
@ -127,7 +131,7 @@ sudo echo "UUID=${PARTITIONUUID} /btrfs_pool             btrfs   subvolid=5,ssd,
 sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
 sudo dnf -y install timeshift
-#Randomize MAC address
+# andomize MAC address
 sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
 [device]
 wifi.scan-rand-mac-address=yes
@ -137,7 +141,7 @@ wifi.cloned-mac-address=random
 ethernet.cloned-mac-address=random
 EOF
-#Disable transient hostname
+# Disable transient hostname
 sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
 [main]
 hostname-mode=none
--- a/GCP-Debian-11-Docker.sh
+++ b/GCP-Debian-11-Docker.sh
@ -16,6 +16,3 @@ sudo apt update
 sudo apt -y --no-install-recommends install runsc
 sudo runsc install
 sudo systemctl restart docker
 # Enable fstrim.timer
 sudo systemctl enable --now fstrim.timer
--- a/GCP-Debian-11.sh
+++ b/GCP-Debian-11.sh
@ -1,24 +1,47 @@
 #!/bin/bash
-echo 'GSSAPIAuthentication no
+# Setup NTS
-VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
+sudo rm -rf /etc/chrony/chrony.conf
-sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
-sudo sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
+sudo systemctl restart chronyd
 sudo systemctl restart sshd
 # Setup repositories
 sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {} \;
 # Update and install packages
 sudo apt update
 sudo apt upgrade -y
 sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
 # Setup ufw
 sudo ufw enable
 sudo ufw allow 22/tcp
-#Setup tuned
+# Harden SSH
-sudo tuned-adm profile virtual-guest
+echo 'GSSAPIAuthentication no
 VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 sudo sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
 sudo mkdir -p /etc/systemd/system/sshd.service.d
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
 sudo systemctl daemon-reload
 sudo systemctl restart sshd
-#Setup unbound
+# Kernel Hardening
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 echo "* hard core 0" | tee -a /etc/security/limits.conf
 # Setup unbound
 echo 'server:
  trust-anchor-signaling: yes
  root-key-sentinel: yes
@ -88,24 +111,8 @@ sudo systemctl daemon-reload
 sudo systemctl restart unbound
 sudo systemctl disable --now systemd-resolved
-sudo mkdir -p /etc/systemd/system/sshd.service.d
+# Setup tuned
-sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
+sudo tuned-adm profile virtual-guest
 sudo rm -rf /etc/chrony/chrony.conf
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
 sudo systemctl restart chronyd
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 echo "* hard core 0" | tee -a /etc/security/limits.conf
 # Enable fstrim.timer
 sudo ystemctl enable --now fstrim.timer
--- a/Proxmox-8.sh
+++ b/Proxmox-8.sh
@ -2,15 +2,23 @@
 # You need to add either the non-subscription repo or the testing repo from the Proxmox WebUI after running this script.
 # Setup NTS
 rm -rf /etc/chrony/chrony.conf
 curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
 systemctl restart chronyd
 # Harden SSH
 echo 'GSSAPIAuthentication no
 VerifyHostKeyDNS yes' | tee /etc/ssh/ssh_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
 sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
 mkdir -p /etc/systemd/system/sshd.service.d
-curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
+curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
 systemctl daemon-reload
 systemctl restart sshd
 # Setup repositories
 sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list
 echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free
@ -22,21 +30,17 @@ deb https://security.debian.org bookworm-security main contrib non-free
 deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list
 # Update and install packages
 apt update
 apt upgrade -y
 apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs
 tuned-adm profile virtual-host
 rm -rf /etc/chrony/chrony.conf
 curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
 systemctl restart chronyd
 ### This part assumes that you are using systemd-boot
 echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline
 proxmox-boot-tool refresh
 ###
 # Kernel hardening
 curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
@ -50,6 +54,8 @@ echo "* hard core 0" | tee -a /etc/security/limits.conf
 sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
 # Setup automatic updates
 mkdir -p /etc/systemd/system/pve-daily-update.service.d
 echo '[Service]
 ExecStart=/usr/bin/pveupgrade' | tee /etc/systemd/system/pve-daily-update.service.d/override.conf
@ -67,5 +73,8 @@ sed -Ezi.bak "s/(Ext.Msg.show\(\{\s+title: gettext\('No valid sub)/void\(\{ \/\/
 systemctl restart pveproxy.service
 # Setup tuned
 tuned-adm profile virtual-host
 # Enable fstrim.timer
 systemctl enable --now fstrim.timer
--- a/RHEL-Server-9.sh
+++ b/RHEL-Server-9.sh
@ -1,6 +1,20 @@
 #!/bin/bash
 #Assuming that you are using ANSSI-BP-028
 # Setup NTS
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
 echo '# Command-line options for chronyd
 OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
 sudo systemctl restart chronyd
 # Setup Firewalld
 sudo firewall-cmd --permanent --remove-service=cockpit
 sudo firewall-cmd --reload
 # Harden SSH
 mkdir -p /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
 echo 'GSSAPIAuthentication no
 VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
@ -8,11 +22,37 @@ sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 echo 'X11Forwarding no
 GSSAPIAuthentication no
 PasswordAuthentication no' | sudo tee /etc/ssh/sshd_config.d/10-custom.conf
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
 sudo systemctl daemon-reload
 sudo systemctl restart sshd
-sudo dnf install tuned unbound yara -y
+# Kernel hardening
 sudo tuned-adm profile virtual-guest
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
 sudo sysctl -p
 # Systemd hardening
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 sudo systemctl daemon-reload
 sudo systemctl restart NetworkManager
 sudo mkdir -p /etc/systemd/system/irqbalance.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
 sudo systemctl daemon-reload
 sudo systemctl restart irqbalance
 # Install packages
 sudo dnf install tuned unbound yara -y
 # Setup unbound
 echo 'server:
  chroot: ""
@ -73,44 +113,16 @@ LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.c
 sudo systemctl enable --now unbound
 sudo mkdir -p /etc/systemd/system/sshd.service.d
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
 sudo systemctl restart sshd
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
 echo '# Command-line options for chronyd
 OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
 sudo systemctl restart chronyd
 sudo insights-client --collector malware-detection
 sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
+# Setup automatic updates
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
 sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
 sudo sysctl -p
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 sudo systemctl daemon-reload
 sudo systemctl restart NetworkManager
 sudo mkdir -p /etc/systemd/system/irqbalance.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
 sudo systemctl daemon-reload
 sudo systemctl restart irqbalance
 sudo firewall-cmd --permanent --remove-service=cockpit
 sudo firewall-cmd --reload
 sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
 sudo systemctl enable --now dnf-automatic.timer
 # Setup tuned
 sudo tuned-adm profile virtual-guest
 # Enable fstrim.timer
 sudo systemctl enable --now fstrim.timer
--- a/Ubuntu-22.04-Desktop.sh
+++ b/Ubuntu-22.04-Desktop.sh
@ -4,49 +4,57 @@
 #Customize it to your liking
 #Run this script as your admin user, NOT root
-#Compliance
+# Compliance
 sudo ua enable usg
 sudo apt install -y usg
 sudo usg fix cis_level2_workstation
-#Allow su which is disabled by CIS 
+# Remove AIDE
 sudo apt purge -y aide*
 # Allow su which is disabled by CIS 
 sudo sed -i 's/auth required pam_wheel.so use_uid group=sugroup//g' /etc/pam.d/su
-#Setting umask to 077
+# Setting umask to 077
 umask 077
 sudo sed -ie '/^DIR_MODE=/ s/=[0-9]*\+/=0700/' /etc/adduser.conf
 sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
 sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
 echo "umask 077" | sudo tee --append /etc/profile
-#Make sure the system has curl (minimal installs do not include it)
+# Make sure the system has curl (minimal installs do not include it)
 sudo apt install -y curl
-#Security kernel settings
+# Setup NTS
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
 #Systemd Hardening
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 sudo mkdir -p /etc/systemd/system/irqbalance.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
 sudo mkdir -p /etc/systemd/system/sshd.service.d
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
 echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
 echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 #Setup NTS
 sudo systemctl disable systemd-timesyncd
 sudo apt install -y chrony
 rm -rf /etc/chrony/chrony.conf
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
 sudo systemctl restart chronyd
 # Setup UFW
 #UFW Snap is strictly confined, unlike its .deb counterpart
 sudo apt purge -y ufw
 sudo snap install ufw
 sudo ufw enable
 # Harden SSH
 echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
 echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 # Kernel hardening
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
 # Systemd Hardening
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 sudo mkdir -p /etc/systemd/system/irqbalance.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
 # Disable automount
 sudo mkdir -p /etc/dconf/db/local.d/locks/
@ -60,13 +68,7 @@ org/gnome/desktop/media-handling/automount-open' | sudo tee /etc/dconf/db/local.
 sudo dconf update
-#Setup UFW
+# Disable crash reports
 #UFW Snap is strictly confined, unlike its .deb counterpart
 sudo apt purge -y ufw
 sudo snap install ufw
 sudo ufw enable
 #Disable crash reports
 echo '[com/ubuntu/update-notifier]
 show-apport-crashes=false' | sudo tee /etc/dconf/db/local.d/disable-apport-crashes
@ -82,7 +84,7 @@ sudo systemctl stop whoopsie.service
 sudo systemctl disable whoopsie.service
 sudo systemctl mask whoopsie.service
-#Update packages and firmware
+# Update packages and firmware
 sudo apt update -y
 sudo apt full-upgrade -y
 sudo fwupdmgr get-devices
@ -90,16 +92,16 @@ sudo fwupdmgr refresh --force
 sudo fwupdmgr get-updates -y
 sudo fwupdmgr update -y
-#Remove unneeded packages
+# Remove unneeded packages
 sudo apt purge -y cups* eog gedit firefox* gnome-calculator gnome-characters* gnome-font-viewer gnome-logs gnome-power-manager gnome-shell-extension-prefs seahorse tcpdump whoopsie
 sudo apt autoremove -y
 sudo snap remove firefox
-#Install packages that I use
+# Install packages that I use
 sudo apt install -y git-core gnome-text-editor
 sudo snap install eog
-#Randomize MAC address
+# Randomize MAC address
 sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
 [device]
 wifi.scan-rand-mac-address=yes
--- a/Ubuntu-22.04-Server.sh
+++ b/Ubuntu-22.04-Server.sh
@ -7,15 +7,38 @@ sudo ua enable usg
 sudo apt install -y usg
 sudo usg fix cis_level2_server
-#Install packages
+# Remove AIDE
 sudo apt purge -y aide*
 # Update and install packages
 sudo apt update -y
 sudo apt full-upgrade -y
 sudo apt install -y curl fwupd libpam-pwquality tuned unbound
-#Setup tuned
+# Setup NTS
-sudo tuned-adm profile virtual-guest
+sudo systemctl disable systemd-timesyncd
 sudo apt install -y chrony
 rm -rf /etc/chrony/chrony.conf
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
 sudo systemctl restart chronyd
-#Setup unbound
+# Setup UFW
 # UFW Snap is strictly confined, unlike its .deb counterpart
 sudo apt purge -y ufw
 sudo snap install ufw
 sudo ufw enable
 sudo ufw allow 22
 # Harden SSH
 echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
 echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 sudo mkdir -p /etc/systemd/system/sshd.service.d
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
 sudo systemctl daemon-reload
 sudo systemctl restart sshd
 # Setup unbound
 echo 'server:
  trust-anchor-signaling: yes
  root-key-sentinel: yes
@ -85,30 +108,12 @@ sudo systemctl daemon-reload
 sudo systemctl restart unbound
 sudo systemctl disable --now systemd-resolved
-#Security kernel settings
+# Kernel hardening
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
 echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
 echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 #Setup NTS
 sudo systemctl disable systemd-timesyncd
 sudo apt install -y chrony
 rm -rf /etc/chrony/chrony.conf
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
 sudo systemctl restart chronyd
 #Setup UFW
 #UFW Snap is strictly confined, unlike its .deb counterpart
 sudo apt purge -y ufw
 sudo snap install ufw
 sudo ufw enable
 sudo ufw allow 22
 sudo systemctl stop apport.service
 sudo systemctl disable apport.service
 sudo systemctl mask apport.service
@ -122,5 +127,8 @@ ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.serv
 sudo systemctl daemon-reload
 sudo systemctl enable --now fwupd-refresh.timer
 # Setup tuned
 sudo tuned-adm profile virtual-guest
 # Enable fstrim.timer
 sudo systemctl enable --now fstrim.timer