
Improved consistency across distros

This commit is contained in:
Tommy 2023-08-16 03:22:28 -07:00 committed by GitHub
parent 59723e61eb
commit 8ae830a175
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 204 additions and 165 deletions


@ -13,44 +13,53 @@ output(){
echo -e '\e[36m'$1'\e[0m'; echo -e '\e[36m'$1'\e[0m';
} }
#Moving to the home directory # Moving to the home directory
#Note that I always use /home/${USER} because gnome-terminal is wacky and sometimes doesn't load the environment variables in correctly (Right click somewhere in nautilus, click on open in terminal, then hit create new tab and you will see.) #Note that I always use /home/${USER} because gnome-terminal is wacky and sometimes doesn't load the environment variables in correctly (Right click somewhere in nautilus, click on open in terminal, then hit create new tab and you will see.)
cd /home/"${USER}" || exit cd /home/"${USER}" || exit
#Setting umask to 077 # Setting umask to 077
umask 077 umask 077
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
echo "umask 077" | sudo tee -a /etc/bashrc echo "umask 077" | sudo tee -a /etc/bashrc
#Make home directory private # Make home directory private
chmod 700 /home/* chmod 700 /home/*
#Security kernel settings # Setup NTS
sudo rm -rf /etc/chrony/chrony.conf
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
echo '# Command-line options for chronyd
OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
sudo systemctl restart chronyd
# Setup Firewalld
sudo firewall-cmd --permanent --remove-port=1025-65535/udp
sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
sudo firewall-cmd --permanent --remove-service=mdns
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --remove-service=samba-client
sudo firewall-cmd --reload
# Harden SSH
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
# Security kernel settings
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
#Systemd Hardening # Systemd Hardening
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo mkdir -p /etc/systemd/system/irqbalance.service.d sudo mkdir -p /etc/systemd/system/irqbalance.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo mkdir -p /etc/systemd/system/sshd.service.d
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/limits.conf
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf sudo systemctl restart NetworkManager
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf sudo systemctl restart irqbalance
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
#Setup NTS
sudo rm -rf /etc/chrony/chrony.conf
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
echo '# Command-line options for chronyd
OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
sudo systemctl restart chronyd
# Disable automount # Disable automount
echo '[org/gnome/desktop/media-handling] echo '[org/gnome/desktop/media-handling]
@ -62,27 +71,19 @@ org/gnome/desktop/media-handling/automount-open' | sudo tee /etc/dconf/db/local.
sudo dconf update sudo dconf update
#Setup Firewalld # Speed up DNF
sudo firewall-cmd --permanent --remove-port=1025-65535/udp
sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
sudo firewall-cmd --permanent --remove-service=mdns
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --remove-service=samba-client
sudo firewall-cmd --reload
#Speed up DNF
echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf
echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf
echo 'countme=false' | sudo tee -a /etc/dnf/dnf.conf echo 'countme=false' | sudo tee -a /etc/dnf/dnf.conf
#Update packages and firmware # Update packages and firmware
sudo dnf upgrade -y sudo dnf upgrade -y
sudo fwupdmgr get-devices sudo fwupdmgr get-devices
sudo fwupdmgr refresh --force sudo fwupdmgr refresh --force
sudo fwupdmgr get-updates -y sudo fwupdmgr get-updates -y
sudo fwupdmgr update -y sudo fwupdmgr update -y
#Remove unneeded packages # Remove unneeded packages
sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem \ sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem \
#Network + hardware tools #Network + hardware tools
cups nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio \ cups nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio \
@ -106,16 +107,19 @@ sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-files
#other #other
lvm2 rng-tools thermald *perl* yajl lvm2 rng-tools thermald *perl* yajl
#Disable openh264 repo # Disable openh264 repo
sudo dnf config-manager --set-disabled fedora-cisco-openh264 -y sudo dnf config-manager --set-disabled fedora-cisco-openh264 -y
#Install packages that I use # Install packages that I use
sudo dnf -y install gnome-console git-core flat-remix-theme gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo gnome-shell-extension-dash-to-dock gnome-shell-extension-no-overview sudo dnf -y install gnome-console git-core flat-remix-theme gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo gnome-shell-extension-dash-to-dock gnome-shell-extension-no-overview tuned
#Enable auto TRIM # Setup tuned
sudo tuned-adm profile latency-performance
# Enable auto TRIM
sudo systemctl enable fstrim.timer sudo systemctl enable fstrim.timer
#Setup BTRFS layout and Timeshift # Setup BTRFS layout and Timeshift
sudo mkdir /btrfs_pool sudo mkdir /btrfs_pool
sudo mount -o subvolid=5 /dev/mapper/${PARTITIONID} /btrfs_pool sudo mount -o subvolid=5 /dev/mapper/${PARTITIONID} /btrfs_pool
sudo mv /btrfs_pool/root /btrfs_pool/@ sudo mv /btrfs_pool/root /btrfs_pool/@
@ -127,7 +131,7 @@ sudo echo "UUID=${PARTITIONUUID} /btrfs_pool btrfs subvolid=5,ssd,
sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
sudo dnf -y install timeshift sudo dnf -y install timeshift
#Randomize MAC address # andomize MAC address
sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF' sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
[device] [device]
wifi.scan-rand-mac-address=yes wifi.scan-rand-mac-address=yes
@ -137,7 +141,7 @@ wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random ethernet.cloned-mac-address=random
EOF EOF
#Disable transient hostname # Disable transient hostname
sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF' sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
[main] [main]
hostname-mode=none hostname-mode=none
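Review bot: The sshd drop-in on the line `sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/limits.conf` is still saved as `limits.conf`, while the Debian, Proxmox and RHEL scripts in this same commit switch the destination to `local.conf`, so the naming inconsistency this commit sets out to remove survives in the Fedora script. The new `sudo systemctl restart NetworkManager` and `sudo systemctl restart irqbalance` lines also restart the units without a preceding `sudo systemctl daemon-reload`, and systemd does not pick up freshly written drop-ins under /etc/systemd/system until one is run, so the brace hardening is not in effect until the next reboot; the RHEL script does reload before each restart. I would change the destination to `-o /etc/systemd/system/sshd.service.d/local.conf` and insert `sudo systemctl daemon-reload` before the two restart lines. The later hunk in this file also introduces the comment typo `# andomize MAC address`, which should read `# Randomize MAC address`.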


@ -16,6 +16,3 @@ sudo apt update
sudo apt -y --no-install-recommends install runsc sudo apt -y --no-install-recommends install runsc
sudo runsc install sudo runsc install
sudo systemctl restart docker sudo systemctl restart docker
# Enable fstrim.timer
sudo systemctl enable --now fstrim.timer


@ -1,24 +1,47 @@
#!/bin/bash #!/bin/bash
echo 'GSSAPIAuthentication no # Setup NTS
VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf sudo rm -rf /etc/chrony/chrony.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
sudo sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config sudo systemctl restart chronyd
sudo systemctl restart sshd
# Setup repositories
sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {} \; sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {} \;
# Update and install packages
sudo apt update sudo apt update
sudo apt upgrade -y sudo apt upgrade -y
sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
# Setup ufw
sudo ufw enable sudo ufw enable
sudo ufw allow 22/tcp sudo ufw allow 22/tcp
#Setup tuned # Harden SSH
sudo tuned-adm profile virtual-guest echo 'GSSAPIAuthentication no
VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
sudo sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
sudo mkdir -p /etc/systemd/system/sshd.service.d
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
sudo systemctl daemon-reload
sudo systemctl restart sshd
#Setup unbound # Kernel Hardening
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
echo "* hard core 0" | tee -a /etc/security/limits.conf
# Setup unbound
echo 'server: echo 'server:
trust-anchor-signaling: yes trust-anchor-signaling: yes
root-key-sentinel: yes root-key-sentinel: yes
@ -88,24 +111,8 @@ sudo systemctl daemon-reload
sudo systemctl restart unbound sudo systemctl restart unbound
sudo systemctl disable --now systemd-resolved sudo systemctl disable --now systemd-resolved
sudo mkdir -p /etc/systemd/system/sshd.service.d # Setup tuned
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf sudo tuned-adm profile virtual-guest
sudo rm -rf /etc/chrony/chrony.conf
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
sudo systemctl restart chronyd
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
echo "* hard core 0" | tee -a /etc/security/limits.conf
# Enable fstrim.timer # Enable fstrim.timer
sudo ystemctl enable --now fstrim.timer sudo ystemctl enable --now fstrim.timer
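Review bot: The line `echo "* hard core 0" | tee -a /etc/security/limits.conf` in the new "Kernel Hardening" block runs `tee` without sudo, unlike every other privileged write in this script (which is commented as being run by an unprivileged admin account in the sibling Ubuntu script); on such an account tee fails with a permission error, the pipeline's status is ignored, and the core-dump limit is never applied. The fix is `echo "* hard core 0" | sudo tee -a /etc/security/limits.conf`. Note also that the sysctl drop-ins downloaded just above are not loaded in this script, whereas the RHEL script runs sysctl after downloading them; adding `sudo sysctl --system` after the last curl would make the settings take effect without a reboot. The pre-existing context line `sudo ystemctl enable --now fstrim.timer` at the end of the file is still misspelled and would be worth fixing while this file is being touched.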


@ -2,15 +2,23 @@
# You need to add either the non-subscription repo or the testing repo from the Proxmox WebUI after running this script. # You need to add either the non-subscription repo or the testing repo from the Proxmox WebUI after running this script.
# Setup NTS
rm -rf /etc/chrony/chrony.conf
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
systemctl restart chronyd
# Harden SSH
echo 'GSSAPIAuthentication no echo 'GSSAPIAuthentication no
VerifyHostKeyDNS yes' | tee /etc/ssh/ssh_config.d/10-custom.conf VerifyHostKeyDNS yes' | tee /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
mkdir -p /etc/systemd/system/sshd.service.d mkdir -p /etc/systemd/system/sshd.service.d
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
systemctl daemon-reload
systemctl restart sshd systemctl restart sshd
# Setup repositories
sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list
echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free
@ -22,21 +30,17 @@ deb https://security.debian.org bookworm-security main contrib non-free
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list
# Update and install packages
apt update apt update
apt upgrade -y apt upgrade -y
apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs
tuned-adm profile virtual-host
rm -rf /etc/chrony/chrony.conf
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
systemctl restart chronyd
### This part assumes that you are using systemd-boot ### This part assumes that you are using systemd-boot
echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline
proxmox-boot-tool refresh proxmox-boot-tool refresh
### ###
# Kernel hardening
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
@ -50,6 +54,8 @@ echo "* hard core 0" | tee -a /etc/security/limits.conf
sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
# Setup automatic updates
mkdir -p /etc/systemd/system/pve-daily-update.service.d mkdir -p /etc/systemd/system/pve-daily-update.service.d
echo '[Service] echo '[Service]
ExecStart=/usr/bin/pveupgrade' | tee /etc/systemd/system/pve-daily-update.service.d/override.conf ExecStart=/usr/bin/pveupgrade' | tee /etc/systemd/system/pve-daily-update.service.d/override.conf
@ -67,5 +73,8 @@ sed -Ezi.bak "s/(Ext.Msg.show\(\{\s+title: gettext\('No valid sub)/void\(\{ \/\/
systemctl restart pveproxy.service systemctl restart pveproxy.service
# Setup tuned
tuned-adm profile virtual-host
# Enable fstrim.timer # Enable fstrim.timer
systemctl enable --now fstrim.timer systemctl enable --now fstrim.timer
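Review bot: The new NTS block does `rm -rf /etc/chrony/chrony.conf` and then a bare `curl ... -o /etc/chrony/chrony.conf` before restarting chronyd; curl without `-f` treats an HTTP error as success and writes the error body to the destination, and a network failure leaves no file at all, so on a bad download chronyd is restarted with a missing or garbage config and the script carries on. The same pattern applies to every config fetched from raw.githubusercontent.com and gitlab.com in this script, all of them unpinned `main`/`master` branch URLs written as root with no integrity check, which is a supply-chain exposure a reader should at least be warned about. I would replace the two lines with `curl -fsSL https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf || exit 1` and add a comment such as `# NOTE: these configs are fetched unpinned from upstream branches and trusted as-is; review diffs before re-running` above the first fetch.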


@ -1,6 +1,20 @@
#!/bin/bash #!/bin/bash
#Assuming that you are using ANSSI-BP-028 #Assuming that you are using ANSSI-BP-028
# Setup NTS
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
echo '# Command-line options for chronyd
OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
sudo systemctl restart chronyd
# Setup Firewalld
sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload
# Harden SSH
mkdir -p /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d mkdir -p /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
echo 'GSSAPIAuthentication no echo 'GSSAPIAuthentication no
VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
@ -8,11 +22,37 @@ sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
echo 'X11Forwarding no echo 'X11Forwarding no
GSSAPIAuthentication no GSSAPIAuthentication no
PasswordAuthentication no' | sudo tee /etc/ssh/sshd_config.d/10-custom.conf PasswordAuthentication no' | sudo tee /etc/ssh/sshd_config.d/10-custom.conf
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
sudo systemctl daemon-reload
sudo systemctl restart sshd sudo systemctl restart sshd
sudo dnf install tuned unbound yara -y # Kernel hardening
sudo tuned-adm profile virtual-guest
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
sudo sysctl -p
# Systemd hardening
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart NetworkManager
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart irqbalance
# Install packages
sudo dnf install tuned unbound yara -y
# Setup unbound
echo 'server: echo 'server:
chroot: "" chroot: ""
@ -73,44 +113,16 @@ LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.c
sudo systemctl enable --now unbound sudo systemctl enable --now unbound
sudo mkdir -p /etc/systemd/system/sshd.service.d
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
sudo systemctl restart sshd
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
echo '# Command-line options for chronyd
OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
sudo systemctl restart chronyd
sudo insights-client --collector malware-detection sudo insights-client --collector malware-detection
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf # Setup automatic updates
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
sudo sysctl -p
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart NetworkManager
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart irqbalance
sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer sudo systemctl enable --now dnf-automatic.timer
# Setup tuned
sudo tuned-adm profile virtual-guest
# Enable fstrim.timer # Enable fstrim.timer
sudo systemctl enable --now fstrim.timer sudo systemctl enable --now fstrim.timer
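Review bot: The new line `sudo curl ... -o /etc/systemd/system/sshd.service.d/local.conf` in the "Harden SSH" block writes into a directory that the old code created with `sudo mkdir -p /etc/systemd/system/sshd.service.d`, but that mkdir is removed and nothing on the new side of either hunk recreates it, so on a host where the drop-in directory does not already exist curl fails to open the output file and the following daemon-reload and sshd restart run without the limits. Unless the directory is created somewhere outside these hunks, add `sudo mkdir -p /etc/systemd/system/sshd.service.d` directly before the curl, as the Debian and Proxmox scripts in this commit do. Separately, the `sudo sysctl -p` after the sysctl.d downloads only reads /etc/sysctl.conf; `sudo sysctl --system` is what loads the /etc/sysctl.d drop-ins that were just written.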


@ -4,49 +4,57 @@
#Customize it to your liking #Customize it to your liking
#Run this script as your admin user, NOT root #Run this script as your admin user, NOT root
#Compliance # Compliance
sudo ua enable usg sudo ua enable usg
sudo apt install -y usg sudo apt install -y usg
sudo usg fix cis_level2_workstation sudo usg fix cis_level2_workstation
#Allow su which is disabled by CIS # Remove AIDE
sudo apt purge -y aide*
# Allow su which is disabled by CIS
sudo sed -i 's/auth required pam_wheel.so use_uid group=sugroup//g' /etc/pam.d/su sudo sed -i 's/auth required pam_wheel.so use_uid group=sugroup//g' /etc/pam.d/su
#Setting umask to 077 # Setting umask to 077
umask 077 umask 077
sudo sed -ie '/^DIR_MODE=/ s/=[0-9]*\+/=0700/' /etc/adduser.conf sudo sed -ie '/^DIR_MODE=/ s/=[0-9]*\+/=0700/' /etc/adduser.conf
sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
echo "umask 077" | sudo tee --append /etc/profile echo "umask 077" | sudo tee --append /etc/profile
#Make sure the system has curl (minimal installs do not include it) # Make sure the system has curl (minimal installs do not include it)
sudo apt install -y curl sudo apt install -y curl
#Security kernel settings # Setup NTS
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
#Systemd Hardening
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo mkdir -p /etc/systemd/system/sshd.service.d
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
#Setup NTS
sudo systemctl disable systemd-timesyncd sudo systemctl disable systemd-timesyncd
sudo apt install -y chrony sudo apt install -y chrony
rm -rf /etc/chrony/chrony.conf rm -rf /etc/chrony/chrony.conf
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
sudo systemctl restart chronyd sudo systemctl restart chronyd
# Setup UFW
#UFW Snap is strictly confined, unlike its .deb counterpart
sudo apt purge -y ufw
sudo snap install ufw
sudo ufw enable
# Harden SSH
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
# Kernel hardening
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
# Systemd Hardening
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
# Disable automount # Disable automount
sudo mkdir -p /etc/dconf/db/local.d/locks/ sudo mkdir -p /etc/dconf/db/local.d/locks/
@ -60,13 +68,7 @@ org/gnome/desktop/media-handling/automount-open' | sudo tee /etc/dconf/db/local.
sudo dconf update sudo dconf update
#Setup UFW # Disable crash reports
#UFW Snap is strictly confined, unlike its .deb counterpart
sudo apt purge -y ufw
sudo snap install ufw
sudo ufw enable
#Disable crash reports
echo '[com/ubuntu/update-notifier] echo '[com/ubuntu/update-notifier]
show-apport-crashes=false' | sudo tee /etc/dconf/db/local.d/disable-apport-crashes show-apport-crashes=false' | sudo tee /etc/dconf/db/local.d/disable-apport-crashes
@ -82,7 +84,7 @@ sudo systemctl stop whoopsie.service
sudo systemctl disable whoopsie.service sudo systemctl disable whoopsie.service
sudo systemctl mask whoopsie.service sudo systemctl mask whoopsie.service
#Update packages and firmware # Update packages and firmware
sudo apt update -y sudo apt update -y
sudo apt full-upgrade -y sudo apt full-upgrade -y
sudo fwupdmgr get-devices sudo fwupdmgr get-devices
@ -90,16 +92,16 @@ sudo fwupdmgr refresh --force
sudo fwupdmgr get-updates -y sudo fwupdmgr get-updates -y
sudo fwupdmgr update -y sudo fwupdmgr update -y
#Remove unneeded packages # Remove unneeded packages
sudo apt purge -y cups* eog gedit firefox* gnome-calculator gnome-characters* gnome-font-viewer gnome-logs gnome-power-manager gnome-shell-extension-prefs seahorse tcpdump whoopsie sudo apt purge -y cups* eog gedit firefox* gnome-calculator gnome-characters* gnome-font-viewer gnome-logs gnome-power-manager gnome-shell-extension-prefs seahorse tcpdump whoopsie
sudo apt autoremove -y sudo apt autoremove -y
sudo snap remove firefox sudo snap remove firefox
#Install packages that I use # Install packages that I use
sudo apt install -y git-core gnome-text-editor sudo apt install -y git-core gnome-text-editor
sudo snap install eog sudo snap install eog
#Randomize MAC address # Randomize MAC address
sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF' sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
[device] [device]
wifi.scan-rand-mac-address=yes wifi.scan-rand-mac-address=yes


@ -7,15 +7,38 @@ sudo ua enable usg
sudo apt install -y usg sudo apt install -y usg
sudo usg fix cis_level2_server sudo usg fix cis_level2_server
#Install packages # Remove AIDE
sudo apt purge -y aide*
# Update and install packages
sudo apt update -y sudo apt update -y
sudo apt full-upgrade -y sudo apt full-upgrade -y
sudo apt install -y curl fwupd libpam-pwquality tuned unbound sudo apt install -y curl fwupd libpam-pwquality tuned unbound
#Setup tuned # Setup NTS
sudo tuned-adm profile virtual-guest sudo systemctl disable systemd-timesyncd
sudo apt install -y chrony
rm -rf /etc/chrony/chrony.conf
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
sudo systemctl restart chronyd
#Setup unbound # Setup UFW
# UFW Snap is strictly confined, unlike its .deb counterpart
sudo apt purge -y ufw
sudo snap install ufw
sudo ufw enable
sudo ufw allow 22
# Harden SSH
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
sudo mkdir -p /etc/systemd/system/sshd.service.d
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
sudo systemctl daemon-reload
sudo systemctl restart sshd
# Setup unbound
echo 'server: echo 'server:
trust-anchor-signaling: yes trust-anchor-signaling: yes
root-key-sentinel: yes root-key-sentinel: yes
@ -85,30 +108,12 @@ sudo systemctl daemon-reload
sudo systemctl restart unbound sudo systemctl restart unbound
sudo systemctl disable --now systemd-resolved sudo systemctl disable --now systemd-resolved
#Security kernel settings # Kernel hardening
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
#Setup NTS
sudo systemctl disable systemd-timesyncd
sudo apt install -y chrony
rm -rf /etc/chrony/chrony.conf
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
sudo systemctl restart chronyd
#Setup UFW
#UFW Snap is strictly confined, unlike its .deb counterpart
sudo apt purge -y ufw
sudo snap install ufw
sudo ufw enable
sudo ufw allow 22
sudo systemctl stop apport.service sudo systemctl stop apport.service
sudo systemctl disable apport.service sudo systemctl disable apport.service
sudo systemctl mask apport.service sudo systemctl mask apport.service
@ -122,5 +127,8 @@ ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.serv
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer sudo systemctl enable --now fwupd-refresh.timer
# Setup tuned
sudo tuned-adm profile virtual-guest
# Enable fstrim.timer # Enable fstrim.timer
sudo systemctl enable --now fstrim.timer sudo systemctl enable --now fstrim.timer
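Review bot: In the `# Setup UFW` block of the first hunk, `sudo ufw enable` runs before `sudo ufw allow 22`, so on a host provisioned over SSH the firewall is active with no SSH rule until the following line runs, and `ufw enable` also prompts for confirmation when it detects an SSH session, which stalls a non-interactive script; swapping the lines to `sudo ufw allow 22` followed by `sudo ufw --force enable` avoids both. The `sudo curl ... -o` downloads in the same hunk (chrony.conf and the sshd drop-in) carry no `--fail`, so an HTTP error page is written into the target file with exit status 0 and `systemctl restart sshd` / `systemctl restart chronyd` then run against it; `curl -fsS ... || exit 1` before the restarts would keep a bad download from taking down sshd. `rm -rf /etc/chrony/chrony.conf` is the only command in the block without `sudo`, so it fails silently for a non-root user and the stale file is left for curl to overwrite. The missing `--fail` also applies to the four downloads in the `# Kernel hardening` hunk.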