Improved consistency across distros
This commit is contained in:
parent
59723e61eb
commit
8ae830a175
@ -13,44 +13,53 @@ output(){
|
|||||||
echo -e '\e[36m'$1'\e[0m';
|
echo -e '\e[36m'$1'\e[0m';
|
||||||
}
|
}
|
||||||
|
|
||||||
#Moving to the home directory
|
# Moving to the home directory
|
||||||
#Note that I always use /home/${USER} because gnome-terminal is wacky and sometimes doesn't load the environment variables in correctly (Right click somewhere in nautilus, click on open in terminal, then hit create new tab and you will see.)
|
#Note that I always use /home/${USER} because gnome-terminal is wacky and sometimes doesn't load the environment variables in correctly (Right click somewhere in nautilus, click on open in terminal, then hit create new tab and you will see.)
|
||||||
cd /home/"${USER}" || exit
|
cd /home/"${USER}" || exit
|
||||||
|
|
||||||
#Setting umask to 077
|
# Setting umask to 077
|
||||||
umask 077
|
umask 077
|
||||||
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
||||||
echo "umask 077" | sudo tee -a /etc/bashrc
|
echo "umask 077" | sudo tee -a /etc/bashrc
|
||||||
|
|
||||||
#Make home directory private
|
# Make home directory private
|
||||||
chmod 700 /home/*
|
chmod 700 /home/*
|
||||||
|
|
||||||
#Security kernel settings
|
# Setup NTS
|
||||||
|
sudo rm -rf /etc/chrony/chrony.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
||||||
|
echo '# Command-line options for chronyd
|
||||||
|
OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
|
||||||
|
|
||||||
|
sudo systemctl restart chronyd
|
||||||
|
|
||||||
|
# Setup Firewalld
|
||||||
|
sudo firewall-cmd --permanent --remove-port=1025-65535/udp
|
||||||
|
sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
|
||||||
|
sudo firewall-cmd --permanent --remove-service=mdns
|
||||||
|
sudo firewall-cmd --permanent --remove-service=ssh
|
||||||
|
sudo firewall-cmd --permanent --remove-service=samba-client
|
||||||
|
sudo firewall-cmd --reload
|
||||||
|
|
||||||
|
# Harden SSH
|
||||||
|
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
|
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
|
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
|
|
||||||
|
# Security kernel settings
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||||
|
|
||||||
#Systemd Hardening
|
# Systemd Hardening
|
||||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
|
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
|
||||||
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
||||||
sudo mkdir -p /etc/systemd/system/sshd.service.d
|
|
||||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/limits.conf
|
|
||||||
|
|
||||||
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
sudo systemctl restart NetworkManager
|
||||||
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
sudo systemctl restart irqbalance
|
||||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
|
||||||
|
|
||||||
#Setup NTS
|
|
||||||
sudo rm -rf /etc/chrony/chrony.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
|
||||||
|
|
||||||
echo '# Command-line options for chronyd
|
|
||||||
OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
|
|
||||||
|
|
||||||
sudo systemctl restart chronyd
|
|
||||||
|
|
||||||
# Disable automount
|
# Disable automount
|
||||||
echo '[org/gnome/desktop/media-handling]
|
echo '[org/gnome/desktop/media-handling]
|
||||||
@ -62,27 +71,19 @@ org/gnome/desktop/media-handling/automount-open' | sudo tee /etc/dconf/db/local.
|
|||||||
|
|
||||||
sudo dconf update
|
sudo dconf update
|
||||||
|
|
||||||
#Setup Firewalld
|
# Speed up DNF
|
||||||
sudo firewall-cmd --permanent --remove-port=1025-65535/udp
|
|
||||||
sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
|
|
||||||
sudo firewall-cmd --permanent --remove-service=mdns
|
|
||||||
sudo firewall-cmd --permanent --remove-service=ssh
|
|
||||||
sudo firewall-cmd --permanent --remove-service=samba-client
|
|
||||||
sudo firewall-cmd --reload
|
|
||||||
|
|
||||||
#Speed up DNF
|
|
||||||
echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf
|
echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf
|
||||||
echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf
|
echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf
|
||||||
echo 'countme=false' | sudo tee -a /etc/dnf/dnf.conf
|
echo 'countme=false' | sudo tee -a /etc/dnf/dnf.conf
|
||||||
|
|
||||||
#Update packages and firmware
|
# Update packages and firmware
|
||||||
sudo dnf upgrade -y
|
sudo dnf upgrade -y
|
||||||
sudo fwupdmgr get-devices
|
sudo fwupdmgr get-devices
|
||||||
sudo fwupdmgr refresh --force
|
sudo fwupdmgr refresh --force
|
||||||
sudo fwupdmgr get-updates -y
|
sudo fwupdmgr get-updates -y
|
||||||
sudo fwupdmgr update -y
|
sudo fwupdmgr update -y
|
||||||
|
|
||||||
#Remove unneeded packages
|
# Remove unneeded packages
|
||||||
sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem \
|
sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem \
|
||||||
#Network + hardware tools
|
#Network + hardware tools
|
||||||
cups nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio \
|
cups nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio \
|
||||||
@ -106,16 +107,19 @@ sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-files
|
|||||||
#other
|
#other
|
||||||
lvm2 rng-tools thermald *perl* yajl
|
lvm2 rng-tools thermald *perl* yajl
|
||||||
|
|
||||||
#Disable openh264 repo
|
# Disable openh264 repo
|
||||||
sudo dnf config-manager --set-disabled fedora-cisco-openh264 -y
|
sudo dnf config-manager --set-disabled fedora-cisco-openh264 -y
|
||||||
|
|
||||||
#Install packages that I use
|
# Install packages that I use
|
||||||
sudo dnf -y install gnome-console git-core flat-remix-theme gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo gnome-shell-extension-dash-to-dock gnome-shell-extension-no-overview
|
sudo dnf -y install gnome-console git-core flat-remix-theme gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo gnome-shell-extension-dash-to-dock gnome-shell-extension-no-overview tuned
|
||||||
|
|
||||||
#Enable auto TRIM
|
# Setup tuned
|
||||||
|
sudo tuned-adm profile latency-performance
|
||||||
|
|
||||||
|
# Enable auto TRIM
|
||||||
sudo systemctl enable fstrim.timer
|
sudo systemctl enable fstrim.timer
|
||||||
|
|
||||||
#Setup BTRFS layout and Timeshift
|
# Setup BTRFS layout and Timeshift
|
||||||
sudo mkdir /btrfs_pool
|
sudo mkdir /btrfs_pool
|
||||||
sudo mount -o subvolid=5 /dev/mapper/${PARTITIONID} /btrfs_pool
|
sudo mount -o subvolid=5 /dev/mapper/${PARTITIONID} /btrfs_pool
|
||||||
sudo mv /btrfs_pool/root /btrfs_pool/@
|
sudo mv /btrfs_pool/root /btrfs_pool/@
|
||||||
@ -127,7 +131,7 @@ sudo echo "UUID=${PARTITIONUUID} /btrfs_pool btrfs subvolid=5,ssd,
|
|||||||
sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
|
sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
|
||||||
sudo dnf -y install timeshift
|
sudo dnf -y install timeshift
|
||||||
|
|
||||||
#Randomize MAC address
|
# andomize MAC address
|
||||||
sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
|
sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
|
||||||
[device]
|
[device]
|
||||||
wifi.scan-rand-mac-address=yes
|
wifi.scan-rand-mac-address=yes
|
||||||
@ -137,7 +141,7 @@ wifi.cloned-mac-address=random
|
|||||||
ethernet.cloned-mac-address=random
|
ethernet.cloned-mac-address=random
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
#Disable transient hostname
|
# Disable transient hostname
|
||||||
sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
|
sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
|
||||||
[main]
|
[main]
|
||||||
hostname-mode=none
|
hostname-mode=none
|
||||||
|
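Review bot: The `# Disable transient hostname` heredoc in the last hunk (`sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'`) targets the same file the `# Randomize MAC address` block wrote a few lines earlier, so `[main]` / `hostname-mode=none` replaces the `wifi.cloned-mac-address=random` and `ethernet.cloned-mac-address=random` settings; give it its own drop-in, e.g. `sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-hostname-mode.conf' <<-'EOF'` (that heredoc's body continues past the hunk). The renamed heading in the `-127,7` hunk lost its first letter: `# andomize MAC address` should read `# Randomize MAC address`. In the first hunk the new `sudo systemctl restart NetworkManager` and `sudo systemctl restart irqbalance` follow freshly downloaded drop-ins without a `sudo systemctl daemon-reload`, which the server and RHEL scripts in this commit do run before restarting; add it before the two restarts. The `# Setup NTS` block runs `sudo rm -rf /etc/chrony/chrony.conf` before `sudo curl ... -o /etc/chrony/chrony.conf`, so a failed download leaves chronyd restarting with no config or with an HTTP error body as its config; dropping the `rm -rf` (curl -o overwrites) and adding `--fail` to the curl closes that gap, and the same pattern appears in the server and Proxmox sections. Every fetched config also comes from a moving `main`/`master` branch with no integrity check, so pinning those URLs to a commit would make the hardening reproducible and reviewable.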
@ -15,7 +15,4 @@ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gviso
|
|||||||
sudo apt update
|
sudo apt update
|
||||||
sudo apt -y --no-install-recommends install runsc
|
sudo apt -y --no-install-recommends install runsc
|
||||||
sudo runsc install
|
sudo runsc install
|
||||||
sudo systemctl restart docker
|
sudo systemctl restart docker
|
||||||
|
|
||||||
# Enable fstrim.timer
|
|
||||||
sudo systemctl enable --now fstrim.timer
|
|
@ -1,24 +1,47 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
echo 'GSSAPIAuthentication no
|
# Setup NTS
|
||||||
VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
sudo rm -rf /etc/chrony/chrony.conf
|
||||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
||||||
sudo sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
|
sudo systemctl restart chronyd
|
||||||
sudo systemctl restart sshd
|
|
||||||
|
|
||||||
|
# Setup repositories
|
||||||
sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {} \;
|
sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {} \;
|
||||||
|
|
||||||
|
# Update and install packages
|
||||||
sudo apt update
|
sudo apt update
|
||||||
sudo apt upgrade -y
|
sudo apt upgrade -y
|
||||||
sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
|
sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
|
||||||
|
|
||||||
|
# Setup ufw
|
||||||
sudo ufw enable
|
sudo ufw enable
|
||||||
sudo ufw allow 22/tcp
|
sudo ufw allow 22/tcp
|
||||||
|
|
||||||
#Setup tuned
|
# Harden SSH
|
||||||
sudo tuned-adm profile virtual-guest
|
echo 'GSSAPIAuthentication no
|
||||||
|
VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
|
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
|
sudo sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
|
||||||
|
sudo mkdir -p /etc/systemd/system/sshd.service.d
|
||||||
|
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart sshd
|
||||||
|
|
||||||
#Setup unbound
|
# Kernel Hardening
|
||||||
|
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
||||||
|
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
|
||||||
|
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
|
||||||
|
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||||
|
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
|
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
|
|
||||||
|
echo "* hard core 0" | tee -a /etc/security/limits.conf
|
||||||
|
|
||||||
|
# Setup unbound
|
||||||
echo 'server:
|
echo 'server:
|
||||||
trust-anchor-signaling: yes
|
trust-anchor-signaling: yes
|
||||||
root-key-sentinel: yes
|
root-key-sentinel: yes
|
||||||
@ -88,24 +111,8 @@ sudo systemctl daemon-reload
|
|||||||
sudo systemctl restart unbound
|
sudo systemctl restart unbound
|
||||||
sudo systemctl disable --now systemd-resolved
|
sudo systemctl disable --now systemd-resolved
|
||||||
|
|
||||||
sudo mkdir -p /etc/systemd/system/sshd.service.d
|
# Setup tuned
|
||||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
|
sudo tuned-adm profile virtual-guest
|
||||||
|
|
||||||
sudo rm -rf /etc/chrony/chrony.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
|
||||||
sudo systemctl restart chronyd
|
|
||||||
|
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
|
||||||
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
|
|
||||||
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
|
|
||||||
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
|
||||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
|
||||||
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
|
||||||
|
|
||||||
echo "* hard core 0" | tee -a /etc/security/limits.conf
|
|
||||||
|
|
||||||
# Enable fstrim.timer
|
# Enable fstrim.timer
|
||||||
sudo ystemctl enable --now fstrim.timer
|
sudo ystemctl enable --now fstrim.timer
|
||||||
|
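Review bot: `sudo ystemctl enable --now fstrim.timer` at the end of the last hunk is misspelled on both sides of the diff, so the timer is never enabled and that line fails with `command not found`; it should read `sudo systemctl enable --now fstrim.timer`. `echo "* hard core 0" | tee -a /etc/security/limits.conf` in the `-1,24 +1,47` hunk is the only privileged write in this file without `sudo`, so for the non-root user the rest of the script implies it fails with permission denied, and `tee -a` appends a duplicate line on every re-run. The new `# Kernel Hardening` block downloads and edits files under `/etc/sysctl.d` but never loads them, so the settings only take effect after a reboot; add `sudo sysctl --system` after the last `sed` (plain `sysctl -p`, as used in the RHEL script, reads only `/etc/sysctl.conf`). `sudo ufw enable` also precedes `sudo ufw allow 22/tcp`, which on a remote host blocks new SSH connections until the next line runs; swapping the two lines avoids that window.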
23
Proxmox-8.sh
23
Proxmox-8.sh
@ -2,15 +2,23 @@
|
|||||||
|
|
||||||
# You need to add either the non-subscription repo or the testing repo from the Proxmox WebUI after running this script.
|
# You need to add either the non-subscription repo or the testing repo from the Proxmox WebUI after running this script.
|
||||||
|
|
||||||
|
# Setup NTS
|
||||||
|
rm -rf /etc/chrony/chrony.conf
|
||||||
|
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
||||||
|
systemctl restart chronyd
|
||||||
|
|
||||||
|
# Harden SSH
|
||||||
echo 'GSSAPIAuthentication no
|
echo 'GSSAPIAuthentication no
|
||||||
VerifyHostKeyDNS yes' | tee /etc/ssh/ssh_config.d/10-custom.conf
|
VerifyHostKeyDNS yes' | tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
|
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
|
||||||
sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
|
sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
|
||||||
mkdir -p /etc/systemd/system/sshd.service.d
|
mkdir -p /etc/systemd/system/sshd.service.d
|
||||||
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
|
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
|
||||||
|
systemctl daemon-reload
|
||||||
systemctl restart sshd
|
systemctl restart sshd
|
||||||
|
|
||||||
|
# Setup repositories
|
||||||
sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list
|
sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list
|
||||||
|
|
||||||
echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free
|
echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free
|
||||||
@ -22,21 +30,17 @@ deb https://security.debian.org bookworm-security main contrib non-free
|
|||||||
|
|
||||||
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list
|
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list
|
||||||
|
|
||||||
|
# Update and install packages
|
||||||
apt update
|
apt update
|
||||||
apt upgrade -y
|
apt upgrade -y
|
||||||
apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs
|
apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs
|
||||||
|
|
||||||
tuned-adm profile virtual-host
|
|
||||||
|
|
||||||
rm -rf /etc/chrony/chrony.conf
|
|
||||||
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
|
||||||
systemctl restart chronyd
|
|
||||||
|
|
||||||
### This part assumes that you are using systemd-boot
|
### This part assumes that you are using systemd-boot
|
||||||
echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline
|
echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline
|
||||||
proxmox-boot-tool refresh
|
proxmox-boot-tool refresh
|
||||||
###
|
###
|
||||||
|
|
||||||
|
# Kernel hardening
|
||||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
||||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
||||||
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
|
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
|
||||||
@ -50,6 +54,8 @@ echo "* hard core 0" | tee -a /etc/security/limits.conf
|
|||||||
|
|
||||||
sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
|
sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
# Setup automatic updates
|
||||||
|
|
||||||
mkdir -p /etc/systemd/system/pve-daily-update.service.d
|
mkdir -p /etc/systemd/system/pve-daily-update.service.d
|
||||||
echo '[Service]
|
echo '[Service]
|
||||||
ExecStart=/usr/bin/pveupgrade' | tee /etc/systemd/system/pve-daily-update.service.d/override.conf
|
ExecStart=/usr/bin/pveupgrade' | tee /etc/systemd/system/pve-daily-update.service.d/override.conf
|
||||||
@ -67,5 +73,8 @@ sed -Ezi.bak "s/(Ext.Msg.show\(\{\s+title: gettext\('No valid sub)/void\(\{ \/\/
|
|||||||
|
|
||||||
systemctl restart pveproxy.service
|
systemctl restart pveproxy.service
|
||||||
|
|
||||||
|
# Setup tuned
|
||||||
|
tuned-adm profile virtual-host
|
||||||
|
|
||||||
# Enable fstrim.timer
|
# Enable fstrim.timer
|
||||||
systemctl enable --now fstrim.timer
|
systemctl enable --now fstrim.timer
|
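Review bot: `deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription` in the `-22,21 +30,17` hunk keeps plain http while the Debian and security lines in the same heredoc use https; apt's signature check still protects package integrity, but the metadata fetch and the package list are observable and tamperable in transit before that check runs, so change it to `deb https://download.proxmox.com/debian/pve bookworm pve-no-subscription` if the mirror serves TLS. The `echo -e "spectre_v2=on ... $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline` line in the same hunk is not idempotent: every run prepends the full parameter list again, so guard it with a check such as `grep -q 'randomize_kstack_offset=on' /etc/kernel/cmdline ||` before the echo. `sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf` in the first hunk is the only `sudo` in a script that otherwise runs as root, which the commit's consistency goal argues for dropping. The new `# Setup NTS` block also removes `/etc/chrony/chrony.conf` before fetching its replacement without `curl --fail`, the same issue raised on the first section of this commit.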
@ -1,6 +1,20 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
#Assuming that you are using ANSSI-BP-028
|
#Assuming that you are using ANSSI-BP-028
|
||||||
|
|
||||||
|
# Setup NTS
|
||||||
|
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
|
||||||
|
|
||||||
|
echo '# Command-line options for chronyd
|
||||||
|
OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
|
||||||
|
|
||||||
|
sudo systemctl restart chronyd
|
||||||
|
|
||||||
|
# Setup Firewalld
|
||||||
|
|
||||||
|
sudo firewall-cmd --permanent --remove-service=cockpit
|
||||||
|
sudo firewall-cmd --reload
|
||||||
|
|
||||||
|
# Harden SSH
|
||||||
mkdir -p /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
|
mkdir -p /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
|
||||||
echo 'GSSAPIAuthentication no
|
echo 'GSSAPIAuthentication no
|
||||||
VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
@ -8,11 +22,37 @@ sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
|||||||
echo 'X11Forwarding no
|
echo 'X11Forwarding no
|
||||||
GSSAPIAuthentication no
|
GSSAPIAuthentication no
|
||||||
PasswordAuthentication no' | sudo tee /etc/ssh/sshd_config.d/10-custom.conf
|
PasswordAuthentication no' | sudo tee /etc/ssh/sshd_config.d/10-custom.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl restart sshd
|
sudo systemctl restart sshd
|
||||||
|
|
||||||
sudo dnf install tuned unbound yara -y
|
# Kernel hardening
|
||||||
sudo tuned-adm profile virtual-guest
|
|
||||||
|
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
||||||
|
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
|
||||||
|
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
|
||||||
|
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||||
|
sudo sysctl -p
|
||||||
|
|
||||||
|
# Systemd hardening
|
||||||
|
|
||||||
|
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
|
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart NetworkManager
|
||||||
|
|
||||||
|
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
|
||||||
|
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart irqbalance
|
||||||
|
|
||||||
|
# Install packages
|
||||||
|
sudo dnf install tuned unbound yara -y
|
||||||
|
|
||||||
|
# Setup unbound
|
||||||
echo 'server:
|
echo 'server:
|
||||||
chroot: ""
|
chroot: ""
|
||||||
|
|
||||||
@ -73,44 +113,16 @@ LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.c
|
|||||||
|
|
||||||
sudo systemctl enable --now unbound
|
sudo systemctl enable --now unbound
|
||||||
|
|
||||||
sudo mkdir -p /etc/systemd/system/sshd.service.d
|
|
||||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
|
|
||||||
sudo systemctl restart sshd
|
|
||||||
|
|
||||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
|
|
||||||
|
|
||||||
echo '# Command-line options for chronyd
|
|
||||||
OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
|
|
||||||
|
|
||||||
sudo systemctl restart chronyd
|
|
||||||
|
|
||||||
sudo insights-client --collector malware-detection
|
sudo insights-client --collector malware-detection
|
||||||
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
|
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
|
||||||
|
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
# Setup automatic updates
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
|
||||||
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
|
|
||||||
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
|
|
||||||
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
|
||||||
sudo sysctl -p
|
|
||||||
|
|
||||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
|
||||||
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
|
||||||
sudo systemctl daemon-reload
|
|
||||||
sudo systemctl restart NetworkManager
|
|
||||||
|
|
||||||
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
|
|
||||||
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
|
||||||
sudo systemctl daemon-reload
|
|
||||||
sudo systemctl restart irqbalance
|
|
||||||
|
|
||||||
sudo firewall-cmd --permanent --remove-service=cockpit
|
|
||||||
sudo firewall-cmd --reload
|
|
||||||
|
|
||||||
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
|
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
|
||||||
sudo systemctl enable --now dnf-automatic.timer
|
sudo systemctl enable --now dnf-automatic.timer
|
||||||
|
|
||||||
|
# Setup tuned
|
||||||
|
sudo tuned-adm profile virtual-guest
|
||||||
|
|
||||||
# Enable fstrim.timer
|
# Enable fstrim.timer
|
||||||
sudo systemctl enable --now fstrim.timer
|
sudo systemctl enable --now fstrim.timer
|
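Review bot: `sudo curl ... -o /etc/systemd/system/sshd.service.d/local.conf` in the `-8,11 +22,37` hunk no longer has a `sudo mkdir -p /etc/systemd/system/sshd.service.d` before it (the old one was removed in the `-73,44` hunk), so on a fresh system curl cannot open the output file and the sshd drop-in is never installed; re-add the `mkdir -p` the way the server script in this commit does. `sudo sysctl -p` in the same hunk reads only `/etc/sysctl.conf`, not the files just downloaded into `/etc/sysctl.d`, so the kernel hardening does not apply until reboot; use `sudo sysctl --system`. `mkdir -p /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d` in the first hunk is the only privileged command in the file without `sudo`, and presumably fails for the non-root user the rest of the script's `sudo` usage implies.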
@ -4,49 +4,57 @@
|
|||||||
#Customize it to your liking
|
#Customize it to your liking
|
||||||
#Run this script as your admin user, NOT root
|
#Run this script as your admin user, NOT root
|
||||||
|
|
||||||
#Compliance
|
# Compliance
|
||||||
sudo ua enable usg
|
sudo ua enable usg
|
||||||
sudo apt install -y usg
|
sudo apt install -y usg
|
||||||
sudo usg fix cis_level2_workstation
|
sudo usg fix cis_level2_workstation
|
||||||
|
|
||||||
#Allow su which is disabled by CIS
|
# Remove AIDE
|
||||||
|
sudo apt purge -y aide*
|
||||||
|
|
||||||
|
# Allow su which is disabled by CIS
|
||||||
sudo sed -i 's/auth required pam_wheel.so use_uid group=sugroup//g' /etc/pam.d/su
|
sudo sed -i 's/auth required pam_wheel.so use_uid group=sugroup//g' /etc/pam.d/su
|
||||||
|
|
||||||
#Setting umask to 077
|
# Setting umask to 077
|
||||||
umask 077
|
umask 077
|
||||||
sudo sed -ie '/^DIR_MODE=/ s/=[0-9]*\+/=0700/' /etc/adduser.conf
|
sudo sed -ie '/^DIR_MODE=/ s/=[0-9]*\+/=0700/' /etc/adduser.conf
|
||||||
sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
|
sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
|
||||||
sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
|
sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
|
||||||
echo "umask 077" | sudo tee --append /etc/profile
|
echo "umask 077" | sudo tee --append /etc/profile
|
||||||
|
|
||||||
#Make sure the system has curl (minimal installs do not include it)
|
# Make sure the system has curl (minimal installs do not include it)
|
||||||
sudo apt install -y curl
|
sudo apt install -y curl
|
||||||
|
|
||||||
#Security kernel settings
|
# Setup NTS
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
|
||||||
|
|
||||||
#Systemd Hardening
|
|
||||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
|
||||||
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
|
||||||
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
|
|
||||||
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
|
||||||
sudo mkdir -p /etc/systemd/system/sshd.service.d
|
|
||||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
|
|
||||||
|
|
||||||
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
|
||||||
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
|
||||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
|
||||||
|
|
||||||
#Setup NTS
|
|
||||||
sudo systemctl disable systemd-timesyncd
|
sudo systemctl disable systemd-timesyncd
|
||||||
sudo apt install -y chrony
|
sudo apt install -y chrony
|
||||||
rm -rf /etc/chrony/chrony.conf
|
rm -rf /etc/chrony/chrony.conf
|
||||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
||||||
sudo systemctl restart chronyd
|
sudo systemctl restart chronyd
|
||||||
|
|
||||||
|
# Setup UFW
|
||||||
|
#UFW Snap is strictly confined, unlike its .deb counterpart
|
||||||
|
sudo apt purge -y ufw
|
||||||
|
sudo snap install ufw
|
||||||
|
sudo ufw enable
|
||||||
|
|
||||||
|
# Harden SSH
|
||||||
|
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
|
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
|
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
|
|
||||||
|
# Kernel hardening
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||||
|
|
||||||
|
# Systemd Hardening
|
||||||
|
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
|
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
|
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
|
||||||
|
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
||||||
|
|
||||||
# Disable automount
|
# Disable automount
|
||||||
|
|
||||||
sudo mkdir -p /etc/dconf/db/local.d/locks/
|
sudo mkdir -p /etc/dconf/db/local.d/locks/
|
||||||
@ -60,13 +68,7 @@ org/gnome/desktop/media-handling/automount-open' | sudo tee /etc/dconf/db/local.
|
|||||||
|
|
||||||
sudo dconf update
|
sudo dconf update
|
||||||
|
|
||||||
#Setup UFW
|
# Disable crash reports
|
||||||
#UFW Snap is strictly confined, unlike its .deb counterpart
|
|
||||||
sudo apt purge -y ufw
|
|
||||||
sudo snap install ufw
|
|
||||||
sudo ufw enable
|
|
||||||
|
|
||||||
#Disable crash reports
|
|
||||||
echo '[com/ubuntu/update-notifier]
|
echo '[com/ubuntu/update-notifier]
|
||||||
show-apport-crashes=false' | sudo tee /etc/dconf/db/local.d/disable-apport-crashes
|
show-apport-crashes=false' | sudo tee /etc/dconf/db/local.d/disable-apport-crashes
|
||||||
|
|
||||||
@ -82,7 +84,7 @@ sudo systemctl stop whoopsie.service
|
|||||||
sudo systemctl disable whoopsie.service
|
sudo systemctl disable whoopsie.service
|
||||||
sudo systemctl mask whoopsie.service
|
sudo systemctl mask whoopsie.service
|
||||||
|
|
||||||
#Update packages and firmware
|
# Update packages and firmware
|
||||||
sudo apt update -y
|
sudo apt update -y
|
||||||
sudo apt full-upgrade -y
|
sudo apt full-upgrade -y
|
||||||
sudo fwupdmgr get-devices
|
sudo fwupdmgr get-devices
|
||||||
@ -90,16 +92,16 @@ sudo fwupdmgr refresh --force
|
|||||||
sudo fwupdmgr get-updates -y
|
sudo fwupdmgr get-updates -y
|
||||||
sudo fwupdmgr update -y
|
sudo fwupdmgr update -y
|
||||||
|
|
||||||
#Remove unneeded packages
|
# Remove unneeded packages
|
||||||
sudo apt purge -y cups* eog gedit firefox* gnome-calculator gnome-characters* gnome-font-viewer gnome-logs gnome-power-manager gnome-shell-extension-prefs seahorse tcpdump whoopsie
|
sudo apt purge -y cups* eog gedit firefox* gnome-calculator gnome-characters* gnome-font-viewer gnome-logs gnome-power-manager gnome-shell-extension-prefs seahorse tcpdump whoopsie
|
||||||
sudo apt autoremove -y
|
sudo apt autoremove -y
|
||||||
sudo snap remove firefox
|
sudo snap remove firefox
|
||||||
|
|
||||||
#Install packages that I use
|
# Install packages that I use
|
||||||
sudo apt install -y git-core gnome-text-editor
|
sudo apt install -y git-core gnome-text-editor
|
||||||
sudo snap install eog
|
sudo snap install eog
|
||||||
|
|
||||||
#Randomize MAC address
|
# Randomize MAC address
|
||||||
sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
|
sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
|
||||||
[device]
|
[device]
|
||||||
wifi.scan-rand-mac-address=yes
|
wifi.scan-rand-mac-address=yes
|
||||||
|
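Review bot: The `# Kernel hardening` and `# Systemd Hardening` downloads (`sudo curl https://... -o /etc/sysctl.d/...`, `... -o /etc/modprobe.d/...`, `... -o /etc/systemd/system/...`) run without `--fail`, so an HTTP error page or a truncated response is written as root into sysctl.d/modprobe.d and systemd drop-ins and applied on the next boot, and nothing pins or verifies what is pulled from third-party `master`/`main` branches. Each fetch should be `sudo curl -fsSL --proto '=https' --tlsv1.2 "$url" -o "$dest" || exit 1`, ideally pinned to a commit and checked against a known digest before it lands in /etc. Separately, the new `sudo apt purge -y aide*` under `# Remove AIDE` should be quoted (`sudo apt purge -y 'aide*'`) so the shell cannot glob it against files in the working directory; since the preceding `usg fix cis_level2_workstation` appears to be what installs AIDE for file-integrity checking, a one-line comment stating why it is removed would help the next reader.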
@ -7,15 +7,38 @@ sudo ua enable usg
|
|||||||
sudo apt install -y usg
|
sudo apt install -y usg
|
||||||
sudo usg fix cis_level2_server
|
sudo usg fix cis_level2_server
|
||||||
|
|
||||||
#Install packages
|
# Remove AIDE
|
||||||
|
sudo apt purge -y aide*
|
||||||
|
|
||||||
|
# Update and install packages
|
||||||
sudo apt update -y
|
sudo apt update -y
|
||||||
sudo apt full-upgrade -y
|
sudo apt full-upgrade -y
|
||||||
sudo apt install -y curl fwupd libpam-pwquality tuned unbound
|
sudo apt install -y curl fwupd libpam-pwquality tuned unbound
|
||||||
|
|
||||||
#Setup tuned
|
# Setup NTS
|
||||||
sudo tuned-adm profile virtual-guest
|
sudo systemctl disable systemd-timesyncd
|
||||||
|
sudo apt install -y chrony
|
||||||
|
rm -rf /etc/chrony/chrony.conf
|
||||||
|
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
||||||
|
sudo systemctl restart chronyd
|
||||||
|
|
||||||
#Setup unbound
|
# Setup UFW
|
||||||
|
# UFW Snap is strictly confined, unlike its .deb counterpart
|
||||||
|
sudo apt purge -y ufw
|
||||||
|
sudo snap install ufw
|
||||||
|
sudo ufw enable
|
||||||
|
sudo ufw allow 22
|
||||||
|
|
||||||
|
# Harden SSH
|
||||||
|
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
|
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
|
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
|
sudo mkdir -p /etc/systemd/system/sshd.service.d
|
||||||
|
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart sshd
|
||||||
|
|
||||||
|
# Setup unbound
|
||||||
echo 'server:
|
echo 'server:
|
||||||
trust-anchor-signaling: yes
|
trust-anchor-signaling: yes
|
||||||
root-key-sentinel: yes
|
root-key-sentinel: yes
|
||||||
@ -85,30 +108,12 @@ sudo systemctl daemon-reload
|
|||||||
sudo systemctl restart unbound
|
sudo systemctl restart unbound
|
||||||
sudo systemctl disable --now systemd-resolved
|
sudo systemctl disable --now systemd-resolved
|
||||||
|
|
||||||
#Security kernel settings
|
# Kernel hardening
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||||
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||||
|
|
||||||
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
|
||||||
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
|
||||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
|
||||||
|
|
||||||
#Setup NTS
|
|
||||||
sudo systemctl disable systemd-timesyncd
|
|
||||||
sudo apt install -y chrony
|
|
||||||
rm -rf /etc/chrony/chrony.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
|
||||||
sudo systemctl restart chronyd
|
|
||||||
|
|
||||||
#Setup UFW
|
|
||||||
#UFW Snap is strictly confined, unlike its .deb counterpart
|
|
||||||
sudo apt purge -y ufw
|
|
||||||
sudo snap install ufw
|
|
||||||
sudo ufw enable
|
|
||||||
sudo ufw allow 22
|
|
||||||
|
|
||||||
sudo systemctl stop apport.service
|
sudo systemctl stop apport.service
|
||||||
sudo systemctl disable apport.service
|
sudo systemctl disable apport.service
|
||||||
sudo systemctl mask apport.service
|
sudo systemctl mask apport.service
|
||||||
@ -122,5 +127,8 @@ ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.serv
|
|||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl enable --now fwupd-refresh.timer
|
sudo systemctl enable --now fwupd-refresh.timer
|
||||||
|
|
||||||
|
# Setup tuned
|
||||||
|
sudo tuned-adm profile virtual-guest
|
||||||
|
|
||||||
# Enable fstrim.timer
|
# Enable fstrim.timer
|
||||||
sudo systemctl enable --now fstrim.timer
|
sudo systemctl enable --now fstrim.timer
|
||||||
|
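Review bot: The new `# Harden SSH` step fetches `sshd.service.d/local.conf` without `--fail` and then runs `sudo systemctl daemon-reload` and `sudo systemctl restart sshd`; on a headless server a 404 or partial response becomes a malformed drop-in that can leave sshd down and lock the admin out. Use `sudo curl -fsSL --proto '=https' --tlsv1.2 "$url" -o /etc/systemd/system/sshd.service.d/local.conf || exit 1` so the restart only happens after a successful download, and follow the restart with `sudo systemctl is-active sshd` to fail loudly if it did not come back. In `# Setup UFW`, `sudo ufw allow 22` should precede `sudo ufw enable` and be narrowed to `22/tcp` (or `sudo ufw limit 22/tcp`) so no new SSH connection is refused while the policy is being applied. `rm -rf /etc/chrony/chrony.conf` runs without `sudo`, so for the non-root admin user these scripts are presumably meant to run as it fails (harmlessly, since the following `curl -o` overwrites the file); drop it or make it `sudo rm -f -- /etc/chrony/chrony.conf`.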