Improved consistency across distros

Fedora-Workstation-38.sh

@@ -13,44 +13,53 @@ output(){
     echo -e '\e[36m'$1'\e[0m';
 }
 
-#Moving to the home directory
+# Moving to the home directory
 #Note that I always use /home/${USER} because gnome-terminal is wacky and sometimes doesn't load the environment variables in correctly (Right click somewhere in nautilus, click on open in terminal, then hit create new tab and you will see.)
 cd /home/"${USER}" || exit
 
-#Setting umask to 077
+# Setting umask to 077
 umask 077
 sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
 echo "umask 077" | sudo tee -a /etc/bashrc
 
-#Make home directory private
+# Make home directory private
 chmod 700 /home/*
 
-#Security kernel settings
+# Setup NTS
+sudo rm -rf /etc/chrony/chrony.conf
+sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
+echo '# Command-line options for chronyd
+OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
+
+sudo systemctl restart chronyd
+
+# Setup Firewalld
+sudo firewall-cmd --permanent --remove-port=1025-65535/udp
+sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
+sudo firewall-cmd --permanent --remove-service=mdns
+sudo firewall-cmd --permanent --remove-service=ssh
+sudo firewall-cmd --permanent --remove-service=samba-client
+sudo firewall-cmd --reload
+
+# Harden SSH
+echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
+echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
+sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+
+# Security kernel settings
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
 
-#Systemd Hardening
+# Systemd Hardening
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 sudo mkdir -p /etc/systemd/system/irqbalance.service.d
 sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
-sudo mkdir -p /etc/systemd/system/sshd.service.d
-sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/limits.conf
 
-echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
+sudo systemctl restart NetworkManager
-echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
+sudo systemctl restart irqbalance
-sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
-
-#Setup NTS
-sudo rm -rf /etc/chrony/chrony.conf
-sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
-
-echo '# Command-line options for chronyd
-OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
-
-sudo systemctl restart chronyd
 
 # Disable automount
 echo '[org/gnome/desktop/media-handling]
@@ -62,27 +71,19 @@ org/gnome/desktop/media-handling/automount-open' | sudo tee /etc/dconf/db/local.
 
 sudo dconf update
 
-#Setup Firewalld
+# Speed up DNF
-sudo firewall-cmd --permanent --remove-port=1025-65535/udp
-sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
-sudo firewall-cmd --permanent --remove-service=mdns
-sudo firewall-cmd --permanent --remove-service=ssh
-sudo firewall-cmd --permanent --remove-service=samba-client
-sudo firewall-cmd --reload
-
-#Speed up DNF
 echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf
 echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf
 echo 'countme=false' | sudo tee -a /etc/dnf/dnf.conf
 
-#Update packages and firmware
+# Update packages and firmware
 sudo dnf upgrade -y
 sudo fwupdmgr get-devices
 sudo fwupdmgr refresh --force
 sudo fwupdmgr get-updates -y
 sudo fwupdmgr update -y
 
-#Remove unneeded packages
+# Remove unneeded packages
 sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem \
     #Network + hardware tools
     cups nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio \
@@ -106,16 +107,19 @@ sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-files
     #other
     lvm2 rng-tools thermald *perl* yajl
 
-#Disable openh264 repo
+# Disable openh264 repo
 sudo dnf config-manager --set-disabled fedora-cisco-openh264 -y
 
-#Install packages that I use
+# Install packages that I use
-sudo dnf -y install gnome-console git-core flat-remix-theme gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo gnome-shell-extension-dash-to-dock gnome-shell-extension-no-overview
+sudo dnf -y install gnome-console git-core flat-remix-theme gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo gnome-shell-extension-dash-to-dock gnome-shell-extension-no-overview tuned
 
-#Enable auto TRIM
+# Setup tuned
+sudo tuned-adm profile latency-performance
+
+# Enable auto TRIM
 sudo systemctl enable fstrim.timer
 
-#Setup BTRFS layout and Timeshift
+# Setup BTRFS layout and Timeshift
 sudo mkdir /btrfs_pool
 sudo mount -o subvolid=5 /dev/mapper/${PARTITIONID} /btrfs_pool
 sudo mv /btrfs_pool/root /btrfs_pool/@
@@ -127,7 +131,7 @@ sudo echo "UUID=${PARTITIONUUID} /btrfs_pool             btrfs   subvolid=5,ssd,
 sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
 sudo dnf -y install timeshift
 
-#Randomize MAC address
+# andomize MAC address
 sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
 [device]
 wifi.scan-rand-mac-address=yes
@@ -137,7 +141,7 @@ wifi.cloned-mac-address=random
 ethernet.cloned-mac-address=random
 EOF
 
-#Disable transient hostname
+# Disable transient hostname
 sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
 [main]
 hostname-mode=none

GCP-Debian-11-Docker.sh

@@ -15,7 +15,4 @@ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gviso
 sudo apt update 
 sudo apt -y --no-install-recommends install runsc
 sudo runsc install
-sudo systemctl restart docker
+sudo systemctl restart docker
-
-# Enable fstrim.timer
-sudo systemctl enable --now fstrim.timer

GCP-Debian-11.sh

@@ -1,24 +1,47 @@
 #!/bin/bash
 
-echo 'GSSAPIAuthentication no
+# Setup NTS
-VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
+sudo rm -rf /etc/chrony/chrony.conf
-sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
-sudo sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
+sudo systemctl restart chronyd
-sudo systemctl restart sshd
 
+# Setup repositories
 sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {} \;
 
+# Update and install packages
 sudo apt update
 sudo apt upgrade -y
 sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
 
+# Setup ufw
 sudo ufw enable
 sudo ufw allow 22/tcp
 
-#Setup tuned
+# Harden SSH
-sudo tuned-adm profile virtual-guest
+echo 'GSSAPIAuthentication no
+VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
+sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+sudo sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
+sudo mkdir -p /etc/systemd/system/sshd.service.d
+sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
+sudo systemctl daemon-reload
+sudo systemctl restart sshd
 
-#Setup unbound
+# Kernel Hardening
+
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
+sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
+sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
+sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+
+echo "* hard core 0" | tee -a /etc/security/limits.conf
+
+# Setup unbound
 echo 'server:
   trust-anchor-signaling: yes
   root-key-sentinel: yes
@@ -88,24 +111,8 @@ sudo systemctl daemon-reload
 sudo systemctl restart unbound
 sudo systemctl disable --now systemd-resolved
 
-sudo mkdir -p /etc/systemd/system/sshd.service.d
+# Setup tuned
-sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
+sudo tuned-adm profile virtual-guest
-
-sudo rm -rf /etc/chrony/chrony.conf
-sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
-sudo systemctl restart chronyd
-
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
-sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
-sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
-sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
-sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
-sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-
-echo "* hard core 0" | tee -a /etc/security/limits.conf
 
 # Enable fstrim.timer
 sudo ystemctl enable --now fstrim.timer

Proxmox-8.sh

@@ -2,15 +2,23 @@
 
 # You need to add either the non-subscription repo or the testing repo from the Proxmox WebUI after running this script.
 
+# Setup NTS
+rm -rf /etc/chrony/chrony.conf
+curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
+systemctl restart chronyd
+
+# Harden SSH
 echo 'GSSAPIAuthentication no
 VerifyHostKeyDNS yes' | tee /etc/ssh/ssh_config.d/10-custom.conf
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
 sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
 mkdir -p /etc/systemd/system/sshd.service.d
-curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
+curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
+systemctl daemon-reload
 systemctl restart sshd
 
+# Setup repositories
 sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list
 
 echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free
@@ -22,21 +30,17 @@ deb https://security.debian.org bookworm-security main contrib non-free
 
 deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list
 
+# Update and install packages
 apt update
 apt upgrade -y
 apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs
 
-tuned-adm profile virtual-host
-
-rm -rf /etc/chrony/chrony.conf
-curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
-systemctl restart chronyd
-
 ### This part assumes that you are using systemd-boot
 echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline
 proxmox-boot-tool refresh
 ###
 
+# Kernel hardening
 curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
@@ -50,6 +54,8 @@ echo "* hard core 0" | tee -a /etc/security/limits.conf
 
 sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
 
+# Setup automatic updates
+
 mkdir -p /etc/systemd/system/pve-daily-update.service.d
 echo '[Service]
 ExecStart=/usr/bin/pveupgrade' | tee /etc/systemd/system/pve-daily-update.service.d/override.conf
@@ -67,5 +73,8 @@ sed -Ezi.bak "s/(Ext.Msg.show\(\{\s+title: gettext\('No valid sub)/void\(\{ \/\/
 
 systemctl restart pveproxy.service
 
+# Setup tuned
+tuned-adm profile virtual-host
+
 # Enable fstrim.timer
 systemctl enable --now fstrim.timer

RHEL-Server-9.sh

@@ -1,6 +1,20 @@
 #!/bin/bash
 #Assuming that you are using ANSSI-BP-028
 
+# Setup NTS
+sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
+
+echo '# Command-line options for chronyd
+OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
+
+sudo systemctl restart chronyd
+
+# Setup Firewalld
+
+sudo firewall-cmd --permanent --remove-service=cockpit
+sudo firewall-cmd --reload
+
+# Harden SSH
 mkdir -p /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
 echo 'GSSAPIAuthentication no
 VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
@@ -8,11 +22,37 @@ sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 echo 'X11Forwarding no
 GSSAPIAuthentication no
 PasswordAuthentication no' | sudo tee /etc/ssh/sshd_config.d/10-custom.conf
+sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
+sudo systemctl daemon-reload
 sudo systemctl restart sshd
 
-sudo dnf install tuned unbound yara -y
+# Kernel hardening
-sudo tuned-adm profile virtual-guest
 
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
+sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
+sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
+sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
+sudo sysctl -p
+
+# Systemd hardening
+
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager
+
+sudo mkdir -p /etc/systemd/system/irqbalance.service.d
+sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart irqbalance
+
+# Install packages
+sudo dnf install tuned unbound yara -y
+
+# Setup unbound
 echo 'server:
   chroot: ""
 
@@ -73,44 +113,16 @@ LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.c
 
 sudo systemctl enable --now unbound
 
-sudo mkdir -p /etc/systemd/system/sshd.service.d
-sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
-sudo systemctl restart sshd
-
-sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
-
-echo '# Command-line options for chronyd
-OPTIONS="-F 1"' | sudo tee /etc/sysconfig/chronyd
-
-sudo systemctl restart chronyd
-
 sudo insights-client --collector malware-detection
 sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
 
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
+# Setup automatic updates
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
-sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/30_security-misc.conf
-sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
-sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/30_security-misc.conf
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
-sudo sysctl -p
-
-sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
-sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-sudo systemctl daemon-reload
-sudo systemctl restart NetworkManager
-
-sudo mkdir -p /etc/systemd/system/irqbalance.service.d
-sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
-sudo systemctl daemon-reload
-sudo systemctl restart irqbalance
-
-sudo firewall-cmd --permanent --remove-service=cockpit
-sudo firewall-cmd --reload
 
 sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
 sudo systemctl enable --now dnf-automatic.timer
 
+# Setup tuned
+sudo tuned-adm profile virtual-guest
+
 # Enable fstrim.timer
 sudo systemctl enable --now fstrim.timer

Ubuntu-22.04-Desktop.sh

@@ -4,49 +4,57 @@
 #Customize it to your liking
 #Run this script as your admin user, NOT root
 
-#Compliance
+# Compliance
 sudo ua enable usg
 sudo apt install -y usg
 sudo usg fix cis_level2_workstation
 
-#Allow su which is disabled by CIS 
+# Remove AIDE
+sudo apt purge -y aide*
+
+# Allow su which is disabled by CIS 
 sudo sed -i 's/auth required pam_wheel.so use_uid group=sugroup//g' /etc/pam.d/su
 
-#Setting umask to 077
+# Setting umask to 077
 umask 077
 sudo sed -ie '/^DIR_MODE=/ s/=[0-9]*\+/=0700/' /etc/adduser.conf
 sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
 sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
 echo "umask 077" | sudo tee --append /etc/profile
 
-#Make sure the system has curl (minimal installs do not include it)
+# Make sure the system has curl (minimal installs do not include it)
 sudo apt install -y curl
 
-#Security kernel settings
+# Setup NTS
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
-sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
-
-#Systemd Hardening
-sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
-sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-sudo mkdir -p /etc/systemd/system/irqbalance.service.d
-sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
-sudo mkdir -p /etc/systemd/system/sshd.service.d
-sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
-
-echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
-echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
-sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
-
-#Setup NTS
 sudo systemctl disable systemd-timesyncd
 sudo apt install -y chrony
 rm -rf /etc/chrony/chrony.conf
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
 sudo systemctl restart chronyd
 
+# Setup UFW
+#UFW Snap is strictly confined, unlike its .deb counterpart
+sudo apt purge -y ufw
+sudo snap install ufw
+sudo ufw enable
+
+# Harden SSH
+echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
+echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
+sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+
+# Kernel hardening
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
+sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
+
+# Systemd Hardening
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo mkdir -p /etc/systemd/system/irqbalance.service.d
+sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
+
 # Disable automount
 
 sudo mkdir -p /etc/dconf/db/local.d/locks/
@@ -60,13 +68,7 @@ org/gnome/desktop/media-handling/automount-open' | sudo tee /etc/dconf/db/local.
 
 sudo dconf update
 
-#Setup UFW
+# Disable crash reports
-#UFW Snap is strictly confined, unlike its .deb counterpart
-sudo apt purge -y ufw
-sudo snap install ufw
-sudo ufw enable
-
-#Disable crash reports
 echo '[com/ubuntu/update-notifier]
 show-apport-crashes=false' | sudo tee /etc/dconf/db/local.d/disable-apport-crashes
 
@@ -82,7 +84,7 @@ sudo systemctl stop whoopsie.service
 sudo systemctl disable whoopsie.service
 sudo systemctl mask whoopsie.service
 
-#Update packages and firmware
+# Update packages and firmware
 sudo apt update -y
 sudo apt full-upgrade -y
 sudo fwupdmgr get-devices
@@ -90,16 +92,16 @@ sudo fwupdmgr refresh --force
 sudo fwupdmgr get-updates -y
 sudo fwupdmgr update -y
 
-#Remove unneeded packages
+# Remove unneeded packages
 sudo apt purge -y cups* eog gedit firefox* gnome-calculator gnome-characters* gnome-font-viewer gnome-logs gnome-power-manager gnome-shell-extension-prefs seahorse tcpdump whoopsie
 sudo apt autoremove -y
 sudo snap remove firefox
 
-#Install packages that I use
+# Install packages that I use
 sudo apt install -y git-core gnome-text-editor
 sudo snap install eog
 
-#Randomize MAC address
+# Randomize MAC address
 sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
 [device]
 wifi.scan-rand-mac-address=yes

Ubuntu-22.04-Server.sh

@@ -7,15 +7,38 @@ sudo ua enable usg
 sudo apt install -y usg
 sudo usg fix cis_level2_server
 
-#Install packages
+# Remove AIDE
+sudo apt purge -y aide*
+
+# Update and install packages
 sudo apt update -y
 sudo apt full-upgrade -y
 sudo apt install -y curl fwupd libpam-pwquality tuned unbound
 
-#Setup tuned
+# Setup NTS
-sudo tuned-adm profile virtual-guest
+sudo systemctl disable systemd-timesyncd
+sudo apt install -y chrony
+rm -rf /etc/chrony/chrony.conf
+sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
+sudo systemctl restart chronyd
 
-#Setup unbound
+# Setup UFW
+# UFW Snap is strictly confined, unlike its .deb counterpart
+sudo apt purge -y ufw
+sudo snap install ufw
+sudo ufw enable
+sudo ufw allow 22
+
+# Harden SSH
+echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
+echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
+sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+sudo mkdir -p /etc/systemd/system/sshd.service.d
+sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
+sudo systemctl daemon-reload
+sudo systemctl restart sshd
+
+# Setup unbound
 echo 'server:
   trust-anchor-signaling: yes
   root-key-sentinel: yes
@@ -85,30 +108,12 @@ sudo systemctl daemon-reload
 sudo systemctl restart unbound
 sudo systemctl disable --now systemd-resolved
 
-#Security kernel settings
+# Kernel hardening
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
 sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
 
-echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
-echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
-sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
-
-#Setup NTS
-sudo systemctl disable systemd-timesyncd
-sudo apt install -y chrony
-rm -rf /etc/chrony/chrony.conf
-sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
-sudo systemctl restart chronyd
-
-#Setup UFW
-#UFW Snap is strictly confined, unlike its .deb counterpart
-sudo apt purge -y ufw
-sudo snap install ufw
-sudo ufw enable
-sudo ufw allow 22
-
 sudo systemctl stop apport.service
 sudo systemctl disable apport.service
 sudo systemctl mask apport.service
@@ -122,5 +127,8 @@ ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.serv
 sudo systemctl daemon-reload
 sudo systemctl enable --now fwupd-refresh.timer
 
+# Setup tuned
+sudo tuned-adm profile virtual-guest
+
 # Enable fstrim.timer
 sudo systemctl enable --now fstrim.timer