From e3104f037fe64f856c2be85b2e9899653e8a66a3 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Tue, 25 Jun 2024 22:24:45 -0700
Subject: [PATCH] POSIX Compliance
Signed-off-by: Tommy
---
 Fedora-Server-40.sh | 6 +--
 Fedora-Workstation-40.sh | 6 +--
 Proxmox-8.sh | 6 +--
 RHEL-9.sh | 26 ++----------
 Ubuntu-24.04-Desktop.sh | 6 +--
 Ubuntu-24.04-Server.sh | 40 +++----------------
 .../unbound.service.d/override-chroot.conf | 34 ++++++++++++++++
 .../system/unbound.service.d/override.conf | 25 ++++++++++++
 8 files changed, 80 insertions(+), 69 deletions(-)
 create mode 100644 etc/systemd/system/unbound.service.d/override-chroot.conf
 create mode 100644 etc/systemd/system/unbound.service.d/override.conf
diff --git a/Fedora-Server-40.sh b/Fedora-Server-40.sh
index 07a4185..291ea9c 100644
--- a/Fedora-Server-40.sh
+++ b/Fedora-Server-40.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # Copyright (C) 2021-2024 Thien Tran
 #
@@ -17,7 +17,7 @@
 #Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
 output(){
- echo -e '\e[36m'"$1"'\e[0m';
+ printf '\e[1;34m%-6s\e[m\n' "${@}"
 }
 unpriv(){
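Review bot: `printf '\e[1;34m%-6s\e[m\n' "${@}"` in the new output() relies on the `\e` escape, which POSIX does not specify for printf (only `\\`, `\a`, `\b`, `\f`, `\n`, `\r`, `\t`, `\v` and octal `\ddd` are guaranteed), so under the new `#!/bin/sh` shebang a strict sh — Ubuntu's /bin/sh is dash, as far as I know — may print the two characters `\e` literally instead of colouring the line. The octal form is portable: `printf '\033[1;34m%-6s\033[m\n' "${@}"`. The same output() hunk is repeated in Fedora-Workstation-40.sh, Proxmox-8.sh, RHEL-9.sh, Ubuntu-24.04-Desktop.sh and Ubuntu-24.04-Server.sh and should get the same fix.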
@@ -128,7 +128,7 @@ sudo sed -i 's; interface: 242.242.0.1;# interface: 242.242.0.1;g' /etc/unboun
 sudo sed -i 's; access-control: 242.242.0.0/16 allow;# access-control: 242.242.0.0/16 allow;g' /etc/unbound/unbound.conf
 sudo chmod 644 /etc/unbound/unbound.conf
 sudo mkdir /etc/systemd/system/unbound.service.d
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/unbound.service.d/override.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf
 sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
 sudo systemctl enable --now unbound
 sudo systemctl disable systemd-resolved
diff --git a/Fedora-Workstation-40.sh b/Fedora-Workstation-40.sh
index 1ce8d5c..4f656ac 100644
--- a/Fedora-Workstation-40.sh
+++ b/Fedora-Workstation-40.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # Copyright (C) 2021-2024 Thien Tran
 #
@@ -17,7 +17,7 @@
 #Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
 output(){
- echo -e '\e[36m'"$1"'\e[0m';
+ printf '\e[1;34m%-6s\e[m\n' "${@}"
 }
 unpriv(){
@@ -198,7 +198,7 @@ flatpak update -y
 # Install Microsoft Edge if x86_64
 MACHINE_TYPE=$(uname -m)
-if [ "${MACHINE_TYPE}" == 'x86_64' ]; then
+if [ "${MACHINE_TYPE}" = 'x86_64' ]; then
 output 'x86_64 machine, installing Microsoft Edge.'
 echo '[microsoft-edge]
 name=microsoft-edge
diff --git a/Proxmox-8.sh b/Proxmox-8.sh
index f5bbd75..8284b61 100644
--- a/Proxmox-8.sh
+++ b/Proxmox-8.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # Copyright (C) 2021-2024 Thien Tran
 #
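Review bot: The new `unpriv curl … | sudo tee …/override.conf` line fetches the systemd drop-in without `-f`, so an HTTP error (for example a 404 after a file is moved on the branch) still exits 0 and tee writes the error body into the drop-in, which the `systemctl enable --now unbound` two lines later then loads; it should be at least `unpriv curl -fsS …` with the pipeline's status checked before continuing. The URL also references the `main` branch rather than a fixed commit, so the hardening profile that lands on the host is whatever that branch holds at run time and cannot be reproduced or audited later; pinning the ref, or comparing the downloaded file against a known digest, would fix that. The same pattern is introduced in RHEL-9.sh (`@@ -145,25`) and Ubuntu-24.04-Server.sh (`@@ -176,38`), where it replaces an inline copy of the configuration with the network fetch.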
@@ -17,7 +17,7 @@
 # You need to add either the non-subscription repo or the testing repo from the Proxmox WebUI after running this script.
 output(){
- echo -e '\e[36m'"$1"'\e[0m';
+ printf '\e[1;34m%-6s\e[m\n' "${@}"
 }
 # Compliance and updates
@@ -65,7 +65,7 @@ apt autoremove -y
 apt install -y intel-microcode tuned fwupd dropbear-initramfs
 ### This part assumes that you are using systemd-boot
-echo -e "mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline
+echo "mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline
 proxmox-boot-tool refresh
 ###
diff --git a/RHEL-9.sh b/RHEL-9.sh
index 9bedacf..5bb38c5 100644
--- a/RHEL-9.sh
+++ b/RHEL-9.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # Copyright (C) 2021-2024 Thien Tran
 #
@@ -15,11 +15,11 @@
 # the License.
 output(){
- echo -e '\e[36m'"$1"'\e[0m';
+ printf '\e[1;34m%-6s\e[m\n' "${@}"
 }
 unpriv(){
- sudo -u nobody "$@"
+ sudo -u nobody "$@"
 }
 virtualization=$(systemd-detect-virt)
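Review bot: In the Proxmox-8.sh `@@ -65,7` hunk, `echo "mitigations=auto,nosmt … $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline` prepends the whole parameter list to whatever the file already holds, so each re-run of the script adds another copy of the same flags to the kernel command line; the `echo -e` → `echo` change keeps that behaviour. A guard in front of the echo such as `grep -q 'randomize_kstack_offset=on' /etc/kernel/cmdline ||`, or writing to a temporary file and comparing before replacing, would make the step idempotent. The one-shot case only works because the command substitution is expanded before `>` truncates the file, which deserves a comment on the line, e.g. `# $(cat …) is expanded before > truncates the file; not safe to re-run`.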
@@ -145,25 +145,7 @@ forward-zone:
 sudo chmod 644 /etc/unbound/unbound.conf
 sudo mkdir -p /etc/systemd/system/unbound.service.d
-echo $'[Service]
-MemoryDenyWriteExecute=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHome=true
-ProtectClock=true
-ProtectControlGroups=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-# This breaks using socket options like \'so-rcvbuf\'. Explicitly disable for visibility.
-ProtectKernelTunables=true
-ProtectProc=invisible
-RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
-RestrictRealtime=true
-SystemCallArchitectures=native
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
-RestrictNamespaces=yes
-LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
-
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/unbound.service.d/override.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf
 sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
 sudo systemctl enable --now unbound
diff --git a/Ubuntu-24.04-Desktop.sh b/Ubuntu-24.04-Desktop.sh
index 2b07f7b..e7e8ff8 100644
--- a/Ubuntu-24.04-Desktop.sh
+++ b/Ubuntu-24.04-Desktop.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # Copyright (C) 2021-2024 Thien Tran
 #
@@ -17,7 +17,7 @@
 #Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
 output(){
- echo -e '\e[36m'"$1"'\e[0m';
+ printf '\e[1;34m%-6s\e[m\n' "${@}"
 }
 unpriv(){
@@ -177,7 +177,7 @@ fi
 # Install Microsoft Edge if x86_64
 MACHINE_TYPE=$(uname -m)
-if [ "${MACHINE_TYPE}" == 'x86_64' ] || [ -f /media/psf/RosettaLinux/rosetta ] || [ -f /media/rosetta/rosetta ]; then
+if [ "${MACHINE_TYPE}" = 'x86_64' ] || [ -f /media/psf/RosettaLinux/rosetta ] || [ -f /media/rosetta/rosetta ]; then
 output 'x86_64 machine, installing Microsoft Edge.'
 unpriv curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft.gpg
 chmod 644 /usr/share/keyrings/microsoft.gpg
diff --git a/Ubuntu-24.04-Server.sh b/Ubuntu-24.04-Server.sh
index a20d011..9155200 100644
--- a/Ubuntu-24.04-Server.sh
+++ b/Ubuntu-24.04-Server.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # Copyright (C) 2021-2024 Thien Tran
 #
@@ -17,11 +17,11 @@
 #Meant to be run on Ubuntu Pro Minimal
 output(){
- echo -e '\e[36m'"$1"'\e[0m';
+ printf '\e[1;34m%-6s\e[m\n' "${@}"
 }
 unpriv(){
- sudo -u nobody "$@"
+ sudo -u nobody "$@"
 }
 virtualization=$(systemd-detect-virt)
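Review bot: In the Ubuntu-24.04-Desktop.sh `@@ -177,7` hunk, `chmod 644 /usr/share/keyrings/microsoft.gpg` runs without `sudo` immediately after `sudo tee` created the keyring as root, so when the script is run by an unprivileged user (which the surrounding `sudo` calls suggest is the intended mode) that chmod fails with EPERM; it should read `sudo chmod 644 /usr/share/keyrings/microsoft.gpg`. The keyring pipeline on the line above also runs `curl` without `-f`, so an HTTP error body would be handed to `gpg --dearmor` and, if that happens to succeed, installed as the apt signing key; `unpriv curl -fsS …` would surface the failure instead. The `if` block continues outside the hunk.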
@@ -176,38 +176,8 @@ forward-zone:
 sudo chmod 644 /etc/unbound/unbound.conf.d/custom.conf
-mkdir -p /etc/systemd/system/unbound.service.d
-echo $'[Service]
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHome=true
-ProtectClock=true
-ProtectControlGroups=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-# This breaks using socket options like \'so-rcvbuf\'. Explicitly disable for visibility.
-ProtectKernelTunables=false
-ProtectProc=invisible
-RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
-RestrictRealtime=true
-SystemCallArchitectures=native
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
-RestrictNamespaces=yes
-LockPersonality=yes
-RestrictSUIDSGID=yes
-ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
-
-# Below rules are needed when chroot is enabled (usually it\'s enabled by default).
-# If chroot is disabled like chroot: "" then they may be safely removed.
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
-BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
-BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
-BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
-
+sudo mkdir -p /etc/systemd/system/unbound.service.d
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/unbound.service.d/override-chroot.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf
 sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
 sudo systemctl daemon-reload
diff --git a/etc/systemd/system/unbound.service.d/override-chroot.conf b/etc/systemd/system/unbound.service.d/override-chroot.conf
new file mode 100644
index 0000000..7726bf4
--- /dev/null
+++ b/etc/systemd/system/unbound.service.d/override-chroot.conf
@@ -0,0 +1,34 @@
+[Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
+ProtectKernelTunables=false
+ProtectProc=invisible
+#ProtectSystem=strict
+#RuntimeDirectory=unbound
+#ConfigurationDirectory=unbound
+#StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+
+# Below rules are needed when chroot is enabled (usually it's enabled by default).
+# If chroot is disabled like chroot: "" then they may be safely removed.
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
+BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
+BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
+BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
\ No newline at end of file
diff --git a/etc/systemd/system/unbound.service.d/override.conf b/etc/systemd/system/unbound.service.d/override.conf
new file mode 100644
index 0000000..2d92d56
--- /dev/null
+++ b/etc/systemd/system/unbound.service.d/override.conf
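Review bot: `ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@` and the `TemporaryFileSystem=`, `BindReadOnlyPaths=` and `BindPaths=` lines at the end of override-chroot.conf carry `@…@` tokens that look like build-time substitution placeholders copied from unbound's service template; Ubuntu-24.04-Server.sh installs this file verbatim as override.conf and nothing in the commit replaces them, so systemd would, as far as I can tell, be handed non-absolute paths and refuse those directives, leaving the chroot bind mounts that the comment describes unapplied while the rest of the drop-in silently takes effect. Either substitute the distribution's real run and chroot directories before the file is installed, or state the requirement at the top of the file, e.g. `# @UNBOUND_RUN_DIR@ and @UNBOUND_CHROOT_DIR@ must be replaced with the distro's paths before this drop-in is installed`. The file also ends without a trailing newline, which is harmless here but worth fixing alongside.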
@@ -0,0 +1,25 @@
+[Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_DAC_OVERRIDE
+MemoryDenyWriteExecute=true
+#NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like 'so-rcvbuf'.
+ProtectKernelTunables=true
+ProtectProc=invisible
+#ProtectSystem=strict
+#RuntimeDirectory=unbound
+#ConfigurationDirectory=unbound
+#StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
\ No newline at end of file
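Review bot: `# This breaks using socket options like 'so-rcvbuf'.` now sits directly above `ProtectKernelTunables=true`, so the comment warns about breakage without saying whether that is accepted, whereas override-chroot.conf keeps the setting `false` and says why; the comment should record the decision, e.g. `# Breaks socket options like 'so-rcvbuf'; left enabled on purpose — set to false if unbound.conf uses them.` Two other hardening choices in this file are undocumented: `#NoNewPrivileges=true` is commented out although it is active in override-chroot.conf, and `CAP_DAC_OVERRIDE` is added to `CapabilityBoundingSet=`, which lets the service bypass file-permission checks. A one-line comment on each naming what fails without it would let the next reader judge the trade-off instead of re-tightening them blindly, and the file should end with a newline.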