mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-11-25 10:41:34 -05:00

Compare commits


2 Commits

Author SHA1 Message Date
46ea5f81bf
Remove real-ucode
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-09 05:34:13 -07:00
533c8c3e73
Add new secureblue Hardened Malloc for RHEL
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-09 05:31:16 -07:00
3 changed files with 20 additions and 44 deletions


@ -128,6 +128,11 @@ sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
sudo systemctl enable --now unbound sudo systemctl enable --now unbound
sudo systemctl disable systemd-resolved sudo systemctl disable systemd-resolved
### Differentiating bare metal and virtual installs
# Enable auto TRIM
sudo systemctl enable fstrim.timer
# Setup fwupd # Setup fwupd
if [ "$virtualization" = 'none' ]; then if [ "$virtualization" = 'none' ]; then
sudo dnf install -y fwupd sudo dnf install -y fwupd
@ -140,11 +145,6 @@ if [ "$virtualization" = 'none' ]; then
sudo systemctl enable --now fwupd-refresh.timer sudo systemctl enable --now fwupd-refresh.timer
fi fi
# Enable auto TRIM
sudo systemctl enable fstrim.timer
### Differentiating bare metal and virtual installs
# Setup tuned # Setup tuned
sudo dnf install -y tuned sudo dnf install -y tuned
sudo systemctl enable --now tuned sudo systemctl enable --now tuned
@ -155,17 +155,6 @@ else
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup real-ucode
MACHINE_TYPE=$(uname -m)
if [ "$virtualization" = 'none' ] && [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
sudo dnf install -y real-ucode
sudo dracut -f
fi
# Setup networking # Setup networking
sudo firewall-cmd --permanent --remove-service=cockpit sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload sudo firewall-cmd --reload


@ -219,15 +219,15 @@ gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.re
sudo chmod 644 /usr/local/share/applications/microsoft-edge.desktop sudo chmod 644 /usr/local/share/applications/microsoft-edge.desktop
fi fi
# Setup fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
# Enable auto TRIM # Enable auto TRIM
sudo systemctl enable fstrim.timer sudo systemctl enable fstrim.timer
### Differentiating bare metal and virtual installs ### Differentiating bare metal and virtual installs
# Setup fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
# Setup tuned # Setup tuned
if [ "$virtualization" = 'none' ]; then if [ "$virtualization" = 'none' ]; then
output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it." output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it."
@ -238,15 +238,6 @@ else
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup real-ucode
if [ "$virtualization" = 'none' ] && [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
sudo dnf install -y real-ucode
sudo dracut -f
fi
# Setup networking # Setup networking
sudo firewall-cmd --set-default-zone=block sudo firewall-cmd --set-default-zone=block
sudo firewall-cmd --permanent --add-service=dhcpv6-client sudo firewall-cmd --permanent --add-service=dhcpv6-client
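Review bot: The relocated fwupd block still appends with `tee -a`, so every re-run of the script adds another `UriSchemes=file;https` line, and the key lands under whichever section is last in `/etc/fwupd/fwupd.conf`; if that is not `[fwupd]`, the https-only restriction may silently not apply. A guarded form such as `grep -q '^UriSchemes=' /etc/fwupd/fwupd.conf || echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf` avoids the duplicates, and it is worth confirming the file ends in the `[fwupd]` section on the target release. The block also appears to sit under the "Differentiating bare metal and virtual installs" header after this change, yet it runs unconditionally, whereas the other two scripts in this compare wrap fwupd in `if [ "$virtualization" = 'none' ]; then`. If that difference is intentional, a comment such as `# fwupd is preinstalled here; configured on VMs too` would say so.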

View File

@ -89,6 +89,12 @@ sudo systemctl enable --now dnf-automatic.timer
# Remove unnecessary packages # Remove unnecessary packages
sudo dnf remove -y cockpit* sudo dnf remove -y cockpit*
# Install hardened_malloc
sudo dnf copr enable secureblue/hardened_malloc -y
sudo dnf install -y hardened_malloc
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo chmod 644 /etc/ld.so.preload
# Install appropriate virtualization drivers # Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then if [ "$virtualization" = 'kvm' ]; then
sudo dnf install -y qemu-guest-agent sudo dnf install -y qemu-guest-agent
@ -160,6 +166,11 @@ sudo systemctl enable --now unbound
#sudo insights-client --collector malware-detection #sudo insights-client --collector malware-detection
#sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml #sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
# Enable auto TRIM
sudo systemctl enable fstrim.timer
### Differentiating bare metal and virtual installs
# Setup fwupd # Setup fwupd
if [ "$virtualization" = 'none' ]; then if [ "$virtualization" = 'none' ]; then
sudo dnf install -y fwupd sudo dnf install -y fwupd
@ -172,11 +183,6 @@ if [ "$virtualization" = 'none' ]; then
sudo systemctl enable --now fwupd-refresh.timer sudo systemctl enable --now fwupd-refresh.timer
fi fi
# Enable auto TRIM
sudo systemctl enable fstrim.timer
### Differentiating bare metal and virtual installs
# Setup tuned # Setup tuned
sudo dnf install -y tuned sudo dnf install -y tuned
sudo systemctl enable --now tuned sudo systemctl enable --now tuned
@ -187,16 +193,6 @@ else
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup real-ucode
MACHINE_TYPE=$(uname -m)
if [ "$virtualization" = 'none' ] && [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
sudo dnf install -y real-ucode
sudo dracut -f
fi
# Setup networking # Setup networking
sudo firewall-cmd --permanent --remove-service=cockpit sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload sudo firewall-cmd --reload
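Review bot: In the new hardened_malloc block, `/etc/ld.so.preload` is written even if `dnf copr enable` or `dnf install` fails (unless the script runs under `set -e`, which is not visible here), and `tee` without `-a` replaces any entries already in that file. Because this preload applies to every dynamically linked process, including root-owned ones, the write is better chained on the install: `sudo dnf install -y hardened_malloc && echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload`. The block also deserves a comment noting that `secureblue/hardened_malloc` is a community COPR outside the distribution's own signing chain, for example `# Third-party COPR: its library is preloaded system-wide, review before enabling`. The visible lines do not show whether `vm.max_map_count` is raised elsewhere, which upstream hardened_malloc recommends because of its guard mappings.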