mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-11-09 11:41:33 -05:00

Compare commits

...

6 Commits

Author SHA1 Message Date
1ab3c4de47
Consistency fix 2023-08-22 17:58:32 -07:00
0880786054
Allow openssh instead of 22/tcp on Debian systems 2023-08-22 17:51:33 -07:00
85ada77f4c
Consistency fix 2023-08-22 17:46:56 -07:00
ebf0284c32
apt update and autoremove 2023-08-22 17:35:22 -07:00
80c2957f6c
Add non-free-firmware 2023-08-22 16:54:08 -07:00
ad0de6f2a0
Add notes 2023-08-22 15:49:44 -07:00
5 changed files with 48 additions and 28 deletions


@ -11,11 +11,11 @@ sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {
# Update and install packages # Update and install packages
sudo apt update sudo apt update
sudo apt upgrade -y sudo apt upgrade -y
sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
# Setup ufw # Setup ufw
sudo apt install ufw -y
sudo ufw enable sudo ufw enable
sudo ufw allow 22/tcp sudo ufw allow OpenSSH
# Harden SSH # Harden SSH
echo 'GSSAPIAuthentication no echo 'GSSAPIAuthentication no
@ -42,6 +42,9 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s
echo "* hard core 0" | tee -a /etc/security/limits.conf echo "* hard core 0" | tee -a /etc/security/limits.conf
# Setup unbound # Setup unbound
sudo apt instal unbound resolvconf -y
echo 'server: echo 'server:
trust-anchor-signaling: yes trust-anchor-signaling: yes
root-key-sentinel: yes root-key-sentinel: yes
@ -112,6 +115,7 @@ sudo systemctl restart unbound
sudo systemctl disable --now systemd-resolved sudo systemctl disable --now systemd-resolved
# Setup tuned # Setup tuned
sudo dnf install tuned -y
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
# Enable fstrim.timer # Enable fstrim.timer
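Review bot: Two of the per-section install commands added here cannot succeed on a Debian host: `sudo apt instal unbound resolvconf -y` in the unbound hunk misspells the subcommand, and `sudo dnf install tuned -y` in the tuned hunk calls a package manager that this apt-based script does not otherwise use. The combined `apt install ... tuned unbound resolvconf ufw` line appears to be dropped in the first hunk, so neither unbound nor tuned would be installed any more. The last hunk's context still runs `sudo systemctl disable --now systemd-resolved`, which would leave the machine without a working resolver. The lines should read `sudo apt install -y unbound resolvconf` and `sudo apt install -y tuned`. The old/new side of each line is inferred from the side-by-side rendering.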


@ -21,12 +21,13 @@ systemctl restart sshd
# Setup repositories # Setup repositories
sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list
echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
# security updates deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb https://security.debian.org bookworm-security main contrib non-free
deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list
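Review bot: The new bookworm-security entry is the only Debian line in this list that uses plain `http://` (`deb http://deb.debian.org/debian-security/ ...`), while the entry it replaces used `https://security.debian.org` and the other Debian lines stay on HTTPS. APT still verifies repository signatures, but fetching security updates over an unencrypted channel exposes which fixes the host pulls and makes it easier for something on the path to stall them. Write it as `deb https://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware`.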


@ -49,10 +49,10 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart irqbalance sudo systemctl restart irqbalance
# Install packages
sudo dnf install tuned unbound yara -y
# Setup unbound # Setup unbound
sudo dnf install unbound -y
echo 'server: echo 'server:
chroot: "" chroot: ""
@ -113,6 +113,8 @@ LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.c
sudo systemctl enable --now unbound sudo systemctl enable --now unbound
# Setup yara
sudo dnf install -y yara
sudo insights-client --collector malware-detection sudo insights-client --collector malware-detection
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
@ -121,7 +123,16 @@ sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-d
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer sudo systemctl enable --now dnf-automatic.timer
#Setup fwupd
sudo dnf install fwupd -y
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
echo '[Service]
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer
# Setup tuned # Setup tuned
sudo dnf install tuned -y
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
# Enable fstrim.timer # Enable fstrim.timer
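Review bot: The added fwupd block runs `mkdir -p /etc/systemd/system/fwupd-refresh.service.d` and pipes into `tee` without `sudo`, while the neighbouring lines in this file all go through `sudo`. If the script is run as a non-root admin user, as the sudo usage suggests, the drop-in is never written. `sudo systemctl enable --now fwupd-refresh.timer` would still succeed, so the timer runs without the `ExecStart=/usr/bin/fwupdmgr update` override and nothing reports that firmware updates are not being applied. Use `sudo mkdir -p /etc/systemd/system/fwupd-refresh.service.d` and `... | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf`.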


@ -1,13 +1,15 @@
#!/bin/bash #!/bin/bash
#Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead #Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
#Customize it to your liking ##The script assumes you already have Ubuntu Pro activated
#Run this script as your admin user, NOT root
# Compliance #Compliance and updates
sudo ua enable usg sudo ua enable usg
sudo apt update -y
sudo apt full-upgrade -y
sudo apt install -y usg sudo apt install -y usg
sudo usg fix cis_level2_workstation sudo apt autoremove -y
sudo usg fix cis_level2_server
# Remove AIDE # Remove AIDE
sudo apt purge -y aide* sudo apt purge -y aide*
@ -22,9 +24,6 @@ sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
echo "umask 077" | sudo tee --append /etc/profile echo "umask 077" | sudo tee --append /etc/profile
# Make sure the system has curl (minimal installs do not include it)
sudo apt install -y curl
# Setup NTS # Setup NTS
sudo systemctl disable systemd-timesyncd sudo systemctl disable systemd-timesyncd
sudo apt install -y chrony sudo apt install -y chrony
@ -114,4 +113,5 @@ EOF
sudo systemctl restart NetworkManager sudo systemctl restart NetworkManager
# Enable fstrim.timer # Enable fstrim.timer
sudo apt install tuned -y
sudo systemctl enable --now fstrim.timer sudo systemctl enable --now fstrim.timer
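Review bot: The compliance step in the first hunk appears to switch this desktop script from `sudo usg fix cis_level2_workstation` to `sudo usg fix cis_level2_server`; the side of each line is inferred from the side-by-side rendering. The file's header comment talks about GNOME extensions and a later hunk restarts NetworkManager, so the workstation profile looks like the intended baseline, and the server profile may not match the checks meant for a desktop. If the line came in with a block copied from the server script, restore `sudo usg fix cis_level2_workstation`; if the change is deliberate, add a comment such as `# server profile applied on purpose: <reason>`.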


@ -1,24 +1,22 @@
#!/bin/bash #!/bin/bash
#Meant to be run on Ubuntu Pro Minimal #Meant to be run on Ubuntu Pro Minimal
#The script assumes you already have Ubuntu Pro activated
#Compliance #Compliance and updates
sudo ua enable usg sudo ua enable usg
sudo apt install -y usg sudo apt update -y
sudo apt full-upgrade -y
sudo apt install -y usg curl libpam-pwquality
sudo apt autoremove -y
sudo usg fix cis_level2_server sudo usg fix cis_level2_server
# Remove AIDE # Remove AIDE
sudo apt purge -y aide* sudo apt purge -y aide*
# Update and install packages
sudo apt update -y
sudo apt full-upgrade -y
sudo apt install -y curl fwupd libpam-pwquality tuned unbound
# Setup NTS # Setup NTS
sudo systemctl disable systemd-timesyncd sudo systemctl disable --now systemd-timesyncd
sudo apt install -y chrony sudo apt install -y chrony
rm -rf /etc/chrony/chrony.conf
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
sudo systemctl restart chronyd sudo systemctl restart chronyd
@ -27,11 +25,11 @@ sudo systemctl restart chronyd
sudo apt purge -y ufw sudo apt purge -y ufw
sudo snap install ufw sudo snap install ufw
sudo ufw enable sudo ufw enable
sudo ufw allow 22 sudo ufw allow OpenSSH
# Harden SSH # Harden SSH
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf echo "GSSAPIAuthentication no
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf echo "VerifyHostKeyDNS yes" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
sudo mkdir -p /etc/systemd/system/sshd.service.d sudo mkdir -p /etc/systemd/system/sshd.service.d
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
@ -39,6 +37,9 @@ sudo systemctl daemon-reload
sudo systemctl restart sshd sudo systemctl restart sshd
# Setup unbound # Setup unbound
sudp apt install -y unbound
echo 'server: echo 'server:
trust-anchor-signaling: yes trust-anchor-signaling: yes
root-key-sentinel: yes root-key-sentinel: yes
@ -121,6 +122,8 @@ sudo systemctl stop whoopsie.service
sudo systemctl disable whoopsie.service sudo systemctl disable whoopsie.service
sudo systemctl mask whoopsie.service sudo systemctl mask whoopsie.service
#Setup fwupd
sudo apt install fwupd -y
mkdir -p /etc/systemd/system/fwupd-refresh.service.d mkdir -p /etc/systemd/system/fwupd-refresh.service.d
echo '[Service] echo '[Service]
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
@ -128,6 +131,7 @@ sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer sudo systemctl enable --now fwupd-refresh.timer
# Setup tuned # Setup tuned
sudo apt install tuned -y
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
# Enable fstrim.timer # Enable fstrim.timer
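Review bot: `sudp apt install -y unbound` in the unbound hunk is a misspelled `sudo`, so the package is never installed. The first hunk removes the combined `sudo apt install -y curl fwupd libpam-pwquality tuned unbound` line, which leaves this as the only place unbound is installed, and the `echo 'server:` configuration that follows would then be written for a resolver that is not present. The line should be `sudo apt install -y unbound`. The hunk shows no error handling around the command, so the failure would surface only as a message in the script output.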