Compare commits
6 Commits
5cc40052cc
...
1ab3c4de47
Author | SHA1 | Date | |
---|---|---|---|
1ab3c4de47 | |||
0880786054 | |||
85ada77f4c | |||
ebf0284c32 | |||
80c2957f6c | |||
ad0de6f2a0 |
@ -11,11 +11,11 @@ sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {
|
|||||||
# Update and install packages
|
# Update and install packages
|
||||||
sudo apt update
|
sudo apt update
|
||||||
sudo apt upgrade -y
|
sudo apt upgrade -y
|
||||||
sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
|
|
||||||
|
|
||||||
# Setup ufw
|
# Setup ufw
|
||||||
|
sudo apt install ufw -y
|
||||||
sudo ufw enable
|
sudo ufw enable
|
||||||
sudo ufw allow 22/tcp
|
sudo ufw allow OpenSSH
|
||||||
|
|
||||||
# Harden SSH
|
# Harden SSH
|
||||||
echo 'GSSAPIAuthentication no
|
echo 'GSSAPIAuthentication no
|
||||||
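Review bot: `sudo ufw enable` still runs before `sudo ufw allow OpenSSH`, so on a host administered over SSH the firewall comes up with its default deny-incoming policy before the SSH rule exists, and `ufw enable` also stops to ask for confirmation when it detects an SSH session, which stalls a non-interactive run. Put the allow rule first, or use `sudo ufw --force enable` after it. The `OpenSSH` application profile is shipped by the openssh-server package, so `ufw allow OpenSSH` fails with a "Could not find a profile" error on a machine that has only the client, a dependency the old `22/tcp` form did not have. The new `sudo apt install ufw -y` also drops the `--no-install-recommends` that the removed combined install line carried.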
@ -42,6 +42,9 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s
|
|||||||
echo "* hard core 0" | tee -a /etc/security/limits.conf
|
echo "* hard core 0" | tee -a /etc/security/limits.conf
|
||||||
|
|
||||||
# Setup unbound
|
# Setup unbound
|
||||||
|
|
||||||
|
sudo apt instal unbound resolvconf -y
|
||||||
|
|
||||||
echo 'server:
|
echo 'server:
|
||||||
trust-anchor-signaling: yes
|
trust-anchor-signaling: yes
|
||||||
root-key-sentinel: yes
|
root-key-sentinel: yes
|
||||||
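Review bot: `sudo apt instal unbound resolvconf -y` on the new side misspells the apt subcommand, so apt exits with an invalid-operation error and neither package is installed; there is no `set -e` in this script, so the `echo 'server:` configuration that follows is written for a daemon that is not there. Change it to `sudo apt install -y unbound resolvconf`. Since the install was moved out of the combined line changed in the hunk at L17, consider keeping the `--no-install-recommends` that line used.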
@ -112,6 +115,7 @@ sudo systemctl restart unbound
|
|||||||
sudo systemctl disable --now systemd-resolved
|
sudo systemctl disable --now systemd-resolved
|
||||||
|
|
||||||
# Setup tuned
|
# Setup tuned
|
||||||
|
sudo dnf install tuned -y
|
||||||
sudo tuned-adm profile virtual-guest
|
sudo tuned-adm profile virtual-guest
|
||||||
|
|
||||||
# Enable fstrim.timer
|
# Enable fstrim.timer
|
||||||
|
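Review bot: `sudo dnf install tuned -y` is added to what appears to be the same apt-based script as the hunks at L17 and L74 (the hunk offsets line up and `sudo apt update` is used there), so `dnf` will not be present and tuned is never installed before `sudo tuned-adm profile virtual-guest` runs. Change it to `sudo apt install -y tuned`. The tuned section continues past the end of the hunk.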
@ -21,12 +21,13 @@ systemctl restart sshd
|
|||||||
# Setup repositories
|
# Setup repositories
|
||||||
sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list
|
sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list
|
||||||
|
|
||||||
echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free
|
echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
|
||||||
|
|
||||||
deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free
|
deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
|
||||||
|
|
||||||
# security updates
|
deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
|
||||||
deb https://security.debian.org bookworm-security main contrib non-free
|
|
||||||
|
deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
|
||||||
|
|
||||||
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list
|
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list
|
||||||
|
|
||||||
|
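Review bot: The new `bookworm-security` line switches the security suite from `https://security.debian.org` to `http://deb.debian.org/debian-security/`, so the three other Debian lines written to `/etc/apt/sources.list` use TLS while the one that delivers security updates does not. APT still verifies the Release signature, but plain HTTP reveals which security packages the host fetches and lets an on-path party replay older index files within their Valid-Until window; keep the scheme consistent with `deb https://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware`. The Proxmox line was http before this change and is not part of it.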
@ -49,10 +49,10 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s
|
|||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl restart irqbalance
|
sudo systemctl restart irqbalance
|
||||||
|
|
||||||
# Install packages
|
|
||||||
sudo dnf install tuned unbound yara -y
|
|
||||||
|
|
||||||
# Setup unbound
|
# Setup unbound
|
||||||
|
|
||||||
|
sudo dnf install unbound -y
|
||||||
|
|
||||||
echo 'server:
|
echo 'server:
|
||||||
chroot: ""
|
chroot: ""
|
||||||
|
|
||||||
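Review bot: Style: the single `sudo dnf install tuned unbound yara -y` transaction is replaced by one `dnf install` per section (`unbound` here, `yara` at L280, `fwupd` at L317, `tuned` at L349), so the script now runs four package transactions with four metadata checks, and a failure in a later one leaves the earlier sections already applied. If per-section installs are preferred for readability, an alternative is one `sudo dnf install -y unbound yara fwupd tuned` near the top with the sections doing configuration only. Heading spacing also varies between `# Setup yara` and `#Setup fwupd`.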
@ -113,6 +113,8 @@ LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.c
|
|||||||
|
|
||||||
sudo systemctl enable --now unbound
|
sudo systemctl enable --now unbound
|
||||||
|
|
||||||
|
# Setup yara
|
||||||
|
sudo dnf install -y yara
|
||||||
sudo insights-client --collector malware-detection
|
sudo insights-client --collector malware-detection
|
||||||
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
|
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
|
||||||
|
|
||||||
@ -121,7 +123,16 @@ sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-d
|
|||||||
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
|
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
|
||||||
sudo systemctl enable --now dnf-automatic.timer
|
sudo systemctl enable --now dnf-automatic.timer
|
||||||
|
|
||||||
|
#Setup fwupd
|
||||||
|
sudo dnf install fwupd -y
|
||||||
|
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
||||||
|
echo '[Service]
|
||||||
|
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl enable --now fwupd-refresh.timer
|
||||||
|
|
||||||
# Setup tuned
|
# Setup tuned
|
||||||
|
sudo dnf install tuned -y
|
||||||
sudo tuned-adm profile virtual-guest
|
sudo tuned-adm profile virtual-guest
|
||||||
|
|
||||||
# Enable fstrim.timer
|
# Enable fstrim.timer
|
||||||
|
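Review bot: In the new fwupd block, `mkdir -p /etc/systemd/system/fwupd-refresh.service.d` and the `tee .../override.conf` after it are the only commands without `sudo`; run as the unprivileged user the rest of the script assumes, both fail with permission denied, the override is never written, and `fwupd-refresh.timer` then triggers the stock unit, which only refreshes metadata. Prefix both (`sudo mkdir -p …` and `| sudo tee …`). Two things to confirm: a drop-in that sets `ExecStart=` without a preceding empty `ExecStart=` line adds a second command to a oneshot unit rather than replacing the first, and the stock unit's user and sandboxing settings must allow `fwupdmgr update` to apply firmware. The same unguarded `mkdir`/`tee` pair sits unchanged in the Ubuntu hunk at L724.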
@ -1,13 +1,15 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
#Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
|
#Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
|
||||||
#Customize it to your liking
|
##The script assumes you already have Ubuntu Pro activated
|
||||||
#Run this script as your admin user, NOT root
|
|
||||||
|
|
||||||
# Compliance
|
#Compliance and updates
|
||||||
sudo ua enable usg
|
sudo ua enable usg
|
||||||
|
sudo apt update -y
|
||||||
|
sudo apt full-upgrade -y
|
||||||
sudo apt install -y usg
|
sudo apt install -y usg
|
||||||
sudo usg fix cis_level2_workstation
|
sudo apt autoremove -y
|
||||||
|
sudo usg fix cis_level2_server
|
||||||
|
|
||||||
# Remove AIDE
|
# Remove AIDE
|
||||||
sudo apt purge -y aide*
|
sudo apt purge -y aide*
|
||||||
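Review bot: `sudo usg fix cis_level2_server` replaces the workstation profile in a script whose header comment still describes a GNOME desktop setup; the server profile targets headless systems (as I recall, the CIS Ubuntu benchmark's server content includes removing the X Window System), so this looks like a copy from the server script — confirm the intent or restore `cis_level2_workstation`. The removed `#Run this script as your admin user, NOT root` note still applies, since every command here uses sudo, so keep it. This hunk installs only `usg` while the hunk at L439 drops the standalone `sudo apt install -y curl`; unlike the server script's `sudo apt install -y usg curl libpam-pwquality` at L548, nothing here installs curl, which matters if later sections of this file fetch configuration with it.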
@ -22,9 +24,6 @@ sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
|
|||||||
sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
|
sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
|
||||||
echo "umask 077" | sudo tee --append /etc/profile
|
echo "umask 077" | sudo tee --append /etc/profile
|
||||||
|
|
||||||
# Make sure the system has curl (minimal installs do not include it)
|
|
||||||
sudo apt install -y curl
|
|
||||||
|
|
||||||
# Setup NTS
|
# Setup NTS
|
||||||
sudo systemctl disable systemd-timesyncd
|
sudo systemctl disable systemd-timesyncd
|
||||||
sudo apt install -y chrony
|
sudo apt install -y chrony
|
||||||
@ -114,4 +113,5 @@ EOF
|
|||||||
sudo systemctl restart NetworkManager
|
sudo systemctl restart NetworkManager
|
||||||
|
|
||||||
# Enable fstrim.timer
|
# Enable fstrim.timer
|
||||||
|
sudo apt install tuned -y
|
||||||
sudo systemctl enable --now fstrim.timer
|
sudo systemctl enable --now fstrim.timer
|
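Review bot: `sudo apt install tuned -y` is added under the `# Enable fstrim.timer` heading, where it neither belongs (fstrim.timer comes from util-linux, not tuned) nor gets a profile; unlike the server script, no `sudo tuned-adm profile …` follows, so tuned is installed and left at its default profile. Either drop the line or give it its own `# Setup tuned` section with the intended `tuned-adm profile` call ahead of the fstrim block. The hunk may reach the end of the file, which I cannot confirm from here.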
@ -1,24 +1,22 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
#Meant to be run on Ubuntu Pro Minimal
|
#Meant to be run on Ubuntu Pro Minimal
|
||||||
|
#The script assumes you already have Ubuntu Pro activated
|
||||||
|
|
||||||
#Compliance
|
#Compliance and updates
|
||||||
sudo ua enable usg
|
sudo ua enable usg
|
||||||
sudo apt install -y usg
|
sudo apt update -y
|
||||||
|
sudo apt full-upgrade -y
|
||||||
|
sudo apt install -y usg curl libpam-pwquality
|
||||||
|
sudo apt autoremove -y
|
||||||
sudo usg fix cis_level2_server
|
sudo usg fix cis_level2_server
|
||||||
|
|
||||||
# Remove AIDE
|
# Remove AIDE
|
||||||
sudo apt purge -y aide*
|
sudo apt purge -y aide*
|
||||||
|
|
||||||
# Update and install packages
|
|
||||||
sudo apt update -y
|
|
||||||
sudo apt full-upgrade -y
|
|
||||||
sudo apt install -y curl fwupd libpam-pwquality tuned unbound
|
|
||||||
|
|
||||||
# Setup NTS
|
# Setup NTS
|
||||||
sudo systemctl disable systemd-timesyncd
|
sudo systemctl disable --now systemd-timesyncd
|
||||||
sudo apt install -y chrony
|
sudo apt install -y chrony
|
||||||
rm -rf /etc/chrony/chrony.conf
|
|
||||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
||||||
sudo systemctl restart chronyd
|
sudo systemctl restart chronyd
|
||||||
|
|
||||||
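Review bot: The new `#The script assumes you already have Ubuntu Pro activated` comment documents a precondition the code never checks: on an unattached machine `sudo ua enable usg` fails, and with no `set -e` in the header shown here the script continues into `sudo apt install -y usg curl libpam-pwquality` and `sudo usg fix cis_level2_server`, which fail or are skipped while the rest still runs. Turn the assumption into a guard, e.g. `sudo ua enable usg || { echo 'Ubuntu Pro is not attached; aborting' >&2; exit 1; }`. Dropping `rm -rf /etc/chrony/chrony.conf` is fine, since `curl -o` overwrites the file.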
@ -27,11 +25,11 @@ sudo systemctl restart chronyd
|
|||||||
sudo apt purge -y ufw
|
sudo apt purge -y ufw
|
||||||
sudo snap install ufw
|
sudo snap install ufw
|
||||||
sudo ufw enable
|
sudo ufw enable
|
||||||
sudo ufw allow 22
|
sudo ufw allow OpenSSH
|
||||||
|
|
||||||
# Harden SSH
|
# Harden SSH
|
||||||
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
echo "GSSAPIAuthentication no
|
||||||
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
echo "VerifyHostKeyDNS yes" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||||
sudo mkdir -p /etc/systemd/system/sshd.service.d
|
sudo mkdir -p /etc/systemd/system/sshd.service.d
|
||||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
|
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
|
||||||
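Review bot: The rewritten SSH client config lines are syntactically broken on the new side: `echo "GSSAPIAuthentication no` opens a double-quoted string that only closes at the `"` of the next line's `echo "`, leaving `VerifyHostKeyDNS yes" | sudo tee …` with an unterminated quote that swallows the following commands, so `10-custom.conf` is never written and the `chmod`, `mkdir` and the `curl` of `sshd.service.d/local.conf` become part of the string. If a single multi-line write was intended, the second line should read `VerifyHostKeyDNS yes" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf` without the leading `echo "`; clearer still is `printf '%s\n' 'GSSAPIAuthentication no' 'VerifyHostKeyDNS yes' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf`. The `ufw enable` before `ufw allow OpenSSH` ordering raised at L17 applies here too. It is possible the rendered page dropped text from this line, so verify against the raw commit.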
@ -39,6 +37,9 @@ sudo systemctl daemon-reload
|
|||||||
sudo systemctl restart sshd
|
sudo systemctl restart sshd
|
||||||
|
|
||||||
# Setup unbound
|
# Setup unbound
|
||||||
|
|
||||||
|
sudp apt install -y unbound
|
||||||
|
|
||||||
echo 'server:
|
echo 'server:
|
||||||
trust-anchor-signaling: yes
|
trust-anchor-signaling: yes
|
||||||
root-key-sentinel: yes
|
root-key-sentinel: yes
|
||||||
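Review bot: `sudp apt install -y unbound` misspells `sudo`, so bash reports a command-not-found error, unbound is never installed, and the `echo 'server:` configuration that follows is written for a package that is not present (no `set -e` is visible in this file, so nothing stops). Change it to `sudo apt install -y unbound`. The combined install line removed in the hunk at L505 was the only other place unbound was installed.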
@ -121,6 +122,8 @@ sudo systemctl stop whoopsie.service
|
|||||||
sudo systemctl disable whoopsie.service
|
sudo systemctl disable whoopsie.service
|
||||||
sudo systemctl mask whoopsie.service
|
sudo systemctl mask whoopsie.service
|
||||||
|
|
||||||
|
#Setup fwupd
|
||||||
|
sudo apt install fwupd -y
|
||||||
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
||||||
echo '[Service]
|
echo '[Service]
|
||||||
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
||||||
@ -128,6 +131,7 @@ sudo systemctl daemon-reload
|
|||||||
sudo systemctl enable --now fwupd-refresh.timer
|
sudo systemctl enable --now fwupd-refresh.timer
|
||||||
|
|
||||||
# Setup tuned
|
# Setup tuned
|
||||||
|
sudo apt install tuned -y
|
||||||
sudo tuned-adm profile virtual-guest
|
sudo tuned-adm profile virtual-guest
|
||||||
|
|
||||||
# Enable fstrim.timer
|
# Enable fstrim.timer
|
||||||
|
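Review bot: `sudo tuned-adm profile virtual-guest` now runs right after the new `sudo apt install tuned -y` with nothing ensuring the daemon is up; tuned-adm talks to tuned over D-Bus, and while Debian-derived packages usually start the service on install, making it explicit avoids relying on that: `sudo systemctl enable --now tuned` between the two lines. The same pattern is added for dnf at L349, where installing a package does not start its service. The `# Setup tuned` section continues past the hunk.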