mirror of
https://github.com/tommytran732/Linux-Setup-Scripts
synced 2024-11-21 17:11:33 -05:00
Compare commits
6 Commits
5cc40052cc
...
1ab3c4de47
| Author | SHA1 | Date | |
|---|---|---|---|
| 1ab3c4de47 | |||
| 0880786054 | |||
| 85ada77f4c | |||
| ebf0284c32 | |||
| 80c2957f6c | |||
| ad0de6f2a0 |
@ -11,11 +11,11 @@ sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {
|
||||
# Update and install packages
|
||||
sudo apt update
|
||||
sudo apt upgrade -y
|
||||
sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
|
||||
|
||||
# Setup ufw
|
||||
sudo apt install ufw -y
|
||||
sudo ufw enable
|
||||
sudo ufw allow 22/tcp
|
||||
sudo ufw allow OpenSSH
|
||||
|
||||
# Harden SSH
|
||||
echo 'GSSAPIAuthentication no
|
||||
@ -42,6 +42,9 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s
|
||||
echo "* hard core 0" | tee -a /etc/security/limits.conf
|
||||
|
||||
# Setup unbound
|
||||
|
||||
sudo apt instal unbound resolvconf -y
|
||||
|
||||
echo 'server:
|
||||
trust-anchor-signaling: yes
|
||||
root-key-sentinel: yes
|
||||
@ -112,6 +115,7 @@ sudo systemctl restart unbound
|
||||
sudo systemctl disable --now systemd-resolved
|
||||
|
||||
# Setup tuned
|
||||
sudo dnf install tuned -y
|
||||
sudo tuned-adm profile virtual-guest
|
||||
|
||||
# Enable fstrim.timer
|
||||
|
||||
@ -21,12 +21,13 @@ systemctl restart sshd
|
||||
# Setup repositories
|
||||
sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list
|
||||
|
||||
echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free
|
||||
echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
|
||||
|
||||
deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free
|
||||
deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
|
||||
|
||||
# security updates
|
||||
deb https://security.debian.org bookworm-security main contrib non-free
|
||||
deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
|
||||
|
||||
deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
|
||||
|
||||
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list
|
||||
|
||||
|
||||
@ -49,10 +49,10 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl restart irqbalance
|
||||
|
||||
# Install packages
|
||||
sudo dnf install tuned unbound yara -y
|
||||
|
||||
# Setup unbound
|
||||
|
||||
sudo dnf install unbound -y
|
||||
|
||||
echo 'server:
|
||||
chroot: ""
|
||||
|
||||
@ -113,6 +113,8 @@ LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.c
|
||||
|
||||
sudo systemctl enable --now unbound
|
||||
|
||||
# Setup yara
|
||||
sudo dnf install -y yara
|
||||
sudo insights-client --collector malware-detection
|
||||
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
|
||||
|
||||
@ -121,7 +123,16 @@ sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-d
|
||||
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
|
||||
sudo systemctl enable --now dnf-automatic.timer
|
||||
|
||||
#Setup fwupd
|
||||
sudo dnf install fwupd -y
|
||||
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
||||
echo '[Service]
|
||||
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl enable --now fwupd-refresh.timer
|
||||
|
||||
# Setup tuned
|
||||
sudo dnf install tuned -y
|
||||
sudo tuned-adm profile virtual-guest
|
||||
|
||||
# Enable fstrim.timer
|
||||
|
||||
@ -1,13 +1,15 @@
|
||||
#!/bin/bash
|
||||
|
||||
#Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
|
||||
#Customize it to your liking
|
||||
#Run this script as your admin user, NOT root
|
||||
##The script assumes you already have Ubuntu Pro activated
|
||||
|
||||
# Compliance
|
||||
#Compliance and updates
|
||||
sudo ua enable usg
|
||||
sudo apt update -y
|
||||
sudo apt full-upgrade -y
|
||||
sudo apt install -y usg
|
||||
sudo usg fix cis_level2_workstation
|
||||
sudo apt autoremove -y
|
||||
sudo usg fix cis_level2_server
|
||||
|
||||
# Remove AIDE
|
||||
sudo apt purge -y aide*
|
||||
@ -22,9 +24,6 @@ sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
|
||||
sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
|
||||
echo "umask 077" | sudo tee --append /etc/profile
|
||||
|
||||
# Make sure the system has curl (minimal installs do not include it)
|
||||
sudo apt install -y curl
|
||||
|
||||
# Setup NTS
|
||||
sudo systemctl disable systemd-timesyncd
|
||||
sudo apt install -y chrony
|
||||
@ -114,4 +113,5 @@ EOF
|
||||
sudo systemctl restart NetworkManager
|
||||
|
||||
# Enable fstrim.timer
|
||||
sudo apt install tuned -y
|
||||
sudo systemctl enable --now fstrim.timer
|
||||
@ -1,24 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
#Meant to be run on Ubuntu Pro Minimal
|
||||
#The script assumes you already have Ubuntu Pro activated
|
||||
|
||||
#Compliance
|
||||
#Compliance and updates
|
||||
sudo ua enable usg
|
||||
sudo apt install -y usg
|
||||
sudo apt update -y
|
||||
sudo apt full-upgrade -y
|
||||
sudo apt install -y usg curl libpam-pwquality
|
||||
sudo apt autoremove -y
|
||||
sudo usg fix cis_level2_server
|
||||
|
||||
# Remove AIDE
|
||||
sudo apt purge -y aide*
|
||||
|
||||
# Update and install packages
|
||||
sudo apt update -y
|
||||
sudo apt full-upgrade -y
|
||||
sudo apt install -y curl fwupd libpam-pwquality tuned unbound
|
||||
|
||||
# Setup NTS
|
||||
sudo systemctl disable systemd-timesyncd
|
||||
sudo systemctl disable --now systemd-timesyncd
|
||||
sudo apt install -y chrony
|
||||
rm -rf /etc/chrony/chrony.conf
|
||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
|
||||
sudo systemctl restart chronyd
|
||||
|
||||
@ -27,11 +25,11 @@ sudo systemctl restart chronyd
|
||||
sudo apt purge -y ufw
|
||||
sudo snap install ufw
|
||||
sudo ufw enable
|
||||
sudo ufw allow 22
|
||||
sudo ufw allow OpenSSH
|
||||
|
||||
# Harden SSH
|
||||
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
||||
echo "GSSAPIAuthentication no
|
||||
echo "VerifyHostKeyDNS yes" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||
sudo mkdir -p /etc/systemd/system/sshd.service.d
|
||||
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
|
||||
@ -39,6 +37,9 @@ sudo systemctl daemon-reload
|
||||
sudo systemctl restart sshd
|
||||
|
||||
# Setup unbound
|
||||
|
||||
sudp apt install -y unbound
|
||||
|
||||
echo 'server:
|
||||
trust-anchor-signaling: yes
|
||||
root-key-sentinel: yes
|
||||
@ -121,6 +122,8 @@ sudo systemctl stop whoopsie.service
|
||||
sudo systemctl disable whoopsie.service
|
||||
sudo systemctl mask whoopsie.service
|
||||
|
||||
#Setup fwupd
|
||||
sudo apt install fwupd -y
|
||||
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
||||
echo '[Service]
|
||||
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
||||
@ -128,6 +131,7 @@ sudo systemctl daemon-reload
|
||||
sudo systemctl enable --now fwupd-refresh.timer
|
||||
|
||||
# Setup tuned
|
||||
sudo apt install tuned -y
|
||||
sudo tuned-adm profile virtual-guest
|
||||
|
||||
# Enable fstrim.timer
|
||||
|
||||
Loading…
Reference in New Issue
Block a user