2 Commits
63b63e8129
...
a2424b179b
Author | SHA1 | Date | |
---|---|---|---|
a2424b179b | |||
e8aec0c4e8 |
@ -17,7 +17,7 @@
|
||||
#Run this as your user to set the theme
|
||||
|
||||
output(){
|
||||
echo -e '\e[36m'$1'\e[0m';
|
||||
echo -e '\e[36m'"$1"'\e[0m';
|
||||
}
|
||||
|
||||
#Enable Titlebar buttons
|
||||
|
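Review bot: Quoting `$1` on the new `echo -e` line fixes word-splitting and globbing of the message, but `echo -e` still interprets backslash sequences inside the message and would treat a message beginning with `-n` or `-e` as an option, so the safer body for `output` is `printf '\e[36m%s\e[0m\n' "$1"`. The trailing `;` before the closing brace is unnecessary and can go at the same time. Every caller visible in this commit passes a fixed literal, so their output would be unchanged by the switch.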
@ -31,7 +31,7 @@ cd /home/"${USER}" || exit
|
||||
# Setting umask to 077
|
||||
umask 077
|
||||
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
||||
echo "umask 077" | sudo tee -a /etc/bashrc
|
||||
echo 'umask 077' | sudo tee -a /etc/bashrc
|
||||
|
||||
# Make home directory private
|
||||
chmod 700 /home/*
|
||||
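Review bot: The requoted `echo 'umask 077' | sudo tee -a /etc/bashrc` is still an unconditional append, so the preceding `sed` rewrites any existing `umask 022` and then every re-run of the script adds another `umask 077` line to `/etc/bashrc`. Guard it with `grep -qx 'umask 077' /etc/bashrc || echo 'umask 077' | sudo tee -a /etc/bashrc`. The same unguarded append pattern appears in this commit's `/etc/security/limits.conf` hunk (`* hard core 0`) and the `/etc/profile` hunk (`tee --append`), which need the same treatment.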
@ -56,8 +56,8 @@ sudo firewall-cmd --reload
|
||||
sudo firewall-cmd --lockdown-on
|
||||
|
||||
# Harden SSH
|
||||
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
||||
echo 'GSSAPIAuthentication no' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
echo 'VerifyHostKeyDNS yes' | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||
|
||||
# Security kernel settings
|
||||
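Review bot: The two-step write of `10-custom.conf` (a truncating `tee`, then `tee -a`) can be one pass with a heredoc, `sudo tee /etc/ssh/ssh_config.d/10-custom.conf <<'EOF'` followed by the two option lines and `EOF`, which also makes the file content readable as a unit. The trailing `chmod 644` is presumably there because the script sets `umask 077` earlier, which makes `tee` create the file mode 0600 — a one-line comment such as `# umask 077 above makes tee create this 0600; ssh clients of all users must read it` would record that for the next maintainer. A short comment on `VerifyHostKeyDNS yes` would also help: it implicitly trusts only SSHFP records that arrive DNSSEC-validated, and insecure answers still fall back to the usual prompt.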
@ -66,7 +66,7 @@ unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/us
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf
|
||||
sudo grubby --update-kernel=ALL --args='spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off'
|
||||
sudo grubby --update-kernel=ALL --args='spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=isolation_force efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off'
|
||||
sudo dracut -f
|
||||
sudo sysctl -p
|
||||
|
||||
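Review bot: The new `amd_iommu=isolation_force` on the `grubby` line does not match the spelling this same commit uses in the Proxmox `/etc/kernel/cmdline` hunk, `amd_iommu=force_isolation`; the kernel's documented option is `force_isolation`, so this line should read `amd_iommu=force_isolation`. As far as I can tell an unrecognised `amd_iommu=` value only logs a notice in dmesg rather than failing the boot, so nothing at runtime will flag the typo. Separately, `grubby --update-kernel=ALL --args=` appends to the existing command line, so re-running the script duplicates the whole argument list; checking `grubby --info=ALL` for one of the arguments before applying would make this step idempotent.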
@ -133,7 +133,7 @@ sudo dnf -y install gnome-console git-core gnome-shell-extension-appindicator gn
|
||||
# Install Microsoft Edge if x86_64
|
||||
MACHINE_TYPE=$(uname -m)
|
||||
if [ "${MACHINE_TYPE}" == 'x86_64' ]; then
|
||||
output "x86_64 machine, installing Microsoft edge."
|
||||
output 'x86_64 machine, installing Microsoft Edge.'
|
||||
curl -O https://packages.microsoft.com/keys/microsoft.asc
|
||||
sudo rpm --import microsoft.asc
|
||||
rm microsoft.asc
|
||||
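Review bot: The `curl -O https://packages.microsoft.com/keys/microsoft.asc` two lines below the changed message has no `--fail`, so on an HTTP error the error body is written to `microsoft.asc`, `rpm --import` fails on it, and the script continues into `rm microsoft.asc` and the repository setup anyway; `curl -fsSLO https://packages.microsoft.com/keys/microsoft.asc || exit 1` makes the failure explicit. The `-f` is the essential part; the rest only quiets progress output. The enclosing `if` continues past the hunk.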
@ -159,20 +159,20 @@ sudo systemctl restart fwupd
|
||||
sudo dnf install tuned -y
|
||||
|
||||
virt_type=$(virt-what)
|
||||
if [ "$virt_type" = "" ]; then
|
||||
output "Virtualization: Bare Metal."
|
||||
elif [ "$virt_type" = "openvz lxc" ]; then
|
||||
output "Virtualization: OpenVZ 7."
|
||||
elif [ "$virt_type" = "xen xen-hvm" ]; then
|
||||
output "Virtualization: Xen-HVM."
|
||||
elif [ "$virt_type" = "xen xen-hvm aws" ]; then
|
||||
output "Virtualization: Xen-HVM on AWS."
|
||||
if [ "$virt_type" = '' ]; then
|
||||
output 'Virtualization: Bare Metal.'
|
||||
elif [ "$virt_type" = 'openvz lxc' ]; then
|
||||
output 'Virtualization: OpenVZ 7.'
|
||||
elif [ "$virt_type" = 'xen xen-hvm' ]; then
|
||||
output 'Virtualization: Xen-HVM.'
|
||||
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
|
||||
output 'Virtualization: Xen-HVM on AWS.'
|
||||
else
|
||||
output "Virtualization: $virt_type."
|
||||
fi
|
||||
|
||||
# Setup tuned
|
||||
if [ "$virt_type" = "" ]; then
|
||||
if [ "$virt_type" = '' ]; then
|
||||
# Don't know whether using tuned would be a good idea on a laptop, power-profiles-daemon should be handling performance tuning IMO.
|
||||
sudo dnf remove tuned -y
|
||||
else
|
||||
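Review bot: The requoted `elif` comparisons against `'openvz lxc'`, `'xen xen-hvm'` and `'xen xen-hvm aws'` cannot match, because `virt-what` prints one fact per line while these patterns are space-separated, and `$(...)` only strips trailing newlines — such hosts fall through to the `else` branch. Normalising once at the assignment, `virt_type=$(sudo virt-what | paste -sd ' ')`, fixes that and also runs `virt-what` with the privileges it documents itself as needing; as I recall it refuses to run unprivileged, in which case `$virt_type` is empty and a VM is mis-detected as bare metal, which here leads to `dnf remove tuned`. The same block is rewritten identically in the two later `virt_type=$(virt-what)` hunks of this commit (the tuned/fwupd file and the Ubuntu file) and needs the same change there.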
@ -180,7 +180,7 @@ else
|
||||
fi
|
||||
|
||||
# Setup real-ucode
|
||||
if [ "$virt_type" = "" ]; then
|
||||
if [ "$virt_type" = '' ]; then
|
||||
sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20230406-2.noarch.rpm'
|
||||
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
|
||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
|
||||
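Review bot: The `sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20230406-2.noarch.rpm'` inside the requoted `if` installs a release package fetched by URL, and with dnf's defaults `gpgcheck` is not applied to URL/local packages unless `localpkg_gpgcheck` is enabled, so the repo definition and key are trusted on TLS alone; consider `sudo dnf install -y --setopt=localpkg_gpgcheck=1 '<same url>'` after importing the vendor key, or at least a comment recording that the TLS-only trust is deliberate. The command also lacks `-y`, unlike every other `dnf` call in the script, so an unattended run stalls at the prompt. The enclosing `if` continues past the hunk.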
@ -188,4 +188,4 @@ if [ "$virt_type" = "" ]; then
|
||||
sudo dracut -f
|
||||
fi
|
||||
|
||||
output "The script is done. You can also remove gnome-terminal since gnome-console will replace it."
|
||||
output 'The script is done. You can also remove gnome-terminal since gnome-console will replace it.'
|
||||
|
@ -67,7 +67,7 @@ sudo sysctl -p
|
||||
sudo update-initramfs -u
|
||||
|
||||
# Security limit
|
||||
echo "* hard core 0" | tee -a /etc/security/limits.conf
|
||||
echo '* hard core 0' | tee -a /etc/security/limits.conf
|
||||
|
||||
# Setup unbound
|
||||
|
||||
@ -147,4 +147,4 @@ sudo dnf install tuned -y
|
||||
sudo tuned-adm profile virtual-guest
|
||||
|
||||
# Enable fstrim.timer
|
||||
sudo ystemctl enable --now fstrim.timer
|
||||
sudo systemctl enable --now fstrim.timer
|
||||
|
@ -59,7 +59,7 @@ apt upgrade -y
|
||||
apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs
|
||||
|
||||
### This part assumes that you are using systemd-boot
|
||||
echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline
|
||||
echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline
|
||||
proxmox-boot-tool refresh
|
||||
###
|
||||
|
||||
|
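Review bot: The rewritten `echo -e "... $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline` is not idempotent: every run prepends the full argument list in front of whatever the file already holds, and `proxmox-boot-tool refresh` then writes the duplicated line into the boot entries. A guard such as `grep -q 'amd_iommu=force_isolation' /etc/kernel/cmdline ||` in front of the `echo` avoids that, and `-e` is unnecessary because the string contains no escape sequences (`printf '%s\n'` would be the cleaner form). This hunk spells the option `amd_iommu=force_isolation`, which is the kernel's documented form, while the Fedora `grubby` hunk in the same commit has `isolation_force`; the two should agree.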
@ -160,20 +160,20 @@ sudo systemctl enable --now fstrim.timer
|
||||
sudo dnf install tuned -y
|
||||
|
||||
virt_type=$(virt-what)
|
||||
if [ "$virt_type" = "" ]; then
|
||||
output "Virtualization: Bare Metal."
|
||||
elif [ "$virt_type" = "openvz lxc" ]; then
|
||||
output "Virtualization: OpenVZ 7."
|
||||
elif [ "$virt_type" = "xen xen-hvm" ]; then
|
||||
output "Virtualization: Xen-HVM."
|
||||
elif [ "$virt_type" = "xen xen-hvm aws" ]; then
|
||||
output "Virtualization: Xen-HVM on AWS."
|
||||
if [ "$virt_type" = '' ]; then
|
||||
output 'Virtualization: Bare Metal.'
|
||||
elif [ "$virt_type" = 'openvz lxc' ]; then
|
||||
output 'Virtualization: OpenVZ 7.'
|
||||
elif [ "$virt_type" = 'xen xen-hvm' ]; then
|
||||
output 'Virtualization: Xen-HVM.'
|
||||
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
|
||||
output 'Virtualization: Xen-HVM on AWS.'
|
||||
else
|
||||
output "Virtualization: $virt_type."
|
||||
fi
|
||||
|
||||
# Setup tuned
|
||||
if [ "$virt_type" = "" ]; then
|
||||
if [ "$virt_type" = '' ]; then
|
||||
sudo tuned-adm profile latency-performance
|
||||
else
|
||||
sudo tuned-adm profile virtual-guest
|
||||
@ -189,7 +189,7 @@ if [ "$virt_type" = "" ]; then
|
||||
fi
|
||||
|
||||
# Setup fwupd
|
||||
if [ "$virt_type" = "" ]; then
|
||||
if [ "$virt_type" = '' ]; then
|
||||
sudo dnf install fwupd -y
|
||||
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
|
||||
sudo systemctl restart fwupd
|
||||
|
@ -44,7 +44,7 @@ umask 077
|
||||
sudo sed -ie '/^DIR_MODE=/ s/=[0-9]*\+/=0700/' /etc/adduser.conf
|
||||
sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
|
||||
sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
|
||||
echo "umask 077" | sudo tee --append /etc/profile
|
||||
echo 'umask 077' | sudo tee --append /etc/profile
|
||||
|
||||
# Setup NTS
|
||||
sudo systemctl disable systemd-timesyncd
|
||||
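Review bot: The two `sed -ie` lines just above the changed line combine `-i` with a backup suffix of `e` on GNU sed, so each run leaves `/etc/adduser.confe` and `/etc/login.defse` behind in `/etc`; they should be written `sudo sed -i -e '...'`. The requoted `echo 'umask 077' | sudo tee --append /etc/profile` is also an unconditional append, so re-runs accumulate duplicate lines; `grep -qx 'umask 077' /etc/profile ||` in front of the `echo` makes it idempotent.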
@ -59,8 +59,8 @@ sudo snap install ufw
|
||||
sudo ufw enable
|
||||
|
||||
# Harden SSH
|
||||
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
||||
echo 'GSSAPIAuthentication no
|
||||
VerifyHostKeyDNS yes' | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||
|
||||
# Kernel hardening
|
||||
|
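Review bot: Merging the two writes into one `echo` also changed the first write from a truncating `tee` to `tee -a`, so `10-custom.conf` is no longer reset on each run and every execution appends another copy of both directives. Dropping the `-a` (`| sudo tee /etc/ssh/ssh_config.d/10-custom.conf`) restores the rewrite semantics and matches what the Fedora script in this same commit still does. A heredoc, `sudo tee /etc/ssh/ssh_config.d/10-custom.conf <<'EOF'` with the two lines and `EOF`, would read more clearly than a literal newline inside single quotes.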
@ -172,13 +172,13 @@ sudo apt install tuned -y
|
||||
|
||||
virt_type=$(virt-what)
|
||||
if [ "$virt_type" = "" ]; then
|
||||
output "Virtualization: Bare Metal."
|
||||
elif [ "$virt_type" = "openvz lxc" ]; then
|
||||
output "Virtualization: OpenVZ 7."
|
||||
elif [ "$virt_type" = "xen xen-hvm" ]; then
|
||||
output "Virtualization: Xen-HVM."
|
||||
elif [ "$virt_type" = "xen xen-hvm aws" ]; then
|
||||
output "Virtualization: Xen-HVM on AWS."
|
||||
output 'Virtualization: Bare Metal.'
|
||||
elif [ "$virt_type" = 'openvz lxc' ]; then
|
||||
output 'Virtualization: OpenVZ 7.'
|
||||
elif [ "$virt_type" = 'xen xen-hvm' ]; then
|
||||
output 'Virtualization: Xen-HVM.'
|
||||
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
|
||||
output 'Virtualization: Xen-HVM on AWS.'
|
||||
else
|
||||
output "Virtualization: $virt_type."
|
||||
fi
|
||||
@ -191,7 +191,7 @@ else
|
||||
fi
|
||||
|
||||
# Setup fwupd
|
||||
if [ "$virt_type" = "" ]; then
|
||||
if [ "$virt_type" = '' ]; then
|
||||
sudo apt install fwupd -y
|
||||
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
|
||||
sudo systemctl restart fwupd
|
||||
|