No commits in common. "68b50f15bee6afbf20b5951a89ad0a71806fc54f" and "b219184e6da52af8df08c3470f34a1b380284242" have entirely different histories.
68b50f15be
...
b219184e6d
@ -110,8 +110,6 @@ sudo dnf remove -y cockpit*
|
|||||||
# Install hardened_malloc
|
# Install hardened_malloc
|
||||||
sudo dnf copr enable secureblue/hardened_malloc -y
|
sudo dnf copr enable secureblue/hardened_malloc -y
|
||||||
sudo dnf install -y hardened_malloc
|
sudo dnf install -y hardened_malloc
|
||||||
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
|
||||||
sudo chmod 644 /etc/ld.so.preload
|
|
||||||
|
|
||||||
# Install appropriate virtualization drivers
|
# Install appropriate virtualization drivers
|
||||||
if [ "$virtualization" = 'kvm' ]; then
|
if [ "$virtualization" = 'kvm' ]; then
|
||||||
|
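Review bot: With the two `/etc/ld.so.preload` lines removed, the new side still enables the copr and runs `sudo dnf install -y hardened_malloc`, but nothing left in the hunk activates the allocator, so unless the secureblue package ships its own preload or drop-in configuration the library is installed and never used; the same applies to the hunk at `@ -176,8 +176,6 @@`. If the package does handle activation, a one-line comment such as `# Preloading is configured by the hardened_malloc package itself` next to the install line would make that intent clear and stop the next reader from re-adding the preload. Both hunks also pull the package from a third-party copr with no pinning or repository GPG settings visible here, which deserves a short comment on why that source is trusted.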
@ -176,8 +176,6 @@ sudo dnf -y upgrade
|
|||||||
# Install hardened_malloc
|
# Install hardened_malloc
|
||||||
sudo dnf copr enable secureblue/hardened_malloc -y
|
sudo dnf copr enable secureblue/hardened_malloc -y
|
||||||
sudo dnf install -y hardened_malloc
|
sudo dnf install -y hardened_malloc
|
||||||
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
|
||||||
sudo chmod 644 /etc/ld.so.preload
|
|
||||||
|
|
||||||
# Install packages that I use
|
# Install packages that I use
|
||||||
sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo
|
sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo
|
||||||
|
@ -3,30 +3,30 @@
|
|||||||
dev.tty.ldisc_autoload = 0
|
dev.tty.ldisc_autoload = 0
|
||||||
|
|
||||||
# https://access.redhat.com/solutions/1985633
|
# https://access.redhat.com/solutions/1985633
|
||||||
# Seems dangerous.
|
# Seems dangerous
|
||||||
fs.binfmt_misc.status = 0
|
fs.binfmt_misc.status = 0
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
|
||||||
# Enable fs.protected sysctls.
|
# Enable fs.protected sysctls
|
||||||
fs.protected_regular = 2
|
fs.protected_regular = 2
|
||||||
fs.protected_fifos = 2
|
fs.protected_fifos = 2
|
||||||
fs.protected_symlinks = 1
|
fs.protected_symlinks = 1
|
||||||
fs.protected_hardlinks = 1
|
fs.protected_hardlinks = 1
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
|
||||||
# Disable coredumps.
|
# Disable coredumps
|
||||||
# For additional safety, disable coredumps using ulimit and systemd too.
|
# For additional safety, disable coredumps using ulimit and systemd too.
|
||||||
kernel.core_pattern=|/bin/false
|
kernel.core_pattern=|/bin/false
|
||||||
fs.suid_dumpable = 0
|
fs.suid_dumpable = 0
|
||||||
|
|
||||||
# Restrict dmesg to CAP_SYS_LOG.
|
# Restrict dmesg to CAP_SYS_LOG
|
||||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||||
kernel.dmesg_restrict = 1
|
kernel.dmesg_restrict = 1
|
||||||
|
|
||||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||||
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||||
# Restrict access to /proc.
|
# Restrict access to /proc
|
||||||
kernel.kptr_restrict = 2
|
kernel.kptr_restrict = 2
|
||||||
|
|
||||||
# Not needed, I don't do livepatching and reboot regularly.
|
# Not needed, I don't do livepatching and reboot regularly.
|
||||||
@ -38,10 +38,10 @@ kernel.kexec_load_disabled = 1
|
|||||||
kernel.unprivileged_bpf_disabled = 1
|
kernel.unprivileged_bpf_disabled = 1
|
||||||
net.core.bpf_jit_harden = 2
|
net.core.bpf_jit_harden = 2
|
||||||
|
|
||||||
# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it.
|
# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it
|
||||||
kernel.unprivileged_userns_clone = 0
|
kernel.unprivileged_userns_clone = 0
|
||||||
|
|
||||||
# Needed for gVisor, which is used on almost all of my servers.
|
# Needed for gVisor, which is used on almost all of my servers
|
||||||
kernel.yama.ptrace_scope = 1
|
kernel.yama.ptrace_scope = 1
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||||
@ -57,60 +57,60 @@ kernel.perf_event_paranoid = 4
|
|||||||
kernel_io_uring_disable = 2
|
kernel_io_uring_disable = 2
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||||
# Disable sysrq.
|
# Disable sysrq
|
||||||
kernel.sysrq = 0
|
kernel.sysrq = 0
|
||||||
|
|
||||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
|
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
|
||||||
# Not running a router here, so no redirects.
|
# Not running a router here, so no redirects
|
||||||
net.ipv4.conf.*.send_redirects = 0
|
net.ipv4.conf.*.send_redirects = 0
|
||||||
net.ipv4.conf.*.accept_redirects = 0
|
net.ipv4.conf.*.accept_redirects = 0
|
||||||
net.ipv6.conf.*.accept_redirects = 0
|
net.ipv6.conf.*.accept_redirects = 0
|
||||||
|
|
||||||
# Check if the source of the IP address is reachable through the same interface it came in.
|
# Check if the source of the IP address is reachable through the same interface it came in
|
||||||
# Basic IP spoofing mitigation.
|
# Basic IP spoofing mitigation
|
||||||
net.ipv4.conf.*.rp_filter = 1
|
net.ipv4.conf.*.rp_filter = 1
|
||||||
|
|
||||||
# Respond to ICMP
|
# Respond to ICMP
|
||||||
net.ipv4.icmp_echo_ignore_all = 0
|
net.ipv4.icmp_echo_ignore_all = 0
|
||||||
net.ipv6.icmp.echo_ignore_all = 0
|
net.ipv6.icmp.echo_ignore_all = 0
|
||||||
|
|
||||||
# Ignore Bogus ICMP responses.
|
# Ignore Bogus ICMP responses
|
||||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||||
|
|
||||||
# Enable IP Forwarding.
|
# Enable IP Forwarding
|
||||||
# Almost all of my servers run Docker anyways, and Docker absolutely requires this.
|
# Almost all of my servers run Docker anyways, and Docker absolutely requires this.
|
||||||
net.ipv4.ip_forward = 1
|
net.ipv4.ip_forward = 1
|
||||||
net.ipv6.conf.all.forwarding = 1
|
net.ipv6.conf.all.forwarding = 1
|
||||||
|
|
||||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
|
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
|
||||||
# Ignore bogus icmp response.
|
# Ignore bogus icmp response
|
||||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||||
|
|
||||||
# Protection against time-wait assasination attacks.
|
# Protection against time-wait assasination attacks
|
||||||
net.ipv4.tcp_rfc1337 = 1
|
net.ipv4.tcp_rfc1337 = 1
|
||||||
|
|
||||||
# Enable SYN cookies.
|
# Enable SYN cookies
|
||||||
# Basic SYN flood mitigation.
|
# Basic SYN flood mitigation
|
||||||
net.ipv4.tcp_syncookies = 1
|
net.ipv4.tcp_syncookies = 1
|
||||||
|
|
||||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||||
# Make sure TCP timestamp is enabled.
|
# Make sure TCP timestamp is enabled
|
||||||
net.ipv4.tcp_timestamps = 1
|
net.ipv4.tcp_timestamps = 1
|
||||||
|
|
||||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||||
# Disable TCP SACK.
|
# Disable TCP SACK
|
||||||
# We have good networking :)
|
# We have good networking :)
|
||||||
net.ipv4.tcp_sack = 0
|
net.ipv4.tcp_sack = 0
|
||||||
|
|
||||||
# No SACK, therefore no Duplicated SACK.
|
# No SACK, therefore no Duplicated SACK
|
||||||
net.ipv4.tcp_dsack = 0
|
net.ipv4.tcp_dsack = 0
|
||||||
|
|
||||||
# Improve ALSR effectiveness for mmap.
|
# Improve ALSR effectiveness for mmap
|
||||||
vm.mmap_rnd_bits = 32
|
vm.mmap_rnd_bits = 32
|
||||||
vm.mmap_rnd_compat_bits = 16
|
vm.mmap_rnd_compat_bits = 16
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||||
# Restrict userfaultfd to CAP_SYS_PTRACE.
|
# Restrict userfaultfd to CAP_SYS_PTRACE
|
||||||
# https://bugs.archlinux.org/task/62780
|
# https://bugs.archlinux.org/task/62780
|
||||||
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
|
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
|
||||||
# probably not used in the real world at all.
|
# probably not used in the real world at all.
|
||||||
|
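Review bot: The context line `kernel_io_uring_disable = 2`, kept on the new side, is not a valid sysctl key; the kernel knob is `kernel.io_uring_disabled` (dotted, past tense), so sysctl cannot apply this entry and io_uring stays enabled even though the file reads as if it were off. The same line appears in the workstation file's hunk at `@ -56,60 +56,60 @@`. Since this commit already touches the surrounding comments, the fix is a one-line change here and there: `kernel.io_uring_disabled = 2`. Separately, `net.ipv4.icmp_ignore_bogus_error_responses = 1` is set twice within this hunk; harmless, but the second occurrence could be dropped.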
@ -4,11 +4,11 @@ dev.tty.ldisc_autoload = 0
|
|||||||
|
|
||||||
# https://access.redhat.com/solutions/1985633
|
# https://access.redhat.com/solutions/1985633
|
||||||
# Seems dangerous.
|
# Seems dangerous.
|
||||||
# Roseta need this though, so if you use it change it to 1.
|
# Roseta need this though, so if you use it change it to 1
|
||||||
fs.binfmt_misc.status = 0
|
fs.binfmt_misc.status = 0
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
|
||||||
# Enable fs.protected sysctls.
|
# Enable fs.protected sysctls
|
||||||
fs.protected_regular = 2
|
fs.protected_regular = 2
|
||||||
fs.protected_fifos = 2
|
fs.protected_fifos = 2
|
||||||
fs.protected_symlinks = 1
|
fs.protected_symlinks = 1
|
||||||
@ -20,14 +20,14 @@ fs.protected_hardlinks = 1
|
|||||||
kernel.core_pattern=|/bin/false
|
kernel.core_pattern=|/bin/false
|
||||||
fs.suid_dumpable = 0
|
fs.suid_dumpable = 0
|
||||||
|
|
||||||
# Restrict dmesg to CAP_SYS_LOG.
|
# Restrict dmesg to CAP_SYS_LOG
|
||||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||||
kernel.dmesg_restrict = 1
|
kernel.dmesg_restrict = 1
|
||||||
|
|
||||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||||
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||||
# Restrict access to /proc.
|
# Restrict access to /proc
|
||||||
kernel.kptr_restrict = 2
|
kernel.kptr_restrict = 2
|
||||||
|
|
||||||
# Not needed, I don't do livepatching and reboot regularly.
|
# Not needed, I don't do livepatching and reboot regularly.
|
||||||
@ -39,7 +39,7 @@ kernel.kexec_load_disabled = 1
|
|||||||
kernel.unprivileged_bpf_disabled = 1
|
kernel.unprivileged_bpf_disabled = 1
|
||||||
net.core.bpf_jit_harden = 2
|
net.core.bpf_jit_harden = 2
|
||||||
|
|
||||||
# Needed for Flatpak and Bubblewrap.
|
# Needed for Flatpak and Bubblewrap
|
||||||
kernel.unprivileged_userns_clone = 1
|
kernel.unprivileged_userns_clone = 1
|
||||||
|
|
||||||
# Disable ptrace. Not needed on workstations.
|
# Disable ptrace. Not needed on workstations.
|
||||||
@ -56,60 +56,60 @@ kernel.perf_event_paranoid = 4
|
|||||||
kernel_io_uring_disable = 2
|
kernel_io_uring_disable = 2
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||||
# Disable sysrq.
|
# Disable sysrq
|
||||||
kernel.sysrq = 0
|
kernel.sysrq = 0
|
||||||
|
|
||||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
|
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
|
||||||
# Not running a router here, so no redirects.
|
# Not running a router here, so no redirects
|
||||||
net.ipv4.conf.*.send_redirects = 0
|
net.ipv4.conf.*.send_redirects = 0
|
||||||
net.ipv4.conf.*.accept_redirects = 0
|
net.ipv4.conf.*.accept_redirects = 0
|
||||||
net.ipv6.conf.*.accept_redirects = 0
|
net.ipv6.conf.*.accept_redirects = 0
|
||||||
|
|
||||||
# Check if the source of the IP address is reachable through the same interface it came in
|
# Check if the source of the IP address is reachable through the same interface it came in
|
||||||
# Basic IP spoofing mitigation.
|
# Basic IP spoofing mitigation
|
||||||
net.ipv4.conf.*.rp_filter = 1
|
net.ipv4.conf.*.rp_filter = 1
|
||||||
|
|
||||||
# Do not respond to ICMP.
|
# Do not respond to ICMP
|
||||||
net.ipv4.icmp_echo_ignore_all = 1
|
net.ipv4.icmp_echo_ignore_all = 1
|
||||||
net.ipv6.icmp.echo_ignore_all = 1
|
net.ipv6.icmp.echo_ignore_all = 1
|
||||||
|
|
||||||
# Ignore Bogus ICMP responses.
|
# Ignore Bogus ICMP responses
|
||||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||||
|
|
||||||
# Enable IP Forwarding.
|
# Enable IP Forwarding
|
||||||
# Needed for VM networking and whatnot.
|
# Needed for VM networking and whatnot.
|
||||||
net.ipv4.ip_forward = 1
|
net.ipv4.ip_forward = 1
|
||||||
net.ipv6.conf.all.forwarding = 1
|
net.ipv6.conf.all.forwarding = 1
|
||||||
|
|
||||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
|
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
|
||||||
# Ignore bogus icmp response.
|
# Ignore bogus icmp response
|
||||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||||
|
|
||||||
# Protection against time-wait assasination attacks.
|
# Protection against time-wait assasination attacks
|
||||||
net.ipv4.tcp_rfc1337 = 1
|
net.ipv4.tcp_rfc1337 = 1
|
||||||
|
|
||||||
# Enable SYN cookies.
|
# Enable SYN cookies
|
||||||
# Basic SYN flood mitigation.
|
# Basic SYN flood mitigation
|
||||||
net.ipv4.tcp_syncookies = 1
|
net.ipv4.tcp_syncookies = 1
|
||||||
|
|
||||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||||
# Make sure TCP timestamp is enabled.
|
# Make sure TCP timestamp is enabled
|
||||||
net.ipv4.tcp_timestamps = 1
|
net.ipv4.tcp_timestamps = 1
|
||||||
|
|
||||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||||
# Disable TCP SACK.
|
# Disable TCP SACK
|
||||||
# We have good networking :)
|
# We have good networking :)
|
||||||
net.ipv4.tcp_sack = 0
|
net.ipv4.tcp_sack = 0
|
||||||
|
|
||||||
# No SACK, therefore no Duplicated SACK.
|
# No SACK, therefore no Duplicated SACK
|
||||||
net.ipv4.tcp_dsack = 0
|
net.ipv4.tcp_dsack = 0
|
||||||
|
|
||||||
# Improve ALSR effectiveness for mmap.
|
# Improve ALSR effectiveness for mmap
|
||||||
vm.mmap_rnd_bits = 32
|
vm.mmap_rnd_bits = 32
|
||||||
vm.mmap_rnd_compat_bits = 16
|
vm.mmap_rnd_compat_bits = 16
|
||||||
|
|
||||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||||
# Restrict userfaultfd to CAP_SYS_PTRACE.
|
# Restrict userfaultfd to CAP_SYS_PTRACE
|
||||||
# https://bugs.archlinux.org/task/62780
|
# https://bugs.archlinux.org/task/62780
|
||||||
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
|
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
|
||||||
# probably not used in the real world at all.
|
# probably not used in the real world at all.
|
||||||
|