mirror of
https://github.com/tommytran732/Linux-Setup-Scripts
synced 2024-11-25 02:31:34 -05:00
Compare commits
No commits in common. "88918cf7dc07d81a2d93efdb31627a78d3755d36" and "acf3e6ae11bb79e698573e87f9188c6651b5aa63" have entirely different histories.
88918cf7dc
...
acf3e6ae11
@ -63,10 +63,20 @@ sudo systemctl daemon-reload
|
||||
sudo systemctl restart sshd
|
||||
|
||||
# Security kernel settings
|
||||
unpriv curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf
|
||||
sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf
|
||||
sudo chmod 644 /etc/sysctl.d/99-server.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
||||
sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
|
||||
sudo chmod 644 /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/kernel\.yama\.ptrace_scope[[:space:]]*=.*/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=.*/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/net\.ipv6\.icmp.echo_ignore_all[[:space:]]*=.*/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sudo dracut -f
|
||||
sudo sysctl -p
|
||||
|
||||
@ -78,11 +88,7 @@ else
|
||||
fi
|
||||
|
||||
# Disable coredump
|
||||
umask 022
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||
mkdir -p /etc/systemd/coredump.conf.d
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||
umask 077
|
||||
|
||||
# Setup ZRAM
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/zram-generator.conf | sudo tee /etc/systemd/zram-generator.conf
|
||||
@ -99,10 +105,6 @@ sudo systemctl enable --now dnf-automatic.timer
|
||||
# Remove unnecessary packages
|
||||
sudo dnf remove -y cockpit*
|
||||
|
||||
# Install hardened_malloc
|
||||
sudo dnf copr enable secureblue/hardened_malloc -y
|
||||
sudo dnf install -y hardened_malloc
|
||||
|
||||
# Install appropriate virtualization drivers
|
||||
if [ "$virtualization" = 'kvm' ]; then
|
||||
sudo dnf install -y qemu-guest-agent
|
||||
@ -148,9 +150,22 @@ MACHINE_TYPE=$(uname -m)
|
||||
if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
|
||||
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
|
||||
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
|
||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
|
||||
sudo dnf install -y real-ucode
|
||||
sudo dracut -f
|
||||
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
|
||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
|
||||
sudo dnf install -y real-ucode
|
||||
sudo dracut -f
|
||||
elif [ "$virtualization" != 'none' ]; then
|
||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
|
||||
sudo dnf install -y hardened_malloc
|
||||
else
|
||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
|
||||
sudo dnf install -y real-ucode hardened_malloc
|
||||
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
||||
sudo dracut -f
|
||||
fi
|
||||
elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
|
||||
sudo dnf copr enable secureblue/hardened_malloc -y
|
||||
sudo dnf install -y hardened_malloc
|
||||
fi
|
||||
|
||||
# Setup networking
|
||||
|
||||
@ -62,14 +62,16 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
|
||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||
|
||||
# Security kernel settings
|
||||
if [ "${virtualization}" = 'parallels' ]; then
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Kernel-Module-Blacklist/main/etc/modprobe.d/workstation-blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf
|
||||
else
|
||||
unpriv curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf
|
||||
fi
|
||||
sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf | sudo tee /etc/sysctl.d/99-workstation.conf
|
||||
sudo chmod 644 /etc/sysctl.d/99-workstation.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
||||
sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
|
||||
sudo chmod 644 /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/kernel\.yama\.ptrace_scope[[:space:]]*=.*/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sudo dracut -f
|
||||
sudo sysctl -p
|
||||
|
||||
@ -89,11 +91,7 @@ else
|
||||
fi
|
||||
|
||||
# Disable coredump
|
||||
umask 022
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||
mkdir -p /etc/systemd/coredump.conf.d
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||
umask 077
|
||||
|
||||
# Disable XWayland
|
||||
umask 022
|
||||
@ -164,10 +162,6 @@ sudo dnf config-manager --set-disabled fedora-cisco-openh264
|
||||
# Update packages
|
||||
sudo dnf -y upgrade
|
||||
|
||||
# Install hardened_malloc
|
||||
sudo dnf copr enable secureblue/hardened_malloc -y
|
||||
sudo dnf install -y hardened_malloc
|
||||
|
||||
# Install packages that I use
|
||||
sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo
|
||||
|
||||
@ -224,13 +218,26 @@ else
|
||||
sudo tuned-adm profile virtual-guest
|
||||
fi
|
||||
|
||||
# Setup real-ucode
|
||||
# Setup real-ucode and hardened_malloc
|
||||
if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
|
||||
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
|
||||
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
|
||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
|
||||
sudo dnf install -y real-ucode
|
||||
sudo dracut -f
|
||||
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
|
||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
|
||||
sudo dnf install -y real-ucode
|
||||
sudo dracut -f
|
||||
elif [ "$virtualization" != 'none' ]; then
|
||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
|
||||
sudo dnf install -y hardened_malloc
|
||||
else
|
||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
|
||||
sudo dnf install -y real-ucode hardened_malloc
|
||||
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
||||
sudo dracut -f
|
||||
fi
|
||||
elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
|
||||
sudo dnf copr enable secureblue/hardened_malloc -y
|
||||
sudo dnf install -y hardened_malloc
|
||||
fi
|
||||
|
||||
# Setup networking
|
||||
|
||||
22
Proxmox-8.sh
22
Proxmox-8.sh
@ -73,23 +73,23 @@ proxmox-boot-tool refresh
|
||||
###
|
||||
|
||||
# Kernel hardening
|
||||
curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
|
||||
chmod 644 /etc/modprobe.d/server-blacklist.conf
|
||||
sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
|
||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
|
||||
chmod 644 /etc/sysctl.d/99-server.conf
|
||||
dracut -f
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
||||
sed -i 's/#[[:space:]]*install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
|
||||
sed -i 's/#[[:space:]]*install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /etc/sysctl.d/990-security-misc.conf
|
||||
sed -i 's/kernel\.yama\.ptrace_scope[[:space:]]*=.*/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
|
||||
sed -i 's/net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=.*/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
|
||||
sed -i 's/net\.ipv6\.icmp.echo_ignore_all[[:space:]]*=.*/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sysctl -p
|
||||
|
||||
# Rebuild initramfs
|
||||
update-initramfs -u
|
||||
|
||||
# Disable coredump
|
||||
umask 022
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||
mkdir -p /etc/systemd/coredump.conf.d
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||
umask 077
|
||||
curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||
|
||||
# Harden SSH
|
||||
sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
|
||||
|
||||
22
RHEL-9.sh
22
RHEL-9.sh
@ -57,21 +57,27 @@ sudo systemctl daemon-reload
|
||||
sudo systemctl restart sshd
|
||||
|
||||
# Security kernel settings
|
||||
unpriv curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf
|
||||
sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf
|
||||
sudo chmod 644 /etc/sysctl.d/99-server.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
||||
sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
|
||||
sudo chmod 644 /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/kernel\.yama\.ptrace_scope[[:space:]]*=.*/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=.*/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/net\.ipv6\.icmp.echo_ignore_all[[:space:]]*=.*/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sudo dracut -f
|
||||
sudo sysctl -p
|
||||
|
||||
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
|
||||
|
||||
# Disable coredump
|
||||
umask 022
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||
mkdir -p /etc/systemd/coredump.conf.d
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||
umask 077
|
||||
|
||||
# Setup DNF
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
|
||||
|
||||
@ -52,27 +52,24 @@ fi
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||
|
||||
# Security kernel settings
|
||||
if [ "${virtualization}" = 'parallels' ]; then
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Kernel-Module-Blacklist/main/etc/modprobe.d/workstation-blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf
|
||||
else
|
||||
unpriv curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf
|
||||
fi
|
||||
sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf | sudo tee /etc/sysctl.d/99-workstation.conf
|
||||
sudo chmod 644 /etc/sysctl.d/99-workstation.conf
|
||||
sudo dracut -f
|
||||
# Kernel hardening
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
||||
sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
|
||||
sudo chmod 644 /etc/sysctl.d/990-security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sudo sed -i 's/kernel\.yama\.ptrace_scope[[:space:]]*=.*/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sysctl -p
|
||||
|
||||
# Rebuild initramfs
|
||||
sudo update-initramfs -u
|
||||
|
||||
# Disable coredump
|
||||
umask 022
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||
mkdir -p /etc/systemd/coredump.conf.d
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||
umask 077
|
||||
|
||||
# Update GRUB config
|
||||
sed -i 's/splash/splash mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off/g' /etc/default/grub
|
||||
|
||||
@ -57,23 +57,24 @@ unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/sys
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl restart ssh
|
||||
|
||||
# Security kernel settings
|
||||
unpriv curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf
|
||||
sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf
|
||||
sudo chmod 644 /etc/sysctl.d/99-server.conf
|
||||
sudo dracut -f
|
||||
# Kernel hardening
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/kernel.yama.ptrace_scope[[:space:]]*=.*/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=.*/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/net\.ipv6\.icmp.echo_ignore_all[[:space:]]*=.*/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sudo sysctl -p
|
||||
|
||||
# Rebuild initramfs
|
||||
sudo update-initramfs -u
|
||||
|
||||
# Disable coredump
|
||||
umask 022
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||
mkdir -p /etc/systemd/coredump.conf.d
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
|
||||
umask 077
|
||||
|
||||
# Update GRUB config
|
||||
if [ ! -d /boot/efi/EFI/ZBM ]; then
|
||||
|
||||
@ -1,114 +0,0 @@
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
dev.tty.ldisc_autoload = 0
|
||||
|
||||
# https://access.redhat.com/solutions/1985633
|
||||
# Seems dangerous
|
||||
fs.binfmt_misc.status = 0
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
|
||||
# Enable fs.protected sysctls
|
||||
fs.protected_regular = 2
|
||||
fs.protected_fifos = 2
|
||||
fs.protected_symlinks = 1
|
||||
fs.protected_hardlinks = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
|
||||
# Disable coredumps
|
||||
# For additional safety, disable coredumps using ulimit and systemd too.
|
||||
kernel.core_pattern=|/bin/false
|
||||
fs.suid_dumpable = 0
|
||||
|
||||
# Restrict dmesg to CAP_SYS_LOG
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
kernel.dmesg_restrict = 1
|
||||
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||
# Restrict access to /proc
|
||||
kernel.kptr_restrict = 2
|
||||
|
||||
# Not needed, I don't do livepatching and reboot regularly.
|
||||
# On Ubuntu LTS just sed this to be 0 if you use livepatch.
|
||||
kernel.kexec_load_disabled = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
# Basically, restrict eBPF to CAP_BPF.
|
||||
kernel.unprivileged_bpf_disabled = 1
|
||||
net.core.bpf_jit_harden = 2
|
||||
|
||||
# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it
|
||||
kernel.unprivileged_userns_clone = 0
|
||||
|
||||
# Needed for gVisor, which is used on almost all of my servers
|
||||
kernel.yama.ptrace_scope = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
# Restrict performance events from unprivileged users as much as possible.
|
||||
# We are using 4 here, since Ubuntu supports such a level.
|
||||
# Official Linux kernel documentation only says >= so it probably will work.
|
||||
kernel.perf_event_paranoid = 4
|
||||
|
||||
# https://github.com/containerd/containerd/issues/9048
|
||||
# Disable io_uring, a very sus feature.
|
||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||
# on a Proxmox node.
|
||||
kernel_io_uring_disable = 2
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Disable sysrq
|
||||
kernel.sysrq = 0
|
||||
|
||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
|
||||
# Not running a router here, so no redirects
|
||||
net.ipv4.conf.*.send_redirects = 0
|
||||
net.ipv4.conf.*.accept_redirects = 0
|
||||
net.ipv6.conf.*.accept_redirects = 0
|
||||
|
||||
# Check if the source of the IP address is reachable through the same interface it came in
|
||||
# Basic IP spoofing mitigation
|
||||
net.ipv4.conf.*.rp_filter = 1
|
||||
|
||||
# Respond to ICMP
|
||||
net.ipv4.icmp_echo_ignore_all = 1
|
||||
net.ipv6.icmp.echo_ignore_all = 1
|
||||
|
||||
# Enable IP Forwarding
|
||||
# Almost all of my servers run Docker anyways, and Docker absolutely requires this.
|
||||
net.ipv4.ip_forward = 1
|
||||
net.ipv6.conf.all.forwarding = 1
|
||||
|
||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
|
||||
# Ignore bogus icmp response
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
|
||||
# Protection against time-wait assasination attacks
|
||||
net.ipv4.tcp_rfc1337 = 1
|
||||
|
||||
# Enable SYN cookies
|
||||
# Basic SYN flood mitigation
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
|
||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||
# Make sure TCP timestamp is enabled
|
||||
net.ipv4.tcp_timestamps = 1
|
||||
|
||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||
# Disable TCP SACK
|
||||
# We have good networking :)
|
||||
net.ipv4.tcp_sack = 0
|
||||
|
||||
# No SACK, therefore no Duplicated SACK
|
||||
net.ipv4.tcp_dsack = 0
|
||||
|
||||
# Improve ALSR effectiveness for mmap
|
||||
vm.mmap_rnd_bits = 32
|
||||
vm.mmap_rnd_compat_bits = 16
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Restrict userfaultfd to CAP_SYS_PTRACE
|
||||
# https://bugs.archlinux.org/task/62780
|
||||
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
|
||||
# probably not used in the real world at all.
|
||||
vm.unprivileged_userfaultfd = 0
|
||||
@ -1,114 +0,0 @@
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
dev.tty.ldisc_autoload = 0
|
||||
|
||||
# https://access.redhat.com/solutions/1985633
|
||||
# Seems dangerous
|
||||
fs.binfmt_misc.status = 0
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
|
||||
# Enable fs.protected sysctls
|
||||
fs.protected_regular = 2
|
||||
fs.protected_fifos = 2
|
||||
fs.protected_symlinks = 1
|
||||
fs.protected_hardlinks = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
|
||||
# Disable coredumps
|
||||
# For additional safety, disable coredumps using ulimit and systemd too.
|
||||
kernel.core_pattern=|/bin/false
|
||||
fs.suid_dumpable = 0
|
||||
|
||||
# Restrict dmesg to CAP_SYS_LOG
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
kernel.dmesg_restrict = 1
|
||||
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||
# Restrict access to /proc
|
||||
kernel.kptr_restrict = 2
|
||||
|
||||
# Not needed, I don't do livepatching and reboot regularly.
|
||||
# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
|
||||
kernel.kexec_load_disabled = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
# Basically, restrict eBPF to CAP_BPF.
|
||||
kernel.unprivileged_bpf_disabled = 1
|
||||
net.core.bpf_jit_harden = 2
|
||||
|
||||
# Needed for Flatpak and Bubblewrap
|
||||
kernel.unprivileged_userns_clone = 1
|
||||
|
||||
# Disable ptrace. Not needed on workstations.
|
||||
kernel.yama.ptrace_scope = 3
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
# Restrict performance events from unprivileged users as much as possible.
|
||||
# We are using 4 here, since Ubuntu supports such a level.
|
||||
# Official Linux kernel documentation only says >= so it probably will work.
|
||||
kernel.perf_event_paranoid = 4
|
||||
|
||||
# https://github.com/containerd/containerd/issues/9048
|
||||
# Disable io_uring, a very sus feature.
|
||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||
# on a Proxmox node.
|
||||
kernel_io_uring_disable = 2
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Disable sysrq
|
||||
kernel.sysrq = 0
|
||||
|
||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
|
||||
# Not running a router here, so no redirects
|
||||
net.ipv4.conf.*.send_redirects = 0
|
||||
net.ipv4.conf.*.accept_redirects = 0
|
||||
net.ipv6.conf.*.accept_redirects = 0
|
||||
|
||||
# Check if the source of the IP address is reachable through the same interface it came in
|
||||
# Basic IP spoofing mitigation
|
||||
net.ipv4.conf.*.rp_filter = 1
|
||||
|
||||
# Do not respond to ICMP
|
||||
net.ipv4.icmp_echo_ignore_all = 1
|
||||
net.ipv6.icmp.echo_ignore_all = 1
|
||||
|
||||
# Enable IP Forwarding
|
||||
# Needed for VM networking and whatnot.
|
||||
net.ipv4.ip_forward = 1
|
||||
net.ipv6.conf.all.forwarding = 1
|
||||
|
||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
|
||||
# Ignore bogus icmp response
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
|
||||
# Protection against time-wait assasination attacks
|
||||
net.ipv4.tcp_rfc1337 = 1
|
||||
|
||||
# Enable SYN cookies
|
||||
# Basic SYN flood mitigation
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
|
||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||
# Make sure TCP timestamp is enabled
|
||||
net.ipv4.tcp_timestamps = 1
|
||||
|
||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||
# Disable TCP SACK
|
||||
# We have good networking :)
|
||||
net.ipv4.tcp_sack = 0
|
||||
|
||||
# No SACK, therefore no Duplicated SACK
|
||||
net.ipv4.tcp_dsack = 0
|
||||
|
||||
# Improve ALSR effectiveness for mmap
|
||||
vm.mmap_rnd_bits = 32
|
||||
vm.mmap_rnd_compat_bits = 16
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Restrict userfaultfd to CAP_SYS_PTRACE
|
||||
# https://bugs.archlinux.org/task/62780
|
||||
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
|
||||
# probably not used in the real world at all.
|
||||
vm.unprivileged_userfaultfd = 0
|
||||
@ -1,2 +0,0 @@
|
||||
[Coredump]
|
||||
Storage=none
|
||||
Loading…
Reference in New Issue
Block a user