
No commits in common. "a2424b179baf1c1c29422a67a06f2923d33dc975" and "63b63e81292f2885b15f4a5d1cc8c8248f650934" have entirely different histories.

7 changed files with 41 additions and 41 deletions


@ -17,7 +17,7 @@
#Run this as your user to set the theme #Run this as your user to set the theme
output(){ output(){
echo -e '\e[36m'"$1"'\e[0m'; echo -e '\e[36m'$1'\e[0m';
} }
#Enable Titlebar buttons #Enable Titlebar buttons
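Review bot: The new side of `output()` drops the quotes around `$1` in the `echo` line, so a message containing spaces is word-split and a `*` or `?` in it is glob-expanded before echo runs; keep it as `echo -e '\e[36m'"$1"'\e[0m';`. The helper appears to be the one the other scripts call with `output "Virtualization: $virt_type."`, i.e. with command output rather than only fixed literals, which is where the unquoted form bites. Because `-e` also rewrites any backslash sequence inside the message, `printf '\e[36m%s\e[0m\n' "$1"` would be the more robust body.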


@ -31,7 +31,7 @@ cd /home/"${USER}" || exit
# Setting umask to 077 # Setting umask to 077
umask 077 umask 077
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
echo 'umask 077' | sudo tee -a /etc/bashrc echo "umask 077" | sudo tee -a /etc/bashrc
# Make home directory private # Make home directory private
chmod 700 /home/* chmod 700 /home/*
@ -56,8 +56,8 @@ sudo firewall-cmd --reload
sudo firewall-cmd --lockdown-on sudo firewall-cmd --lockdown-on
# Harden SSH # Harden SSH
echo 'GSSAPIAuthentication no' | sudo tee /etc/ssh/ssh_config.d/10-custom.conf echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
echo 'VerifyHostKeyDNS yes' | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
# Security kernel settings # Security kernel settings
@ -66,7 +66,7 @@ unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/us
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf
sudo grubby --update-kernel=ALL --args='spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=isolation_force efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off' sudo grubby --update-kernel=ALL --args='spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off'
sudo dracut -f sudo dracut -f
sudo sysctl -p sudo sysctl -p
@ -133,7 +133,7 @@ sudo dnf -y install gnome-console git-core gnome-shell-extension-appindicator gn
# Install Microsoft Edge if x86_64 # Install Microsoft Edge if x86_64
MACHINE_TYPE=$(uname -m) MACHINE_TYPE=$(uname -m)
if [ "${MACHINE_TYPE}" == 'x86_64' ]; then if [ "${MACHINE_TYPE}" == 'x86_64' ]; then
output 'x86_64 machine, installing Microsoft Edge.' output "x86_64 machine, installing Microsoft edge."
curl -O https://packages.microsoft.com/keys/microsoft.asc curl -O https://packages.microsoft.com/keys/microsoft.asc
sudo rpm --import microsoft.asc sudo rpm --import microsoft.asc
rm microsoft.asc rm microsoft.asc
@ -159,20 +159,20 @@ sudo systemctl restart fwupd
sudo dnf install tuned -y sudo dnf install tuned -y
virt_type=$(virt-what) virt_type=$(virt-what)
if [ "$virt_type" = '' ]; then if [ "$virt_type" = "" ]; then
output 'Virtualization: Bare Metal.' output "Virtualization: Bare Metal."
elif [ "$virt_type" = 'openvz lxc' ]; then elif [ "$virt_type" = "openvz lxc" ]; then
output 'Virtualization: OpenVZ 7.' output "Virtualization: OpenVZ 7."
elif [ "$virt_type" = 'xen xen-hvm' ]; then elif [ "$virt_type" = "xen xen-hvm" ]; then
output 'Virtualization: Xen-HVM.' output "Virtualization: Xen-HVM."
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then elif [ "$virt_type" = "xen xen-hvm aws" ]; then
output 'Virtualization: Xen-HVM on AWS.' output "Virtualization: Xen-HVM on AWS."
else else
output "Virtualization: $virt_type." output "Virtualization: $virt_type."
fi fi
# Setup tuned # Setup tuned
if [ "$virt_type" = '' ]; then if [ "$virt_type" = "" ]; then
# Don't know whether using tuned would be a good idea on a laptop, power-profiles-daemon should be handling performance tuning IMO. # Don't know whether using tuned would be a good idea on a laptop, power-profiles-daemon should be handling performance tuning IMO.
sudo dnf remove tuned -y sudo dnf remove tuned -y
else else
@ -180,7 +180,7 @@ else
fi fi
# Setup real-ucode # Setup real-ucode
if [ "$virt_type" = '' ]; then if [ "$virt_type" = "" ]; then
sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20230406-2.noarch.rpm' sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20230406-2.noarch.rpm'
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
@ -188,4 +188,4 @@ if [ "$virt_type" = '' ]; then
sudo dracut -f sudo dracut -f
fi fi
output 'The script is done. You can also remove gnome-terminal since gnome-console will replace it.' output "The script is done. You can also remove gnome-terminal since gnome-console will replace it."
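Review bot: The two `unpriv curl https://raw.githubusercontent.com/... | sudo tee /etc/sysctl.d/...` lines in the sysctl hunk run curl without `--fail`, so an HTTP error page is written into the sysctl drop-in as if it were configuration and the following `sudo sysctl -p` applies whatever it can parse from it. Use `unpriv curl -fsSL <url> | sudo tee ...` (or download to a temp file, check the exit status, then install it) there and for the `curl -O https://packages.microsoft.com/keys/microsoft.asc` line in the Edge hunk, where the key should additionally be checked against a known fingerprint before `sudo rpm --import`. `unpriv` is defined outside this section, so whether it propagates curl's exit status cannot be confirmed here; with a plain pipe into tee it would be lost in any case unless `pipefail` is set.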


@ -67,7 +67,7 @@ sudo sysctl -p
sudo update-initramfs -u sudo update-initramfs -u
# Security limit # Security limit
echo '* hard core 0' | tee -a /etc/security/limits.conf echo "* hard core 0" | tee -a /etc/security/limits.conf
# Setup unbound # Setup unbound
@ -147,4 +147,4 @@ sudo dnf install tuned -y
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
# Enable fstrim.timer # Enable fstrim.timer
sudo systemctl enable --now fstrim.timer sudo ystemctl enable --now fstrim.timer
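Review bot: The new side of the fstrim hunk reads `sudo ystemctl enable --now fstrim.timer`; `ystemctl` is a typo for `systemctl`, so the command fails with "command not found" and the timer is never enabled. It should be `sudo systemctl enable --now fstrim.timer`. Unless the script runs under `set -e` (not visible in this section), the failure is only a line on stderr and the run continues, which is easy to miss. In the earlier hunk, `echo "* hard core 0" | tee -a /etc/security/limits.conf` is also the only privileged write here without `sudo`, so it fails when the script is run as a regular user like the surrounding lines assume.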


@ -59,7 +59,7 @@ apt upgrade -y
apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs
### This part assumes that you are using systemd-boot ### This part assumes that you are using systemd-boot
echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline
proxmox-boot-tool refresh proxmox-boot-tool refresh
### ###
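Review bot: The `echo -e "... $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline` line is not idempotent: every run prepends the whole parameter list again, so the cmdline accumulates duplicates and `proxmox-boot-tool refresh` installs them. Guard it, e.g. `grep -q 'spectre_v2=on' /etc/kernel/cmdline || printf '%s %s\n' "<params>" "$(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline`; `-e` is unnecessary since the string contains no escape sequences. In bash the command substitution reads the file before the redirection truncates it, so a single run does work as written.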


@ -160,20 +160,20 @@ sudo systemctl enable --now fstrim.timer
sudo dnf install tuned -y sudo dnf install tuned -y
virt_type=$(virt-what) virt_type=$(virt-what)
if [ "$virt_type" = '' ]; then if [ "$virt_type" = "" ]; then
output 'Virtualization: Bare Metal.' output "Virtualization: Bare Metal."
elif [ "$virt_type" = 'openvz lxc' ]; then elif [ "$virt_type" = "openvz lxc" ]; then
output 'Virtualization: OpenVZ 7.' output "Virtualization: OpenVZ 7."
elif [ "$virt_type" = 'xen xen-hvm' ]; then elif [ "$virt_type" = "xen xen-hvm" ]; then
output 'Virtualization: Xen-HVM.' output "Virtualization: Xen-HVM."
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then elif [ "$virt_type" = "xen xen-hvm aws" ]; then
output 'Virtualization: Xen-HVM on AWS.' output "Virtualization: Xen-HVM on AWS."
else else
output "Virtualization: $virt_type." output "Virtualization: $virt_type."
fi fi
# Setup tuned # Setup tuned
if [ "$virt_type" = '' ]; then if [ "$virt_type" = "" ]; then
sudo tuned-adm profile latency-performance sudo tuned-adm profile latency-performance
else else
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
@ -189,7 +189,7 @@ if [ "$virt_type" = "" ]; then
fi fi
# Setup fwupd # Setup fwupd
if [ "$virt_type" = '' ]; then if [ "$virt_type" = "" ]; then
sudo dnf install fwupd -y sudo dnf install fwupd -y
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd sudo systemctl restart fwupd
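Review bot: `virt_type=$(virt-what)` runs virt-what unprivileged while every other privileged step in the hunk uses `sudo`, and `if [ "$virt_type" = "" ]` treats empty output as bare metal, so if virt-what is not installed, or prints nothing when not run as root (it does on some versions; verify), a guest is silently given `latency-performance` and has fwupd installed. Capture failure explicitly, e.g. `virt_type=$(sudo virt-what) || { output 'virt-what failed.'; exit 1; }`, and prefer `[ -z "$virt_type" ]` over the empty-string comparison. The same pattern is in the second file section (`sudo dnf install tuned` hunk) and the last one (`sudo apt install tuned` hunk) of this compare.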


@ -44,7 +44,7 @@ umask 077
sudo sed -ie '/^DIR_MODE=/ s/=[0-9]*\+/=0700/' /etc/adduser.conf sudo sed -ie '/^DIR_MODE=/ s/=[0-9]*\+/=0700/' /etc/adduser.conf
sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
echo 'umask 077' | sudo tee --append /etc/profile echo "umask 077" | sudo tee --append /etc/profile
# Setup NTS # Setup NTS
sudo systemctl disable systemd-timesyncd sudo systemctl disable systemd-timesyncd
@ -59,8 +59,8 @@ sudo snap install ufw
sudo ufw enable sudo ufw enable
# Harden SSH # Harden SSH
echo 'GSSAPIAuthentication no echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
VerifyHostKeyDNS yes' | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
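Review bot: `sudo sed -ie '/^DIR_MODE=/ ...' /etc/adduser.conf` and the following `sed -ie ... /etc/login.defs` line pass `-ie`, which GNU sed parses as `-i` with backup suffix `e`, not as `-i -e`: the edit is applied, but stray copies `/etc/adduser.confe` and `/etc/login.defse` are left behind. Write them as `sudo sed -i -e '...'` (or plain `sudo sed -i '...'`, as the USERGROUPS_ENAB line below already does). The `[0-9]*\+` in the DIR_MODE pattern also reads oddly — `[0-9]\+` is presumably what is meant — though the substitution appears to work either way.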
# Kernel hardening # Kernel hardening


@ -172,13 +172,13 @@ sudo apt install tuned -y
virt_type=$(virt-what) virt_type=$(virt-what)
if [ "$virt_type" = "" ]; then if [ "$virt_type" = "" ]; then
output 'Virtualization: Bare Metal.' output "Virtualization: Bare Metal."
elif [ "$virt_type" = 'openvz lxc' ]; then elif [ "$virt_type" = "openvz lxc" ]; then
output 'Virtualization: OpenVZ 7.' output "Virtualization: OpenVZ 7."
elif [ "$virt_type" = 'xen xen-hvm' ]; then elif [ "$virt_type" = "xen xen-hvm" ]; then
output 'Virtualization: Xen-HVM.' output "Virtualization: Xen-HVM."
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then elif [ "$virt_type" = "xen xen-hvm aws" ]; then
output 'Virtualization: Xen-HVM on AWS.' output "Virtualization: Xen-HVM on AWS."
else else
output "Virtualization: $virt_type." output "Virtualization: $virt_type."
fi fi
@ -191,7 +191,7 @@ else
fi fi
# Setup fwupd # Setup fwupd
if [ "$virt_type" = '' ]; then if [ "$virt_type" = "" ]; then
sudo apt install fwupd -y sudo apt install fwupd -y
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd sudo systemctl restart fwupd