Make sure home dirs are private

Signed-off-by: Tommy <contact@tommytran.io>
Compliance update
2024-11-09 19:51:34 -05:00 · 2023-12-07 17:26:53 -07:00 · 2023-12-07 17:15:05 -07:00 · 2023-12-07 16:44:55 -07:00 · 2023-12-07 13:35:40 -07:00
6 changed files with 34 additions and 11 deletions
--- a/Fedora-Workstation-38.sh
+++ b/Fedora-Workstation-38.sh
@ -24,9 +24,10 @@ unpriv(){
    sudo -u nobody "$@"
 }

-# Moving to the home directory
-#Note that I always use /home/${USER} because gnome-terminal is wacky and sometimes doesn't load the environment variables in correctly (Right click somewhere in nautilus, click on open in terminal, then hit create new tab and you will see.)
-cd /home/"${USER}" || exit
+# Compliance
+sudo systemctl mask ctrl-alt-del.target
+sudo systemctl mask debug-shell.service
+sudo systemctl mask kdump.service

 # Setting umask to 077
 umask 077
--- a/GCP-Debian-11.sh
+++ b/GCP-Debian-11.sh
@ -22,6 +22,13 @@ unpriv(){
  sudo -u nobody "$@"
 }

+# Compliance
+sudo systemctl mask ctrl-alt-del.target
+sudo systemctl mask debug-shell.service
+
+# Make home directory private
+chmod 700 /home/*
+
 # Setup NTS
 sudo rm -rf /etc/chrony/chrony.conf
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
--- a/Proxmox-8.sh
+++ b/Proxmox-8.sh
@ -20,6 +20,10 @@ output(){
    echo -e '\e[36m'"$1"'\e[0m';
 }

+# Compliance
+systemctl mask ctrl-alt-del.target
+systemctl mask debug-shell.service
+
 # Setup NTS
 rm -rf /etc/chrony/chrony.conf
 curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | tee /etc/chrony/chrony.conf
--- a/RHEL-Server-9.sh
+++ b/RHEL-Server-9.sh
@ -24,6 +24,13 @@ unpriv(){
  sudo -u nobody "$@"
 }

+# Compliance
+sudo systemctl mask ctrl-alt-del.target
+sudo systemctl mask debug-shell.service
+
+# Make home directory private
+chmod 700 /home/*
+
 # Setup NTS
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf

--- a/Ubuntu-22.04-Desktop.sh
+++ b/Ubuntu-22.04-Desktop.sh
@ -33,6 +33,12 @@ sudo apt install -y usg
 sudo apt autoremove -y
 sudo usg fix cis_level2_workstation

+sudo systemctl mask ctrl-alt-del.target
+sudo systemctl mask debug-shell.service
+
+# Make home directory private
+chmod 700 /home/*
+
 # Remove AIDE
 sudo apt purge -y aide*

@ -74,14 +80,6 @@ sudo sysctl -p
 # Rebuild initramfs
 sudo update-initramfs -u

-# Disable telemetry
-sudo systemctl stop apport.service
-sudo systemctl disable apport.service
-sudo systemctl mask apport.service
-sudo systemctl stop whoopsie.service
-sudo systemctl disable whoopsie.service
-sudo systemctl mask whoopsie.service
-
 # Systemd Hardening
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
--- a/Ubuntu-22.04-Server.sh
+++ b/Ubuntu-22.04-Server.sh
@ -33,6 +33,12 @@ sudo apt install -y usg curl libpam-pwquality
 sudo apt autoremove -y
 sudo usg fix cis_level2_server

+sudo systemctl mask ctrl-alt-del.target
+sudo systemctl mask debug-shell.service
+
+# Make home directory private
+chmod 700 /home/*
+
 # Remove AIDE
 sudo apt purge -y aide*
Author	SHA1	Message	Date
Tommy	7fd8e73563	Make sure home dirs are private Signed-off-by: Tommy <contact@tommytran.io>	2023-12-07 17:26:53 -07:00
Tommy	5aca397a76	Compliance update Signed-off-by: Tommy <contact@tommytran.io>	2023-12-07 17:15:05 -07:00
Tommy	6a6b775631	Disable ctrl-alt-del Signed-off-by: Tommy <contact@tommytran.io>	2023-12-07 16:44:55 -07:00
Tommy	50766b9ce5	Remove redundant code Signed-off-by: Tommy <contact@tommytran.io>	2023-12-07 13:35:40 -07:00