1
0
mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-11-25 10:41:34 -05:00

Compare commits

..

3 Commits

Author SHA1 Message Date
68b50f15be
Consistency fix for comments
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-06 22:44:25 -07:00
afb3f0e98a
Typo fix 2024-06-06 21:59:38 -07:00
4514fe279a
Add preload file for hmalloc 2024-06-06 21:58:28 -07:00
4 changed files with 46 additions and 42 deletions

View File

@ -110,6 +110,8 @@ sudo dnf remove -y cockpit*
# Install hardened_malloc # Install hardened_malloc
sudo dnf copr enable secureblue/hardened_malloc -y sudo dnf copr enable secureblue/hardened_malloc -y
sudo dnf install -y hardened_malloc sudo dnf install -y hardened_malloc
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo chmod 644 /etc/ld.so.preload
# Install appropriate virtualization drivers # Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then if [ "$virtualization" = 'kvm' ]; then

View File

@ -176,6 +176,8 @@ sudo dnf -y upgrade
# Install hardened_malloc # Install hardened_malloc
sudo dnf copr enable secureblue/hardened_malloc -y sudo dnf copr enable secureblue/hardened_malloc -y
sudo dnf install -y hardened_malloc sudo dnf install -y hardened_malloc
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo chmod 644 /etc/ld.so.preload
# Install packages that I use # Install packages that I use
sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo

View File

@ -3,30 +3,30 @@
dev.tty.ldisc_autoload = 0 dev.tty.ldisc_autoload = 0
# https://access.redhat.com/solutions/1985633 # https://access.redhat.com/solutions/1985633
# Seems dangerous # Seems dangerous.
fs.binfmt_misc.status = 0 fs.binfmt_misc.status = 0
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
# Enable fs.protected sysctls # Enable fs.protected sysctls.
fs.protected_regular = 2 fs.protected_regular = 2
fs.protected_fifos = 2 fs.protected_fifos = 2
fs.protected_symlinks = 1 fs.protected_symlinks = 1
fs.protected_hardlinks = 1 fs.protected_hardlinks = 1
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps # https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
# Disable coredumps # Disable coredumps.
# For additional safety, disable coredumps using ulimit and systemd too. # For additional safety, disable coredumps using ulimit and systemd too.
kernel.core_pattern=|/bin/false kernel.core_pattern=|/bin/false
fs.suid_dumpable = 0 fs.suid_dumpable = 0
# Restrict dmesg to CAP_SYS_LOG # Restrict dmesg to CAP_SYS_LOG.
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.dmesg_restrict = 1 kernel.dmesg_restrict = 1
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
# Restrict access to /proc # Restrict access to /proc.
kernel.kptr_restrict = 2 kernel.kptr_restrict = 2
# Not needed, I don't do livepatching and reboot regularly. # Not needed, I don't do livepatching and reboot regularly.
@ -38,10 +38,10 @@ kernel.kexec_load_disabled = 1
kernel.unprivileged_bpf_disabled = 1 kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2 net.core.bpf_jit_harden = 2
# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it # Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it.
kernel.unprivileged_userns_clone = 0 kernel.unprivileged_userns_clone = 0
# Needed for gVisor, which is used on almost all of my servers # Needed for gVisor, which is used on almost all of my servers.
kernel.yama.ptrace_scope = 1 kernel.yama.ptrace_scope = 1
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
@ -57,60 +57,60 @@ kernel.perf_event_paranoid = 4
kernel_io_uring_disable = 2 kernel_io_uring_disable = 2
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Disable sysrq # Disable sysrq.
kernel.sysrq = 0 kernel.sysrq = 0
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
# Not running a router here, so no redirects # Not running a router here, so no redirects.
net.ipv4.conf.*.send_redirects = 0 net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0 net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0 net.ipv6.conf.*.accept_redirects = 0
# Check if the source of the IP address is reachable through the same interface it came in # Check if the source of the IP address is reachable through the same interface it came in.
# Basic IP spoofing mitigation # Basic IP spoofing mitigation.
net.ipv4.conf.*.rp_filter = 1 net.ipv4.conf.*.rp_filter = 1
# Respond to ICMP # Respond to ICMP
net.ipv4.icmp_echo_ignore_all = 0 net.ipv4.icmp_echo_ignore_all = 0
net.ipv6.icmp.echo_ignore_all = 0 net.ipv6.icmp.echo_ignore_all = 0
# Ignore Bogus ICMP responses # Ignore Bogus ICMP responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable IP Forwarding # Enable IP Forwarding.
# Almost all of my servers run Docker anyways, and Docker absolutely requires this. # Almost all of my servers run Docker anyways, and Docker absolutely requires this.
net.ipv4.ip_forward = 1 net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1 net.ipv6.conf.all.forwarding = 1
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
# Ignore bogus icmp response # Ignore bogus icmp response.
net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1
# Protection against time-wait assasination attacks # Protection against time-wait assasination attacks.
net.ipv4.tcp_rfc1337 = 1 net.ipv4.tcp_rfc1337 = 1
# Enable SYN cookies # Enable SYN cookies.
# Basic SYN flood mitigation # Basic SYN flood mitigation.
net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_syncookies = 1
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Make sure TCP timestamp is enabled # Make sure TCP timestamp is enabled.
net.ipv4.tcp_timestamps = 1 net.ipv4.tcp_timestamps = 1
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Disable TCP SACK # Disable TCP SACK.
# We have good networking :) # We have good networking :)
net.ipv4.tcp_sack = 0 net.ipv4.tcp_sack = 0
# No SACK, therefore no Duplicated SACK # No SACK, therefore no Duplicated SACK.
net.ipv4.tcp_dsack = 0 net.ipv4.tcp_dsack = 0
# Improve ALSR effectiveness for mmap # Improve ALSR effectiveness for mmap.
vm.mmap_rnd_bits = 32 vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16 vm.mmap_rnd_compat_bits = 16
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Restrict userfaultfd to CAP_SYS_PTRACE # Restrict userfaultfd to CAP_SYS_PTRACE.
# https://bugs.archlinux.org/task/62780 # https://bugs.archlinux.org/task/62780
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is # Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
# probably not used in the real world at all. # probably not used in the real world at all.

View File

@ -4,11 +4,11 @@ dev.tty.ldisc_autoload = 0
# https://access.redhat.com/solutions/1985633 # https://access.redhat.com/solutions/1985633
# Seems dangerous. # Seems dangerous.
# Roseta need this though, so if you use it change it to 1 # Roseta need this though, so if you use it change it to 1.
fs.binfmt_misc.status = 0 fs.binfmt_misc.status = 0
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
# Enable fs.protected sysctls # Enable fs.protected sysctls.
fs.protected_regular = 2 fs.protected_regular = 2
fs.protected_fifos = 2 fs.protected_fifos = 2
fs.protected_symlinks = 1 fs.protected_symlinks = 1
@ -20,14 +20,14 @@ fs.protected_hardlinks = 1
kernel.core_pattern=|/bin/false kernel.core_pattern=|/bin/false
fs.suid_dumpable = 0 fs.suid_dumpable = 0
# Restrict dmesg to CAP_SYS_LOG # Restrict dmesg to CAP_SYS_LOG.
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.dmesg_restrict = 1 kernel.dmesg_restrict = 1
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
# Restrict access to /proc # Restrict access to /proc.
kernel.kptr_restrict = 2 kernel.kptr_restrict = 2
# Not needed, I don't do livepatching and reboot regularly. # Not needed, I don't do livepatching and reboot regularly.
@ -39,7 +39,7 @@ kernel.kexec_load_disabled = 1
kernel.unprivileged_bpf_disabled = 1 kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2 net.core.bpf_jit_harden = 2
# Needed for Flatpak and Bubblewrap # Needed for Flatpak and Bubblewrap.
kernel.unprivileged_userns_clone = 1 kernel.unprivileged_userns_clone = 1
# Disable ptrace. Not needed on workstations. # Disable ptrace. Not needed on workstations.
@ -56,60 +56,60 @@ kernel.perf_event_paranoid = 4
kernel_io_uring_disable = 2 kernel_io_uring_disable = 2
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Disable sysrq # Disable sysrq.
kernel.sysrq = 0 kernel.sysrq = 0
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
# Not running a router here, so no redirects # Not running a router here, so no redirects.
net.ipv4.conf.*.send_redirects = 0 net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0 net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0 net.ipv6.conf.*.accept_redirects = 0
# Check if the source of the IP address is reachable through the same interface it came in # Check if the source of the IP address is reachable through the same interface it came in
# Basic IP spoofing mitigation # Basic IP spoofing mitigation.
net.ipv4.conf.*.rp_filter = 1 net.ipv4.conf.*.rp_filter = 1
# Do not respond to ICMP # Do not respond to ICMP.
net.ipv4.icmp_echo_ignore_all = 1 net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.icmp.echo_ignore_all = 1 net.ipv6.icmp.echo_ignore_all = 1
# Ignore Bogus ICMP responses # Ignore Bogus ICMP responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable IP Forwarding # Enable IP Forwarding.
# Needed for VM networking and whatnot. # Needed for VM networking and whatnot.
net.ipv4.ip_forward = 1 net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1 net.ipv6.conf.all.forwarding = 1
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
# Ignore bogus icmp response # Ignore bogus icmp response.
net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1
# Protection against time-wait assasination attacks # Protection against time-wait assasination attacks.
net.ipv4.tcp_rfc1337 = 1 net.ipv4.tcp_rfc1337 = 1
# Enable SYN cookies # Enable SYN cookies.
# Basic SYN flood mitigation # Basic SYN flood mitigation.
net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_syncookies = 1
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Make sure TCP timestamp is enabled # Make sure TCP timestamp is enabled.
net.ipv4.tcp_timestamps = 1 net.ipv4.tcp_timestamps = 1
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Disable TCP SACK # Disable TCP SACK.
# We have good networking :) # We have good networking :)
net.ipv4.tcp_sack = 0 net.ipv4.tcp_sack = 0
# No SACK, therefore no Duplicated SACK # No SACK, therefore no Duplicated SACK.
net.ipv4.tcp_dsack = 0 net.ipv4.tcp_dsack = 0
# Improve ALSR effectiveness for mmap # Improve ALSR effectiveness for mmap.
vm.mmap_rnd_bits = 32 vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16 vm.mmap_rnd_compat_bits = 16
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Restrict userfaultfd to CAP_SYS_PTRACE # Restrict userfaultfd to CAP_SYS_PTRACE.
# https://bugs.archlinux.org/task/62780 # https://bugs.archlinux.org/task/62780
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is # Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
# probably not used in the real world at all. # probably not used in the real world at all.