mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-11-22 01:21:33 -05:00


7 Commits

Author SHA1 Message Date
5c7a2850e6
RHEL needs tls cert bundle config
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-07 22:11:31 -07:00
a0a21ba29d
Add missing sudo
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-07 21:29:56 -07:00
517c1ed2dc
Fix real-ucode condition
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-07 21:20:30 -07:00
da8b818d76
Typo fix
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-07 21:09:39 -07:00
740b9d9af6
Comment out yara
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-07 20:41:02 -07:00
80422768f1
SecureBlue hmalloc does not currently support RHEL
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-07 20:37:29 -07:00
c61c69752f
Make sure chrony is installed on RHEL
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-07 20:30:02 -07:00
3 changed files with 9 additions and 13 deletions


@ -158,7 +158,7 @@ fi
# Setup real-ucode # Setup real-ucode
MACHINE_TYPE=$(uname -m) MACHINE_TYPE=$(uname -m)
if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then if [ "$virtualization" = 'none' ] && [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
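Review bot: The `sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'` line under the corrected condition installs the release package straight from a URL, and dnf's `localpkg_gpgcheck` is off by default for packages given on the command line, so the RPM that delivers the repo definition and its signing key is trusted on TLS to divested.dev alone. Consider downloading it first and checking it against a pinned digest before installing, e.g. `echo '<expected-sha256>  divested-release.rpm' | sha256sum -c -` (the digest is a placeholder). The same lines appear in the second file section and in the last hunk of the third. The `if` body continues past the end of this hunk.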


@ -239,7 +239,7 @@ else
fi fi
# Setup real-ucode # Setup real-ucode
if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then if [ "$virtualization" = 'none' ] && [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
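Review bot: `MACHINE_TYPE` is tested in the `if` of this hunk but is not assigned in any visible line, unlike the other two scripts where `MACHINE_TYPE=$(uname -m)` sits directly above the test. With `&&`, an empty value now makes the whole condition false, so if the variable is not set earlier in this file the microcode repository is silently skipped on bare metal. If it is not already defined above, add `MACHINE_TYPE=$(uname -m)` before the test. The `if` body continues outside the hunk.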


@ -39,6 +39,7 @@ sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
sudo chmod 700 /home/* sudo chmod 700 /home/*
# Setup NTS # Setup NTS
sudo dnf install -y chrony
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf
sudo chmod 644 /etc/chrony.conf sudo chmod 644 /etc/chrony.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd
@ -88,12 +89,6 @@ sudo systemctl enable --now dnf-automatic.timer
# Remove unnecessary packages # Remove unnecessary packages
sudo dnf remove -y cockpit* sudo dnf remove -y cockpit*
# Install hardened_malloc
sudo dnf copr enable secureblue/hardened_malloc -y
sudo dnf install -y hardened_malloc
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo chmod 644 /etc/ld.so.preload
# Install appropriate virtualization drivers # Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then if [ "$virtualization" = 'kvm' ]; then
sudo dnf install -y qemu-guest-agent sudo dnf install -y qemu-guest-agent
@ -107,6 +102,7 @@ echo 'server:
auto-trust-anchor-file: "/var/lib/unbound/root.key" auto-trust-anchor-file: "/var/lib/unbound/root.key"
trust-anchor-signaling: yes trust-anchor-signaling: yes
root-key-sentinel: yes root-key-sentinel: yes
tls-cert-bundle: "/etc/ssl/cert.pem"
tls-ciphers: "PROFILE=SYSTEM" tls-ciphers: "PROFILE=SYSTEM"
hide-http-user-agent: yes hide-http-user-agent: yes
hide-identity: yes hide-identity: yes
@ -135,7 +131,7 @@ forward-zone:
sudo chmod 644 /etc/unbound/unbound.conf sudo chmod 644 /etc/unbound/unbound.conf
mkdir -p /etc/systemd/system/unbound.service.d sudo mkdir -p /etc/systemd/system/unbound.service.d
echo $'[Service] echo $'[Service]
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
PrivateDevices=true PrivateDevices=true
@ -160,9 +156,9 @@ sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
sudo systemctl enable --now unbound sudo systemctl enable --now unbound
# Setup yara # Setup yara
sudo dnf install -y yara #sudo dnf install -y yara
sudo insights-client --collector malware-detection #sudo insights-client --collector malware-detection
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml #sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
# Setup fwupd # Setup fwupd
if [ "$virtualization" = 'none' ]; then if [ "$virtualization" = 'none' ]; then
@ -193,7 +189,7 @@ fi
# Setup real-ucode # Setup real-ucode
MACHINE_TYPE=$(uname -m) MACHINE_TYPE=$(uname -m)
if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then if [ "$virtualization" = 'none' ] && [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
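Review bot: The `unpriv curl … | sudo tee /etc/chrony.conf` line directly after the added `sudo dnf install -y chrony` has no failure check, so a failed download can leave the freshly installed package's config empty or holding an HTTP error body, and the content comes from the mutable `main` branch. I would add `--fail` to the curl call, stop the script when it fails, and pin the URL to a reviewed commit, e.g. `https://raw.githubusercontent.com/GrapheneOS/infrastructure/<commit-sha>/chrony.conf` (placeholder). Whether `pipefail` is set earlier in the script is not visible here. The same pattern applies to the `/etc/sysconfig/chronyd` fetch two lines below.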