#!/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # General hardening echo "umask 027" >> /etc/profile rm /etc/cron.deny 2> /dev/null rm /etc/at.deny 2> /dev/null echo 'root' > /etc/cron.allow echo 'root' > /etc/at.allow chown root:root /etc/cron* chown root:root /etc/at* echo 'sshd : ALL : ALLOW' > /etc/hosts.allow echo 'ALL: LOCAL, 127.0.0.1' >> /etc/hosts.allow echo 'ALL: PARANOID' > /etc/hosts.deny chmod 644 /etc/hosts.allow chmod 644 /etc/hosts.deny # Hide PID 2 echo 'proc /proc proc defaults,hidepid=2 0 0' >> /etc/fstab # Backup SSH_CONFIG mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak # Harden SSH Settings cat <<-EOF > /etc/ssh/sshd_config HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key AcceptEnv LANG LC_* AllowGroups root sudo Banner /etc/issue.net ChallengeResponseAuthentication no Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr ClientAliveCountMax 0 ClientAliveInterval 300 Compression no HostbasedAuthentication no IgnoreUserKnownHosts yes KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 LoginGraceTime 20 LogLevel VERBOSE Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 MaxAuthTries 3 MaxSessions 3 MaxStartups 10:30:60 PermitEmptyPasswords no PermitRootLogin no PubkeyAuthentication yes PasswordAuthentication no PermitUserEnvironment no PrintLastLog yes PrintMotd no StrictModes yes Subsystem sftp internal-sftp UseDNS no UsePAM yes X11Forwarding no AllowTcpForwarding yes EOF # Disable unattended-upgrades to prevent it from holding the dpkg frontend lock sudo systemctl disable unattended-upgrades.service sudo systemctl stop unattended-upgrades.service # Check for Updates sudo apt update # Install needed programs sudo apt install -y curl jq apt-transport-https htop debhelper ccze tree debsums ca-certificates software-properties-common dh-make dh-systemd neofetch apparmor apparmor-profiles libpam-cgroup libpam-apparmor libpam-tmpdir apparmor-utils apparmor-easyprof haveged auditd libpam-cracklib # Setup NTP timedatectl set-ntp true timedatectl set-timezone America/Los_Angeles echo 'servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org' >> /etc/systemd/timesyncd.conf date # Setup Auditd Rules cat <<-EOF > /etc/audit/rules.d/server.rules # Remove any existing rules -D # Buffer Size -b 8192 # Ignore errors -i # Failure Mode -f 1 # Audit the audit logs -w /var/log/audit/ -k auditlog # Auditd configuration -w /etc/audit/ -p wa -k auditconfig -w /etc/libaudit.conf -p wa -k auditconfig -w /etc/audisp/ -p wa -k audispconfig # Monitor for use of audit management tools -w /sbin/auditctl -p x -k audittools -w /sbin/auditd -p x -k audittools # Monitor AppArmor configuration changes -w /etc/apparmor/ -p wa -k apparmor -w /etc/apparmor.d/ -p wa -k apparmor # Monitor usage of AppArmor tools -w /sbin/apparmor_parser -p x -k apparmor_tools -w /usr/sbin/aa-complain -p x -k apparmor_tools -w /usr/sbin/aa-disable -p x -k apparmor_tools -w /usr/sbin/aa-enforce -p x -k apparmor_tools # Monitor Systemd configuration changes -w /etc/systemd/ -p wa -k systemd -w /lib/systemd/ -p wa -k systemd # Monitor usage of systemd tools -w /bin/systemctl -p x -k systemd_tools -w /bin/journalctl -p x -k systemd_tools # Special files -a always,exit -F arch=x86_64 -S mknod -S mknodat -k specialfiles -a always,exit -F arch=b32 -S mknod -S mknodat -k specialfiles # Mount operations -a always,exit -F arch=x86_64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export # Changes to the time -a always,exit -F arch=x86_64 -S settimeofday -k audit_time_rules -a always,exit -F arch=x86_64 -S adjtimex -k audit_time_rules -a always,exit -F arch=x86_64 -S clock_settime -k audit_time_rules -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules # Cron configuration & scheduled jobs -w /etc/cron.allow -p wa -k cron -w /etc/cron.deny -p wa -k cron -w /etc/cron.d/ -p wa -k cron -w /etc/cron.daily/ -p wa -k cron -w /etc/cron.hourly/ -p wa -k cron -w /etc/cron.monthly/ -p wa -k cron -w /etc/cron.weekly/ -p wa -k cron -w /etc/crontab -p wa -k cron -w /var/spool/cron/crontabs/ -k cron # User, group, password databases -w /etc/group -p wa -k audit_rules_usergroup_modification -w /etc/passwd -p wa -k audit_rules_usergroup_modification -w /etc/gshadow -p wa -k audit_rules_usergroup_modification -w /etc/shadow -p wa -k audit_rules_usergroup_modification -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification # MAC-policy -w /etc/selinux/ -p wa -k MAC-policy # Monitor usage of passwd -w /usr/bin/passwd -p x -k passwd_modification # Monitor for use of tools to change group identifiers -w /usr/sbin/groupadd -p x -k group_modification -w /usr/sbin/groupmod -p x -k group_modification -w /usr/sbin/addgroup -p x -k group_modification -w /usr/sbin/useradd -p x -k user_modification -w /usr/sbin/usermod -p x -k user_modification -w /usr/sbin/adduser -p x -k user_modification # Monitor module tools -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules # Login configuration and information -w /etc/login.defs -p wa -k login -w /etc/securetty -p wa -k login -w /var/log/faillog -p wa -k login -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k login -w /var/log/tallylog -p wa -k login # Network configuration -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/network/ -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification # System startup scripts -w /etc/inittab -p wa -k init -w /etc/init.d/ -p wa -k init -w /etc/init/ -p wa -k init # Library search paths -w /etc/ld.so.conf -p wa -k libpath # Local time zone -w /etc/localtime -p wa -k localtime # Time zone configuration -w /etc/timezone -p wa -k audit_time_ruleszone # Kernel parameters -w /etc/sysctl.conf -p wa -k sysctl # Modprobe configuration -w /etc/modprobe.conf -p wa -k modprobe -w /etc/modprobe.d/ -p wa -k modprobe -w /etc/modules -p wa -k modprobe # Module manipulations -a always,exit -F arch=x86_64 -S init_module -S delete_module -F key=modules -a always,exit -F arch=x86_64 -S init_module -F key=modules -a always,exit -F arch=b32 -S init_module -S delete_module -F key=modules -a always,exit -F arch=b32 -S init_module -F key=modules # PAM configuration -w /etc/pam.d/ -p wa -k pam -w /etc/security/limits.conf -p wa -k pam -w /etc/security/pam_env.conf -p wa -k pam -w /etc/security/namespace.conf -p wa -k pam -w /etc/security/namespace.init -p wa -k pam # Postfix configuration -w /etc/aliases -p wa -k mail -w /etc/postfix/ -p wa -k mail # SSH configuration -w /etc/ssh/sshd_config -k sshd # Changes to hostname -a always,exit -F arch=x86_64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification # Changes to issue -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification # Capture all unauthorized file accesses -a always,exit -F arch=x86_64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=x86_64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=x86_64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=x86_64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=x86_64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=x86_64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=x86_64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=x86_64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=x86_64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=x86_64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access # Monitor for use of process ID change (switching accounts) applications -w /bin/su -p x -k actions -w /usr/bin/sudo -p x -k actions -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d -p wa -k actions # Make the configuration immutable -e 2 EOF # Setup Apparmor echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor # Enable Services sudo systemctl enable auditd sudo systemctl enable apparmor sudo systemctl enable haveged sudo systemctl enable unattended-upgrades # Setup SSH Host Keys rm /etc/ssh/ssh_host_* ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N "" ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe mv /etc/ssh/moduli.safe /etc/ssh/moduli # GRUB enable swap and disable root recovery echo 'GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"' >> /etc/default/grub echo 'GRUB_DISABLE_RECOVERY="true"' >> /etc/default/grub echo '######################################################################################################################### UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED ## You must have explicit, authorized permission to access or configure this device. ## Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. ## All activities performed on this device are logged and monitored. ## Disconnect IMMEDIATELY if you are not an authorized user! #########################################################################################################################' > /etc/motd