You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
296 lines
12 KiB
296 lines
12 KiB
#!/bin/sh
|
|
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
|
|
|
# General hardening
|
|
echo "umask 027" >> /etc/profile
|
|
rm /etc/cron.deny 2> /dev/null
|
|
rm /etc/at.deny 2> /dev/null
|
|
echo 'root' > /etc/cron.allow
|
|
echo 'root' > /etc/at.allow
|
|
chown root:root /etc/cron*
|
|
chown root:root /etc/at*
|
|
|
|
echo 'sshd : ALL : ALLOW' > /etc/hosts.allow
|
|
echo 'ALL: LOCAL, 127.0.0.1' >> /etc/hosts.allow
|
|
echo 'ALL: PARANOID' > /etc/hosts.deny
|
|
chmod 644 /etc/hosts.allow
|
|
chmod 644 /etc/hosts.deny
|
|
|
|
# Hide PID 2
|
|
echo 'proc /proc proc defaults,hidepid=2 0 0' >> /etc/fstab
|
|
|
|
# Backup SSH_CONFIG
|
|
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
|
|
|
|
# Harden SSH Settings
|
|
cat <<-EOF > /etc/ssh/sshd_config
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
HostKey /etc/ssh/ssh_host_rsa_key
|
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
AcceptEnv LANG LC_*
|
|
AllowGroups root sudo
|
|
Banner /etc/issue.net
|
|
ChallengeResponseAuthentication no
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
|
ClientAliveCountMax 0
|
|
ClientAliveInterval 300
|
|
Compression no
|
|
HostbasedAuthentication no
|
|
IgnoreUserKnownHosts yes
|
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
|
LoginGraceTime 20
|
|
LogLevel VERBOSE
|
|
Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
|
|
MaxAuthTries 3
|
|
MaxSessions 3
|
|
MaxStartups 10:30:60
|
|
PermitEmptyPasswords no
|
|
PermitRootLogin no
|
|
PubkeyAuthentication yes
|
|
PasswordAuthentication no
|
|
PermitUserEnvironment no
|
|
PrintLastLog yes
|
|
PrintMotd no
|
|
StrictModes yes
|
|
Subsystem sftp internal-sftp
|
|
UseDNS no
|
|
UsePAM yes
|
|
X11Forwarding no
|
|
AllowTcpForwarding no
|
|
EOF
|
|
|
|
# Disable unattended-upgrades to prevent it from holding the dpkg frontend lock
|
|
systemctl disable unattended-upgrades.service
|
|
systemctl stop unattended-upgrades.service
|
|
|
|
# Check for Updates
|
|
apt update
|
|
|
|
# Upgrade Ubuntu packages
|
|
apt upgrade -y
|
|
|
|
# Install needed programs
|
|
apt install -y curl jq apt-transport-https htop debhelper ccze tree debsums ca-certificates software-properties-common dh-make neofetch apparmor apparmor-profiles libpam-cgroup libpam-apparmor apparmor-utils apparmor-easyprof haveged auditd audispd-plugins libpam-cracklib gnutls-bin net-tools
|
|
|
|
# Setup NTP
|
|
timedatectl set-ntp true
|
|
timedatectl set-timezone UTC
|
|
#timedatectl set-timezone America/Los_Angeles
|
|
echo 'servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org' >> /etc/systemd/timesyncd.conf
|
|
date
|
|
|
|
# Setup Auditd Rules
|
|
cat <<-EOF > /etc/audit/rules.d/server.rules
|
|
# Remove any existing rules
|
|
-D
|
|
# Buffer Size
|
|
-b 8192
|
|
# Ignore errors
|
|
-i
|
|
# Failure Mode
|
|
-f 1
|
|
# Audit the audit logs
|
|
-w /var/log/audit/ -k auditlog
|
|
# Auditd configuration
|
|
-w /etc/audit/ -p wa -k auditconfig
|
|
-w /etc/libaudit.conf -p wa -k auditconfig
|
|
-w /etc/audisp/ -p wa -k audispconfig
|
|
# Monitor for use of audit management tools
|
|
-w /sbin/auditctl -p x -k audittools
|
|
-w /sbin/auditd -p x -k audittools
|
|
# Monitor AppArmor configuration changes
|
|
-w /etc/apparmor/ -p wa -k apparmor
|
|
-w /etc/apparmor.d/ -p wa -k apparmor
|
|
# Monitor usage of AppArmor tools
|
|
-w /sbin/apparmor_parser -p x -k apparmor_tools
|
|
-w /usr/sbin/aa-complain -p x -k apparmor_tools
|
|
-w /usr/sbin/aa-disable -p x -k apparmor_tools
|
|
-w /usr/sbin/aa-enforce -p x -k apparmor_tools
|
|
# Monitor Systemd configuration changes
|
|
-w /etc/systemd/ -p wa -k systemd
|
|
-w /lib/systemd/ -p wa -k systemd
|
|
# Monitor usage of systemd tools
|
|
-w /bin/systemctl -p x -k systemd_tools
|
|
-w /bin/journalctl -p x -k systemd_tools
|
|
# Special files
|
|
-a always,exit -F arch=x86_64 -S mknod -S mknodat -k specialfiles
|
|
-a always,exit -F arch=b32 -S mknod -S mknodat -k specialfiles
|
|
# Mount operations
|
|
-a always,exit -F arch=x86_64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
|
|
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
|
|
# Changes to the time
|
|
-a always,exit -F arch=x86_64 -S settimeofday -k audit_time_rules
|
|
-a always,exit -F arch=x86_64 -S adjtimex -k audit_time_rules
|
|
-a always,exit -F arch=x86_64 -S clock_settime -k audit_time_rules
|
|
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
|
|
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
|
|
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
|
|
# Cron configuration & scheduled jobs
|
|
-w /etc/cron.allow -p wa -k cron
|
|
-w /etc/cron.deny -p wa -k cron
|
|
-w /etc/cron.d/ -p wa -k cron
|
|
-w /etc/cron.daily/ -p wa -k cron
|
|
-w /etc/cron.hourly/ -p wa -k cron
|
|
-w /etc/cron.monthly/ -p wa -k cron
|
|
-w /etc/cron.weekly/ -p wa -k cron
|
|
-w /etc/crontab -p wa -k cron
|
|
-w /var/spool/cron/crontabs/ -k cron
|
|
# User, group, password databases
|
|
-w /etc/group -p wa -k audit_rules_usergroup_modification
|
|
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
|
|
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
|
|
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
|
|
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
|
|
# MAC-policy
|
|
-w /etc/selinux/ -p wa -k MAC-policy
|
|
# Monitor usage of passwd
|
|
-w /usr/bin/passwd -p x -k passwd_modification
|
|
# Monitor for use of tools to change group identifiers
|
|
-w /usr/sbin/groupadd -p x -k group_modification
|
|
-w /usr/sbin/groupmod -p x -k group_modification
|
|
-w /usr/sbin/addgroup -p x -k group_modification
|
|
-w /usr/sbin/useradd -p x -k user_modification
|
|
-w /usr/sbin/usermod -p x -k user_modification
|
|
-w /usr/sbin/adduser -p x -k user_modification
|
|
# Monitor module tools
|
|
-w /sbin/insmod -p x -k modules
|
|
-w /sbin/rmmod -p x -k modules
|
|
-w /sbin/modprobe -p x -k modules
|
|
-w /usr/sbin/insmod -p x -k modules
|
|
-w /usr/sbin/rmmod -p x -k modules
|
|
-w /usr/sbin/modprobe -p x -k modules
|
|
# Login configuration and information
|
|
-w /etc/login.defs -p wa -k login
|
|
-w /etc/securetty -p wa -k login
|
|
-w /var/log/faillog -p wa -k login
|
|
-w /var/run/faillock/ -p wa -k logins
|
|
-w /var/log/lastlog -p wa -k login
|
|
-w /var/log/tallylog -p wa -k login
|
|
# Network configuration
|
|
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
|
|
-w /etc/network/ -p wa -k audit_rules_networkconfig_modification
|
|
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
|
|
# System startup scripts
|
|
-w /etc/inittab -p wa -k init
|
|
-w /etc/init.d/ -p wa -k init
|
|
-w /etc/init/ -p wa -k init
|
|
# Library search paths
|
|
-w /etc/ld.so.conf -p wa -k libpath
|
|
# Local time zone
|
|
-w /etc/localtime -p wa -k localtime
|
|
# Time zone configuration
|
|
-w /etc/timezone -p wa -k audit_time_ruleszone
|
|
# Kernel parameters
|
|
-w /etc/sysctl.conf -p wa -k sysctl
|
|
# Modprobe configuration
|
|
-w /etc/modprobe.conf -p wa -k modprobe
|
|
-w /etc/modprobe.d/ -p wa -k modprobe
|
|
-w /etc/modules -p wa -k modprobe
|
|
# Module manipulations
|
|
-a always,exit -F arch=x86_64 -S init_module -S delete_module -F key=modules
|
|
-a always,exit -F arch=x86_64 -S init_module -F key=modules
|
|
-a always,exit -F arch=b32 -S init_module -S delete_module -F key=modules
|
|
-a always,exit -F arch=b32 -S init_module -F key=modules
|
|
# PAM configuration
|
|
-w /etc/pam.d/ -p wa -k pam
|
|
-w /etc/security/limits.conf -p wa -k pam
|
|
-w /etc/security/pam_env.conf -p wa -k pam
|
|
-w /etc/security/namespace.conf -p wa -k pam
|
|
-w /etc/security/namespace.init -p wa -k pam
|
|
# Postfix configuration
|
|
-w /etc/aliases -p wa -k mail
|
|
-w /etc/postfix/ -p wa -k mail
|
|
# SSH configuration
|
|
-w /etc/ssh/sshd_config -k sshd
|
|
# Changes to hostname
|
|
-a always,exit -F arch=x86_64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
|
|
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
|
|
# Changes to issue
|
|
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
|
|
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
|
|
# Capture all unauthorized file accesses
|
|
-a always,exit -F arch=x86_64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=x86_64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=x86_64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=x86_64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=x86_64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=x86_64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=x86_64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=x86_64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=x86_64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=x86_64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
|
|
# Monitor for use of process ID change (switching accounts) applications
|
|
-w /bin/su -p x -k actions
|
|
-w /usr/bin/sudo -p x -k actions
|
|
-w /etc/sudoers -p wa -k actions
|
|
-w /etc/sudoers.d -p wa -k actions
|
|
# Make the configuration immutable
|
|
-e 2
|
|
EOF
|
|
|
|
# Setup Apparmor
|
|
echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor
|
|
|
|
# Rsyslog enable log shipping to centralized syslog server
|
|
echo '*.* @@10.128.100.2:514' >> /etc/rsyslog.d/50-default.conf
|
|
|
|
# Enable Services
|
|
systemctl enable auditd
|
|
systemctl enable apparmor
|
|
systemctl enable haveged
|
|
systemctl enable unattended-upgrades
|
|
|
|
# Restart Services
|
|
systemctl daemon-reload
|
|
systemctl restart unattended-upgrades
|
|
systemctl restart apparmor
|
|
systemctl restart auditd
|
|
systemctl restart haveged
|
|
systemctl restart rsyslog
|
|
|
|
# Setup SSH Host Keys
|
|
rm /etc/ssh/ssh_host_*
|
|
ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ""
|
|
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
|
|
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
|
|
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
|
|
mv /etc/ssh/moduli.safe /etc/ssh/moduli
|
|
|
|
# GRUB enable swap and disable root recovery
|
|
echo 'GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"' >> /etc/default/grub
|
|
echo 'GRUB_DISABLE_RECOVERY="true"' >> /etc/default/grub
|
|
|
|
# MOTD
|
|
cat <<-EOF > /etc/motd
|
|
########################################################################################################################
|
|
# UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED #
|
|
# You must have explicit, authorized permission to access or configure this device. #
|
|
# Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. #
|
|
# All activities performed on this device are logged and monitored. #
|
|
# Disconnect IMMEDIATELY if you are not an authorized user! #
|
|
########################################################################################################################
|
|
EOF
|
|
|
|
# Disable IPv6 in UFW
|
|
sed -i "/ipv6=/Id" /etc/default/ufw
|
|
echo "IPV6=no" | sudo tee -a /etc/default/ufw
|
|
|
|
# Enable UFW firewall
|
|
ufw allow 22/tcp
|
|
ufw allow 80/tcp
|
|
ufw allow 443/tcp
|
|
ufw enable |