Add 'cloud_setup.sh'

6 months ago · 5caabac915
parent 0c55ce1f02
commit 5caabac915
1 changed files with 300 additions and 0 deletions
--- a/cloud_setup.sh
+++ b/cloud_setup.sh
@ -0,0 +1,300 @@
+#!/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# General hardening
+echo "umask 027" >> /etc/profile
+rm /etc/cron.deny 2> /dev/null
+rm /etc/at.deny 2> /dev/null
+echo 'root' > /etc/cron.allow
+echo 'root' > /etc/at.allow
+chown root:root /etc/cron*
+chown root:root /etc/at*
+echo 'sshd : ALL : ALLOW' > /etc/hosts.allow
+echo 'ALL: LOCAL, 127.0.0.1' >> /etc/hosts.allow
+echo 'ALL: PARANOID' > /etc/hosts.deny
+chmod 644 /etc/hosts.allow
+chmod 644 /etc/hosts.deny
+
+# Hide PID 2
+echo 'proc /proc proc defaults,hidepid=2 0 0' >> /etc/fstab
+
+# Disable unattended-upgrades to prevent it from holding the dpkg frontend lock
+systemctl daemon-reload
+systemctl disable unattended-upgrades.service
+systemctl stop unattended-upgrades.service
+
+# Check for Updates
+apt update
+
+# Upgrade Ubuntu packages
+apt upgrade -y
+
+# Install needed programs
+apt install -y curl jq apt-transport-https htop debhelper ccze tree debsums ca-certificates software-properties-common dh-make neofetch apparmor apparmor-profiles libpam-cgroup libpam-apparmor apparmor-utils apparmor-easyprof haveged auditd audispd-plugins apparmor-profiles-extra autoconf-archive openssh-server fail2ban gnu-standards net-tools gnutls-bin
+
+# Setup NTP
+timedatectl set-ntp true
+#timedatectl set-timezone UTC
+timedatectl set-timezone America/Los_Angeles
+echo 'servers=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org' >> /etc/systemd/timesyncd.conf
+date
+
+# Backup SSH_CONFIG
+mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+
+# Harden SSH Settings
+cat <<-EOF > /etc/ssh/sshd_config
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+AcceptEnv LANG LC_*
+AllowGroups root sudo
+Banner /etc/issue.net
+ChallengeResponseAuthentication no
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+ClientAliveCountMax 0
+ClientAliveInterval 300
+Compression no
+HostbasedAuthentication no
+IgnoreUserKnownHosts yes
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256                                                                                                        
+LoginGraceTime 20
+LogLevel VERBOSE
+Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+MaxAuthTries 3
+MaxSessions 3
+MaxStartups 10:30:60
+PermitEmptyPasswords no
+PermitRootLogin no
+PubkeyAuthentication yes
+PasswordAuthentication no
+PermitUserEnvironment no
+PrintLastLog yes
+PrintMotd no
+StrictModes yes
+Subsystem sftp internal-sftp
+UseDNS no
+UsePAM yes
+X11Forwarding no
+AllowTcpForwarding no
+EOF
+
+# Setup Auditd Rules
+cat <<-EOF > /etc/audit/rules.d/server.rules
+# Remove any existing rules
+-D
+# Buffer Size
+-b 8192
+# Ignore errors
+-i
+# Failure Mode
+-f 1
+# Audit the audit logs
+-w /var/log/audit/ -k auditlog
+# Auditd configuration
+-w /etc/audit/ -p wa -k auditconfig
+-w /etc/libaudit.conf -p wa -k auditconfig
+-w /etc/audisp/ -p wa -k audispconfig
+# Monitor for use of audit management tools
+-w /sbin/auditctl -p x -k audittools
+-w /sbin/auditd -p x -k audittools
+# Monitor AppArmor configuration changes
+-w /etc/apparmor/ -p wa -k apparmor
+-w /etc/apparmor.d/ -p wa -k apparmor
+# Monitor usage of AppArmor tools
+-w /sbin/apparmor_parser -p x -k apparmor_tools
+-w /usr/sbin/aa-complain -p x -k apparmor_tools
+-w /usr/sbin/aa-disable -p x -k apparmor_tools
+-w /usr/sbin/aa-enforce -p x -k apparmor_tools
+# Monitor Systemd configuration changes
+-w /etc/systemd/ -p wa -k systemd
+-w /lib/systemd/ -p wa -k systemd
+# Monitor usage of systemd tools
+-w /bin/systemctl -p x -k systemd_tools
+-w /bin/journalctl -p x -k systemd_tools
+# Special files
+-a always,exit -F arch=x86_64 -S mknod -S mknodat -k specialfiles
+-a always,exit -F arch=b32 -S mknod -S mknodat -k specialfiles
+# Mount operations
+-a always,exit -F arch=x86_64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
+# Changes to the time
+-a always,exit -F arch=x86_64 -S settimeofday -k audit_time_rules
+-a always,exit -F arch=x86_64 -S adjtimex -k audit_time_rules
+-a always,exit -F arch=x86_64 -S clock_settime -k audit_time_rules
+-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
+-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
+-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
+# Cron configuration & scheduled jobs
+-w /etc/cron.allow -p wa -k cron
+-w /etc/cron.deny -p wa -k cron
+-w /etc/cron.d/ -p wa -k cron
+-w /etc/cron.daily/ -p wa -k cron
+-w /etc/cron.hourly/ -p wa -k cron
+-w /etc/cron.monthly/ -p wa -k cron
+-w /etc/cron.weekly/ -p wa -k cron
+-w /etc/crontab -p wa -k cron
+-w /var/spool/cron/crontabs/ -k cron
+# User, group, password databases
+-w /etc/group -p wa -k audit_rules_usergroup_modification
+-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+# MAC-policy
+-w /etc/selinux/ -p wa -k MAC-policy
+# Monitor usage of passwd
+-w /usr/bin/passwd -p x -k passwd_modification
+# Monitor for use of tools to change group identifiers
+-w /usr/sbin/groupadd -p x -k group_modification
+-w /usr/sbin/groupmod -p x -k group_modification
+-w /usr/sbin/addgroup -p x -k group_modification
+-w /usr/sbin/useradd -p x -k user_modification
+-w /usr/sbin/usermod -p x -k user_modification
+-w /usr/sbin/adduser -p x -k user_modification
+# Monitor module tools
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-w /usr/sbin/insmod -p x -k modules
+-w /usr/sbin/rmmod -p x -k modules
+-w /usr/sbin/modprobe -p x -k modules
+# Login configuration and information
+-w /etc/login.defs -p wa -k login
+-w /etc/securetty -p wa -k login
+-w /var/log/faillog -p wa -k login
+-w /var/run/faillock/ -p wa -k logins
+-w /var/log/lastlog -p wa -k login
+-w /var/log/tallylog -p wa -k login
+# Network configuration
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/network/ -p wa -k audit_rules_networkconfig_modification
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+# System startup scripts
+-w /etc/inittab -p wa -k init
+-w /etc/init.d/ -p wa -k init
+-w /etc/init/ -p wa -k init
+# Library search paths
+-w /etc/ld.so.conf -p wa -k libpath
+# Local time zone
+-w /etc/localtime -p wa -k localtime
+# Time zone configuration
+-w /etc/timezone -p wa -k audit_time_ruleszone
+# Kernel parameters
+-w /etc/sysctl.conf -p wa -k sysctl
+# Modprobe configuration
+-w /etc/modprobe.conf -p wa -k modprobe
+-w /etc/modprobe.d/ -p wa -k modprobe
+-w /etc/modules -p wa -k modprobe
+# Module manipulations
+-a always,exit -F arch=x86_64 -S init_module -S delete_module -F key=modules
+-a always,exit -F arch=x86_64 -S init_module -F key=modules
+-a always,exit -F arch=b32 -S init_module -S delete_module -F key=modules
+-a always,exit -F arch=b32 -S init_module -F key=modules
+# PAM configuration
+-w /etc/pam.d/ -p wa -k pam
+-w /etc/security/limits.conf -p wa -k pam
+-w /etc/security/pam_env.conf -p wa -k pam
+-w /etc/security/namespace.conf -p wa -k pam
+-w /etc/security/namespace.init -p wa -k pam
+# Postfix configuration
+-w /etc/aliases -p wa -k mail
+-w /etc/postfix/ -p wa -k mail
+# SSH configuration
+-w /etc/ssh/sshd_config -k sshd
+# Changes to hostname
+-a always,exit -F arch=x86_64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
+# Changes to issue
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+# Capture all unauthorized file accesses
+-a always,exit -F arch=x86_64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=x86_64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=x86_64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=x86_64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=x86_64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=x86_64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=x86_64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=x86_64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=x86_64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=x86_64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=x86_64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+# Monitor for use of process ID change (switching accounts) applications
+-w /bin/su -p x -k actions
+-w /usr/bin/sudo -p x -k actions
+-w /etc/sudoers -p wa -k actions
+-w /etc/sudoers.d -p wa -k actions
+# Make the configuration immutable
+-e 2
+EOF
+
+# Setup Apparmor
+echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor
+
+# Rsyslog enable log shipping to centralized syslog server
+echo '*.* @@10.16.100.253:514' >> /etc/rsyslog.d/50-default.conf
+
+# Disable IPv6 in UFW
+sed -i "/ipv6=/Id" /etc/default/ufw
+echo "IPV6=no" | sudo tee -a /etc/default/ufw
+
+# Enable UFW firewall
+ufw allow 22/tcp
+ufw allow from 10.16.100.125 to any port 10050 proto tcp
+ufw allow 12800:12801/tcp
+ufw enable 
+
+# Enable Services
+systemctl enable auditd
+systemctl enable apparmor
+systemctl enable haveged
+systemctl enable ssh
+systemctl enable fail2ban
+systemctl enable unattended-upgrades
+
+# Restart Services
+systemctl daemon-reload
+systemctl restart ssh
+systemctl restart fail2ban
+systemctl restart unattended-upgrades
+systemctl restart apparmor
+systemctl restart auditd
+systemctl restart haveged
+systemctl restart rsyslog 
+
+# Setup SSH Host Keys
+rm /etc/ssh/ssh_host_*
+ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ""
+ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
+ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
+awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
+mv /etc/ssh/moduli.safe /etc/ssh/moduli
+
+# GRUB enable swap and disable root recovery
+echo 'GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"' >> /etc/default/grub
+echo 'GRUB_DISABLE_RECOVERY="true"' >> /etc/default/grub
+
+# MOTD
+cat <<-EOF > /etc/motd
+########################################################################################################################
+#                                UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED                                      #
+#                  You must have explicit, authorized permission to access or configure this device.                   #
+#   Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.      #
+#                        All activities performed on this device are logged and monitored.                             #
+#                            Disconnect IMMEDIATELY if you are not an authorized user!                                 #
+########################################################################################################################
+EOF