small changes

2025-12-19 22:03:12 +01:00
parent ae38a6b655
commit 4b476e8782


@@ -433,7 +433,7 @@ sudo systemctl enable --now unattended-upgrades || true
# [FILE-7524] Ensuring file permissions
log "Enforcing file permissions for SSH & cron..."
sudo chmod -R 640 /var/log/ || true
#sudo chmod -R 640 /var/log/ || true
sudo chmod 600 /etc/crontab || true
sudo chmod 700 /etc/cron.* || true
sudo chmod -R 700 /etc/cron.d/ || true
@@ -473,7 +473,7 @@ set_pwq "enforcing" 1
# Add pam_pwquality to /etc/pam.d/common-password if not present
if ! grep -q "pam_pwquality.so" /etc/pam.d/common-password 2>/dev/null; then
sudo sed -i "/pam_unix.so/ i password requisite pam_pwquality.so retry=3" /etc/pam.d/common-password || true
sudo sed -i "/pam_unix.so/ i password requisite pam_pwquality.so" /etc/pam.d/common-password || true
fi
# [AUTH-9286] Password aging
@@ -482,19 +482,19 @@ sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs || true
# [AUTH-9328] Default umask
if sudo grep -Eq '^[[:space:]]*#?[[:space:]]*UMASK\b' /etc/login.defs 2>/dev/null; then
sudo sed -ri "s|^[[:space:]]*#?[[:space:]]*UMASK[[:space:]]+.*|UMASK 077|" /etc/login.defs || true
sudo sed -ri "s|^[[:space:]]*#?[[:space:]]*UMASK[[:space:]]+.*|UMASK 027|" /etc/login.defs || true
else
echo 'UMASK 077' | sudo tee -a /etc/login.defs > /dev/null
echo 'UMASK 027' | sudo tee -a /etc/login.defs > /dev/null
fi
if grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/bash.bashrc 2>/dev/null; then
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 077/' /etc/bash.bashrc || true
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/bash.bashrc || true
else
echo 'umask 077' | sudo tee -a /etc/bash.bashrc > /dev/null
echo 'umask 027' | sudo tee -a /etc/bash.bashrc > /dev/null
fi
if grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/profile 2>/dev/null; then
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 077/' /etc/profile || true
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile || true
else
echo 'umask 077' | sudo tee -a /etc/profile > /dev/null
echo 'umask 027' | sudo tee -a /etc/profile > /dev/null
fi
# [AUTH-9408] Logging of failed login attempts is enabled
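Review bot: Relaxing the default umask from 077 to 027 under `# [AUTH-9328] Default umask` is a security-relevant loosening that neither the commit title nor a comment explains (this reads the second line of each printed pair as the new side). With 027, new files are group-readable and new directories group-traversable, so accounts sharing a primary group can read each other's newly created files; anything that writes secrets should set its mode explicitly instead of relying on the default. The value is also written out six times across /etc/login.defs, /etc/bash.bashrc and /etc/profile, so the files can drift on the next edit; I would define it once as `readonly DEFAULT_UMASK=027  # group may read, others get nothing` and use `${DEFAULT_UMASK}` in the sed and tee lines (the single-quoted sed scripts then need double quotes). The three `sed` calls end in `|| true` and nothing re-reads the files afterwards, so a failed edit leaves the old value in place silently; a `log` message on failure would make that visible.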