Lightemerald/linux-scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Small improvement

Browse Source
This commit is contained in:
Lightemerald
2025-12-13 00:39:09 +01:00
parent 9f82b654aa
commit 870b935308
1 changed files with 18 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
arch-hardening.sh
View File

@@ -16,6 +16,10 @@ EOL
sudo pacman -S --noconfirm --needed syslog-ng
sudo systemctl enable --now syslog-ng@default.service
# [NETW-2706] Ensure DNSSEC validation is enabled
echo 'DNSSEC=yes' | sudo tee -a /etc/systemd/resolved.conf > /dev/null
sudo systemctl restart systemd-resolved
# [USB-3000] Ensure USBGUARD is installed and configured
sudo pacman -S --noconfirm --needed usbguard
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
@@ -239,7 +243,7 @@ sudo tee /etc/issue > /dev/null <<EOL
* activity on this system is monitored, recorded, and may be used *
* as evidence in criminal or civil proceedings. *
********************************************************************
\n\l
\n - \l
EOL
# [HRDN-7220] Don't install /usr/bin/as by adding it to NoExtract
@@ -248,7 +252,7 @@ if sudo grep -q 'usr/bin/as' /etc/pacman.conf; then
else
if sudo grep -qE '^[[:space:]]*NoExtract' /etc/pacman.conf; then
sudo sed -i '0,/^[[:space:]]*NoExtract/ s|^\([[:space:]]*NoExtract[[:space:]]*=[[:space:]]*\)\(.*\)$|\1\2 usr/bin/as|' /etc/pacman.conf
elif sudo grep -qE '^[[:space:]]*#[[:space:]]*NoExtract' /etc/pacman.conf; then
elif sudo grep -qE '^[[:space:]]*#[[:space:]]*NoExtract' /etc/pacman.conf; then
sudo sed -i '/^[[:space:]]*#[[:space:]]*NoExtract/ a NoExtract = usr/bin/as' /etc/pacman.conf
else
sudo bash -c 'printf "\n# NoExtract added by hardening script\nNoExtract = usr/bin/as\n" >> /etc/pacman.conf'
@@ -330,6 +334,11 @@ sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
# [AUTH-9328] Ensure default user umask is 027 or more restrictive
sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs
if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/bash.bashrc; then
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/bash.bashrc
else
echo 'umask 027' | sudo tee -a /etc/bash.bashrc > /dev/null
fi
if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/profile; then
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile
else
@@ -372,9 +381,9 @@ EOL
# To test
# Function to create basic systemd hardening drop-in
create_systemd_hardening () {
SERVICE="$1"
DROPIN="/etc/systemd/system/${SERVICE}.d"
sudo mkdir -p "$DROPIN"
SERVICE="$1"
DROPIN="/etc/systemd/system/${SERVICE}.d"
sudo mkdir -p "$DROPIN"
sudo tee "$DROPIN/hardening.conf" > /dev/null <<EOL
[Service]
PrivateTmp=true
@@ -391,7 +400,7 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
UMask=0077
EOL
sudo systemctl daemon-reload
sudo systemctl daemon-reload
}
# Add conservative hardening overrides for high-risk services you should review
@@ -438,7 +447,7 @@ SERVICES_TO_HARDEN=(
"wpa_supplicant"
)
for S in "${SERVICES_TO_HARDEN[@]}"; do
if systemctl list-unit-files | grep -q "$S"; then
create_systemd_hardening "$S"
fi
if systemctl list-unit-files | grep -q "$S"; then
create_systemd_hardening "$S"
fi
done