Small improvement

2025-12-13 00:39:09 +01:00
parent 9f82b654aa
commit 870b935308


@@ -16,6 +16,10 @@ EOL
sudo pacman -S --noconfirm --needed syslog-ng sudo pacman -S --noconfirm --needed syslog-ng
sudo systemctl enable --now syslog-ng@default.service sudo systemctl enable --now syslog-ng@default.service
# [NETW-2706] Ensure DNSSEC validation is enabled
echo 'DNSSEC=yes' | sudo tee -a /etc/systemd/resolved.conf > /dev/null
sudo systemctl restart systemd-resolved
# [USB-3000] Ensure USBGUARD is installed and configured # [USB-3000] Ensure USBGUARD is installed and configured
sudo pacman -S --noconfirm --needed usbguard sudo pacman -S --noconfirm --needed usbguard
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
@@ -239,7 +243,7 @@ sudo tee /etc/issue > /dev/null <<EOL
* activity on this system is monitored, recorded, and may be used * * activity on this system is monitored, recorded, and may be used *
* as evidence in criminal or civil proceedings. * * as evidence in criminal or civil proceedings. *
******************************************************************** ********************************************************************
\n\l \n - \l
EOL EOL
# [HRDN-7220] Don't install /usr/bin/as by adding it to NoExtract # [HRDN-7220] Don't install /usr/bin/as by adding it to NoExtract
@@ -330,6 +334,11 @@ sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
# [AUTH-9328] Ensure default user umask is 027 or more restrictive # [AUTH-9328] Ensure default user umask is 027 or more restrictive
sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs
if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/bash.bashrc; then
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/bash.bashrc
else
echo 'umask 027' | sudo tee -a /etc/bash.bashrc > /dev/null
fi
if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/profile; then if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/profile; then
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile
else else
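Review bot: The new NETW-2706 step in the first hunk appends `DNSSEC=yes` to the end of `/etc/systemd/resolved.conf` with `tee -a`, so each re-run of the script adds another copy, and the key is only honoured if the last section in that file is `[Resolve]`. A drop-in written without `-a` is idempotent and carries its own section header, for example `sudo mkdir -p /etc/systemd/resolved.conf.d` followed by `printf '[Resolve]\nDNSSEC=yes\n' | sudo tee /etc/systemd/resolved.conf.d/dnssec.conf > /dev/null` (the file name is a constructed example). Strict `DNSSEC=yes` also makes every lookup fail when the upstream resolver does not support DNSSEC, so a comment stating that strict mode is intended rather than `allow-downgrade`, and a resolution check after the restart, would save the next operator a debugging session. In the last hunk the `/etc/bash.bashrc` block duplicates the `/etc/profile` block that follows it, and that block's `else` branch continues outside the visible hunk; a `for f in /etc/bash.bashrc /etc/profile; do … done` loop would keep the two from drifting apart.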