Small improvement
This commit is contained in:
@@ -16,6 +16,10 @@ EOL
|
|||||||
sudo pacman -S --noconfirm --needed syslog-ng
|
sudo pacman -S --noconfirm --needed syslog-ng
|
||||||
sudo systemctl enable --now syslog-ng@default.service
|
sudo systemctl enable --now syslog-ng@default.service
|
||||||
|
|
||||||
|
# [NETW-2706] Ensure DNSSEC validation is enabled
|
||||||
|
echo 'DNSSEC=yes' | sudo tee -a /etc/systemd/resolved.conf > /dev/null
|
||||||
|
sudo systemctl restart systemd-resolved
|
||||||
|
|
||||||
# [USB-3000] Ensure USBGUARD is installed and configured
|
# [USB-3000] Ensure USBGUARD is installed and configured
|
||||||
sudo pacman -S --noconfirm --needed usbguard
|
sudo pacman -S --noconfirm --needed usbguard
|
||||||
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
|
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
|
||||||
@@ -239,7 +243,7 @@ sudo tee /etc/issue > /dev/null <<EOL
|
|||||||
* activity on this system is monitored, recorded, and may be used *
|
* activity on this system is monitored, recorded, and may be used *
|
||||||
* as evidence in criminal or civil proceedings. *
|
* as evidence in criminal or civil proceedings. *
|
||||||
********************************************************************
|
********************************************************************
|
||||||
\n\l
|
\n - \l
|
||||||
EOL
|
EOL
|
||||||
|
|
||||||
# [HRDN-7220] Don't install /usr/bin/as by adding it to NoExtract
|
# [HRDN-7220] Don't install /usr/bin/as by adding it to NoExtract
|
||||||
@@ -248,7 +252,7 @@ if sudo grep -q 'usr/bin/as' /etc/pacman.conf; then
|
|||||||
else
|
else
|
||||||
if sudo grep -qE '^[[:space:]]*NoExtract' /etc/pacman.conf; then
|
if sudo grep -qE '^[[:space:]]*NoExtract' /etc/pacman.conf; then
|
||||||
sudo sed -i '0,/^[[:space:]]*NoExtract/ s|^\([[:space:]]*NoExtract[[:space:]]*=[[:space:]]*\)\(.*\)$|\1\2 usr/bin/as|' /etc/pacman.conf
|
sudo sed -i '0,/^[[:space:]]*NoExtract/ s|^\([[:space:]]*NoExtract[[:space:]]*=[[:space:]]*\)\(.*\)$|\1\2 usr/bin/as|' /etc/pacman.conf
|
||||||
elif sudo grep -qE '^[[:space:]]*#[[:space:]]*NoExtract' /etc/pacman.conf; then
|
elif sudo grep -qE '^[[:space:]]*#[[:space:]]*NoExtract' /etc/pacman.conf; then
|
||||||
sudo sed -i '/^[[:space:]]*#[[:space:]]*NoExtract/ a NoExtract = usr/bin/as' /etc/pacman.conf
|
sudo sed -i '/^[[:space:]]*#[[:space:]]*NoExtract/ a NoExtract = usr/bin/as' /etc/pacman.conf
|
||||||
else
|
else
|
||||||
sudo bash -c 'printf "\n# NoExtract added by hardening script\nNoExtract = usr/bin/as\n" >> /etc/pacman.conf'
|
sudo bash -c 'printf "\n# NoExtract added by hardening script\nNoExtract = usr/bin/as\n" >> /etc/pacman.conf'
|
||||||
@@ -330,6 +334,11 @@ sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
|
|||||||
|
|
||||||
# [AUTH-9328] Ensure default user umask is 027 or more restrictive
|
# [AUTH-9328] Ensure default user umask is 027 or more restrictive
|
||||||
sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs
|
sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs
|
||||||
|
if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/bash.bashrc; then
|
||||||
|
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/bash.bashrc
|
||||||
|
else
|
||||||
|
echo 'umask 027' | sudo tee -a /etc/bash.bashrc > /dev/null
|
||||||
|
fi
|
||||||
if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/profile; then
|
if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/profile; then
|
||||||
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile
|
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile
|
||||||
else
|
else
|
||||||
@@ -372,9 +381,9 @@ EOL
|
|||||||
# To test
|
# To test
|
||||||
# Function to create basic systemd hardening drop-in
|
# Function to create basic systemd hardening drop-in
|
||||||
create_systemd_hardening () {
|
create_systemd_hardening () {
|
||||||
SERVICE="$1"
|
SERVICE="$1"
|
||||||
DROPIN="/etc/systemd/system/${SERVICE}.d"
|
DROPIN="/etc/systemd/system/${SERVICE}.d"
|
||||||
sudo mkdir -p "$DROPIN"
|
sudo mkdir -p "$DROPIN"
|
||||||
sudo tee "$DROPIN/hardening.conf" > /dev/null <<EOL
|
sudo tee "$DROPIN/hardening.conf" > /dev/null <<EOL
|
||||||
[Service]
|
[Service]
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
@@ -391,7 +400,7 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|||||||
SystemCallFilter=@system-service
|
SystemCallFilter=@system-service
|
||||||
UMask=0077
|
UMask=0077
|
||||||
EOL
|
EOL
|
||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
}
|
}
|
||||||
|
|
||||||
# Add conservative hardening overrides for high-risk services you should review
|
# Add conservative hardening overrides for high-risk services you should review
|
||||||
@@ -438,7 +447,7 @@ SERVICES_TO_HARDEN=(
|
|||||||
"wpa_supplicant"
|
"wpa_supplicant"
|
||||||
)
|
)
|
||||||
for S in "${SERVICES_TO_HARDEN[@]}"; do
|
for S in "${SERVICES_TO_HARDEN[@]}"; do
|
||||||
if systemctl list-unit-files | grep -q "$S"; then
|
if systemctl list-unit-files | grep -q "$S"; then
|
||||||
create_systemd_hardening "$S"
|
create_systemd_hardening "$S"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|||||||
Reference in New Issue
Block a user