Improving script
@@ -89,6 +89,8 @@ sudo tee /etc/security/limits.d/20-disable-core-dumps.conf > /dev/null <<EOL
|
||||
* soft core 0
|
||||
EOL
|
||||
# Append to /etc/profile to enforce core dump restriction system-wide
|
||||
echo '# Disable core dumps system-wide' | sudo tee -a /etc/profile > /dev/null
|
||||
echo 'ulimit -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
|
||||
echo '# Set the core dump soft limit to 0 (current enforceable limit)' | sudo tee -a /etc/profile > /dev/null
|
||||
echo 'ulimit -S -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
|
||||
echo '# Set the hard limit to 0 (absolute maximum limit)' | sudo tee -a /etc/profile > /dev/null
|
||||
@@ -147,6 +149,7 @@ else
|
||||
sudo sed -i 's|^proc[[:space:]]\+/proc[[:space:]]\+proc[[:space:]]\+.*$|proc /proc proc defaults,hidepid=1,gid=wheel 0 0|' /etc/fstab
|
||||
fi
|
||||
## Remount /proc to apply changes immediately
|
||||
sudo systemctl daemon-reload
|
||||
sudo mount -o remount /proc
|
||||
|
||||
# [FILE-6374] Check mount options
|
||||
@@ -158,7 +161,9 @@ else
|
||||
sudo sed -i 's|^tmpfs[[:space:]]\+/dev/shm[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab
|
||||
fi
|
||||
# Remount /dev/shm to apply changes immediately
|
||||
sudo systemctl daemon-reload
|
||||
sudo mount -o remount /dev/shm
|
||||
|
||||
# Replace /tmp mount
|
||||
if ! grep -q '^tmpfs\s\+/tmp\s\+tmpfs\s\+' /etc/fstab; then
|
||||
echo '# /tmp' | sudo tee -a /etc/fstab > /dev/null
|
||||
@@ -167,6 +172,7 @@ else
|
||||
sudo sed -i 's|^tmpfs[[:space:]]\+/tmp[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab
|
||||
fi
|
||||
# Remount /tmp to apply changes immediately
|
||||
sudo systemctl daemon-reload
|
||||
sudo mount -o remount /tmp
|
||||
|
||||
# [FILE-6430] Disable mounting of some filesystems
|
||||
@@ -246,8 +252,8 @@ sudo chmod 700 /etc/cron.hourly
|
||||
|
||||
# [AUTH-9230] Ensure password hashing algorithm is set to YESCRYPT and hashing rounds to minimum of 5000 and maximum of 5000000
|
||||
sudo sed -i 's/^ENCRYPT_METHOD .*/ENCRYPT_METHOD YESCRYPT/' /etc/login.defs
|
||||
sudo sed -i 's/^SHA_CRYPT_MIN_ROUNDS .*/SHA_CRYPT_MIN_ROUNDS 5000/' /etc/login.defs
|
||||
sudo sed -i 's/^SHA_CRYPT_MAX_ROUNDS .*/SHA_CRYPT_MAX_ROUNDS 5000000/' /etc/login.defs
|
||||
sudo sed -i 's/^#SHA_CRYPT_MIN_ROUNDS .*/SHA_CRYPT_MIN_ROUNDS 5000/' /etc/login.defs
|
||||
sudo sed -i 's/^#SHA_CRYPT_MAX_ROUNDS .*/SHA_CRYPT_MAX_ROUNDS 5000000/' /etc/login.defs
|
||||
|
||||
# [AUTH-9262] Password strength checking tool is installed
|
||||
sudo pacman -S --noconfirm --needed libpwquality
|
||||
@@ -270,7 +276,11 @@ sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
|
||||
|
||||
# [AUTH-9328] Ensure default user umask is 027 or more restrictive
|
||||
sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs
|
||||
sudo sed -i 's/^#\?umask .*/umask 027/' /etc/profile
|
||||
if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/profile; then
|
||||
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile
|
||||
else
|
||||
echo 'umask 027' | sudo tee -a /etc/profile > /dev/null
|
||||
fi
|
||||
|
||||
# [ACCT-9622] Enable process accounting
|
||||
sudo pacman -S --noconfirm --needed acct
|
||||
@@ -284,7 +294,7 @@ sudo systemctl enable --now sysstat-collect.timer sysstat-rotate.timer
|
||||
sudo systemctl enable --now auditd audit-rules
|
||||
|
||||
# [ACCT-9630] Configure auditd rules
|
||||
sudo tee /etc/audit/rules.d/hardening.rules > /dev/null <<EOL
|
||||
sudo tee /etc/audit/rules.d/10-harden.rules > /dev/null <<EOL
|
||||
# Monitor attempts to change system time
|
||||
-w /etc/localtime -p wa -k time-change
|
||||
|
||||
@@ -297,3 +307,77 @@ sudo tee /etc/audit/rules.d/hardening.rules > /dev/null <<EOL
|
||||
# Make the configuration immutable (must be the last line)
|
||||
-e 2
|
||||
EOL
|
||||
|
||||
# To test
|
||||
# Function to create basic systemd hardening drop-in
|
||||
create_systemd_hardening () {
|
||||
SERVICE="$1"
|
||||
DROPIN="/etc/systemd/system/${SERVICE}.d"
|
||||
sudo mkdir -p "$DROPIN"
|
||||
sudo tee "$DROPIN/hardening.conf" > /dev/null <<EOL
|
||||
[Service]
|
||||
PrivateTmp=true
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectClock=true
|
||||
ProtectHostname=true
|
||||
ProtectControlGroups=true
|
||||
PrivateDevices=false
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
SystemCallFilter=@system-service
|
||||
UMask=0077
|
||||
EOL
|
||||
sudo systemctl daemon-reload
|
||||
}
|
||||
|
||||
# Add conservative hardening overrides for high-risk services you should review
|
||||
SERVICES_TO_HARDEN=(
|
||||
"NetworkManager"
|
||||
"accounts-daemon"
|
||||
"aidecheck"
|
||||
"auditd"
|
||||
"bluetooth"
|
||||
"bolt"
|
||||
"dbus-broker"
|
||||
"dirmngr@etc-pacman.d-gnupg"
|
||||
"dm-event"
|
||||
"emergency"
|
||||
"firewalld"
|
||||
"fprintd"
|
||||
"getty@tty1"
|
||||
"gpg-agent@etc-pacman.d-gnupg"
|
||||
"keyboxd@etc-pacman.d-gnupg"
|
||||
"lenovo-cfgservice"
|
||||
"libvirtd"
|
||||
"meshagent"
|
||||
"ollama"
|
||||
"packagekit"
|
||||
"plymouth-start"
|
||||
"rescue"
|
||||
"rtkit-daemon"
|
||||
"sddm"
|
||||
"snapper-cleanup"
|
||||
"snapper-timeline"
|
||||
"syslog-ng@default"
|
||||
"systemd-ask-password-console"
|
||||
"systemd-ask-password-plymouth"
|
||||
"systemd-ask-password-wall"
|
||||
"systemd-bsod"
|
||||
"systemd-rfkill"
|
||||
"systemd-importd"
|
||||
"systemd-machined"
|
||||
"systemd-udevd"
|
||||
"udisks2"
|
||||
"user@1000"
|
||||
"virtlockd"
|
||||
"waydroid-container"
|
||||
"wpa_supplicant"
|
||||
)
|
||||
for S in "${SERVICES_TO_HARDEN[@]}"; do
|
||||
if systemctl list-unit-files | grep -q "$S"; then
|
||||
create_systemd_hardening "$S"
|
||||
fi
|
||||
done
|
||||
|
||||
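Review bot: The drop-in directory in `create_systemd_hardening` is built as `/etc/systemd/system/${SERVICE}.d`, which omits the unit-type suffix, so systemd will not load these overrides at all; it should be `local service=$1` and `local dropin="/etc/systemd/system/${service}.service.d"`, and the existence test in the loop is better written `systemctl cat "${S}.service" >/dev/null 2>&1` than an unanchored `grep -q "$S"` over `list-unit-files`, which matches names like `rescue` or `bolt` as substrings. Once the drop-ins do load, the one-size template is likely to break several of the listed units: auditd, systemd-udevd, NetworkManager, wpa_supplicant and firewalld talk to the kernel over AF_NETLINK (wpa_supplicant also AF_PACKET), which `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` denies, and `ProtectHome=true`/`ProtectSystem=full` on `sddm`, `user@1000`, `rescue` and `emergency` removes exactly the access those units exist to provide. Since the audit rules added in the same commit depend on auditd starting, a per-service allowlist (or at minimum adding AF_NETLINK for the network and audit daemons) is worth settling before the `# To test` marker is removed. Separately, in the AUTH-9230 hunk the `SHA_CRYPT_MIN_ROUNDS`/`SHA_CRYPT_MAX_ROUNDS` edits only govern the SHA-based methods; with `ENCRYPT_METHOD YESCRYPT` the work factor is set by `YESCRYPT_COST_FACTOR` in /etc/login.defs, which the script does not touch.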