Lightemerald/linux-scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improving script

Browse Source
This commit is contained in:
Lightemerald
2025-12-12 21:08:29 +01:00
parent 59a68436f8
commit 8f6b61cd96
1 changed files with 88 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
arch-hardening.sh
View File

@@ -89,6 +89,8 @@ sudo tee /etc/security/limits.d/20-disable-core-dumps.conf > /dev/null <<EOL
* soft core 0 * soft core 0
EOL EOL
# Append to /etc/profile to enforce core dump restriction system-wide # Append to /etc/profile to enforce core dump restriction system-wide
echo '# Disable core dumps system-wide' | sudo tee -a /etc/profile > /dev/null
echo 'ulimit -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
echo '# Set the core dump soft limit to 0 (current enforceable limit)' | sudo tee -a /etc/profile > /dev/null echo '# Set the core dump soft limit to 0 (current enforceable limit)' | sudo tee -a /etc/profile > /dev/null
echo 'ulimit -S -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null echo 'ulimit -S -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
echo '# Set the hard limit to 0 (absolute maximum limit)' | sudo tee -a /etc/profile > /dev/null echo '# Set the hard limit to 0 (absolute maximum limit)' | sudo tee -a /etc/profile > /dev/null
@@ -147,6 +149,7 @@ else
sudo sed -i 's|^proc[[:space:]]\+/proc[[:space:]]\+proc[[:space:]]\+.*$|proc /proc proc defaults,hidepid=1,gid=wheel 0 0|' /etc/fstab sudo sed -i 's|^proc[[:space:]]\+/proc[[:space:]]\+proc[[:space:]]\+.*$|proc /proc proc defaults,hidepid=1,gid=wheel 0 0|' /etc/fstab
fi fi
## Remount /proc to apply changes immediately ## Remount /proc to apply changes immediately
sudo systemctl daemon-reload
sudo mount -o remount /proc sudo mount -o remount /proc
# [FILE-6374] Check mount options # [FILE-6374] Check mount options
@@ -158,7 +161,9 @@ else
sudo sed -i 's|^tmpfs[[:space:]]\+/dev/shm[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab sudo sed -i 's|^tmpfs[[:space:]]\+/dev/shm[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab
fi fi
# Remount /dev/shm to apply changes immediately # Remount /dev/shm to apply changes immediately
sudo systemctl daemon-reload
sudo mount -o remount /dev/shm sudo mount -o remount /dev/shm
# Replace /tmp mount # Replace /tmp mount
if ! grep -q '^tmpfs\s\+/tmp\s\+tmpfs\s\+' /etc/fstab; then if ! grep -q '^tmpfs\s\+/tmp\s\+tmpfs\s\+' /etc/fstab; then
echo '# /tmp' | sudo tee -a /etc/fstab > /dev/null echo '# /tmp' | sudo tee -a /etc/fstab > /dev/null
@@ -167,6 +172,7 @@ else
sudo sed -i 's|^tmpfs[[:space:]]\+/tmp[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab sudo sed -i 's|^tmpfs[[:space:]]\+/tmp[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab
fi fi
# Remount /tmp to apply changes immediately # Remount /tmp to apply changes immediately
sudo systemctl daemon-reload
sudo mount -o remount /tmp sudo mount -o remount /tmp
# [FILE-6430] Disable mounting of some filesystems # [FILE-6430] Disable mounting of some filesystems
@@ -246,8 +252,8 @@ sudo chmod 700 /etc/cron.hourly
# [AUTH-9230] Ensure password hashing algorithm is set to YESCRYPT and hashing rounds to minimum of 5000 and maximum of 5000000 # [AUTH-9230] Ensure password hashing algorithm is set to YESCRYPT and hashing rounds to minimum of 5000 and maximum of 5000000
sudo sed -i 's/^ENCRYPT_METHOD .*/ENCRYPT_METHOD YESCRYPT/' /etc/login.defs sudo sed -i 's/^ENCRYPT_METHOD .*/ENCRYPT_METHOD YESCRYPT/' /etc/login.defs
sudo sed -i 's/^SHA_CRYPT_MIN_ROUNDS .*/SHA_CRYPT_MIN_ROUNDS 5000/' /etc/login.defs sudo sed -i 's/^#SHA_CRYPT_MIN_ROUNDS .*/SHA_CRYPT_MIN_ROUNDS 5000/' /etc/login.defs
sudo sed -i 's/^SHA_CRYPT_MAX_ROUNDS .*/SHA_CRYPT_MAX_ROUNDS 5000000/' /etc/login.defs sudo sed -i 's/^#SHA_CRYPT_MAX_ROUNDS .*/SHA_CRYPT_MAX_ROUNDS 5000000/' /etc/login.defs
# [AUTH-9262] Password strength checking tool is installed # [AUTH-9262] Password strength checking tool is installed
sudo pacman -S --noconfirm --needed libpwquality sudo pacman -S --noconfirm --needed libpwquality
@@ -270,7 +276,11 @@ sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
# [AUTH-9328] Ensure default user umask is 027 or more restrictive # [AUTH-9328] Ensure default user umask is 027 or more restrictive
sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs
sudo sed -i 's/^#\?umask .*/umask 027/' /etc/profile if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/profile; then
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile
else
echo 'umask 027' | sudo tee -a /etc/profile > /dev/null
fi
# [ACCT-9622] Enable process accounting # [ACCT-9622] Enable process accounting
sudo pacman -S --noconfirm --needed acct sudo pacman -S --noconfirm --needed acct
@@ -284,7 +294,7 @@ sudo systemctl enable --now sysstat-collect.timer sysstat-rotate.timer
sudo systemctl enable --now auditd audit-rules sudo systemctl enable --now auditd audit-rules
# [ACCT-9630] Configure auditd rules # [ACCT-9630] Configure auditd rules
sudo tee /etc/audit/rules.d/hardening.rules > /dev/null <<EOL sudo tee /etc/audit/rules.d/10-harden.rules > /dev/null <<EOL
# Monitor attempts to change system time # Monitor attempts to change system time
-w /etc/localtime -p wa -k time-change -w /etc/localtime -p wa -k time-change
@@ -297,3 +307,77 @@ sudo tee /etc/audit/rules.d/hardening.rules > /dev/null <<EOL
# Make the configuration immutable (must be the last line) # Make the configuration immutable (must be the last line)
-e 2 -e 2
EOL EOL
# To test
# Function to create basic systemd hardening drop-in
create_systemd_hardening () {
SERVICE="$1"
DROPIN="/etc/systemd/system/${SERVICE}.d"
sudo mkdir -p "$DROPIN"
sudo tee "$DROPIN/hardening.conf" > /dev/null <<EOL
[Service]
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
NoNewPrivileges=true
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectClock=true
ProtectHostname=true
ProtectControlGroups=true
PrivateDevices=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
UMask=0077
EOL
sudo systemctl daemon-reload
}
# Add conservative hardening overrides for high-risk services you should review
SERVICES_TO_HARDEN=(
"NetworkManager"
"accounts-daemon"
"aidecheck"
"auditd"
"bluetooth"
"bolt"
"dbus-broker"
"dirmngr@etc-pacman.d-gnupg"
"dm-event"
"emergency"
"firewalld"
"fprintd"
"getty@tty1"
"gpg-agent@etc-pacman.d-gnupg"
"keyboxd@etc-pacman.d-gnupg"
"lenovo-cfgservice"
"libvirtd"
"meshagent"
"ollama"
"packagekit"
"plymouth-start"
"rescue"
"rtkit-daemon"
"sddm"
"snapper-cleanup"
"snapper-timeline"
"syslog-ng@default"
"systemd-ask-password-console"
"systemd-ask-password-plymouth"
"systemd-ask-password-wall"
"systemd-bsod"
"systemd-rfkill"
"systemd-importd"
"systemd-machined"
"systemd-udevd"
"udisks2"
"user@1000"
"virtlockd"
"waydroid-container"
"wpa_supplicant"
)
for S in "${SERVICES_TO_HARDEN[@]}"; do
if systemctl list-unit-files | grep -q "$S"; then
create_systemd_hardening "$S"
fi
done