Adding a few more hardening settings
@@ -22,6 +22,10 @@ sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
|
||||
sudo sed -i 's/^PresentControllerPolicy=.*/PresentControllerPolicy=apply-policy/' /etc/usbguard/usbguard-daemon.conf
|
||||
sudo systemctl enable --now usbguard
|
||||
|
||||
# [NETW-3032] Checking for ARP monitoring software
|
||||
sudo pacman -S --noconfirm --needed arpwatch
|
||||
sudo systemctl enable --now arpwatch
|
||||
|
||||
# [NETW-3200] Disable unused network protocols
|
||||
sudo tee /etc/modprobe.d/network-protocols-disable.conf > /dev/null <<EOL
|
||||
# Disable unnecessary network protocols to reduce attack surface
|
||||
@@ -79,9 +83,21 @@ EOL
|
||||
|
||||
# [TOOL-5190] Ensure IDS/IPS tools are installed
|
||||
sudo pacman -S --noconfirm --needed snort
|
||||
sudo systemctl enable --now snort
|
||||
|
||||
# [KRNL-5820] Disable core dumps
|
||||
sudo mkdir /etc/security/limits.d/
|
||||
|
||||
# Disable coredump handling in systemd's coredump configuration and mask units
|
||||
sudo mkdir -p /etc/systemd/coredump.conf.d
|
||||
sudo tee /etc/systemd/coredump.conf.d/99-disable-coredumps.conf > /dev/null <<'EOL'
|
||||
[Coredump]
|
||||
# Prevent any core file data being stored and limit accepted size to 0
|
||||
ProcessSizeMax=0
|
||||
Storage=none
|
||||
EOL
|
||||
sudo systemctl daemon-reload
|
||||
|
||||
sudo mkdir -p /etc/security/limits.d/
|
||||
sudo tee /etc/security/limits.d/20-disable-core-dumps.conf > /dev/null <<EOL
|
||||
# Disable core dumps for ALL users
|
||||
# The format is: <domain> <type> <item> <value>
|
||||
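Review bot: `sudo mkdir /etc/security/limits.d/` at L53 has no `-p`, so it exits non-zero on any re-run once the directory exists, and L87 then creates the same directory again with `-p`; if L53 is indeed on the new side rather than a removed line, drop it and keep only L87. The two coredump measures (systemd `Storage=none`/`ProcessSizeMax=0` and the limits.d file) do not touch the kernel's setuid-dump policy, so a `fs.suid_dumpable = 0` sysctl.d drop-in would round out the `[KRNL-5820]` item. The limits.d heredoc opened at L90 continues past the end of the hunk.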
@@ -254,6 +270,34 @@ sudo chmod 700 /etc/cron.hourly
|
||||
sudo pacman -S --noconfirm --needed rng-tools
|
||||
sudo systemctl enable --now rngd
|
||||
|
||||
# [CRYP-8005] Presence of software pseudo random number generator
|
||||
sudo pacman -S --noconfirm --needed haveged
|
||||
sudo systemctl enable --now haveged
|
||||
|
||||
# [CRYP-8006] Ensure MemoryOverwriteRequest-bit set
|
||||
sudo tee /usr/lib/systemd/system-shutdown/mor-bit-wipe.sh > /dev/null <<'EOL'
|
||||
#!/bin/bash
|
||||
|
||||
# Path to the MemoryOverwriteRequestControl UEFI variable
|
||||
MOR_VAR_PATH="/sys/firmware/efi/efivars/MemoryOverwriteRequestControl-e20939be-32d4-41be-a150-897f85d49829"
|
||||
|
||||
# Check if the UEFI variable path exists
|
||||
if [ -e "$MOR_VAR_PATH" ]; then
|
||||
# The expected format is: Attributes (4 bytes) + Value (1 byte for MOR state)
|
||||
# We need to write 5 bytes in total: 0x07 0x00 0x00 0x00 (Attributes) + 0x01 (MOR-bit set)
|
||||
|
||||
# Use printf to create the necessary 5-byte data and write it to the variable
|
||||
# 0x01 means MOR is SET (request memory wipe)
|
||||
printf "\x07\x00\x00\x00\x01" | dd of="$MOR_VAR_PATH" bs=5 count=1 conv=notrunc >/dev/null 2>&1
|
||||
|
||||
# Log the action (optional, for debugging/audit logs)
|
||||
echo "$(date) - Successfully set MOR-bit (MemoryOverwriteRequestControl) for next boot memory wipe." >> /var/log/mor-wipe.log
|
||||
fi
|
||||
|
||||
exit 0
|
||||
EOL
|
||||
sudo chmod +x /usr/lib/systemd/system-shutdown/mor-bit-wipe.sh
|
||||
|
||||
# [AUTH-9230] Ensure password hashing algorithm is set to YESCRYPT and hashing rounds to minimum of 5000 and maximum of 5000000
|
||||
sudo sed -i 's/^ENCRYPT_METHOD .*/ENCRYPT_METHOD YESCRYPT/' /etc/login.defs
|
||||
sudo sed -i 's/^#SHA_CRYPT_MIN_ROUNDS .*/SHA_CRYPT_MIN_ROUNDS 5000/' /etc/login.defs
|
||||
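Review bot: The log line at L168 reports success unconditionally, while the `dd` at L160 has both its exit status and its diagnostics discarded with `>/dev/null 2>&1`, so a rejected efivars write (efivarfs normally marks variables immutable, and a write then fails with EPERM unless the immutable attribute is cleared first) still produces a "Successfully set MOR-bit" audit entry. Gate the log on the write's status as below, and bear in mind that at the system-shutdown stage /var may already be read-only, so the append to `/var/log/mor-wipe.log` itself may need a different sink. Separately, the `[AUTH-9230]` sed at L193 only matches the commented `#SHA_CRYPT_MIN_ROUNDS` form, so an already-active line is left untouched, and with `ENCRYPT_METHOD YESCRYPT` the SHA_CRYPT_* rounds do not govern yescrypt hashes — its work factor is `YESCRYPT_COST_FACTOR`; no maximum-rounds line is set anywhere in this hunk despite the comment at L187.
```shell
if [ -e "$MOR_VAR_PATH" ]; then
  # … unchanged: comments describing the 5-byte attribute+value layout …
  if printf "\x07\x00\x00\x00\x01" | dd of="$MOR_VAR_PATH" bs=5 count=1 conv=notrunc >/dev/null 2>&1; then
    echo "$(date) - Set MOR-bit (MemoryOverwriteRequestControl) for next boot memory wipe." >> /var/log/mor-wipe.log
  else
    echo "$(date) - FAILED to set MOR-bit on $MOR_VAR_PATH (efivarfs write rejected; variable may be immutable)" >> /var/log/mor-wipe.log
  fi
fi
```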
@@ -286,6 +330,13 @@ else
|
||||
echo 'umask 027' | sudo tee -a /etc/profile > /dev/null
|
||||
fi
|
||||
|
||||
# [AUTH-9408] Logging of failed login attempts is enabled
|
||||
if sudo grep FAILLOG_ENAB /etc/login.defs; then
|
||||
sudo sed -i 's/^FAILLOG_ENAB .*/FAILLOG_ENAB yes/' /etc/login.defs
|
||||
else
|
||||
echo 'FAILLOG_ENAB yes' | sudo tee -a /etc/login.defs > /dev/null
|
||||
fi
|
||||
|
||||
# [ACCT-9622] Enable process accounting
|
||||
sudo pacman -S --noconfirm --needed acct
|
||||
sudo systemctl enable --now acct
|
||||
|
||||
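Review bot: The `grep FAILLOG_ENAB` test at L210 also matches a commented-out `#FAILLOG_ENAB` line, in which case the sed at L213 (anchored on `^FAILLOG_ENAB`) changes nothing and the else-branch append never runs, so the setting is silently not applied. Use `if sudo grep -q '^#\?FAILLOG_ENAB' /etc/login.defs; then` together with `sudo sed -i 's/^#\?FAILLOG_ENAB .*/FAILLOG_ENAB yes/' /etc/login.defs`; the `-q` also stops the matched line from being echoed to stdout. On PAM-based systems the login.defs man page lists FAILLOG_ENAB as obsolete, so failed-login logging there comes from pam_faillock and the journal rather than this key — the `[AUTH-9408]` item may need a different control to actually take effect.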