Lightemerald/linux-scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixing MOR-bit set when efi var is immutable, improving some parts and taking improved configs from CIS hardening guide

Browse Source
This commit is contained in:
Lightemerald
2025-12-21 18:47:04 +00:00
parent 4b476e8782
commit bae5c65794
2 changed files with 344 additions and 203 deletions
Download Patch File Download Diff File Expand all files Collapse all files

125
debian-hardening.sh
View File

@@ -7,15 +7,15 @@ set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
log() {
echo "[$(date --rfc-3339=seconds)] $*" >&2
echo "[$(date --rfc-3339=seconds)] $*" >&2
}
log_warn() {
echo "[$(date --rfc-3339=seconds)] WARNING: $*" >&2
echo "[$(date --rfc-3339=seconds)] WARNING: $*" >&2
}
log_error() {
echo "[$(date --rfc-3339=seconds)] ERROR: $*" >&2
echo "[$(date --rfc-3339=seconds)] ERROR: $*" >&2
}
# Update system
@@ -47,7 +47,7 @@ sudo apt-get install -y fail2ban
# [STRG-1846] Disable drivers like firewire
log "Disabling FireWire kernel modules..."
sudo tee /etc/modprobe.d/90-firewire-disable.conf > /dev/null <<EOL
sudo tee /etc/modprobe.d/90-firewire-disable.conf >/dev/null <<EOL
# Disable FireWire kernel modules to prevent unauthorized DMA access
blacklist firewire-core
install firewire-core /bin/false
@@ -66,9 +66,9 @@ sudo systemctl enable --now rsyslog
log "Installing usbguard..."
sudo apt-get install -y usbguard
if command -v usbguard >/dev/null 2>&1; then
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
sudo sed -i 's/^PresentControllerPolicy=.*/PresentControllerPolicy=apply-policy/' /etc/usbguard/usbguard-daemon.conf || true
sudo systemctl enable --now usbguard
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf >/dev/null
sudo sed -i 's/^PresentControllerPolicy=.*/PresentControllerPolicy=apply-policy/' /etc/usbguard/usbguard-daemon.conf || true
sudo systemctl enable --now usbguard
fi
# [NETW-3032] Checking for ARP monitoring software
@@ -77,7 +77,7 @@ sudo apt-get install -y arpon
# [NETW-3200] Disable unused network protocols
log "Disabling unused network protocol modules..."
sudo tee /etc/modprobe.d/90-network-protocols-disable.conf > /dev/null <<EOL
sudo tee /etc/modprobe.d/90-network-protocols-disable.conf >/dev/null <<EOL
# Disable unnecessary network protocols to reduce attack surface
blacklist dccp
install dccp /bin/false
@@ -130,13 +130,13 @@ log "Installing AIDE..."
sudo apt-get install -y aide
sudo aide --init || true
if [ -f /var/lib/aide/aide.db.new.gz ]; then
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz || true
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz || true
fi
sudo systemctl enable --now aidecheck.timer || true
# [FIRE-45XX] Firewall configuration: ensure nftables is installed and iptables removed if present
log "Disabling iptables to prevent conflicts with nftables (default on debian since Buster)..."
sudo tee /etc/modprobe.d/90-ip_tables-disable.conf > /dev/null <<EOL
sudo tee /etc/modprobe.d/90-ip_tables-disable.conf >/dev/null <<EOL
# Disable ip_tables to prevent conflicts with nftables
blacklist ip_tables
install ip_tables /bin/false
@@ -150,8 +150,8 @@ if ! grep -q "set superusers=" "$GRUB_PW_FILE" 2>/dev/null; then
echo
read -s -p "Enter GRUB superuser password: " GRUB_PASS
echo
GRUB_PASS_HASH=$(grub-mkpasswd-pbkdf2 <<< "$GRUB_PASS" | awk -F' ' '/PBKDF2 hash of your password is/ {print $7}')
sudo tee -a "$GRUB_PW_FILE" > /dev/null <<EOL
GRUB_PASS_HASH=$(grub-mkpasswd-pbkdf2 <<<"$GRUB_PASS" | awk -F' ' '/PBKDF2 hash of your password is/ {print $7}')
sudo tee -a "$GRUB_PW_FILE" >/dev/null <<EOL
set superusers="$GRUB_USER"
password_pbkdf2 $GRUB_USER $GRUB_PASS_HASH
EOL
@@ -186,7 +186,7 @@ fi
# [KRNL-5820] Disable core dumps
log "Disabling core dumps via systemd and limits..."
sudo mkdir -p /etc/systemd/coredump.conf.d
sudo tee /etc/systemd/coredump.conf.d/99-disable-coredumps.conf > /dev/null <<'EOL'
sudo tee /etc/systemd/coredump.conf.d/99-disable-coredumps.conf >/dev/null <<'EOL'
[Coredump]
ProcessSizeMax=0
Storage=none
@@ -194,21 +194,21 @@ EOL
sudo systemctl daemon-reload || true
sudo mkdir -p /etc/security/limits.d/
sudo tee /etc/security/limits.d/20-disable-core-dumps.conf > /dev/null <<EOL
sudo tee /etc/security/limits.d/20-disable-core-dumps.conf >/dev/null <<EOL
* hard core 0
* soft core 0
EOL
# Append to /etc/profile to enforce core dump restriction system-wide
if ! grep -q "ulimit -c 0" /etc/profile 2>/dev/null; then
echo '# Disable core dumps system-wide' | sudo tee -a /etc/profile > /dev/null
echo 'ulimit -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
echo 'ulimit -S -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
echo 'ulimit -H -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
echo '# Disable core dumps system-wide' | sudo tee -a /etc/profile >/dev/null
echo 'ulimit -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile >/dev/null
echo 'ulimit -S -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile >/dev/null
echo 'ulimit -H -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile >/dev/null
fi
# [KRNL-6000] Sysctl settings for kernel hardening
log "Applying sysctl hardened settings..."
sudo tee /etc/sysctl.d/99-hardened.conf > /dev/null <<'EOL'
sudo tee /etc/sysctl.d/99-hardened.conf >/dev/null <<'EOL'
# Kernel and filesystem hardening settings
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
@@ -251,9 +251,9 @@ sudo sysctl --system
# [SHLL-6220] Idle session handling
if ! grep -q 'TMOUT' /etc/profile 2>/dev/null; then
echo 'TMOUT=900' | sudo tee -a /etc/profile > /dev/null
echo 'readonly TMOUT' | sudo tee -a /etc/profile > /dev/null
echo 'export TMOUT' | sudo tee -a /etc/profile > /dev/null
echo 'TMOUT=900' | sudo tee -a /etc/profile >/dev/null
echo 'readonly TMOUT' | sudo tee -a /etc/profile >/dev/null
echo 'export TMOUT' | sudo tee -a /etc/profile >/dev/null
fi
# [MACF-6290] Enable MAC framework (AppArmor)
@@ -264,10 +264,10 @@ sudo systemctl enable --now apparmor || true
# [FILE-6344] Restricting process details to users via /proc mount options
log "Configuring /proc to hide process info..."
if ! grep -q '^proc\s\+/proc\s\+proc\s\+' /etc/fstab; then
echo '# /proc' | sudo tee -a /etc/fstab > /dev/null
echo 'proc /proc proc defaults,hidepid=2,gid=sudo 0 0' | sudo tee -a /etc/fstab > /dev/null
echo '# /proc' | sudo tee -a /etc/fstab >/dev/null
echo 'proc /proc proc defaults,hidepid=2,gid=sudo 0 0' | sudo tee -a /etc/fstab >/dev/null
else
sudo sed -i 's|^proc[[:space:]]\+/proc[[:space:]]\+proc[[:space:]]\+.*$|proc /proc proc defaults,hidepid=2,gid=sudo 0 0|' /etc/fstab
sudo sed -i 's|^proc[[:space:]]\+/proc[[:space:]]\+proc[[:space:]]\+.*$|proc /proc proc defaults,hidepid=2,gid=sudo 0 0|' /etc/fstab
fi
sudo systemctl daemon-reload
sudo mount -o remount /proc
@@ -276,8 +276,8 @@ sudo mount -o remount /proc
log "Ensuring /dev, /dev/shm and /tmp have secure mount options..."
if ! grep -q '^devtmpfs\s\+/dev\s\+devtmpfs\s\+' /etc/fstab; then
echo '# /dev' | sudo tee -a /etc/fstab > /dev/null
echo 'devtmpfs /dev devtmpfs rw,nosuid,noexec,relatime,size=10%,mode=755 0 0' | sudo tee -a /etc/fstab > /dev/null
echo '# /dev' | sudo tee -a /etc/fstab >/dev/null
echo 'devtmpfs /dev devtmpfs rw,nosuid,noexec,relatime,size=10%,mode=755 0 0' | sudo tee -a /etc/fstab >/dev/null
else
sudo sed -i 's|^devtmpfs[[:space:]]\+/dev[[:space:]]\+devtmpfs[[:space:]]\+.*$|devtmpfs /dev devtmpfs rw,nosuid,noexec,relatime,size=10%,mode=755 0 0|' /etc/fstab
fi
@@ -285,26 +285,26 @@ sudo systemctl daemon-reload
sudo mount -o remount /dev
if ! grep -q '^tmpfs\s\+/dev/shm\s\+tmpfs\s\+' /etc/fstab; then
echo '# /dev/shm' | sudo tee -a /etc/fstab > /dev/null
echo 'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0' | sudo tee -a /etc/fstab > /dev/null
echo '# /dev/shm' | sudo tee -a /etc/fstab >/dev/null
echo 'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0' | sudo tee -a /etc/fstab >/dev/null
else
sudo sed -i 's|^tmpfs[[:space:]]\+/dev/shm[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab
sudo sed -i 's|^tmpfs[[:space:]]\+/dev/shm[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab
fi
sudo systemctl daemon-reload
sudo mount -o remount /dev/shm
if ! grep -q '^tmpfs\s\+/tmp\s\+tmpfs\s\+' /etc/fstab; then
echo '# /tmp' | sudo tee -a /etc/fstab > /dev/null
echo 'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0' | sudo tee -a /etc/fstab > /dev/null
echo '# /tmp' | sudo tee -a /etc/fstab >/dev/null
echo 'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0' | sudo tee -a /etc/fstab >/dev/null
else
sudo sed -i 's|^tmpfs[[:space:]]\+/tmp[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab
sudo sed -i 's|^tmpfs[[:space:]]\+/tmp[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab
fi
sudo systemctl daemon-reload
sudo mount -o remount /tmp
# [FILE-6430] Disable mounting of some filesystems
log "Disabling unnecessary filesystem modules..."
sudo tee /etc/modprobe.d/90-fs_blacklist.conf > /dev/null <<EOL
sudo tee /etc/modprobe.d/90-fs_blacklist.conf >/dev/null <<EOL
# Blacklist unnecessary filesystem modules to reduce attack surface
blacklist cramfs
install cramfs /bin/false
@@ -331,7 +331,7 @@ EOL
# [BANN-7126] Add legal banner to /etc/issue
log "Adding legal banner to /etc/issue..."
sudo systemctl disable --now pvebanner || true
sudo tee /etc/issue > /dev/null <<EOL
sudo tee /etc/issue >/dev/null <<EOL
********************************************************************
* WARNING - UNAUTHORIZED ACCESS *
* *
@@ -350,8 +350,8 @@ EOL
# [BANN-7130] Check issue.net banner file contents
log "Checking /etc/issue.net banner file contents..."
if ! sudo grep -q "WARNING - UNAUTHORIZED ACCESS" /etc/issue.net; then
log "Adding legal banner to /etc/issue.net..."
sudo tee /etc/issue.net > /dev/null <<EOL
log "Adding legal banner to /etc/issue.net..."
sudo tee /etc/issue.net >/dev/null <<EOL
********************************************************************
* WARNING - UNAUTHORIZED ACCESS *
* *
@@ -371,7 +371,7 @@ fi
# [HRDN-7220] Check if one or more compilers are installed
# Disallow apt to extract /usr/bin/as by making a dpkg config
log "Checking if as is present and excluding it from installation..."
sudo tee /etc/dpkg/dpkg.cfg.d/01-exclude-as > /dev/null <<'EOL'
sudo tee /etc/dpkg/dpkg.cfg.d/01-exclude-as >/dev/null <<'EOL'
# Exclude as from being installed
path-exclude /usr/bin/as
path-exclude /usr/bin/x86_64-linux-gnu-as
@@ -381,9 +381,9 @@ EOL
# Correcting from chown->chmod to restrict access
log "Restricting compiler binaries..."
for bin in /usr/bin/as /usr/bin/x86_64-linux-gnu-as; do
if [ -f "$bin" ]; then
sudo chmod 700 "$bin" || true
fi
if [ -f "$bin" ]; then
sudo chmod 700 "$bin" || true
fi
done
# [PKGS-7320] Install package auditing tools
@@ -392,23 +392,23 @@ sudo apt-get install -y debsecan || true
# [PKGS-7370] Checking for debsums utility
if ! dpkg -l | grep -q debsums; then
sudo apt-get install -y debsums || true
sudo apt-get install -y debsums || true
fi
# [SSH-7408] Check SSH specific defined options
log "Checking SSH specific defined options..."
set_sshd_option() {
local opt="$1"
local val="$2"
# If the option exists (possibly commented), replace the whole line; otherwise append
if sudo grep -Eq "^[[:space:]]*#?[[:space:]]*${opt}[[:space:]]+" /etc/ssh/sshd_config 2>/dev/null; then
sudo sed -ri "s|^[[:space:]]*#?[[:space:]]*${opt}[[:space:]]+.*|${opt} ${val}|" /etc/ssh/sshd_config
else
echo "${opt} ${val}" | sudo tee -a /etc/ssh/sshd_config > /dev/null
fi
local opt="$1"
local val="$2"
# If the option exists (possibly commented), replace the whole line; otherwise append
if sudo grep -Eq "^[[:space:]]*#?[[:space:]]*${opt}[[:space:]]+" /etc/ssh/sshd_config 2>/dev/null; then
sudo sed -ri "s|^[[:space:]]*#?[[:space:]]*${opt}[[:space:]]+.*|${opt} ${val}|" /etc/ssh/sshd_config
else
echo "${opt} ${val}" | sudo tee -a /etc/ssh/sshd_config >/dev/null
fi
}
set_sshd_option "PermitRootLogin" "no" # Need to setup SSH key and local admin
set_sshd_option "PermitRootLogin" "no" # Need to setup SSH key and local admin
set_sshd_option "PasswordAuthentication" "no" # Need to setup SSH key and local admin
set_sshd_option "ChallengeResponseAuthentication" "no"
set_sshd_option "AllowTcpForwarding" "no"
@@ -426,7 +426,7 @@ sudo systemctl restart ssh || true
log "Installing unattended-upgrades..."
sudo apt-get install -y unattended-upgrades || true
sudo dpkg-reconfigure -f noninteractive unattended-upgrades || true
sudo tee /etc/apt/apt.conf.d/20auto-upgrades > /dev/null <<'EOL'
sudo tee /etc/apt/apt.conf.d/20auto-upgrades >/dev/null <<'EOL'
APT::Periodic::Unattended-Upgrade "1";
EOL
sudo systemctl enable --now unattended-upgrades || true
@@ -452,7 +452,8 @@ sudo sed -i 's/^#SHA_CRYPT_MAX_ROUNDS .*/SHA_CRYPT_MAX_ROUNDS 5000000/' /etc/log
sudo apt-get install -y libpam-pwquality || true
set_pwq() {
local key="$1"; local val="$2"
local key="$1"
local val="$2"
if sudo grep -Eq "^[[:space:]]*${key}[[:space:]]*=" /etc/security/pwquality.conf 2>/dev/null; then
sudo sed -ri "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${val}|" /etc/security/pwquality.conf
else
@@ -473,7 +474,7 @@ set_pwq "enforcing" 1
# Add pam_pwquality to /etc/pam.d/common-password if not present
if ! grep -q "pam_pwquality.so" /etc/pam.d/common-password 2>/dev/null; then
sudo sed -i "/pam_unix.so/ i password requisite pam_pwquality.so" /etc/pam.d/common-password || true
sudo sed -i "/pam_unix.so/ i password requisite pam_pwquality.so" /etc/pam.d/common-password || true
fi
# [AUTH-9286] Password aging
@@ -484,24 +485,24 @@ sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs || true
if sudo grep -Eq '^[[:space:]]*#?[[:space:]]*UMASK\b' /etc/login.defs 2>/dev/null; then
sudo sed -ri "s|^[[:space:]]*#?[[:space:]]*UMASK[[:space:]]+.*|UMASK 027|" /etc/login.defs || true
else
echo 'UMASK 027' | sudo tee -a /etc/login.defs > /dev/null
echo 'UMASK 027' | sudo tee -a /etc/login.defs >/dev/null
fi
if grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/bash.bashrc 2>/dev/null; then
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/bash.bashrc || true
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/bash.bashrc || true
else
echo 'umask 027' | sudo tee -a /etc/bash.bashrc > /dev/null
echo 'umask 027' | sudo tee -a /etc/bash.bashrc >/dev/null
fi
if grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/profile 2>/dev/null; then
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile || true
sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile || true
else
echo 'umask 027' | sudo tee -a /etc/profile > /dev/null
echo 'umask 027' | sudo tee -a /etc/profile >/dev/null
fi
# [AUTH-9408] Logging of failed login attempts is enabled
if grep -q FAILLOG_ENAB /etc/login.defs 2>/dev/null; then
sudo sed -i 's/^FAILLOG_ENAB .*/FAILLOG_ENAB yes/' /etc/login.defs || true
sudo sed -i 's/^FAILLOG_ENAB .*/FAILLOG_ENAB yes/' /etc/login.defs || true
else
echo 'FAILLOG_ENAB yes' | sudo tee -a /etc/login.defs > /dev/null
echo 'FAILLOG_ENAB yes' | sudo tee -a /etc/login.defs >/dev/null
fi
# [ACCT-9622] Enable process accounting
@@ -535,7 +536,7 @@ if ! grep -q '^max_log_file_action[[:space:]]*=[[:space:]]*keep_logs' /etc/audit
fi
# [ACCT-9630] Configure auditd rules
sudo tee /etc/audit/rules.d/10-harden.rules > /dev/null <<EOL
sudo tee /etc/audit/rules.d/10-harden.rules >/dev/null <<EOL
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change