Lightemerald/linux-scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixes

Browse Source
This commit is contained in:
Lightemerald
2025-12-07 00:09:57 +01:00
parent eaf9cca514
commit bcb50f0c92
1 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
arch-hardening.sh
View File

@@ -18,7 +18,7 @@ sudo pacman -S --noconfirm --needed syslog-ng
# [USB-3000] Ensure USBGUARD is installed and configured # [USB-3000] Ensure USBGUARD is installed and configured
sudo pacman -S --noconfirm --needed usbguard sudo pacman -S --noconfirm --needed usbguard
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
sudo sed -i 's/^PresentControllerPolicy = .*/PresentControllerPolicy = apply-policy/' /etc/usbguard/usbguard-daemon.conf sudo sed -i 's/^PresentControllerPolicy=.*/PresentControllerPolicy=apply-policy/' /etc/usbguard/usbguard-daemon.conf
sudo systemctl enable --now usbguard sudo systemctl enable --now usbguard
# [NETW-3200] Disable unused network protocols # [NETW-3200] Disable unused network protocols
@@ -70,7 +70,7 @@ if pacman -Qi iptables &> /dev/null; then
sudo pacman -R --noconfirm iptables sudo pacman -R --noconfirm iptables
fi fi
sudo pacman -S --noconfirm --needed nftables sudo pacman -S --noconfirm --needed nftables
echo "blacklist ip_tables" | sudo tee /etc/modprobe.d/blacklist-iptables.conf
sudo tee /etc/modprobe.d/ip_tables-disable.conf > /dev/null <<EOL sudo tee /etc/modprobe.d/ip_tables-disable.conf > /dev/null <<EOL
# Disable ip_tables to prevent conflicts with nftables # Disable ip_tables to prevent conflicts with nftables
blacklist ip_tables blacklist ip_tables
@@ -88,7 +88,6 @@ sudo tee /etc/security/limits.d/20-disable-core-dumps.conf > /dev/null <<EOL
* hard core 0 * hard core 0
* soft core 0 * soft core 0
EOL EOL
# Append to /etc/profile to enforce core dump restriction system-wide # Append to /etc/profile to enforce core dump restriction system-wide
echo '# Set the core dump soft limit to 0 (current enforceable limit)' | sudo tee -a /etc/profile > /dev/null echo '# Set the core dump soft limit to 0 (current enforceable limit)' | sudo tee -a /etc/profile > /dev/null
echo 'ulimit -S -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null echo 'ulimit -S -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
@@ -128,7 +127,6 @@ net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0
EOL EOL
# Apply settings now
sudo sysctl --system sudo sysctl --system
# [SHLL-6220] Idle session handling # [SHLL-6220] Idle session handling
@@ -136,7 +134,7 @@ sudo sed -i 's/^#\?TMOUT=.*/TMOUT=900/' /etc/profile
sudo sed -i 's/^#\?readonly TMOUT.*/readonly TMOUT/' /etc/profile sudo sed -i 's/^#\?readonly TMOUT.*/readonly TMOUT/' /etc/profile
sudo sed -i 's/^#\?export TMOUT.*/export TMOUT/' /etc/profile sudo sed -i 's/^#\?export TMOUT.*/export TMOUT/' /etc/profile
# [MACF-6290] Enable MAC framework # [MACF-6290] Enable MAC framework (AppArmor)
sudo pacman -S --noconfirm --needed apparmor apparmor.d-git sudo pacman -S --noconfirm --needed apparmor apparmor.d-git
sudo systemctl enable --now apparmor sudo systemctl enable --now apparmor
@@ -217,8 +215,16 @@ sudo tee /etc/issue > /dev/null <<EOL
EOL EOL
# [HRDN-7220] Don't install /usr/bin/as by adding it to NoExtract # [HRDN-7220] Don't install /usr/bin/as by adding it to NoExtract
if ! grep -q '^NoExtract\s*=\s*/usr/bin/as' /etc/pacman.conf; then if sudo grep -q 'usr/bin/as' /etc/pacman.conf; then
sudo sed -i '/^\[options\]/a NoExtract = /usr/bin/as' /etc/pacman.conf : # already present
else
if sudo grep -qE '^[[:space:]]*NoExtract' /etc/pacman.conf; then
sudo sed -i '0,/^[[:space:]]*NoExtract/ s|^\([[:space:]]*NoExtract[[:space:]]*=[[:space:]]*\)\(.*\)$|\1\2 usr/bin/as|' /etc/pacman.conf
elif sudo grep -qE '^[[:space:]]*#[[:space:]]*NoExtract' /etc/pacman.conf; then
sudo sed -i '/^[[:space:]]*#[[:space:]]*NoExtract/ a NoExtract = usr/bin/as' /etc/pacman.conf
else
sudo bash -c 'printf "\n# NoExtract added by hardening script\nNoExtract = usr/bin/as\n" >> /etc/pacman.conf'
fi
fi fi
# [HRDN-7222] Restricting compilator access to root user only # [HRDN-7222] Restricting compilator access to root user only