300 lines
11 KiB
Bash
300 lines
11 KiB
Bash
#!/bin/bash
|
|
|
|
# [STRG-1846] Disable drivers like firewire
|
|
sudo tee /etc/modprobe.d/firewire-disable.conf > /dev/null <<EOL
|
|
# Disable FireWire kernel modules to prevent unauthorized DMA access
|
|
blacklist firewire-core
|
|
install firewire-core /bin/false
|
|
# Optional additional modules to blacklist
|
|
blacklist firewire-ohci
|
|
blacklist firewire-sbp2
|
|
install firewire-ohci /bin/false
|
|
install firewire-sbp2 /bin/false
|
|
EOL
|
|
|
|
# [LOGG-2154] Ensure system log is configured to send logs to a remote log server
|
|
sudo pacman -S --noconfirm --needed syslog-ng
|
|
sudo systemctl enable --now syslog-ng@default.service
|
|
|
|
# [USB-3000] Ensure USBGUARD is installed and configured
|
|
sudo pacman -S --noconfirm --needed usbguard
|
|
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
|
|
sudo sed -i 's/^PresentControllerPolicy=.*/PresentControllerPolicy=apply-policy/' /etc/usbguard/usbguard-daemon.conf
|
|
sudo systemctl enable --now usbguard
|
|
|
|
# [NETW-3200] Disable unused network protocols
|
|
sudo tee /etc/modprobe.d/network-protocols-disable.conf > /dev/null <<EOL
|
|
# Disable unnecessary network protocols to reduce attack surface
|
|
blacklist dccp
|
|
install dccp /bin/false
|
|
|
|
blacklist sctp
|
|
install sctp /bin/false
|
|
|
|
blacklist rds
|
|
install rds /bin/false
|
|
|
|
blacklist tipc
|
|
install tipc /bin/false
|
|
EOL
|
|
|
|
# [MALW-3276] Ensure rkhunter is installed
|
|
sudo pacman -S --noconfirm --needed rkhunter
|
|
sudo rkhunter --propupd
|
|
sudo tee /etc/rkhunter.conf > /dev/null <<EOL
|
|
# rkhunter configuration file
|
|
|
|
# Whitelist to avoid false positive
|
|
SCRIPTWHITELIST=/usr/bin/egrep
|
|
SCRIPTWHITELIST=/usr/bin/fgrep
|
|
SCRIPTWHITELIST=/usr/bin/ldd
|
|
SCRIPTWHITELIST=/usr/bin/vendor_perl/GET
|
|
EOL
|
|
|
|
# [MALW-3282] Ensure ClamAV is installed
|
|
sudo pacman -S --noconfirm --needed clamav
|
|
sudo freshclam
|
|
sudo systemctl enable --now clamav-freshclam
|
|
sleep 5
|
|
sudo systemctl enable --now clamav-daemon
|
|
|
|
# [FINT-4350] Install a file integrity tool
|
|
sudo pacman -S --noconfirm --needed aide
|
|
sudo aide --init
|
|
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
|
|
sudo systemctl enable --now aidecheck.timer
|
|
|
|
# [FIRE-45XX] Firewall configuration
|
|
# remove iptables if installed
|
|
if pacman -Qi iptables &> /dev/null; then
|
|
sudo pacman -R --noconfirm iptables
|
|
fi
|
|
sudo pacman -S --noconfirm --needed nftables
|
|
|
|
sudo tee /etc/modprobe.d/ip_tables-disable.conf > /dev/null <<EOL
|
|
# Disable ip_tables to prevent conflicts with nftables
|
|
blacklist ip_tables
|
|
install ip_tables /bin/false
|
|
EOL
|
|
|
|
# [TOOL-5190] Ensure IDS/IPS tools are installed
|
|
sudo pacman -S --noconfirm --needed snort
|
|
|
|
# [KRNL-5820] Disable core dumps
|
|
## create file /etc/security/limits.d/20-disable-core-dumps.conf with the following content:
|
|
sudo tee /etc/security/limits.d/20-disable-core-dumps.conf > /dev/null <<EOL
|
|
# Disable core dumps for ALL users
|
|
# The format is: <domain> <type> <item> <value>
|
|
* hard core 0
|
|
* soft core 0
|
|
EOL
|
|
# Append to /etc/profile to enforce core dump restriction system-wide
|
|
echo '# Set the core dump soft limit to 0 (current enforceable limit)' | sudo tee -a /etc/profile > /dev/null
|
|
echo 'ulimit -S -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
|
|
echo '# Set the hard limit to 0 (absolute maximum limit)' | sudo tee -a /etc/profile > /dev/null
|
|
echo 'ulimit -H -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
|
|
|
|
# [KRNL-6000] Check sysctl settings for kernel hardening
|
|
sudo tee /etc/sysctl.d/99-hardened.conf > /dev/null <<'EOL'
|
|
# Kernel and filesystem hardening settings
|
|
kernel.randomize_va_space = 2
|
|
kernel.kptr_restrict = 2
|
|
kernel.unprivileged_bpf_disabled = 1
|
|
#kernel.modules_disabled = 1 # Uncomment to disable module loading entirely at your own risk
|
|
kernel.sysrq = 0
|
|
kernel.core_uses_pid = 1
|
|
|
|
fs.suid_dumpable = 0
|
|
fs.protected_fifos = 2
|
|
fs.protected_hardlinks = 1
|
|
fs.protected_regular = 2
|
|
fs.protected_symlinks = 1
|
|
|
|
dev.tty.ldisc_autoload = 0
|
|
|
|
net.core.bpf_jit_harden = 2
|
|
|
|
net.ipv4.conf.all.forwarding = 0
|
|
net.ipv4.conf.all.accept_redirects = 0
|
|
net.ipv4.conf.all.send_redirects = 0
|
|
net.ipv4.conf.all.log_martians = 1
|
|
net.ipv4.conf.all.rp_filter = 1
|
|
|
|
net.ipv4.conf.default.accept_redirects = 0
|
|
net.ipv4.conf.default.log_martians = 1
|
|
|
|
net.ipv6.conf.all.accept_redirects = 0
|
|
net.ipv6.conf.default.accept_redirects = 0
|
|
EOL
|
|
|
|
sudo sysctl --system
|
|
|
|
# [SHLL-6220] Idle session handling
|
|
sudo sed -i 's/^#\?TMOUT=.*/TMOUT=900/' /etc/profile
|
|
sudo sed -i 's/^#\?readonly TMOUT.*/readonly TMOUT/' /etc/profile
|
|
sudo sed -i 's/^#\?export TMOUT.*/export TMOUT/' /etc/profile
|
|
|
|
# [MACF-6290] Enable MAC framework (AppArmor)
|
|
sudo pacman -S --noconfirm --needed apparmor apparmor.d-git
|
|
sudo systemctl enable --now apparmor
|
|
|
|
# [FILE-6344] Restricting process details to users
|
|
## Editing fstab
|
|
if ! grep -q '^proc\s\+/proc\s\+proc\s\+' /etc/fstab; then
|
|
echo '# /proc' | sudo tee -a /etc/fstab > /dev/null
|
|
echo 'proc /proc proc defaults,hidepid=2,gid=wheel 0 0' | sudo tee -a /etc/fstab > /dev/null
|
|
else
|
|
sudo sed -i 's|^proc[[:space:]]\+/proc[[:space:]]\+proc[[:space:]]\+.*$|proc /proc proc defaults,hidepid=1,gid=wheel 0 0|' /etc/fstab
|
|
fi
|
|
## Remount /proc to apply changes immediately
|
|
sudo mount -o remount /proc
|
|
|
|
# [FILE-6374] Check mount options
|
|
# if /dev/shm is not in /etc/fstab, add it with the correct options
|
|
if ! grep -q '^tmpfs\s\+/dev/shm\s\+tmpfs\s\+' /etc/fstab; then
|
|
echo '# /dev/shm' | sudo tee -a /etc/fstab > /dev/null
|
|
echo 'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0' | sudo tee -a /etc/fstab > /dev/null
|
|
else
|
|
sudo sed -i 's|^tmpfs[[:space:]]\+/dev/shm[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab
|
|
fi
|
|
# Remount /dev/shm to apply changes immediately
|
|
sudo mount -o remount /dev/shm
|
|
# Replace /tmp mount
|
|
if ! grep -q '^tmpfs\s\+/tmp\s\+tmpfs\s\+' /etc/fstab; then
|
|
echo '# /tmp' | sudo tee -a /etc/fstab > /dev/null
|
|
echo 'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0' | sudo tee -a /etc/fstab > /dev/null
|
|
else
|
|
sudo sed -i 's|^tmpfs[[:space:]]\+/tmp[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0|' /etc/fstab
|
|
fi
|
|
# Remount /tmp to apply changes immediately
|
|
sudo mount -o remount /tmp
|
|
|
|
# [FILE-6430] Disable mounting of some filesystems
|
|
sudo tee /etc/modprobe.d/fs_blacklist.conf > /dev/null <<EOL
|
|
# Blacklist unnecessary filesystem modules to reduce attack surface
|
|
|
|
# Cramfs (Compressed ROM filesystem)
|
|
blacklist cramfs
|
|
install cramfs /bin/false
|
|
|
|
# HFS and HFS+ (Apple filesystems)
|
|
blacklist hfs
|
|
install hfs /bin/false
|
|
|
|
blacklist hfsplus
|
|
install hfsplus /bin/false
|
|
|
|
# JFFS2 (Journaling Flash Filesystem)
|
|
blacklist jffs2
|
|
install jffs2 /bin/false
|
|
|
|
# SquashFS (Compressed read-only filesystem, often used for live media/AppImage)
|
|
blacklist squashfs
|
|
install squashfs /bin/false
|
|
|
|
# UDF (Universal Disk Format, used for optical media like DVD/BD)
|
|
blacklist udf
|
|
install udf /bin/false
|
|
EOL
|
|
|
|
# [BANN-7126] Add legal banner to /etc/issue
|
|
sudo tee /etc/issue > /dev/null <<EOL
|
|
********************************************************************
|
|
* WARNING - UNAUTHORIZED ACCESS *
|
|
* *
|
|
* Unauthorized access to this computer system is strictly *
|
|
* prohibited. Individuals accessing, using, or modifying this *
|
|
* system without explicit authorization will be subject to legal *
|
|
* action and prosecuted to the fullest extent of the law. *
|
|
* *
|
|
* Authorized users should have no expectation of privacy. All *
|
|
* activity on this system is monitored, recorded, and may be used *
|
|
* as evidence in criminal or civil proceedings. *
|
|
********************************************************************
|
|
\n\l
|
|
EOL
|
|
|
|
# [HRDN-7220] Don't install /usr/bin/as by adding it to NoExtract
|
|
if sudo grep -q 'usr/bin/as' /etc/pacman.conf; then
|
|
: # already present
|
|
else
|
|
if sudo grep -qE '^[[:space:]]*NoExtract' /etc/pacman.conf; then
|
|
sudo sed -i '0,/^[[:space:]]*NoExtract/ s|^\([[:space:]]*NoExtract[[:space:]]*=[[:space:]]*\)\(.*\)$|\1\2 usr/bin/as|' /etc/pacman.conf
|
|
elif sudo grep -qE '^[[:space:]]*#[[:space:]]*NoExtract' /etc/pacman.conf; then
|
|
sudo sed -i '/^[[:space:]]*#[[:space:]]*NoExtract/ a NoExtract = usr/bin/as' /etc/pacman.conf
|
|
else
|
|
sudo bash -c 'printf "\n# NoExtract added by hardening script\nNoExtract = usr/bin/as\n" >> /etc/pacman.conf'
|
|
fi
|
|
fi
|
|
|
|
# [HRDN-7222] Restricting compilator access to root user only
|
|
sudo chown 700 /usr/bin/as
|
|
sudo chmod 700 /usr/bin/gcc
|
|
sudo chmod 700 /usr/bin/g++
|
|
sudo chmod 700 /usr/bin/cc
|
|
sudo chmod 700 /usr/bin/c++
|
|
sudo chmod 700 /usr/bin/ld
|
|
sudo chmod 700 /usr/bin/lld
|
|
sudo chmod 700 /usr/bin/clang
|
|
|
|
# [PKGS-7320] Checking for package auditing tools
|
|
sudo pacman -S --noconfirm --needed arch-audit
|
|
|
|
# [FILE-7524] Ensuring file permissions
|
|
sudo chmod 600 /etc/ssh/sshd_config
|
|
sudo chmod 700 /etc/cron.hourly
|
|
|
|
# [AUTH-9230] Ensure password hashing algorithm is set to YESCRYPT and hashing rounds to minimum of 5000 and maximum of 5000000
|
|
sudo sed -i 's/^ENCRYPT_METHOD .*/ENCRYPT_METHOD YESCRYPT/' /etc/login.defs
|
|
sudo sed -i 's/^SHA_CRYPT_MIN_ROUNDS .*/SHA_CRYPT_MIN_ROUNDS 5000/' /etc/login.defs
|
|
sudo sed -i 's/^SHA_CRYPT_MAX_ROUNDS .*/SHA_CRYPT_MAX_ROUNDS 5000000/' /etc/login.defs
|
|
|
|
# [AUTH-9262] Password strength checking tool is installed
|
|
sudo pacman -S --noconfirm --needed libpwquality
|
|
sudo tee /etc/security/pwquality.conf > /dev/null <<EOL
|
|
# PAM pwquality configuration file
|
|
retry = 3
|
|
difok = 6
|
|
minlen = 14
|
|
dcredit = -1
|
|
ucredit = -1
|
|
ocredit = -1
|
|
lcredit = -1
|
|
EOL
|
|
|
|
sudo sed -i '/^password\s*required\s*pam_unix.so\s*try_first_pass\s*nullok\s*shadow/i password required pam_pwquality.so' /etc/pam.d/system-auth
|
|
|
|
# [AUTH-9286] Ensure minimum days between password changes is 7 or more and maximum days is 90 or less
|
|
sudo sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 7/' /etc/login.defs
|
|
sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
|
|
|
|
# [AUTH-9328] Ensure default user umask is 027 or more restrictive
|
|
sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs
|
|
sudo sed -i 's/^#\?umask .*/umask 027/' /etc/profile
|
|
|
|
# [ACCT-9622] Enable process accounting
|
|
sudo pacman -S --noconfirm --needed acct
|
|
sudo systemctl enable --now acct
|
|
|
|
# [ACCT-9626] Enable sysstat to collect accounting data
|
|
sudo pacman -S --noconfirm --needed sysstat
|
|
sudo systemctl enable --now sysstat-collect.timer sysstat-rotate.timer
|
|
|
|
# [ACCT-9628] Enable auditd to collect audit data
|
|
sudo systemctl enable --now auditd audit-rules
|
|
|
|
# [ACCT-9630] Configure auditd rules
|
|
sudo tee /etc/audit/rules.d/hardening.rules > /dev/null <<EOL
|
|
# Monitor attempts to change system time
|
|
-w /etc/localtime -p wa -k time-change
|
|
|
|
# Monitor attempts to change user/group info (password changes)
|
|
-w /etc/passwd -p wa -k user-info
|
|
-w /etc/shadow -p wa -k user-info
|
|
-w /etc/group -p wa -k user-info
|
|
-w /etc/gshadow -p wa -k user-info
|
|
|
|
# Make the configuration immutable (must be the last line)
|
|
-e 2
|
|
EOL
|