This is a script to harden your Linux installation.
- Bastille is obsolete
- Not a member of CIS, so no downloading of the ready made scripts
- For learning
- For minimizing the effort needed to tweak fresh installations
- Also for consistency
- Enables TCP wrappers
- Creates legal banners
- Disable core dumps in
/etc/security/limits.conf - sysctl settings hardening
- IP stack hardening
- Enables SAK and disables the other magic SysRq stuff
- Restricts the use of
dmesgby regular users - For the complete list, see sysctl.conf.new
- Hardens mount options (creates
/etc/fstab.new)- Also, mount /proc with
hidepid=2
- Also, mount /proc with
- Disables the use of certain kernel modules via
modprobe- Disable Firewire
- Configures shells
- Creates an option to use restricted shell (rbash)
- Also sets it as default for new users
- Restricts the number of available shells (
/etc/shells)
- Creates an option to use restricted shell (rbash)
- Configures basic auditing based on stig.rules if audit is installed
- NOTE: non-PAM systems (namely Slackware) don't set the
loginuidproperly, so some of the rules don't work when they have-F auid!=4294967295
- NOTE: non-PAM systems (namely Slackware) don't set the
- Enables system accounting (sysstat)
- Sets it's log retention to 99999 days (the logs are really small, so it doesn't eat up disk space)
- Configures password policies
- Maximum age for password
- Minimum age for password
- Password warn age
- Does this for existing users also
- Note: password strength should be enforced with applicable PAM module (such as pam_passwdqc or
pam_pwquality)
- Reduce the amount of trusted CAs
- Doesn't work in CentOS/RHEL
- Create a strict
securetty - Sets default umask to a more stricter
077 - Sets console session timeout via
$TMOUT(Bash) - PAM:
- Configures
/etc/security/namespace.conf - Configures
/etc/security/access.conf - Configures
/etc/security/pwquality.confif available - Require pam_wheel in
/etc/pam.d/su - Creates a secure /etc/pam.d/other
- Configures
- Disables unnecessary systemd services
- Configures
sshd_config - Display managers:
- Disables user lists in GDM3 & LightDM
- Disables guest sessions in LightDM
- Configures failure limits (
faillog) - Creates
/etc/ftpusers - Restricts the use of
cronandat - Properly locks down system accounts (0 -
SYS_UID_MAX&& !root)- Lock the user's password
- Sets shell to
nologin - Expire the account
- Adds the accounts to /etc/ftpusers
- Sets strict permissions to users home directories
- Configures the default password inactivity period
- Enables AppArmor
- Sets the authorized_default to USB devices via
rc.local - APT:
- Configures APT not to install suggested packages
- Configure
SUITEindebsecan(if installed)
Creates bunch of pam-configs that are toggleable with pam-auth-update:
| PAM module | Type | Description |
|---|---|---|
| pam_wheel1 | auth | Require wheel group membership (su) |
| pam_succeed_if | auth & account | Require UID >= 1000 && UID <= 60000 (or 0 & login) |
| pam_unix1 | auth | Remove nullok |
| pam_faildelay | auth | Delay on authentication failure |
| pam_tally2 | auth & account | Deter brute-force attacks |
| pam_access | account | Use login ACL (/etc/security/access.conf) |
| pam_time | account | /etc/security/time.conf |
| pam_lastlog | account | Lock out inactive users (no login in 90 days) |
| pam_namespace | session | Polyinstantiated temp directories |
| pam_umask | session | Set file mode creation mask |
| pam_lastlog | session | Display info about last login and update the lastlog and wtmp files2 |
| pam_pwhistory | password | Limit password reuse |
- Not a
pam-config, but a modification to existing/etc/pam.d/files - For all login methods and not just the console login
- PAM configuration with
authconfig:- Enables
pam_faillock - Configures
pwquality
- Enables
See SLACKWARE.md.
- SSH moduli creation
- Some hardening steps utilize Lynis to verify themselves (to be improved/extended over time)
The import_pgp_keys() function imports a bunch of PGP keys to your trustedkeys.gpg keyring, so you can verify downloaded files/packages with gpgv. The keys that are imported are listed in the PGP_URLS[] and PGP_KEYS[] arrays.
- Rebooting the system after running this is highly recommended, since many startup scripts are modified
- The script is quite verbose, so you might want to record it with
script - It is best to run this script on a fresh installation for best results
I think it's justified and recommended to run an antivirus software on all of your Linux servers. This is because, even though the server's role would not be something like a file sharing server or a mail server, a proper antivirus is able to detect much more than these "traditional" malwares. I'm talking about rootkits, exploits, PHP shells and the like. Something that a malicious user might be holding at their home dirs or maybe some PHP shell was dropped through a vulnerable web application. If you would get an early warning from an antivirus software, it just might save you on that one occasion :)
So consider getting ClamAV.
After running the hardening script, the following actions still need to be performed manually:
- Set LILO/GRUB password
- Update LILO/GRUB with
lilo||update-grub
- Update LILO/GRUB with
- Install at least the following additional software:
- Make sure NTP is running
- Configure remote log host
- Add legit users to:
/etc/porttime- To the
usersgroup
Some of these documents are quite old, but most of the stuff still applies.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent