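#!/bin/bash
################################################################################
### File Type : Postinst
### Profile   : vmssrvstd
### Date      : 2023-10-21-1307
################################################################################
# Post-installation script: copies the site configuration shipped on the
# installation CD-ROM, builds the GRUB splash screen, then generates the
# network, hosts, SSH, logging, GRUB and Shorewall configuration and applies
# CIS-style hardening.  Runs as root.  Every step is best effort (no `set -e`)
# so that one missing file does not abort the whole post-install run.

FNAME=$(basename -- "$0")
readonly FNAME

# Trace the run into the install log.  NOTE: `env` dumps the complete
# environment (including anything the installer exported) into that log, and
# `set -x` echoes every expanded command line after it.
env
printf '%s\n' "$PATH"
pwd
export PS4='Line $LINENO: '
set -x

#######################################################
# Use configuration files from cdrom and install them
#######################################################
# Mount the CD-ROM only when nothing is mounted there yet (findmnt prints a
# line for an existing mount, nothing otherwise).
if [ -z "$(findmnt -mn /media/cdrom)" ]; then
  mount /media/cdrom
fi

cdrompath="/media/cdrom/conffiles-std"

# Specific configuration files to replace standard ones
# copy splash image
logger -p syslog.info -i " $FNAME: Install splash screen"
cp -vfp "$cdrompath/enedwaith-org-scdd_BASE.png" /boot/grub/

# copy information files (CHANGELOG, VERSION, README, TODO)
logger -p syslog.info -i " $FNAME: Install CHANGELOG, VERSION, REAME and TODO .md files"
cp -vfp "$cdrompath"/*.md /etc/

# copy configuration files
# ulog
logger -p syslog.info -i " $FNAME: Install ulogd.conf"
cp -vfp "$cdrompath/ulogd.conf" /etc/

# securetty
logger -p syslog.info -i " $FNAME: Install securetty"
cp -vfp "$cdrompath/securetty" /etc/

# copy keyboard and font for grub
logger -p syslog.info -i " $FNAME: Install grub keyboard layout"
mkdir -p /boot/grub/layouts
cp -vfp "$cdrompath/fr.gkb" /boot/grub/layouts/
cp -vfp "$cdrompath"/ringbearer-*.pf2 /boot/grub/fonts/

# HOME may be unset in a postinst environment; fall back to / instead of
# leaving the shell wherever it was.
cd "${HOME:-/}" || cd /

######################################
# System splash screen Configuration
######################################
logger -p syslog.info -i " $FNAME: Splash screen creation"
logger -p syslog.info -i " $FNAME: Install Ringbearer font"
fontdir="/usr/local/share/fonts/truetype/ringbearer"
mkdir -p "$fontdir"
# Extract straight into the font directory (no cd/cd back).  -o: never
# prompt about existing files, a prompt would hang an unattended install.
unzip -o "$cdrompath/ringbearer.zip" -d "$fontdir"
# Do not `chmod -R 644` here: that strips the execute bit from the
# directory itself and makes it untraversable for non-root users.  Keep
# directories 755 and only the font files 644.
find "$fontdir" -type d -exec chmod 755 {} +
find "$fontdir" -type f -exec chmod 644 {} +

logger -p syslog.info -i " $FNAME: Modify splash screen version"
filedir="/boot/grub"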
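filebase="enedwaith-org-scdd"
VERSION=$(cat /etc/VERSION.md)
# Stamp "v<VERSION>" onto the base splash image in two passes (small "v",
# then the version number), then drop the intermediate and base images.
# VERSION is quoted: a multi-word VERSION.md would otherwise be split into
# several convert arguments.
/usr/bin/convert -font Ringbearer-Medium -weight Bold -pointsize 10 -fill "#0a344c" \
  -annotate +670+800 "v" "${filedir}/${filebase}_BASE.png" "${filedir}/${filebase}_01.png"
/usr/bin/convert -font Ringbearer-Medium -weight Bold -pointsize 20 -fill "#0a344c" \
  -annotate +675+800 "$VERSION" "${filedir}/${filebase}_01.png" "${filedir}/${filebase}.png"
rm -f -- "${filedir}/${filebase}_01.png" "${filedir}/${filebase}_BASE.png"

#########################
# Extract network datas
#########################
# Configure all interfaces as:
#   #1 is Primary
#   #2 is Admin if server have more than one interfaces
#   #3 is Secondary interface if any
#   #4 and over are named interfaces
#
logger -p syslog.info -i " $FNAME: ---- Extraction of network configuration data"
network4_ip=()   # IPv4 network address per address found (ipcalc-ng -n)
prefix4_ip=()    # IPv4 prefix length per address found (ipcalc-ng -p)
network6_ip=()   # same for IPv6
prefix6_ip=()
ipv4=()          # IPv4 "addr/prefix" values, in interface order
ipv6=()          # IPv6 "addr/prefix" values (link-local excluded)

#######################################
# Print the IPv4 "addr/prefix" values of one interface, one per line.
# Arguments: $1 - interface name
# Outputs:   CIDR addresses on stdout (empty when the interface has none)
#######################################
ipv4_addrs_of() {
  ip -o -4 addr show dev "$1" | awk '{print $4}'
}

#######################################
# Print the IPv6 "addr/prefix" values of one interface, one per line,
# skipping link-local (fe80::) addresses.
# Arguments: $1 - interface name
#######################################
ipv6_addrs_of() {
  ip -o -6 addr show dev "$1" | awk '{print $4}' | grep -v fe80
}

# Get interfaces information
logger -p syslog.info -i " $FNAME: ---- Get interfaces names"
# Get interfaces list: every link except lo.  `ip -o link` prints
# "<idx>: <name>: <flags> ...", so the name is the second ':' field.
mapfile -t iflist < <(ip -o link show | grep -v '1: lo:' | cut -d ':' -f2 | tr -d ' ')
iflist4=("${iflist[@]}")
#iflist4=(`ip -o -4 a | egrep -v '1\: lo' | cut -d ' ' -f2`)
# Interfaces that already carry a non-link-local IPv6 address (one entry
# per address, so a name may repeat).
mapfile -t iflist6 < <(ip -o -6 addr | grep -Ev '1: lo|fe80' | awk '{print $2}')
logger -p syslog.info -i " $FNAME: ---- Interfaces: iflist[] =${iflist[*]}"
logger -p syslog.info -i " $FNAME: ---- Interfaces: iflist4[]=${iflist4[*]}"
logger -p syslog.info -i " $FNAME: ---- Interfaces: iflist6[]=${iflist6[*]}"

# Get networks information
logger -p syslog.info -i " $FNAME: ---- Get IPv4 ip and networks"
for intf in "${iflist[@]}"; do
  logger -p syslog.info -i " $FNAME: ---- Interface: if=${intf}"
  network4=$(ipv4_addrs_of "$intf")
  logger -p syslog.info -i " $FNAME: ---- network4($intf)=$network4"
  # Quoted test: an interface with several addresses yields several words,
  # which made the unquoted `[ -z $network4 ]` a syntax error.
  if [ -z "$network4" ]; then
    # No address yet: try DHCP on this interface, then look again.
    /sbin/dhclient -4 -v -i -pf "/run/dhclient.$intf.pid" -lf "/var/lib/dhcp/dhclient.$intf.leases" \
      -I -df "/var/lib/dhclient6.$intf.leases" "$intf"
    network4=$(ipv4_addrs_of "$intf")
    logger -p syslog.info -i " $FNAME: ---- IN IF 1 network4($intf)=$network4"
  fi
  if [ -n "$network4" ]; then
    # Word-splitting is intentional: one array entry per address.
    # shellcheck disable=SC2206,SC2207
    ipv4+=(${network4})
    # shellcheck disable=SC2207
    network4_ip+=($(printf '%s\n' "$network4" | xargs ipcalc-ng -n | awk -F'=' '{print $2}'))
    # shellcheck disable=SC2207
    prefix4_ip+=($(printf '%s\n' "$network4" | xargs ipcalc-ng -p | awk -F'=' '{print $2}'))
    logger -p syslog.info -i " $FNAME: ---- IN IF 2 network4($intf)=$network4"
  fi
done

logger -p syslog.info -i " $FNAME: ---- Get IPv6 ip and networks"
for intf in "${iflist[@]}"; do
  logger -p syslog.info -i " $FNAME: ---- Interface: if=${intf}"
  network6=$(ipv6_addrs_of "$intf")
  logger -p syslog.info -i " $FNAME: ---- network6($intf)=$network6"
  if [ -z "$network6" ]; then
    # NOTE(review): -lf points at the IPv4 lease file and -df at the
    # IPv6 one, the reverse of the IPv4 call above — confirm intended.
    /sbin/dhclient -6 -1 -v -i -pf "/run/dhclient.$intf.pid" -lf "/var/lib/dhcp/dhclient.$intf.leases" \
      -I -df "/var/lib/dhclient6.$intf.leases" "$intf"
    network6=$(ipv6_addrs_of "$intf")
    logger -p syslog.info -i " $FNAME: ---- IN IF 1 network6($intf)=$network6"
  fi
  if [ -n "$network6" ]; then
    # shellcheck disable=SC2206,SC2207
    ipv6+=(${network6})
    # shellcheck disable=SC2207
    network6_ip+=($(printf '%s\n' "$network6" | xargs ipcalc-ng -n | awk -F'=' '{print $2}'))
    # shellcheck disable=SC2207
    prefix6_ip+=($(printf '%s\n' "$network6" | xargs ipcalc-ng -p | awk -F'=' '{print $2}'))
    logger -p syslog.info -i " $FNAME: ---- IN IF 2 network6($intf)=$network6"
  fi
done

logger -p syslog.info -i " $FNAME: ---- Interfaces names : ${iflist[*]}"
logger -p syslog.info -i " $FNAME: ---- Interfaces names IPv4: ${iflist4[*]}"
logger -p syslog.info -i " $FNAME: ---- Interfaces names IPv6: ${iflist6[*]}"
logger -p syslog.info -i " $FNAME: ---- Interfaces IPv4 : ${ipv4[*]}"
logger -p syslog.info -i " $FNAME: ---- Interfaces IPv6 : ${ipv6[*]}"
logger -p syslog.info -i " $FNAME: ---- Network IPs IPv4 : ${network4_ip[*]}"
logger -p syslog.info -i " $FNAME: ---- Prefix IPs IPv4 : ${prefix4_ip[*]}"
logger -p syslog.info -i " $FNAME: ---- Network IPs IPv6 : ${network6_ip[*]}"
logger -p syslog.info -i " $FNAME: ---- Prefix IPs IPv6 : ${prefix6_ip[*]}"

#####################
# Configure network
#####################
# Configure all interfaces as:
#   #1 is Primary
#   #2 is Admin if server have more than one interfaces
#   #3 is Secondary interface if any
#   #4 and over are named interfaces
#
logger -p syslog.info -i " $FNAME: Install network configuration (/etc/network/interfaces)"
ifaces_file="/etc/network/interfaces"

# Header (this is the only truncating write to the file).
cat <<'EOF' > "$ifaces_file"
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

EOF

logger -p syslog.info -i " $FNAME: Interfaces: allow-hotplug"
# One allow-hotplug line naming every interface.  The logger call must stay
# outside the written text; it previously ended up inside the header string
# and the allow-hotplug keyword itself was lost.
{
  printf 'allow-hotplug'
  for intf in "${iflist[@]}"; do
    printf -- ' %s' "$intf"
  done
  printf '\n'
} >> "$ifaces_file"

logger -p syslog.info -i " $FNAME: Interfaces: loopback configuration"
# Appended, not written with ">": a truncating write here discards the
# header and the allow-hotplug line just produced.
cat <<'EOF' >> "$ifaces_file"

# The loopback network interface
auto lo
iface lo inet loopback

EOF

# Set configuration for each interface
for intf in "${iflist[@]}"; do
  logger -p syslog.info -i " $FNAME: Interfaces: $intf configuration"
  cat <<EOF >> "$ifaces_file"
# Configuration for interface $intf
auto $intf
iface $intf inet dhcp
iface $intf inet6 auto

EOF
done
#systemctl stop networking
#systemctl start networking

#####################
# Configure /etc/hosts
#####################
logger -p syslog.info -i " $FNAME: Configure /etc/hosts"
# Get ipv4, ipv6, hostname and fqdn
hostname=$(hostname)
fqdn=$(hostname -f)
# Split "addr/prefix" of the primary interface; both stay empty when no
# address was found above.
IFS='/' read -r ip4 _ <<< "${ipv4[0]:-}"
IFS='/' read -r ip6 _ <<< "${ipv6[0]:-}"
logger -p syslog.info -i " $FNAME: Configure /etc/hosts - hostname=${hostname}"
logger -p syslog.info -i " $FNAME: Configure /etc/hosts - fqdn=${fqdn}"
# Names and addresses go through %s so a '%' in a host name can never be
# interpreted as a printf conversion; the host entry is written only when an
# address exists, instead of a line with an empty address field.
{
  printf '# IPv4 entries\n'
  # lo interface host ipv4 entry
  printf '127.0.0.1 localhost.localdomain localhost\n'
  # host ipv4 entry
  if [ -n "$ip4" ]; then
    printf '%s %s %s\n' "$ip4" "$fqdn" "$hostname"
  fi
  printf '\n# IPv6 entries\n'
  # lo interface host ipv6 entries
  printf '::1 localhost.localdomain localhost ip6-localhost ip6-loopback\n'
  printf 'ff02::1 ip6-allnodes\n'
  printf 'ff02::2 ip6-allrouters\n'
  # host ipv6 entry
  if [ -n "$ip6" ]; then
    printf '%s %s %s\n' "$ip6" "$fqdn" "$hostname"
  fi
} > /etc/hosts

#########################
# Configure motd Neofetch
#########################
# Install Neofetch configuration
logger -p syslog.info -i " $FNAME: Install Neofetch configuration"
mkdir -p /etc/neofetch
cp -vfp "$cdrompath/neofetch.conf" /etc/neofetch/
cp -vfp "$cdrompath"/issue* /etc/
cp -vfp "$cdrompath/00-header" /etc/update-motd.d/
chmod 0755 /etc/neofetch
chmod 0644 /etc/neofetch/neofetch.conf
chmod 0644 /etc/issue*
chmod 0755 /etc/update-motd.d
chmod 0755 /etc/update-motd.d/00-header

# Suppress the motd file to avoid security information leaking
logger -p syslog.info -i " $FNAME: Remove motd"
rm -f /etc/motd

######################
# /etc/fstab updates #
######################
# Setting up the data=ordered and rw mount options
logger -p syslog.info -i " $FNAME: /etc/fstab modifications"
if grep -qi ext4 /etc/fstab; then
  /usr/bin/sed -i -r 's/(.*vg01.*ext4\s+)(.*)/\1rw,\2/; s/(\/home|\/var\s|\/var\/log\/audit\s+ext4\s+)(.*[a-zA-Z])(\s+0)/\1\2,data=ordered\3/' /etc/fstab
elif grep -qi btrfs /etc/fstab; then
  # NOTE(review): data=ordered is an ext3/ext4 journalling option; confirm
  # the btrfs mounts accept it before relying on this branch.
  /usr/bin/sed -i -r 's/(.*vg01.*btrfs\s+)(.*)/\1rw,\2/; s/(\/home|\/var\s|\/var\/log\/audit\s+btrfs\s+)(.*[a-zA-Z])(\s+0)/\1\2,data=ordered\3/' /etc/fstab
else
  logger -p syslog.info -i " $FNAME: /etc/fstab modifications error"
fi
# adding tmpfs /dev/shm mount options (once: a re-run must not duplicate it)
if ! grep -qE '^tmpfs\s+/dev/shm\s' /etc/fstab; then
  echo "tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0" >> /etc/fstab
fi

###############################
# Additional process hardening
###############################
logger -p syslog.info -i " $FNAME: ------------- process hardening -----------"
# Ensure address space layout randomization (ASLR) is enabled
# and
# Ensure core dumps are restricted
cat <<'EOF' >> /etc/sysctl.d/60-kernel_sysctl.conf
# Ensure address space layout randomization (ASLR) is enabled
kernel.randomize_va_space = 2
# Ensure core dumps are restricted
fs.suid_dumpable = 0
EOF

# process hardening: "* hard core 0" in limits.conf.  Inserted before the
# "# End of file" marker when it exists, appended otherwise — with an empty
# line number the sed address would degrade to "insert before every line".
cmdline=$(grep -E '^\*\s+hard\s+core\s+0' /etc/security/limits.conf)
if [ -z "$cmdline" ]; then
  logger -p syslog.info -i " $FNAME: dump are not restricted. Setting restricted dump."
  EIFN=$(grep -n '^# End of file' /etc/security/limits.conf | head -n 1 | cut -d ':' -f1)
  if [ -n "$EIFN" ]; then
    sed -i "${EIFN}"'i* hard core 0\n' /etc/security/limits.conf
  else
    printf '* hard core 0\n' >> /etc/security/limits.conf
  fi
fi

# set in complain mode apparmor profiles
# (complain mode only logs policy violations; it does not enforce them)
aa-complain /etc/apparmor.d/*

#######################
# Logging configuration
#######################
# Ensure permissions on all logfiles are configured
logger -p syslog.info -i " $FNAME: Ensure permissions on all logfiles are configured"
find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +

# Ensure logging is configured
logger -p syslog.info -i " $FNAME: Ensure logging is configured"
sed -Ei 's/^\*\.\*;auth,authpriv\.none/*.*;auth,authpriv,cron.none/' /etc/rsyslog.conf
sed -Ei 's/^[#]cron.\*/cron.*/' /etc/rsyslog.conf

#######################################
# Bring one log file to the expected mode, owner and group.
# Arguments: $1 - file path
#            $2 - PCRE the octal mode (stat %a) must match
#            $3 - chmod spec applied when the mode does not match
#            $4 - PCRE the owner name must match (owner becomes root otherwise)
#            $5 - PCRE the group name must match (group becomes root otherwise)
# Outputs:   one "- changing ..." line on stdout per attribute fixed
#######################################
fix_logfile_perms() {
  local fname=$1 mode_re=$2 chmod_spec=$3 owner_re=$4 group_re=$5
  if ! stat -Lc '%a' "$fname" | grep -Pq -- "$mode_re"; then
    printf -- '- changing mode on "%s"\n' "$fname"
    chmod "$chmod_spec" "$fname"
  fi
  if ! stat -Lc '%U' "$fname" | grep -Pq -- "$owner_re"; then
    printf -- '- changing owner on "%s"\n' "$fname"
    chown root "$fname"
  fi
  if ! stat -Lc '%G' "$fname" | grep -Pq -- "$group_re"; then
    printf -- '- changing group on "%s"\n' "$fname"
    chgrp root "$fname"
  fi
}

# Ensure all logfiles have appropriate permissions and ownership
printf '\n- Start remediation - logfiles have appropriate permissions and ownership\n'
# NUL-delimited so unusual characters in a file name cannot split a path.
while IFS= read -r -d '' fname; do
  bname=$(basename -- "$fname")
  case "$bname" in
    lastlog | lastlog.* | wtmp | wtmp.* | btmp | btmp.*)
      fix_logfile_perms "$fname" '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$' ug-x,o-wx \
        '^\h*root\h*$' '^\h*(utmp|root)\h*$'
      ;;
    secure | auth.log)
      fix_logfile_perms "$fname" '^\h*[0,2,4,6][0,4]0\h*$' u-x,g-wx,o-rwx \
        '^\h*(syslog|root)\h*$' '^\h*(adm|root)\h*$'
      ;;
    SSSD | sssd)
      # owner/group compared case-insensitively, as with grep -i before
      fix_logfile_perms "$fname" '^\h*[0,2,4,6][0,2,4,6]0\h*$' ug-x,o-rwx \
        '(?i)^\h*(SSSD|root)\h*$' '(?i)^\h*(SSSD|root)\h*$'
      ;;
    gdm | gdm3)
      # the chmod in this arm used to run without its file argument and
      # therefore never changed anything
      fix_logfile_perms "$fname" '^\h*[0,2,4,6][0,2,4,6]0\h*$' ug-x,o-rwx \
        '^\h*root\h*$' '^\h*(gdm3?|root)\h*$'
      ;;
    *.journal)
      fix_logfile_perms "$fname" '^\h*[0,2,4,6][0,4]0\h*$' u-x,g-wx,o-rwx \
        '^\h*root\h*$' '^\h*(systemd-journal|root)\h*$'
      ;;
    *)
      fix_logfile_perms "$fname" '^\h*[0,2,4,6][0,4]0\h*$' u-x,g-wx,o-rwx \
        '^\h*(syslog|root)\h*$' '^\h*(adm|root)\h*$'
      ;;
  esac
done < <(find /var/log -type f -print0)
printf -- '- End remediation - logfiles have appropriate permissions and ownership\n\n'

# Ensure journald is configured to compress large log files
logger -p syslog.info -i " $FNAME: Ensure journald is configured to compress large log files"
sed -Ei 's/^[#]*\s*Compress.*/Compress=yes/' /etc/systemd/journald.conf

# Ensure journald is configured to write logfiles to persistent
logger -p syslog.info -i " $FNAME: Ensure journald is configured to write logfiles to persistent"
sed -Ei 's/^[#]*\s*Storage=.*/Storage=persistent/' /etc/systemd/journald.conf

# Ensure journald is configured to send logs to rsyslog
# NOTE: Verify why this options in CIS Workshop and how to have necessary logs
# NOTE: Chosen to send logs to rsyslog
logger -p syslog.info -i " $FNAME: Ensure journald is configured to send logs to rsyslog"
sed -Ei 's/^[#]*\s*ForwardToSyslog.*/ForwardToSyslog=yes/' /etc/systemd/journald.conf

#######################
# SSHD configuration
#######################
# logger -p syslog.info -i " $FNAME: SSHD Configuration"
# Ensure permissions on /etc/ssh/sshd_config are configured
logger -p syslog.info -i " $FNAME: Ensure permissions on /etc/ssh/sshd_config are configured"
chown root:root /etc/ssh/sshd_config
chmod og-rwx /etc/ssh/sshd_config

# Configure protocol and listen parameters
sed -Ei 's/^[#]*\s*Port.*/Port 22/' /etc/ssh/sshd_config
sed -Ei 's/^[#]*\s*AddressFamily.*/AddressFamily any/' /etc/ssh/sshd_config
sed -Ei 's/^[#]*\s*ListenAddress\s0\.0\.0\.0/ListenAddress 0.0.0.0/' /etc/ssh/sshd_config
sed -Ei 's/^[#]*\s*ListenAddress\s\:\:/ListenAddress ::/' /etc/ssh/sshd_config

# Ensure permissions on SSH private host key files are configured
#logger -p syslog.info -i " $FNAME: Ensure permissions on SSH private host key files are configured"
l_skgn="ssh_keys" # Group designated to own openSSH keys
l_skgid=$(awk -F: -v g="$l_skgn" '$1 == g {print $3}' /etc/group)
# Expected group: the dedicated key group when it exists, root otherwise.
if [ -n "$l_skgid" ]; then l_cga="$l_skgn"; else l_cga="root"; fi
find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -L -c '%n %#a %U %G %g' {} + \
  | while read -r l_file l_mode l_owner l_group l_gid; do
      # Bits that must be clear: group read is tolerated only for the
      # dedicated key group (mask 0137), nothing beyond owner rw otherwise.
      if [ "$l_gid" = "$l_skgid" ]; then l_pmask="0137"; else l_pmask="0177"; fi
      l_maxperm=$(printf '%o' $(( 0777 & ~l_pmask )))
      if [ $(( l_mode & l_pmask )) -gt 0 ]; then
        printf ' - File: "%s" is mode "%s" changing to mode: "%s"\n' "$l_file" "$l_mode" "$l_maxperm"
        if [ -n "$l_skgid" ]; then
          chmod u-x,g-wx,o-rwx "$l_file"
        else
          chmod u-x,go-rwx "$l_file"
        fi
      fi
      if [ "$l_owner" != "root" ]; then
        printf ' - File: "%s" is owned by: "%s" changing owner to "root"\n' "$l_file" "$l_owner"
        chown root "$l_file"
      fi
      if [ "$l_group" != "root" ] && [ "$l_gid" != "$l_skgid" ]; then
        printf ' - File: "%s" is owned by group "%s" should belong to group "%s"\n' "$l_file" "$l_group" "$l_cga"
        chgrp "$l_cga" "$l_file"
      fi
    done

# Ensure permissions on SSH public host key files are configured
logger -p syslog.info -i " $FNAME: Ensure permissions on SSH public host key files are configured"
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod u-x,go-wx {} +
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} +

# Ensure SSH access is limited
logger -p syslog.info -i " $FNAME: Ensure SSH access is limited"
addgroup sshgroup
# The admin account must be a member of sshgroup before AllowGroups is
# written below, otherwise no account can log in over SSH at all.
usermod -a -G sshgroup zargos
#sed -Ei 's/^(sshgroup.*)/\1zargos/' /etc/group
printf '\n# Ensure SSH access is limited\nAllowGroups sshgroup\n' > /etc/ssh/sshd_config.d/sshd_cis.conf
logger -p syslog.info -i " $FNAME: /etc/ssh/sshd_config configuration modification"

# Ensure SSH root login is disabled
logger -p syslog.info -i " $FNAME: Ensure SSH root login is disabled"
sed -Ei 's/^[#]*\s*PermitRootLogin\s+.*/PermitRootLogin no/' /etc/ssh/sshd_config

# Ensure SSH HostbasedAuthentication is disabled
logger -p syslog.info -i " $FNAME: Ensure SSH HostbasedAuthentication is disabled"
sed -Ei 's/^[#]*\s*HostbasedAuthentication\s+.*/HostbasedAuthentication no/' /etc/ssh/sshd_config

# Ensure SSH IgnoreRhosts is enabled
logger -p syslog.info -i " $FNAME: Ensure SSH IgnoreRhosts is enabled"
sed -Ei 's/^[#]*\s*IgnoreRhosts\s+.*/IgnoreRhosts yes/' /etc/ssh/sshd_config

# Ensure SSH PermitEmptyPasswords is disabled
logger -p syslog.info -i " $FNAME: Ensure SSH PermitEmptyPasswords is disabled"
sed -Ei 's/^[#]*\s*PermitEmptyPasswords\s+.*/PermitEmptyPasswords no/' /etc/ssh/sshd_config

# Ensure SSH PermitUserEnvironment is disabled
logger -p syslog.info -i " $FNAME: Ensure SSH PermitUserEnvironment is disabled"
sed -Ei 's/^[#]*\s*PermitUserEnvironment\s+.*/PermitUserEnvironment no/' /etc/ssh/sshd_config

# Ensure SSH X11 forwarding is disabled
# Extended regex (-E) is required: in basic syntax "\s+" means whitespace
# followed by a literal "+", so the previous pattern never matched and the
# option was silently left at its default.
logger -p syslog.info -i " $FNAME: Ensure SSH X11 forwarding is disabled"
sed -Ei '0,/^#*\s*X11Forwarding/s/^#*\s*X11Forwarding\s+.*/X11Forwarding no/' /etc/ssh/sshd_config

# Ensure SSH AllowTcpForwarding is disabled (same fix as X11Forwarding)
logger -p syslog.info -i " $FNAME: Ensure SSH AllowTcpForwarding is disabled"
sed -Ei '0,/^#*\s*AllowTcpForwarding/s/^#*\s*AllowTcpForwarding\s+.*/AllowTcpForwarding no/' /etc/ssh/sshd_config

# Ensure only strong Ciphers are used
# (inserted after the stock "# Ciphers and keying" comment; the Kex and MAC
# lines below are then chained after the line each previous step added)
logger -p syslog.info -i " $FNAME: Ensure only strong Ciphers are used"
sed -Ei '/^[#]\s*Ciphers and keying/a Ciphers chacha20-poly1305\@openssh.com,aes256-gcm\@openssh.com,aes128-gcm\@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' /etc/ssh/sshd_config

# Ensure only strong Key Exchange algorithms are used
logger -p syslog.info -i " $FNAME: Ensure only strong Key Exchange algorithms are used"
sed -Ei '/^Ciphers\s+/a KexAlgorithms curve25519-sha256,curve25519-sha256\@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' /etc/ssh/sshd_config

# Ensure only strong MAC algorithms are used
logger -p syslog.info -i " $FNAME: Ensure only strong MAC algorithms are used"
sed -Ei '/^KexAlgorithms\s+/a MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm\@openssh.com,hmac-sha2-512,hmac-sha2-256' /etc/ssh/sshd_config

# Ensure SSH warning banner is configured
logger -p syslog.info -i " $FNAME: Ensure SSH warning banner is configured"
sed -Ei 's/^[#]*\s*Banner none/Banner \/etc\/issue.net/' /etc/ssh/sshd_config

# Ensure SSH MaxAuthTries is set to 4 or less
logger -p syslog.info -i " $FNAME: Ensure SSH MaxAuthTries is set to 4 or less"
sed -Ei 's/^[#]*\s*MaxAuthTries.*/MaxAuthTries 4/' /etc/ssh/sshd_config

# Ensure SSH MaxStartups is configured
logger -p syslog.info -i " $FNAME: Ensure SSH MaxStartups is configured"
sed -Ei 's/^[#]*\s*MaxStartups.*/MaxStartups 10:30:60/' /etc/ssh/sshd_config

# Ensure SSH MaxSessions is set to 10 or less
logger -p syslog.info -i " $FNAME: Ensure SSH MaxSessions is set to 10 or less"
sed -Ei 's/^[#]*\s*MaxSessions.*/MaxSessions 10/' /etc/ssh/sshd_config

# Ensure SSH LoginGraceTime is set to one minute or less
logger -p syslog.info -i " $FNAME: Ensure SSH LoginGraceTime is set to one minute or less"
sed -Ei 's/^[#]*\s*LoginGraceTime.*/LoginGraceTime 60/' /etc/ssh/sshd_config

# Ensure SSH Idle Timeout Interval is configured
logger -p syslog.info -i " $FNAME: Ensure SSH Idle Timeout Interval is configured"
sed -Ei 's/^[#]*\s*ClientAliveInterval.*/ClientAliveInterval 15/' /etc/ssh/sshd_config
sed -Ei 's/^[#]*\s*ClientAliveCountMax.*/ClientAliveCountMax 3/' /etc/ssh/sshd_config

############################################
# GRUB default configuration modifications
############################################
# Copy GRUB menu files and modify default grub configuration
logger -p syslog.info -i " $FNAME: Update Grub default configuration and install on disk"
sed -Ei 's/^[#]*(GRUB_CMDLINE_LINUX_DEFAULT).*/\1="video=1280x1024 quiet splash"/' /etc/default/grub
sed -Ei 's/^[#]*(GRUB_CMDLINE_LINUX=).*/\1"apparmor=1 security=apparmor audit=1 audit_backlog_limit=8192"/' /etc/default/grub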
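#sed -Ei '/^[#]\s*GRUB_TERMINAL\s*=\s*console/a GRUB_TERMINAL_INPUT=at_keyboard' /etc/default/grub
sed -Ei 's/^[#]\s*(GRUB_GFXMODE).*/\1=1280x1024/' /etc/default/grub
sed -Ei '/GRUB_GFXMODE=1280x1024/a GRUB_GFXPAYLOAD_LINUX=keep' /etc/default/grub
# Append the menu theme settings to the file patched above (never truncate
# it).  "light-blue" is the GRUB colour name; "ligh-blue" is not one.
# NOTE(review): /etc/default/grub variables normally carry a GRUB_ prefix;
# confirm that COLOR_NORMAL / MENU_COLOR_NORMAL are read by the theme script.
cat <<'EOF' >> /etc/default/grub

# Setup Grub menu
GRUB_BACKGROUND="/boot/grub/enedwaith-org-scdd.png"
COLOR_NORMAL="blue/black"
MENU_COLOR_NORMAL="light-blue/black"
# Set os_prober active as it is disable by default in bookworm
GRUB_DISABLE_OS_PROBER=false
EOF
update-grub

###########################
# TIMESYNCD configuration
###########################
# NTP Fallback configuration
sed -Ei '/^[#]FallbackNTP=/a FallbackNTP=192.168.1.254' /etc/systemd/timesyncd.conf

#######################
# Users configuration
#######################
# Ensure inactive password lock is 30 days or less
logger -p syslog.info -i " $FNAME: Ensure inactive password lock is 30 days or less"
# Accounts with a usable password (field 2 not starting with ! or *) whose
# inactivity field (7) is not already 30, root excepted.  The regex is quoted
# so the shell cannot glob-expand it against files in the current directory.
while IFS= read -r user; do
  chage --inactive 30 "$user"
done < <(grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1,7 | grep -v ':30$' | grep -v '^root:' | cut -d: -f1)

##################################
# Configure/Set Common Shorewall
##################################
# Fix all Shorewall services files
logger -p syslog.info -i " $FNAME: Fix Shorewall-int services files"
sed -i '/syslog/d' /lib/systemd/system/shorewall-init.service
sed -i '/syslog/d' /lib/systemd/system/shorewall.service
sed -i '/syslog/d' /lib/systemd/system/shorewall6.service

#########################################
## configure /etc/default/shorewall-init
#########################################
sed -i 's/PRODUCTS=""/PRODUCTS="shorewall shorewall6"/' /etc/default/shorewall-init
sed -i 's/IFUPDOWN=0/IFUPDOWN=1/' /etc/default/shorewall-init

################################
## Install shorewall.conf file
################################
logger -p syslog.info -i " $FNAME: Configure shorewall.conf and shorewall6.confi from ${cdrompath}"
cat "${cdrompath}/shorewall.conf" > /etc/shorewall/shorewall.conf
cat "${cdrompath}/shorewall6.conf" > /etc/shorewall6/shorewall6.conf

############################
# Get shorewall base datas
############################
# iflist, network*_ip and prefix*_ip are filled by the network extraction
# section earlier in this script.
logger -p syslog.info -i " $FNAME: SHOREWALL configuration base data"
# Addresses of the primary interface (not used further in this part of the
# script).
WAN_ADR4=$(ip -o -4 addr show dev "${iflist[0]}" | awk '{print $4}')
WAN_ADR6=$(ip -o -6 addr show dev "${iflist[0]}" scope global | awk '{print $4}')
logger -p syslog.info -i " $FNAME: SHOREWALL/SHOREWALL6 configuration"

#######################################
# Print the common header of a generated Shorewall configuration file.
# Arguments: $1 - product name, "Shorewall" or "Shorewall6"
#            $2 - file kind, e.g. "Params" (lower-cased for the man page)
# Outputs:   header lines on stdout
#######################################
shorewall_header() {
  local product=$1 kind=$2
  local man
  man=$(printf '%s' "$kind" | tr '[:upper:]' '[:lower:]')
  cat <<EOF
#
# $product - $kind File
# Copyright (C) $(date '+%Y') by Enedwaith.org
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#-------------------------------------------------------------------------------
# For information on entries in this file, type "man shorewall-$man"
################################################################################
EOF
}

##############################
# Configure Shorewall params
##############################
logger -p syslog.info -i " $FNAME: ---- Configure SHOREWALL files"
logger -p syslog.info -i " $FNAME: ---- Configure /etc/shorewall/params"
# Prepare params configuration files in /etc/shorewall/params
# params
logger -p syslog.info -i " $FNAME: ---- create base params file"
{
  shorewall_header Shorewall Params
  printf 'LOG=NFLOG\n'
} > /etc/shorewall/params

# Configure /etc/shorewall/params: interface #1 is the LAN zone, #2 the admin
# zone, the rest OPT<n> (n = 0-based interface index, also used by the zones
# and interfaces files below).
count=0
for intf in "${iflist[@]}"; do
  net="${network4_ip[$count]:-}/${prefix4_ip[$count]:-}"
  {
    printf '# Configuration of interface %s\n' "$intf"
    if [ "$count" -eq 0 ]; then
      printf 'Z_LAN="net"\nNET_IFLAN="%s"\nNET_LAN="%s"\n' "$intf" "$net"
    elif [ "$count" -eq 1 ]; then
      printf 'Z_ADM="admin"\nNET_IFADM="%s"\nNET_ADM="%s"\n' "$intf" "$net"
    else
      # Definitions carry no leading "$": the params file is sourced by the
      # shell and "$Z_OPT2=..." is not an assignment.
      printf 'Z_OPT%d="OPT%d"\nNET_IFOPT%d="%s"\nNET_OPT%d="%s"\n' \
        "$count" "$count" "$count" "$intf" "$count" "$net"
    fi
  } >> /etc/shorewall/params
  count=$((count + 1))
done

#############################
# Configure Shorewall zones
#############################
# zones
logger -p syslog.info -i " $FNAME: ---- create base zones file"
{
  shorewall_header Shorewall Zones
  printf 'fw    firewall\n'
} > /etc/shorewall/zones

logger -p syslog.info -i " $FNAME: ---- Configure /etc/shorewall/zones"
# Configure /etc/shorewall/zones
count=0
for intf in "${iflist4[@]}"; do
  if [ "$count" -eq 0 ]; then
    printf '$Z_LAN    ipv4\n'
  elif [ "$count" -eq 1 ]; then
    printf '$Z_ADM    ipv4\n'
  else
    printf '$Z_OPT%d    ipv4\n' "$count"
  fi
  count=$((count + 1))
done >> /etc/shorewall/zones

##################################
# Configure Shorewall interfaces
##################################
# interfaces
logger -p syslog.info -i " $FNAME: ---- create base interfaces file"
{
  shorewall_header Shorewall Interfaces
  printf '?FORMAT 2\n'
  printf '%s\n' '################################################################################'
  printf '#ZONE    INTERFACE    OPTIONS\n'
} > /etc/shorewall/interfaces

logger -p syslog.info -i " $FNAME: ---- Configure /etc/shorewall/interfaces"
# Configure /etc/shorewall/interfaces
count=0
for intf in "${iflist4[@]}"; do
  printf '# Configuration of Interface #%d %s\n' "$((count + 1))" "$intf"
  if [ "$count" -eq 0 ]; then
    printf '$Z_LAN    $NET_IFLAN    dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0\n'
  elif [ "$count" -eq 1 ]; then
    printf '$Z_ADM    $NET_IFADM    dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0\n'
  else
    # Same index as the Z_OPT<n>/NET_IFOPT<n> definitions in params; a
    # separate counter here referenced NET_IFOPT<n+1>, which is never defined.
    printf '$Z_OPT%d    $NET_IFOPT%d    dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0\n' "$count" "$count"
  fi
  count=$((count + 1))
done >> /etc/shorewall/interfaces

##############################
# Configure Shorewall policy
##############################
logger -p syslog.info -i " $FNAME: ---- Configure /etc/shorewall/policy"
{
  shorewall_header Shorewall Policy
  printf '#SOURCE    DEST    POLICY    LOGLEVEL    RATE    CONNLIMIT\n'
  printf '$FW    $Z_LAN    ACCEPT\n'
  if [ "${#iflist4[@]}" -ge 2 ]; then
    printf '$Z_ADM    $FW    ACCEPT\n'
  fi
  printf '# The FOLLOWING POLICY MUST BE LAST\n'
  printf 'all    all    DROP    $LOG\n'
} > /etc/shorewall/policy

#############################
# Configure Shorewall rules
#############################
# The NEW section lists the LAN SSH rule, then (on multi-homed hosts) the
# admin SSH and Webmin rules, then the LAN Webmin rule, before the generic
# Invalid/Ping/ICMP rules.  Writing them in place replaces the chain of
# "sed a" insertions that produced the same order.
logger -p syslog.info -i " $FNAME: ---- create base rules file"
{
  shorewall_header Shorewall Rules
  cat <<'EOF'
#ACTION    SOURCE    DEST    PROTO    DEST    SOURCE    ORIGINAL    RATE    USER/    MARK    CONNLIMIT    TIME    HEADERS    SWITCH    HELPER
#                                      PORT    PORT(S)   DEST        LIMIT   GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# LAN SSH ACCESS
SSH(ACCEPT)    $Z_LAN:$NET_LAN    $FW
EOF
  if [ "${#iflist[@]}" -ge 2 ]; then
    cat <<'EOF'
# ADMIN SSH ACCESS
SSH(ACCEPT)    $Z_ADM:$NET_ADM    $FW
# ADMIN WEBMIN ACCESS
Webmin(ACCEPT)    $Z_ADM:$NET_ADM    $FW
EOF
  fi
  cat <<'EOF'
# LAN WEBMIN ACCESS
Webmin(ACCEPT)    $Z_LAN:$NET_LAN    $FW
# Drop packets in the INVALID state
Invalid(DROP):$LOG    $Z_LAN    $FW    tcp
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP)    $Z_LAN    $FW
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT    $FW    $Z_LAN    icmp
EOF
} > /etc/shorewall/rules

##############################
# Configure Shorewall6 params
##############################
logger -p syslog.info -i " $FNAME: ---- Configure SHOREWALL6 files"
logger -p syslog.info -i " $FNAME: ---- Configure /etc/shorewall6/params"
# Prepare params configuration files in /etc/shorewall6/params
# params
logger -p syslog.info -i " $FNAME: ---- create base params file"
{
  shorewall_header Shorewall6 Params
  printf 'LOG=NFLOG\n'
} > /etc/shorewall6/params

# Configure /etc/shorewall6/params (no admin zone on the IPv6 side).
count=0
for intf in "${iflist[@]}"; do
  # IPv6 network with its IPv6 prefix — the IPv4 prefix list was used here
  # before, pairing an IPv6 network with an IPv4 prefix length.
  net="${network6_ip[$count]:-}/${prefix6_ip[$count]:-}"
  {
    printf '# Configuration of interface %s\n' "$intf"
    if [ "$count" -eq 0 ]; then
      printf 'Z_LAN="net"\nNET_IFLAN="%s"\nNET_LAN="%s"\n' "$intf" "$net"
    else
      printf 'Z_OPT%d="OPT%d"\nNET_IFOPT%d="%s"\nNET_OPT%d="%s"\n' \
        "$count" "$count" "$count" "$intf" "$count" "$net"
    fi
  } >> /etc/shorewall6/params
  count=$((count + 1))
done

#############################
# Configure Shorewall6 zones
#############################
# zones
logger -p syslog.info -i " $FNAME: ---- Create base /etc/shorewall6/zones"
{
  shorewall_header Shorewall6 Zones
  printf 'fw    firewall\n'
} > /etc/shorewall6/zones

logger -p syslog.info -i " $FNAME: ---- Configure /etc/shorewall6/zones"
# Configure /etc/shorewall6/zones
count=0
for intf in "${iflist6[@]}"; do
  if [ "$count" -eq 0 ]; then
    printf '$Z_LAN    ipv6\n'
  else
    printf '$Z_OPT%d    ipv6\n' "$count"
  fi
  count=$((count + 1))
done >> /etc/shorewall6/zones

##################################
# Configure Shorewall6 interfaces
##################################
# interfaces
logger -p syslog.info -i " $FNAME: ---- create base /etc/shorewall6/interfaces"
# (the here-document below continues past the end of this excerpt)
cat << EOF > /etc/shorewall6/interfaces
#
# Shorewall6 - Interfaces File
# Copyright (C) $(date '+%Y') by Enedwaith.org
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.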
#------------------------------------------------------------------------------- # For information on entries in this file, type \"man shorewall-interfaces\" ################################################################################ ?FORMAT 2 ################################################################################ #ZONE INTERFACE OPTIONS EOF logger -p syslog.info -i " $FNAME: ---- Configure /etc/shorewall6/interfaces" # Configure /etc/shorewall6/interfaces count=0 for intf in "${iflist6[@]}" do if [ $count -eq 0 ]; then printf "# Configuration of Interface ${intf} \$Z_LAN \$NET_IFLAN dhcp,tcpflags " >> /etc/shorewall6/interfaces else printf "# Configuration of Interface ${intf} \$Z_OPT${count} \$NET_IFOPT${count} dhcp,tcpflags " >> /etc/shorewall6/interfaces fi ((count++)) done ############################## # Configure Shorewall6 policy ############################## logger -p syslog.info -i " $FNAME: ---- Configure /etc/shorewall6/policy" cat << EOF > /etc/shorewall6/policy # # Shorewall6 - Policy File # Copyright (C) $(date '+%Y') by Enedwaith.org # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. 
#------------------------------------------------------------------------------- # For information about entries in this file, type "man shorewall-policy" ################################################################################ #SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT \$FW \$Z_LAN ACCEPT EOF if [ ${#iflist6[@]} -ge 2 ]; then printf "\$Z_ADM \$FW ACCEPT " >> /etc/shorewall6/policy fi cat << EOF >> /etc/shorewall6/policy # The FOLLOWING POLICY MUST BE LAST all all DROP \$LOG EOF ############################# # Configure Shorewall6 rules ############################# logger -p syslog.info -i " $FNAME: ---- create base /etc/shorewall6/rules" cat << EOF > /etc/shorewall6/rules # # Shorewall6 - Rules File # Copyright (C) $(date '+%Y') by Enedwaith.org # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------------------------------------ # For information on entries in this file, type "man shorewall-rules" ###################################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT PORT(S) DEST LIMIT GROUP ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW # Drop packets in the INVALID state Invalid(DROP):\$LOG \$Z_LAN \$FW tcp # Drop Ping from the "bad" net zone.. and prevent your log from being flooded.. 
Ping(DROP) \$Z_LAN \$FW # Permit all ICMP traffic FROM the firewall TO the net zone ACCEPT \$FW \$Z_LAN ipv6-icmp EOF sed -Ei '/^\?SECTION NEW/a Webmin(ACCEPT)\t$Z_LAN:\$NET_LAN\t\$FW' /etc/shorewall6/rules sed -Ei '/^\?SECTION NEW/a # LAN WEBMIN ACCESS' /etc/shorewall6/rules sed -Ei '/^\?SECTION NEW/a SSH(ACCEPT)\t$Z_LAN:\$NET_LAN\t\$FW' /etc/shorewall6/rules sed -Ei '/^\?SECTION NEW/a # LAN SSH ACCESS' /etc/shorewall6/rules ################################## # Restart Shorewall & Shorewall6 ################################## # Enable and start all shorewall services logger -p syslog.info -i " $FNAME: Enable and start all shorewall services" systemctl enable shorewall-init systemctl enable shorewall systemctl enable shorewall6 ################ # Install Webmin ################ logger -p syslog.info -i " $FNAME: Install Webmin" cd $HOME #curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh sh $cdrompath/setup-repos.sh chmod o+r /usr/share/keyrings/debian-webmin-developers.gpg apt-get update apt-get -y install webmin systemctl disable webmin ###################### # Other actions ###################### # # Set network preference to IPv4 logger -p syslog.info -i " $FNAME: Set network preference to IPv4" sed -Ei 's/^[#]*\s*(precedence\s+\:\:ffff\:0\:0\/96\s+100)/\1/' /etc/gai.conf # Remove unused packages logger -p syslog.info -i " $FNAME: Remove unused packages" apt-get -y --purge autoremove # GEOip configuration logger -p syslog.info -i " $FNAME: geoipupdate installation" apt -y install geoipupdate logger -p syslog.info -i " $FNAME: Copy GeoIP.conf file" cat /media/cdrom/conffiles-std/GeoIP.conf > /etc/GeoIP.conf logger -p syslog.info -i " $FNAME: Update GEOip configuration" geoipupdate # Fix pid in some services logger -p syslog.info -i " $FNAME: Fix pid in some services" sed -i 's#/var/run/auditd.pid#/run/auditd.pid#g' /lib/systemd/system/auditd.service sed -i 's#/var/run/dbus/system_bus_socket#/run/dbus/system_bus_socket#g' 
/lib/systemd/system/dbus.socket # Setup aide database logger -p syslog.info -i " $FNAME: Setup aide database" aideinit aide -c /etc/aide/aide.conf -u # Disable rsync logger -p syslog.info -i " $FNAME: Disable rsync" systemctl --now disable rsync # Setup mlocate database logger -p syslog.info -i " $FNAME: Setup mlocate database" updatedb # Set the right swap logger -p syslog.info -i " $FNAME: Set the right swap" current_vg=`lvs | grep -Eoi '^\s+root.*ao' | awk -F ' ' '{ print $2 }'` logger -p syslog.info -i " $FNAME: Set the right swap -- current_vg=${current_vg}" for swap in `grep -i swap /etc/fstab | awk '{ print $1 }'` do logger -p syslog.info -i " $FNAME: Set the right swap --- swap=$swap" if [ -z `echo $swap | grep -i ${current_vg}` ]; then pattern=`echo $swap | awk -F '/' '{ print $4 }'` logger -p syslog.info -i " $FNAME: Set the right swap --- pattern="$pattern sed -i "/${pattern}/d" /etc/fstab fi done # Update apt-file apt-file update ####################################################### # Add umask and TIMEOUT configuration to /etc/profile ####################################################### # logger -p syslog.info -i " $FNAME: Add umask and TIMEOUT configuration to /etc/profile" echo "umask 027" >> /etc/profile echo "readonly TMOUT=900 ; export TMOUT" >> /etc/profile ####################################################### # Configure VIM through /etc/vim/vimrc ####################################################### # logger -p syslog.info -i "$FNAME: Configure VIM through /etc/vim/vimrc" sed -i 's/^"syntax on/syntax on/' /etc/vim/vimrc sed -i 's/^"set\sbackground=dark/set background=dark/' /etc/vim/vimrc sed -i '/^set\sbackground=dark/a set t_Co=256' /etc/vim/vimrc sed -i '/^set\st_Co=256/a set termguicolors' /etc/vim/vimrc sed -i 's/^"filetype plugin indent on/filetype plugin indent on/' /etc/vim/vimrc sed -i 's/^"set showcmd/set showcmd/' /etc/vim/vimrc sed -i 's/^"set showmatch/set showcmd/' /etc/vim/vimrc sed -i 's/^"set mouse=a/set mouse=n/' 
/etc/vim/vimrc cp /etc/vim/vimrc /home/zargos/.vimrc chown zargos:zargos /home/zargos/.vimrc cp /etc/vim/vimrc /root/.vimrc chown root:root /root/.vimrc ######################################### # SYSCTL configurationi modification ######################################### # logger -p syslog.info -i " $FNAME: SYSCTL configuration modification" # Ensure packet redirect sending is disabled printf "# Ensure packet redirect sending is disabled net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 " >> /etc/sysctl.d/90-sysctl-network.conf # Ensure IP forwarding is disabled printf "# Ensure IP forwarding is disabled net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0 " >> /etc/sysctl.d/90-sysctl-network.conf # Ensure source routed packets are not accepted printf "# Ensure source routed packets are not accepted net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 " >> /etc/sysctl.d/90-sysctl-network.conf # Ensure ICMP redirects are not accepted printf "# Ensure ICMP redirects are not accepted net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 " >> /etc/sysctl.d/90-sysctl-network.conf # Ensure secure ICMP redirects are not accepted printf "# Ensure secure ICMP redirects are not accepted net.ipv4.conf.default.secure_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 " >> /etc/sysctl.d/90-sysctl-network.conf # Ensure suspicious packets are logged # Comment 2022-09-07 LME - Doesn't fit with VBox Host Network printf "# Ensure suspicious packets are logged net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 " >> /etc/sysctl.d/90-sysctl-network.conf # Ensure broadcast ICMP requests are ignored printf "# Ensure broadcast ICMP requests are ignored net.ipv4.icmp_echo_ignore_broadcasts = 1 " >> 
/etc/sysctl.d/90-sysctl-network.conf # Ensure bogus ICMP responses are ignored printf "#Ensure bogus ICMP responses are ignored icmp_ignore_bogus_error_responses = 1 " >> /etc/sysctl.d/90-sysctl-network.conf # Ensure Reverse Path Filtering is enabled printf "# Ensure Reverse Path Filtering is enabled net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 " >> /etc/sysctl.d/90-sysctl-network.conf # Ensure TCP SYN Cookies is enabled printf "# Ensure TCP SYN Cookies is enabled net.ipv4.tcp_syncookies = 1 " >> /etc/sysctl.d/90-sysctl-network.conf # Ensure IPv6 router advertisements are not accepted printf "# Ensure IPv6 router advertisements are not accepted net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 # Disable TCP timestamps net.ipv4.tcp_timestamps = 0 " >> /etc/sysctl.d/90-sysctl-network.conf ########################### # PAM.D Configuration ########################### # logger -p syslog.info -i " $FNAME: PAM.D Configuration" ########################### # PWQUALITY Configuration ########################### # logger -p syslog.info -i " $FNAME: --- PWQUALITY Configuration" # Password must be 14 characters or more sed -Ei 's/^[#]\s*(minlen\s*=\s*).*/\114/' /etc/security/pwquality.conf # The minimum number of required classes of characters for the new password # (digits, uppercase, lowercase, others) sed -Ei 's/^[#]\s*(minclass\s*=\s*).*/\14/' /etc/security/pwquality.conf # Provide at least one digit, at least one uppercase character, at least one # special character, at least one lowercase character sed -Ei 's/^[#]\s*([duol]credit\s*=\s*).*/\1-1/' /etc/security/pwquality.conf ########################### # FAILLOCK Configuration ########################### # logger -p syslog.info -i " $FNAME: --- FAILLOCK Configuration" # Deny access if the number of consecutive authentication failures for this user # during the recent interval exceeds 4 entries. 
sed -Ei 's/^[#]\s*(deny\s*=\s*).*/\13/' /etc/security/faillock.conf # The length of the interval, in seconds, during which the consecutive authenti- # cation failures must happen for the user account to be locked out sed -Ei 's/^[#]\s*(fail_interval\s*=\s*).*/\1900/' /etc/security/faillock.conf # The access will be re-enabled after 600 seconds after the lock out. The value # 0 has the same meaning as value never - the access will not be re-enabled # without resetting the faillock entries by the faillock command. sed -Ei 's/^[#]\s*(unlock_time\s*=\s*).*/\1600/' /etc/security/pwquality.conf ################################ # COMMON-ACCOUNT Configuration ################################ # logger -p syslog.info -i " $FNAME: --- COMMON-ACCOUNT Configuration" # Faillock configuration sed -Ei '/^[#]\s*end of pam-auth-update config/i account required pam_faillock.so' /etc/pam.d/common-account ########################### # COMMON-AUTH Configuration ########################### logger -p syslog.info -i " $FNAME: --- COMMON-AUTH Configuration" # Added to enable faillock sed -Ei '/^auth\s*\[success=1\s*default=ignore\]\s*pam_unix.so\s*nullok/i auth required pam_faillock.so preauth # Added to enable faillock' /etc/pam.d/common-auth sed -Ei '/^auth\s*\[success=1\s*default=ignore\]\s*pam_unix.so\s*nullok/a auth sufficient pam_faillock.so authsucc # Added to enable faillock' /etc/pam.d/common-auth sed -Ei '/^auth\s*\[success=1\s*default=ignore\]\s*pam_unix.so\s*nullok/a auth [default=die] pam_faillock.so authfail # Added to enable faillock' /etc/pam.d/common-auth sed -Ei '/^[#]\s*end\s*of\s*pam-auth-update\s*config/i auth optional pam_cap.so' /etc/pam.d/common-auth ################################# # COMMON-PASSWORD Configuration ################################# # logger -p syslog.info -i " $FNAME: --- COMMON-PASWORD Configuration" sed -Ei '/^[#]\s*end\s*of\s*pam-auth-update\s*config/i password required pam_pwhistory.so remember=5' /etc/pam.d/common-password 
################################# # SU Configuration ################################# # logger -p syslog.info -i " $FNAME: --- SU Configuration" addgroup sugroup usermod -a -G sugroup zargos logger -p syslog.info -i " $FNAME: --- SU Configuration -- change /etc/pam.d/su" sed -Ei 's/^[#]\s*auth\s*required\s*pam_wheel.so$/auth required pam_wheel.so use_uid group=sugroup/' /etc/pam.d/su ######################## # BASHRC configuration ######################## # logger -p syslog.info -i " $FNAME: --- BASHRC Configuration" cat < /etc/skel/.bash_aliases alias dir='dir --color=auto' alias vdir='vdir --color=auto' alias grep='grep --color=auto' alias fgrep='fgrep --color=auto' alias egrep='egrep --color=auto' alias ll='ls -l' alias la='ls -A' alias l='ls -CF' EOF cp -vfp /etc/skel/.bash_aliases /root/ cp -vfp /etc/skel/.bash_aliases /home/zargos/ chown zargos:zargos /home/zargos/.bash_aliases cp -vfp /home/zargos/.bashrc /root/.bashrc chown root:root /root/.bashrc ############################ # LOGIN.DEFS configuration ############################ # logger -p syslog.info -i " $FNAME: LOGIN.DEFS configuration" sed -Ei 's/^(UMASK\s+).*/\1027/g' /etc/login.defs sed -Ei 's/^(PASS_MAX_DAYS\s+).*/\1365/g' /etc/login.defs sed -Ei 's/^(PASS_MIN_DAYS\s+).*/\11/g' /etc/login.defs sed -Ei 's/^(PASS_WARN_AGE\s+).*/\17/g' /etc/login.defs ###################################### # AUDITD configuration modifications ###################################### # Clean old auditd rules logger -p syslog.info -i " $FNAME: Remove old auditd rules" rm -fr /etc/audit/rules.d/audit.rules # auditd.conf and rules are made accordingly to # CIS Debian Linux 11 Benchmark v1.0.0 sed -Ei 's/^(max_log_file_action\s*=\s*).*/\1KEEP_LOGS/' /etc/audit/auditd.conf sed -Ei 's/^(space_left_action\s*=\s*).*/\1EMAIL/' /etc/audit/auditd.conf sed -Ei 's/^(admin_space_left_action\s*=\s*).*/\1HALT/' /etc/audit/auditd.conf # auditd startin rules printf " ## First rule - delete all -D ## Increase the buffers to survive 
stress events. ## Make this bigger for busy systems -b 8192 ## This determine how long to wait in burst of events --backlog_wait_time 0 ## Set failure mode to syslog -f 1 " >> /etc/audit/rules.d/00-audit_rules.rules # Ensure changes to system administration scope (sudoers) is collected printf "# Ensure changes to system administration scope (sudoers) is collected -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope " >> /etc/audit/rules.d/50-scope.rules # Ensure actions as another user are always logged printf "# Ensure actions as another user are always logged -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation " >> /etc/audit/rules.d/50-user_emulation.rules # Ensure events that modify the sudo log file are collected SUDO_LOG_FILE=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g') [ -n "${SUDO_LOG_FILE}" ] && printf "# Ensure events that modify the sudo log file are collected -w ${SUDO_LOG_FILE} -p wa -k sudo_log_file " >> /etc/audit/rules.d/50-sudo.rules || printf "ERROR: Variable 'SUDO_LOG_FILE_ESCAPED' is unset.\n" # Ensure events that modify date and time information are collected printf "# Ensure events that modify date and time information are collected -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change " >> /etc/audit/rules.d/50-time-change.rules # Ensure events that modify the system's network environment are collected printf "# Ensure events that modify the system's network environment are collected -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale 
-w /etc/networks -p wa -k system-locale -w /etc/network/ -p wa -k system-locale " >> /etc/audit/rules.d/50-system_local.rules # Ensure use of privileged commands are collected UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) AUDIT_RULE_FILE="/etc/audit/rules.d/50-privileged.rules" NEW_DATA=() for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do readarray -t DATA < <(find "${PARTITION}" -xdev -perm /6000 -type f | awk -v UID_MIN=${UID_MIN} '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>="UID_MIN" -F auid!=unset -k privileged" }') for ENTRY in "${DATA[@]}"; do NEW_DATA+=("${ENTRY}") done done readarray &> /dev/null -t OLD_DATA < "${AUDIT_RULE_FILE}" COMBINED_DATA=( "${OLD_DATA[@]}" "${NEW_DATA[@]}" ) printf "# Ensure use of privileged commands are collected" > "${AUDIT_RULE_FILE}" printf '%s\n' "${COMBINED_DATA[@]}" | sort -u >> "${AUDIT_RULE_FILE}" # Ensure unsuccessful file access attempts are collected UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) [ -n "${UID_MIN}" ] && printf "# Ensure unsuccessful file access attempts are collected -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access " >> /etc/audit/rules.d/50-access.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" # Ensure events that modify user/group information are collected printf "# Ensure events that modify user/group information are collected -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow 
-p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity " >> /etc/audit/rules.d/50-identity.rules # Ensure discretionary access control permission modification events are collected UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) [ -n "${UID_MIN}" ] && printf "# Ensure discretionary access control permission modification events are collected -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod " >> /etc/audit/rules.d/50-perm_mod.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" # Ensure successful file system mounts are collected UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) [ -n "${UID_MIN}" ] && printf "# Ensure successful file system mounts are collected -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts " >> /etc/audit/rules.d/50-mounts.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" # Ensure session initiation information is collected printf "# Ensure session initiation information is collected -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session " >> /etc/audit/rules.d/50-session.rules # Ensure login and logout events are collected printf "# Ensure login and logout events are collected -w 
/var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins " >> /etc/audit/rules.d/50-login.rules # Ensure file deletion events by users are collected UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) [ -n "${UID_MIN}" ] && printf "# Ensure file deletion events by users are collected -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete -a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete " >> /etc/audit/rules.d/50-delete.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" # Ensure events that modify the system's Mandatory Access Controls are collected printf "# Ensure events that modify the system's Mandatory Access Controls are collected -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy " >> /etc/audit/rules.d/50-MAC-policy.rules # Ensure successful and unsuccessful attempts to use the chcon command are recorded UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) [ -n "${UID_MIN}" ] && printf "# Ensure successful and unsuccessful attempts to use the chcon command are recorded -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng " >> /etc/audit/rules.d/50-perm_chng.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" # Ensure successful and unsuccessful attempts to use the setfacl command are recorded UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) [ -n "${UID_MIN}" ] && printf "# Ensure successful and unsuccessful attempts to use the setfacl command are recorded -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng " >> /etc/audit/rules.d/50-priv_cmd.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" # Ensure successful and unsuccessful attempts to use the chacl command are recorded UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) [ -n "${UID_MIN}" ] && printf "# Ensure successful and 
unsuccessful attempts to use the chacl command are recorded -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng " >> /etc/audit/rules.d/50-perm_chng.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" # Ensure successful and unsuccessful attempts to use the usermod command are recorded UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) [ -n "${UID_MIN}" ] && printf "# Ensure successful and unsuccessful attempts to use the usermod command are recorded -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k usermod " >> /etc/audit/rules.d/50-usermod.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" # Ensure kernel module loading unloading and modification is collected UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) [ -n "${UID_MIN}" ] && printf "# Ensure kernel module loading unloading and modification is collected -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules " >> /etc/audit/rules.d/50-kernel_modules.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" # Ensure the audit configuration is immutable printf -- "# Ensure the audit configuration is immutable -e 2 " >> /etc/audit/rules.d/99-finalize.rules ######################### # Netdata Configuration ######################### logger -p syslog.info -i " $FNAME: Netdata Configuration" cat << EOF >> /etc/netdata/netdata.conf [host labels] type = server location = France/Tours installed = $(date '+%Y%m%d') EOF if [ -d "/var/lib/netdata/cloud.d" ]; then cat << EOF > /var/lib/netdata/cloud.d/cloud.conf [global] enable = no EOF chown netdata:netdata /var/lib/netdata/cloud.d/cloud.conf else logger -p syslog.info -i " $FNAME: Netdata Configuration: dir /var/lib/netdata/cloud.d doesn't exist." 
fi ##################### # Setup chkboot datas ##################### logger -p syslog.info -i " $FNAME: Setup chkboot configuration and data" # This script part consider that all installation are with UEFI # Legacy installation will have to manually configure chkboot # related to the installation chosen (separate and/or specific /boot partition) # Get the partition of /boot/efi bootdir="/boot/efi" bootpart=`findmnt -mn ${bootdir} | awk '{ print $2 }'` # If boot directory is found get the corresponding disk device if [ ! -z $bootpart ]; then part=${bootpart} part=${part#/dev/} disk=$(readlink /sys/class/block/$part) disk=${disk%/*} disk=/dev/${disk##*/} # set bootdir as /boot for final conf bootdir="/boot" sed -Ei "s|^(BOOTDISK=).*|\1${disk}|" /etc/default/chkboot sed -Ei "s|^(BOOTPART=).*|\1${bootpart}|" /etc/default/chkboot sed -Ei "s|^(BOOTDIR=).*|\1${bootdir}|" /etc/default/chkboot fi chkboot # END-OF-FILE