Hardening Ubuntu. Systemd edition.
A quick way to make a Ubuntu server a bit more secure.
Tested on Ubuntu 20.04 Focal Fossa
and Ubuntu 21.10 Impish Indri
.
Systemd required.
If you’re just interested in the security focused systemd configuration, it’s available as a separate document.
If you’re interested in testing your host settings, you’ll find the instructions here.
Note
|
This is a constant work in progress. Make sure you understand what it does. Read the code and do not run this script without first testing in a non-operational environment. |
When possible, use the newly installed and configured system as a reference, or golden, image. Use that image as a baseline installation media and ensure that any future installation comply with benchmarks and policies using a configuration management tool, e.g Ansible or Puppet.
Packer template and Ansible playbook
A Packer template is available in the konstruktoid/hardening-geniso repository.
An Ansible playbook is available in the konstruktoid/ansible-role-hardening repository.
Howto
Start the installation of the server.
Pick language, keyboard layout, timezone and so on as you usually would.
Partition the system
/
/boot (rw)
/home (rw,nosuid,nodev)
swap
/var
/var/log (rw,nosuid,nodev,noexec)
/var/log/audit (rw,nosuid,nodev,noexec)
/var/tmp (rw,noexec,nodev,nosuid)
Note that /tmp
will be added automatically by the script.
Login, set a Grub2 password, configure and run ubuntu.sh
Do not add any packages.
Log in.
Select a Grub2 password with grub-mkpasswd-pbkdf2
.
Download the script: git clone https://github.com/konstruktoid/hardening.git
.
Change the configuration options in the ubuntu.cfg
file.
Run the script: sudo bash ubuntu.sh
.
Reboot.
Configuration options
FW_ADMIN='127.0.0.1' // (1)
SSH_GRPS='sudo' // (2)
SSH_PORT='22' // (3)
SYSCTL_CONF='./misc/sysctl.conf' // (4)
AUDITD_MODE='1' // (5)
AUDITD_RULES='./misc/audit-base.rules ./misc/audit-aggressive.rules ./misc/audit-docker.rules' // (6)
LOGROTATE_CONF='./misc/logrotate.conf' // (7)
NTPSERVERPOOL='0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org pool.ntp.org' // (8)
TIMEDATECTL='' // (9)
VERBOSE='N' // (10)
AUTOFILL='N' // (11)
ADMINEMAIL="root@localhost" // (12)
CHANGEME='' // (13)
# Configuration files
ADDUSER='/etc/adduser.conf'
AUDITDCONF='/etc/audit/auditd.conf'
AUDITRULES='/etc/audit/rules.d/hardening.rules'
COMMONPASSWD='/etc/pam.d/common-password'
COMMONACCOUNT='/etc/pam.d/common-account'
COMMONAUTH='/etc/pam.d/common-auth'
COREDUMPCONF='/etc/systemd/coredump.conf'
DEFAULTGRUB='/etc/default/grub.d'
DISABLEFS='/etc/modprobe.d/disablefs.conf'
DISABLEMOD='/etc/modprobe.d/disablemod.conf'
DISABLENET='/etc/modprobe.d/disablenet.conf'
JOURNALDCONF='/etc/systemd/journald.conf'
LIMITSCONF='/etc/security/limits.conf'
LOGINDCONF='/etc/systemd/logind.conf'
LOGINDEFS='/etc/login.defs'
LOGROTATE='/etc/logrotate.conf'
PAMLOGIN='/etc/pam.d/login'
PSADCONF='/etc/psad/psad.conf'
PSADDL='/etc/psad/auto_dl'
RESOLVEDCONF='/etc/systemd/resolved.conf'
RKHUNTERCONF='/etc/default/rkhunter'
RSYSLOGCONF='/etc/rsyslog.conf'
SECURITYACCESS='/etc/security/access.conf'
SSHFILE='/etc/ssh/ssh_config'
SSHDFILE='/etc/ssh/sshd_config'
SYSCTL='/etc/sysctl.conf'
SYSTEMCONF='/etc/systemd/system.conf'
TIMESYNCD='/etc/systemd/timesyncd.conf'
UFWDEFAULT='/etc/default/ufw'
USERADD='/etc/default/useradd'
USERCONF='/etc/systemd/user.conf'
-
The IP addresses that will be able to connect with SSH, separated by spaces.
-
Which group the users have to be member of in order to acess via SSH, separated by spaces.
-
Configure SSH port.
-
Stricter sysctl settings.
-
Auditd failure mode. 0=silent 1=printk 2=panic.
-
Auditd rules.
-
Logrotate settings.
-
NTP server pool.
-
Add a specific time zone or use the system default by leaving it empty.
-
If you want all the details or not.
-
Let the script guess the
FW_ADMIN
andSSH_GRPS
settings. -
Add a valid email address, so PSAD can send notifications.
-
Add something just to verify that you actually glanced the code.
Functions
Function list
01_pre
Setup script, sets APT flags and permission checks.
02_firewall
Enable ufw
, use /etc/sysctl.conf
, prepare to psad
, and allow port 22 from $FW_ADMIN
.
03_disablenet
Disable dccp
sctp
rds
tipc
protocols.
04_disablemnt
Disable cramfs
freevxfs
jffs2
hfs
hfsplus
udf
vfat
file systems.
05_systemdconf
Disable coredumps and crash shells, set DefaultLimitNOFILE
and
DefaultLimitNPROC
to 1024.
06_journalctl
Compress logs, forward to syslog and make log storage persistent. Ensure rsyslog writes logs with stricter permissions.
07_timesyncd
Add four NTP-servers with a latency < 50ms from $NTPSERVERPOOL
.
08_fstab
Configure /tmp/
and /var/tmp/
. Remove floppy drivers from /etc/fstab
and add hidepid=2
to /proc
.
09_prelink
Undo prelinking, and remove prelink
package.
10_aptget
Configure dpkg
and apt-get
. apt-get
update and upgrade.
11_hosts
/etc/hosts.allow
and /etc/hosts.deny
restrictions.
12_logindefs
Modify /etc/login.defs
, e.g. UMASK
, password age limits and
SHA_CRYPT_MAX_ROUNDS
.
13_sysctl
Update $SYSCTL
with $SYSCTL_CONF
.
14_limits
Set hard and soft limits.
15_adduser
Configure useradd
and adduser
to set /bin/false
as default shell,
home directory permissions to 0750
and lock users 30 days after password
expires.
16_rootaccess
Limit /etc/securetty
to console
, and root
from 127.0.0.1 in
/etc/security/access.conf
.
17_packages
Installs acct
aide-common
apparmor-profiles
apparmor-utils
auditd
audispd-plugins
debsums
gnupg2
haveged
libpam-apparmor
libpam-pwquality
libpam-tmpdir
needrestart
openssh-server
postfix
rkhunter
sysstat
systemd-coredump
tcpd
psad
update-notifier-common
vlock
.
Removes apport*
autofs
avahi*
beep
git
pastebinit
popularity-contest
rsh*
rsync
talk*
telnet*
tftp*
whoopsie
xinetd
yp-tools
ypbind
.
18_sshdconfig
Configure the OpenSSH
-daemon.
19_password
Configure pam_pwquality.so
and pam_tally2.so
.
20_cron
Allow root
to use cron
. Mask atd
.
21_ctraltdel
Disable Ctrl-alt-delete.
22_auditd
Configure auditd
, use $AUDITD_RULES
and set failure mode $AUDITD_MODE
.
23_disablemod
Disable bluetooth
bnep
btusb
cpia2
firewire-core
floppy
n_hdlc
net-pf-31
pcspkr
soundcore
thunderbolt
usb-midi
usb-storage
uvcvideo
v4l2_common
kernel modules.
Note that disabling the usb-storage
will disable any usage of USB storage
devices, if such devices are needed USBGuard
should be configured accordingly.
24_aide
Configure aide
.
25_rhosts
Remove hosts.equiv
and .rhosts
.
26_users
Remove games
gnats
irc
list
news
sync
uucp
users.
27_suid
Remove suid
bits from the executables listed in
this document.
28_umask
Set bash
and /etc/profile
umask.
29_apparmor
Enforce present apparmor
profiles.
30_path
Set root
path to /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
,
and user path to /usr/local/bin:/usr/bin:/bin
.
31_logindconf
Configure systemd/logind.conf
and use KillUserProcesses
.
32_resolvedconf
Configure systemd/resolved.conf
.
33_rkhunter
Configure rkhunter
.
34_issue
Update /etc/issue
/etc/issue.net
/etc/motd
.
35_apport
Disable apport
, ubuntu-report
and popularity-contest
.
36_lockroot
Lock the root
user account.
37_coredump
Disable coredumps with systemd/coredump.conf
.
38_postfix
Disable the VRFY
command, configure smtpd_banner
, smtpd_client_restrictions
and inet_interfaces
.
39_motdnews
Disable motd-news
.
40_usbguard
Install and configure usbguard
.
41_compilers
Restrict compiler access.
42_kernel
Set lockdown=confidentiality
if /sys/kernel/security/lockdown
is present.
43_sudo
Configure sudo
with use_pty
, logfile
, !visiblepw
, !pwfeedback
,
passwd_timeout
and timestamp_timeout
.
Restrict su
to the sudo
group.
44_psad
Configure psad
.
98_systemddelta
If verbose, show systemd-delta
.
99_post
Ensure secureboot-db
is installed, update grub and ensure strict permissions
on boot files.
99_reboot
Print if a reboot is required.
Function execution order
f_pre
f_kernel
f_firewall
f_disablenet
f_disablefs
f_disablemod
f_systemdconf
f_resolvedconf
f_logindconf
f_journalctl
f_timesyncd
f_fstab
f_prelink
f_aptget_configure
f_aptget
f_hosts
f_issue
f_sudo
f_logindefs
f_sysctl
f_limitsconf
f_adduser
f_rootaccess
f_package_install
f_coredump
f_usbguard
f_postfix
f_apport
f_motdnews
f_rkhunter
f_sshconfig
f_sshdconfig
f_password
f_cron
f_ctrlaltdel
f_auditd
f_psad
f_aide
f_rhosts
f_users
f_lockroot
f_package_remove
f_suid
f_restrictcompilers
f_umask
f_path
f_aa_enforce
f_aide_post
f_aide_timer
f_aptget_noexec
f_aptget_clean
f_systemddelta
f_post
f_checkreboot
Tests
There are approximately 750 Bats tests for most of the above settings available in the tests directory.
sudo apt-get -y install bats
git clone https://github.com/konstruktoid/hardening.git
cd hardening/tests/
sudo bats .
Test automation using Vagrant
Testing a host
Running bash ./runHostTests.sh
, located in the tests directory,
will generate a TESTRESULTS-<HOSTNAME>.adoc
report.
Issues: snapd
In order to use snapd
you will have to disable the kernel_lockdown
setting, update grub
, reboot the host and then reinstall
snapd
.
sudo sed -i 's/^/# /g' /etc/default/grub.d/99-hardening-lockdown.cfg
sudo update-grub
sudo reboot
sudo apt-get --assume-yes --reinstall install snapd
Recommended reading
Contributing
Do you want to contribute? That’s great! Contributions are always welcome, no matter how large or small. If you found something odd, feel free to submit a new issue, improve the code by creating a pull request, or by sponsoring this project.
Logo by reallinfo.