Primary language: Shell. License: GNU General Public License v3.0 (GPL-3.0).

solidcore-scripts

Hardening scripts for immutable Fedora.

💘 Love Fedora?

💖 Love the immutable desktops?

😯 Thought you were safe?

Whilst it is true that a read-only (immutable) filesystem during run-time does reduce a lot of attack surface exploited by malware, security depends on much more than that.

  • What if someone gains physical access to your device?
  • What if someone else who uses your computer downloads malware?
  • What if you are the target of malicious network activity? ... You get the picture.

These are just some of the issues that solidcore hardening aims to protect against.

Aims

This project aims to protect immutable Fedora variants against a variety of attack vectors by:

  • Securing the bootloader
  • Hardening the kernel
  • Locking down root and implementing stronger password policies
  • Blocking malicious domains
  • Disabling all unused ports and interfaces
  • Improving the firewall settings
  • 🔥 ... plus more!! 🔥

Current features

v0.2.7 alpha released September 10th 2023.

Despite the low version number of v0.2.7, this script implements some serious hardening:

  • Guided user interface ✔️
  • Auto-generate backups of important config files ✔️
  • Sysctl kernel, network and userspace hardening ✔️
  • Hardened GRUB boot parameters ✔️
  • Kernel module blacklist ✔️
  • High risk and unused services disabled and masked ✔️
  • Processes hidden from other users (hidepid) ✔️
  • New files only viewable to owner/creator ✔️
  • Core dumps disabled (stops sensitive information about the system being available) ✔️
  • Improved password policies ✔️
  • Root account locked ✔️
  • Update user password to align with new policies ✔️
  • Firewalld zone set to drop (drops all incoming connections) ✔️
  • Automatic updates for rpm-ostree and flatpaks ✔️
  • Fedora flatpaks replaced with Flathub flatpaks ✔️
  • Mute microphone by default on login ✔️
  • Flatseal installed ✔️
  • Firstboot script installed to ensure:
    • New password set ✔️
    • GRUB password set (optional, but recommended) ✔️
    • Wireless technologies blocked (optional) ✔️
    • Unused ports are disabled and blacklisted ✔️
    • USBGuard installed (if required) ✔️
    • Enable hardware key support (optional) ✔️
  • DNSCrypt-proxy installed (uses the encrypted, more secure DNSCrypt protocol for all your DNS lookups) ✔️
  • DNS blocklists added (blocks ad, malicious and tracking domains by default; adult content optional) ✔️
  • Updates scheduled for dnscrypt-proxy and DNS blocklists ✔️
  • MAC randomization ✔️
  • Checks in place for SELinux mode, known CPU vulnerabilities and insecure HTTP URLs in the repos ✔️
  • Chrony (NTP) config updated to match GrapheneOS configuration ✔️
  • Hardened USBGuard config ✔️
  • Uninstall file (untested in current version - may throw unexpected errors, but should be operational)
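The feature list mentions a check for insecure HTTP URLs in the repos. The script below is an added example, not code from solidcore-scripts, showing what such a check looks like as a stand-alone shell function: it scans the .repo files in a directory (default /etc/yum.repos.d) for baseurl=, metalink= or mirrorlist= values that use plain http://, prints each hit as file:line:content, and returns 1 if anything was found so it can gate a script or a scheduled check. The sample repo files in the demo are constructed, not real mirrors.

```shell
# Added example (not part of solidcore-scripts): stand-alone check for repo
# definitions that fetch metadata or packages over plain HTTP.

# usage: find_insecure_repo_urls [DIR]   -> prints hits, returns 1 if any found
find_insecure_repo_urls() {
    dir="${1:-/etc/yum.repos.d}"
    found=0
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        # -H/-n: print file name and line number; -i: flag upper-case key spellings too.
        # "http://" directly after '=' is the defect; "https://" does not match.
        if grep -nHEi '^[[:space:]]*(baseurl|metalink|mirrorlist)[[:space:]]*=[[:space:]]*http://' "$f"; then
            found=1
        fi
    done
    return "$found"
}

# Demo on a constructed sample directory (not a real system path).
demo_dir=$(mktemp -d)
printf '[fedora-https]\nname=good\nbaseurl=https://mirror.example.test/fedora\n' > "$demo_dir/good.repo"
printf '[fedora-plain]\nname=bad\nbaseurl=http://mirror.example.test/fedora\n' > "$demo_dir/bad.repo"
if find_insecure_repo_urls "$demo_dir"; then
    echo "no insecure repo URLs in $demo_dir"
else
    echo "insecure repo URLs found in $demo_dir (listed above)"
fi
rm -rf "$demo_dir"
```

Run it against the real directory with `find_insecure_repo_urls /etc/yum.repos.d`; a non-zero exit means at least one repo still pulls over HTTP, which leaves metadata open to tampering on the network path unless the repo also enforces GPG checking.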

Tested on Fedora Silverblue 38.

Planned features and future goals

The long-term goal (probably for v1.0) is to have the hardening provided by this script work both client-side - i.e. manual running of the script on any existing immutable Fedora system - and server-side, so people can carry out an rpm-ostree rebase to a pre-hardened and constantly updated system.

In the meantime, there's plenty of work to do. Including the following, in no particular order:

  • create testing VMs of all official immutable Fedora variants
  • create solidcore aliases for common post-install actions (e.g. solidcore uninstall, solidcore add-blocklist, solidcore allow [domain], solidcore status [to check whether settings are still valid & active])
  • develop the -test flag further for more verbosity
  • align as much as immutable Fedora will allow with the Center for Internet Security's RHEL 9 Workstation Level 1 & Level 2 benchmark
  • research and improve sysctl, kernel module and bootloader hardening
  • install and sign hardened kernel (removing any currently implemented kernel hardening)
  • progress on getting the hardened malloc to work
  • create scripts to audit all relevant settings on new versions of Fedora to make keeping it up-to-date easier
  • research and possibly implement clam-tk and AIDE
  • research anti-forensic tools
  • set up full installation of hardware keys, i.e. creation of U2F pam module key and required modification to solidcore pam profile
  • develop the -server flag further to eliminate all user interaction
  • establish blocklist review process

For the next release:

  • implement conditional conf_msg and error reporting
  • user-testing and implement feedback
  • test uninstall process thoroughly
  • continue work on developing -test flag

The plan is to open up to public testing in version 0.3 when the whole process has undergone more testing.

Instructions

Note

Currently in alpha stage. Only install for testing purposes or if you're really keen. The uninstall script is not fully tested, but all changes instigated by the script are reversible.

Installation

Pre-install recommendations

  1. It is strongly recommended to install your favourite immutable Fedora variant on an encrypted drive. Drive encryption is best done during the installation process of the OS, although it may be possible afterwards. See the Fedora docs for information on how to encrypt the drive during the installation process.

  2. If you haven't yet set a BIOS/UEFI password, please do so, and ensure that in the boot order section your device boots from the encrypted drive before any USB drives. Please also ensure that Secure Boot is enabled.

Installing

To install the solidcore-scripts, type in the following command and follow the on-screen instructions:

wget https://raw.githubusercontent.com/solidc0re/solidcore-scripts/main/solidcore-install.sh && sudo bash solidcore-install.sh

Upgrading

Uninstall first, then re-install, just to be safe.

Uninstall:

sudo bash /etc/solidcore/solidcore-uninstall.sh

Re-install:

wget https://raw.githubusercontent.com/solidc0re/solidcore-scripts/main/solidcore-install.sh && sudo bash solidcore-install.sh

Uninstalling

Uninstalling reverts all changed system settings to how they previously were, along with uninstalling any solidcore-installed packages.

sudo bash /etc/solidcore/solidcore-uninstall.sh

Post-install information

Congratulations! You have hardened your immutable Fedora installation.

Your GRUB username is 'root' - you will need this if you want to change your GRUB entries. The password is what you set it as during the firstboot script.

Most computer security threats come from online sources. It is therefore strongly recommended that you install a more secure browser, such as Brave (Chrome-based, boo!) or Librewolf (pre-hardened Firefox).

flatpak install io.gitlab.librewolf-community

If you are a Mullvad user then Mullvad browser is by far the best browser option available, unless you want to use Tor.

Your system will automatically update the following:

  • dnscrypt-proxy and DNS blocklists, 20 seconds after boot and every 24 hours
  • rpm-ostree, 10 minutes after boot and every 3 hours
  • Flatpak apps, 20 minutes after boot and every 3 hours 10 minutes

If USBGuard was installed when running solidcore-scripts, then I recommend reviewing the allowed devices and blocking any you don't use (such as fingerprint readers):

usbguard list-devices
usbguard block-device <device number>

Please report any issues and suggested improvements on this Github page.

'How to' guides

How to: add a domain to the DNS allowlist

If you're happy with the blocklist set up but there's still the odd domain that you want to allow that's currently being blocked, then the allowlist is for you. The allowlist is located here: '/usr/local/sbin/dnscrypt-proxy/domains-allowlist.txt'.

To edit:

sudo nano /usr/local/sbin/dnscrypt-proxy/domains-allowlist.txt

Simply add a domain, such as 'github.com', with each domain on a new line. Once changes have been made to 'domains-allowlist.txt', run the following command to apply them:

sudo systemctl start dnscrypt-proxy-update

Refer to the https://github.com/DNSCrypt/dnscrypt-proxy/wiki if you need further assistance.
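As an added example (not part of solidcore-scripts), the following shell functions wrap the manual edit above: a hostname is validated and lower-cased, then appended to the allowlist only if it is not already present as a whole line. It deliberately accepts plain hostnames only; dnscrypt-proxy's own pattern syntax (for example wildcard entries) is not handled. The default file path is the one given in this how-to; the second argument lets the demo work on a constructed temporary file instead of the live allowlist.

```shell
# Added example (not part of solidcore-scripts): validated, idempotent append to
# the dnscrypt-proxy allowlist.

# usage: is_valid_domain NAME   -> exit 0 if NAME looks like a valid hostname
is_valid_domain() {
    d="$1"
    [ "${#d}" -le 253 ] || return 1
    # labels of 1-63 chars from [a-z0-9-], no leading/trailing '-', at least one dot
    printf '%s\n' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# usage: add_allowlisted_domain NAME [FILE]
add_allowlisted_domain() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    file="${2:-/usr/local/sbin/dnscrypt-proxy/domains-allowlist.txt}"
    if ! is_valid_domain "$domain"; then
        echo "refusing '$1': not a valid hostname" >&2
        return 2
    fi
    # -F -x: fixed-string, whole-line match, so github.com does not match api.github.com
    if [ -f "$file" ] && grep -Fxq "$domain" "$file"; then
        echo "$domain already in $file"
        return 0
    fi
    printf '%s\n' "$domain" >> "$file"
    echo "added $domain to $file"
}

# Demo against a constructed temporary file rather than the live allowlist.
demo_file=$(mktemp)
add_allowlisted_domain GitHub.com "$demo_file"
add_allowlisted_domain github.com "$demo_file"          # duplicate: skipped
add_allowlisted_domain 'not a domain!' "$demo_file" || echo "rejected as expected"
cat "$demo_file"
rm -f "$demo_file"
```

When used on the real file it needs root (for example `sudo sh -c '. ./allowlist.sh; add_allowlisted_domain github.com'`), and the change only takes effect after `sudo systemctl start dnscrypt-proxy-update` as described above.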

How to: change the DNS blocklists

The blocklists are stored in '/usr/local/sbin/dnscrypt-proxy/domains-blocklist.conf'. To edit:

sudo nano /usr/local/sbin/dnscrypt-proxy/domains-blocklist.conf

Once changes have been made to 'domains-blocklist.conf', run the following command to apply them:

sudo systemctl start dnscrypt-proxy-update

Refer to https://github.com/DNSCrypt/dnscrypt-proxy/wiki if you need further assistance.

How to: unblock bluetooth

First:

sudo sed -i 's|^install bluetooth /bin/true|#&|' /etc/modprobe.d/solidcore-blacklist.conf
sudo sed -i 's|^install btusb /bin/true|#&|' /etc/modprobe.d/solidcore-blacklist.conf
sudo modprobe bluetooth btusb
rfkill unblock bluetooth
sudo systemctl unmask bluetooth.service
sudo systemctl enable --now bluetooth.service

How to: unblock Firewire

First:

sudo sed -i 's|^install firewire-core /bin/true|#&|' /etc/modprobe.d/solidcore-blacklist.conf
sudo sed -i 's|^install ohci1394 /bin/true|#&|' /etc/modprobe.d/solidcore-blacklist.conf
sudo sed -i 's|^install sbp2 /bin/true|#&|' /etc/modprobe.d/solidcore-blacklist.conf

Then reboot. After reboot:

sudo modprobe firewire_core ohci1394 sbp2

How to: unblock Thunderbolt

sudo sed -i 's|^install thunderbolt /bin/true|#&|' /etc/modprobe.d/solidcore-blacklist.conf

Then reboot. After reboot:

sudo boltctl list

Then use:

sudo boltctl enable <domain>

... for the Thunderbolt domain you wish to enable.

How to: unblock USB

This is for those who blacklisted the USB kernel module - NOT FOR THOSE WHO INSTALLED USBGUARD. To unblock the USB modules:

sudo sed -i 's|^install usbcore /bin/true|#&|' /etc/modprobe.d/solidcore-blacklist.conf
sudo sed -i 's|^install usb_storage /bin/true|#&|' /etc/modprobe.d/solidcore-blacklist.conf
sudo modprobe usbcore usb_storage

How to: allow/unblock a USB device using USBGuard

If you notified solidcore-script that you use USB ports, it will have installed USBGuard to protect these ports. This means that all unknown USB devices will not be accessible. To whitelist devices:

usbguard list-devices
usbguard allow-device <device number>
How to: block a USB device using USBGuard

If you notified solidcore-script that you use USB ports, it will have installed USBGuard to protect these ports. This means that all unknown USB devices will not be accessible. To block a device that is currently allowed:

usbguard list-devices
usbguard block-device <device number>

How to: unblock webcam

First:

sudo sed -i 's|^install uvcvideo /bin/true|#&|' /etc/modprobe.d/solidcore-blacklist.conf
sudo modprobe uvcvideo
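The Bluetooth, Firewire, Thunderbolt, USB and webcam how-tos above all perform the same step: comment out the `install <module> /bin/true` line in the solidcore blacklist so the module can be loaded again. The function below is an added example, not code from solidcore-scripts, that does this for any list of modules in one idempotent call. It uses `|` as the sed delimiter because the replacement text `/bin/true` contains slashes, and it matches both the `-` and `_` spellings of a module name, which modprobe treats as equivalent. The file path is the one from this README; the demo runs on a constructed temporary copy, not the live file.

```shell
# Added example (not part of solidcore-scripts): re-enable blacklisted kernel
# modules by commenting out their "install ... /bin/true" lines.

# usage: unblock_modules FILE MODULE...
unblock_modules() {
    conf="$1"; shift
    for mod in "$@"; do
        # firewire-core -> firewire[-_]core so either spelling in the file matches
        pat=$(printf '%s' "$mod" | sed 's/[-_]/[-_]/g')
        if grep -q "^install ${pat} /bin/true" "$conf"; then
            # '&' re-inserts the matched line; only the leading '#' is added
            sed -i "s|^install ${pat} /bin/true|#&|" "$conf"
            echo "unblocked $mod in $conf"
        else
            echo "no active blacklist entry for $mod in $conf (already unblocked or not listed)"
        fi
    done
}

# usage: count_blocked FILE   -> number of still-active blacklist lines
count_blocked() {
    grep -Ec '^install [^ ]+ /bin/true' "$1" || true
}

# Demo on a constructed copy of a solidcore-style blacklist (not the real file).
demo_conf=$(mktemp)
printf 'install bluetooth /bin/true\ninstall btusb /bin/true\ninstall firewire-core /bin/true\n' > "$demo_conf"
echo "blocked before: $(count_blocked "$demo_conf")"
unblock_modules "$demo_conf" bluetooth btusb firewire_core
echo "blocked after:  $(count_blocked "$demo_conf")"
cat "$demo_conf"
rm -f "$demo_conf"
```

On a real system run it as root against /etc/modprobe.d/solidcore-blacklist.conf, then load the modules with `modprobe` (or reboot first, as the Firewire and Thunderbolt how-tos require). Running it twice is harmless: a line that is already commented out is simply reported as inactive.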

How to: unblock Wi-Fi

rfkill unblock wifi

How to: stop microphone being muted on login

sudo rm /etc/xdg/autostart/solidcore-mute-mic.desktop

Comments

The focus of this project is OS hardening, not changing the default Fedora software choices.

That said, some opinionated choices had to be made. These include the installation of dnscrypt-proxy, the DNS blocklists used, keeping IPv6 active and switching all Fedora project flatpaks to Flathub source flatpaks. If you don't agree with these then feel free to contact me, or download the scripts and manually undo the changes, or fork the repo and implement your own preferences.

Acknowledgements

This project is made possible by the diligent and forward-thinking work of the Fedora and RedHat developers and community. A special shout out to the CoreOS and rpm-ostree developers for their excellent work.

Many of the hardening improvements implemented by the solidcore-scripts are recommendations from these sources:

Introductory resources

If you're relatively new to the infosec (information security) world, then the following resources come recommended:

🎥 YouTube channels

🎧 Podcasts

👀 Websites & guides