This is a script to harden your Linux installation.
- Bastille is obsolete
- Not a member of CIS, so no downloading of the ready-made scripts
- For learning
- For minimizing the effort needed to tweak fresh installations
- Also for consistency
- Enables TCP wrappers
- Creates legal banners
- Disables core dumps in `/etc/security/limits.conf`
- sysctl settings hardening
  - IP stack hardening
  - Enables SAK and disables the other magic SysRq stuff
  - Restricts the use of `dmesg` by regular users
  - For the complete list, see sysctl.conf.new
- Hardens mount options (creates `/etc/fstab.new`)
  - Also, mount /proc with `hidepid=2`
- Disables the use of certain kernel modules via `modprobe`
  - Disables Firewire
- Configures shells
  - Creates an option to use restricted shell (rbash)
    - Also sets it as default for new users
  - Restricts the number of available shells (`/etc/shells`)
- Configures basic auditing based on stig.rules if audit is installed
  - NOTE: non-PAM systems (namely Slackware) don't set the `loginuid` properly, so some of the rules don't work when they have `-F auid!=4294967295`
- Enables system accounting (sysstat)
  - Sets its log retention to 99999 days (the logs are really small, so it doesn't eat up disk space)
- Configures password policies
  - Maximum age for password
  - Minimum age for password
  - Password warn age
  - Does this for existing users also
  - Note: password strength should be enforced with an applicable PAM module (such as pam_passwdqc or `pam_pwquality`)
- Reduces the amount of trusted CAs
  - Doesn't work in CentOS/RHEL
- Creates a strict `securetty`
- Sets default umask to a stricter `077`
- Sets console session timeout via `$TMOUT` (Bash)
- PAM:
  - Configures `/etc/security/namespace.conf`
  - Configures `/etc/security/access.conf`
  - Configures `/etc/security/pwquality.conf` if available
  - Requires pam_wheel in `/etc/pam.d/su`
  - Creates a secure /etc/pam.d/other
- Disables unnecessary systemd services
- Configures `sshd_config`
- Display managers:
  - Disables user lists in GDM3 & LightDM
  - Disables guest sessions in LightDM
- Configures failure limits (`faillog`)
- Creates `/etc/ftpusers`
- Restricts the use of `cron` and `at`
- Properly locks down system accounts (0 - `SYS_UID_MAX` && !root)
  - Locks the user's password
  - Sets shell to `nologin`
  - Expires the account
  - Adds the accounts to /etc/ftpusers
- Sets strict permissions on users' home directories
- Configures the default password inactivity period
- Enables AppArmor
- Sets the authorized_default to USB devices via `rc.local`
- APT:
  - Configures APT not to install suggested packages
  - Configures `SUITE` in `debsecan` (if installed)
- Creates a bunch of `pam-config`s that are toggleable with `pam-auth-update`:
  - Deter brute-force attacks with pam_tally2
  - Polyinstantiated temp directories with pam_namespace
  - `/etc/security/access.conf` access control with pam_access
  - `/etc/security/time.conf` access control with pam_time
  - Delay on authentication failure with pam_faildelay
  - Set file mode creation mask with pam_umask
  - Enable `lastlog`ging from all login methods (not just the console `login`)
  - Limit password reuse with pam_pwhistory
  - Disallow empty passwords by removing `nullok`
- PAM configuration with `authconfig`:
  - Enables `pam_faillock`
  - Configures `pwquality`
- See SLACKWARE.md.
- SSH moduli creation
- Some hardening steps utilize Lynis to verify themselves (to be improved/extended over time)
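As an added illustration (this is not harden.sh's own code), here is a dry-run rendering of the "locks down system accounts (0 - SYS_UID_MAX && !root)" step above: it reads SYS_UID_MAX from a login.defs-style file, selects the matching accounts from a passwd-format file, and prints the lock/nologin/expire/ftpusers commands instead of executing them. The 999 fallback, the `/usr/sbin/nologin` path and the sample passwd entries are assumptions or constructed data.

```shell
# Added example, not harden.sh's own code: dry-run of the
# "lock down system accounts (0 - SYS_UID_MAX && !root)" step.

# Read SYS_UID_MAX from a login.defs-style file; 999 is an assumed
# fallback (Debian's default) when the key or the file is missing.
sys_uid_max() {
  v=$(awk '$1 == "SYS_UID_MAX" { print $2 }' "${1:-/etc/login.defs}" 2>/dev/null) || v=''
  printf '%s\n' "${v:-999}"
}

# List login names with 0 <= UID <= max, excluding root, from a
# passwd-format file (field 1 = name, field 3 = UID).
system_accounts() {
  awk -F: -v max="$2" '$3 >= 0 && $3 <= max && $1 != "root" { print $1 }' "$1"
}

# Print, without running, the commands that correspond to the four
# sub-steps: lock password, nologin shell, expire account, ftpusers entry.
# /usr/sbin/nologin is an assumed path; some distros use /sbin/nologin.
lockdown_plan() {
  system_accounts "$1" "$2" | while IFS= read -r user; do
    printf 'usermod -L %s\n' "$user"
    printf 'usermod -s /usr/sbin/nologin %s\n' "$user"
    printf 'chage -E 0 %s\n' "$user"
    printf 'echo %s >> /etc/ftpusers\n' "$user"
  done
}

# Constructed sample files so the plan can be generated offline.
sample_passwd() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
  printf '%s\n' "$f"
}
sample_login_defs() {
  f=$(mktemp)
  printf 'UID_MIN 1000\nSYS_UID_MAX 999\n' > "$f"
  printf '%s\n' "$f"
}

# Usage: lockdown_plan "$(sample_passwd)" "$(sys_uid_max "$(sample_login_defs)")"
```

Note that `nobody` (UID 65534) and regular users stay untouched, exactly as the UID range in the step implies; review the printed plan before running any of it against a real host.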
The `import_pgp_keys()` function imports a bunch of PGP keys to your `trustedkeys.gpg` keyring, so you can verify downloaded files/packages with gpgv. The keys that are imported are listed in the `PGP_URLS[]` and `PGP_KEYS[]` arrays.
- Rebooting the system after running this is highly recommended, since many startup scripts are modified
- The script is quite verbose, so you might want to record it with `script`
- It is best to run this script on a fresh installation
I think it's justified and recommended to run antivirus software on all of your Linux servers. This is because, even though the server's role might not be something like a file sharing server or a mail server, a proper antivirus is able to detect much more than these "traditional" types of malware. I'm talking about rootkits, exploits, PHP shells and the like: something that a malicious user might be holding in their home dir, or maybe a PHP shell that was dropped through a vulnerable web application. If you got an early warning from antivirus software, it just might save you on that one occasion :)
So consider getting ClamAV.
After running the hardening script, the following actions still need to be performed manually:
- Set LILO/GRUB password
- Update LILO/GRUB with `lilo` || `update-grub`
- Install at least the following additional software:
- Make sure NTP is running
- Configure remote log host
- Add legit users to:
  - `/etc/porttime`
  - The `users` group
Some of these documents are quite old, but most of the stuff still applies.