From e479918bc1552d668338e8365b2ffa05f2182416 Mon Sep 17 00:00:00 2001
From: Martijn de Boer
Date: Sun, 3 Sep 2023 16:46:21 +0200
Subject: [PATCH] Update rulesets as validated by cnspec
---
 install.sh | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 65 insertions(+), 2 deletions(-)
diff --git a/install.sh b/install.sh
index cfa0b0d..2f354ba 100644
--- a/install.sh
+++ b/install.sh
@@ -78,6 +78,16 @@ echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
 echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
 echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
 echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
 echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf
 echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf
 echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf
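Review bot: The last two added lines, `net.ipv4.conf.all.secure_redirects = 0` and `net.ipv4.conf.default.secure_redirects = 0`, duplicate the two context lines visible three lines above them, so the generated sysctl file carries each key twice; drop the two added lines. Because every setting is appended with `>>`, re-running the script also accumulates duplicate entries — sysctl takes the last value, so it still works, but the file becomes hard to audit; truncating the file once at the start of the block (`: > /etc/sysctl.d/99-custom.conf`) or writing it with a single `printf` would make the step idempotent. The sysctl block continues outside the hunk, so whether `sysctl --system` is run afterwards to apply the new keys to the running kernel cannot be seen here.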
@@ -90,6 +100,9 @@ echo "net.ipv6.conf.default.router_solicitations = 0" >> /etc/sysctl.d/99-custom
 echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf
 echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf
 echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.d/99-custom.conf
+echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.d/99-custom.conf
+
 ## Network optimisation
 echo -e "\e[1;32mOptimising network settings...\e[0m"
@@ -132,7 +145,7 @@ echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf
 # Install common packages
 echo -e "\e[1;32mInstalling common packages...\e[0m"
-apt install -y debian-archive-keyring apt-transport-https curl vim git ufw openssh-server &> /dev/null
+apt install -y debian-archive-keyring apt-transport-https curl vim git ufw openssh-server auditd &> /dev/null
 # Configure SSH
 echo -e "\e[1;32mConfiguring SSH...\e[0m"
@@ -148,7 +161,13 @@ sed -i 's/#GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_con
 sed -i 's/#X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config
 sed -i 's/#AllowAgentForwarding yes/AllowAgentForwarding no/g' /etc/ssh/sshd_config
 sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
-sed -i 's/#DebianBanner yes/DebianBanner no/g' /etc/ssh/sshd_config
+
+printf '
+DebianBanner no
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+Protocol 2
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+' >> /etc/ssh/sshd_config
 if [[ $REPLY_SSH_KEYS =~ ^[Yy]$ ]]
 then
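Review bot: Adding `auditd` to the `apt install` line makes the audit-rules step in the final hunk (writing under `/etc/audit/rules.d/` and running `augenrules --load`) depend on this install succeeding, yet the exit status is still discarded behind `&> /dev/null`, so a failed or partial install only surfaces as confusing errors later. Check the status explicitly, e.g. `apt install -y ... auditd &> /dev/null || { echo "package install failed" >&2; exit 1; }`. `apt` also warns that its command-line interface is not stable for scripted use; `DEBIAN_FRONTEND=noninteractive apt-get install -y` is the conventional unattended form.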
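Review bot: The new sshd_config block is appended without a syntax check, and a typo in the `KexAlgorithms` or `Ciphers` list makes sshd refuse to start on the next restart, locking the operator out of a remote host; add `sshd -t || { echo "sshd_config invalid" >&2; exit 1; }` directly after the `printf`. `Protocol 2` only ever selected protocol 1 versus 2, protocol 1 support is long gone from sshd, and current releases log the keyword as a deprecated option, so the line can be dropped. Appending to the end of the main file also deserves a comment: directives placed after any `Match` block belong to that block, and where the distribution's sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` a drop-in there wins because sshd keeps the first value it reads — writing these lines to their own file under `sshd_config.d/` avoids both issues. As with the sysctl block, the `>>` append repeats on every run of the script.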
@@ -162,6 +181,50 @@ then
 chmod 400 /root/.ssh/authorized_keys
 fi
+# Configure audit logging
+echo -e "\e[1;32mConfiguring Audit logging...\e[0m"
+echo "ForwardToSyslog=yes" >> /etc/systemd/journald.conf
+
+printf '
+-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
+-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/log/tallylog -p wa -k logins
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S clock_settime -k time-change
+-w /etc/localtime -p wa -k time-change
+' >> /etc/audit/rules.d/50-system_local.rules
+
+printf '
+Defaults logfile="/var/log/sudo.log"
+' >> /etc/sudoers.d/log
+
+augenrules --load
+
+echo -e "\e[1;32mConfiguring permissions...\e[0m"
+chown root:root /etc/ssh/sshd_config
+chmod og-rwx /etc/ssh/sshd_config
+chown root:root /etc/passwd-
+chmod 600 /etc/passwd-
+chown root:root /etc/group-
+chmod 600 /etc/group-
+
 # Configure firewall
 echo -e "\e[1;32mConfiguring firewall...\e[0m"
 ufw default deny incoming
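Review bot: The `printf ... >> /etc/sudoers.d/log` write creates a sudoers fragment without validating it or setting its mode, and a syntax error in any file under `/etc/sudoers.d/` disables sudo for every user on the host; follow the write with `chmod 0440 /etc/sudoers.d/log` and `visudo -cf /etc/sudoers.d/log || exit 1`. `echo "ForwardToSyslog=yes" >> /etc/systemd/journald.conf` relies on the appended line landing inside the `[Journal]` section of the existing file and never restarts journald; a drop-in under `/etc/systemd/journald.conf.d/` with its own `[Journal]` header followed by `systemctl restart systemd-journald` is more robust, and the setting only has an effect if a syslog daemon is installed, which this hunk does not show. `/etc/passwd-` and `/etc/group-` are backup copies that exist only once the account files have been rewritten by tools such as `useradd` or `vipw`, so the `chown`/`chmod` pairs on them can fail on a pristine system; guard each with `[[ -e /etc/passwd- ]] &&` (and likewise for `/etc/group-`).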