Update rulesets as validated by cnspec

Martijn de Boer 2023-09-03 16:46:21 +02:00
parent d248da157e
commit e479918bc1


@ -78,6 +78,16 @@ echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf
@ -90,6 +100,9 @@ echo "net.ipv6.conf.default.router_solicitations = 0" >> /etc/sysctl.d/99-custom
echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.d/99-custom.conf
## Network optimisation ## Network optimisation
echo -e "\e[1;32mOptimising network settings...\e[0m" echo -e "\e[1;32mOptimising network settings...\e[0m"
@ -132,7 +145,7 @@ echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf
# Install common packages # Install common packages
echo -e "\e[1;32mInstalling common packages...\e[0m" echo -e "\e[1;32mInstalling common packages...\e[0m"
apt install -y debian-archive-keyring apt-transport-https curl vim git ufw openssh-server &> /dev/null apt install -y debian-archive-keyring apt-transport-https curl vim git ufw openssh-server auditd &> /dev/null
# Configure SSH # Configure SSH
echo -e "\e[1;32mConfiguring SSH...\e[0m" echo -e "\e[1;32mConfiguring SSH...\e[0m"
@ -148,7 +161,13 @@ sed -i 's/#GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_con
sed -i 's/#X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config sed -i 's/#X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/#AllowAgentForwarding yes/AllowAgentForwarding no/g' /etc/ssh/sshd_config sed -i 's/#AllowAgentForwarding yes/AllowAgentForwarding no/g' /etc/ssh/sshd_config
sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
sed -i 's/#DebianBanner yes/DebianBanner no/g' /etc/ssh/sshd_config
printf '
DebianBanner no
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Protocol 2
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
' >> /etc/ssh/sshd_config
if [[ $REPLY_SSH_KEYS =~ ^[Yy]$ ]] if [[ $REPLY_SSH_KEYS =~ ^[Yy]$ ]]
then then
@ -162,6 +181,50 @@ then
chmod 400 /root/.ssh/authorized_keys chmod 400 /root/.ssh/authorized_keys
fi fi
# Configure audit logging
echo -e "\e[1;32mConfiguring Audit logging...\e[0m"
echo "ForwardToSyslog=yes" >> /etc/systemd/journald.conf
printf '
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
' >> /etc/audit/rules.d/50-system_local.rules
printf '
Defaults logfile="/var/log/sudo.log"
' >> /etc/sudoers.d/log
augenrules --load
echo -e "\e[1;32mConfiguring permissions...\e[0m"
chown root:root /etc/ssh/sshd_config
chmod og-rwx /etc/ssh/sshd_config
chown root:root /etc/passwd-
chmod 600 /etc/passwd-
chown root:root /etc/group-
chmod 600 /etc/group-
# Configure firewall # Configure firewall
echo -e "\e[1;32mConfiguring firewall...\e[0m" echo -e "\e[1;32mConfiguring firewall...\e[0m"
ufw default deny incoming ufw default deny incoming
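Review bot: The sudoers drop-in written by the `printf ... >> /etc/sudoers.d/log` lines is created with the shell's default umask (typically 0644), and sudo rejects sudoers.d files that are not mode 0440, so the `Defaults logfile` line will be reported as a mode error rather than applied; the permissions block a few lines below fixes sshd_config and passwd- but never touches this file. Write it with `>` instead of `>>` (a re-run otherwise appends a duplicate `Defaults`), then `chmod 0440 /etc/sudoers.d/log` and validate with `visudo -cf /etc/sudoers.d/log` before moving on. The same append pattern affects `/etc/audit/rules.d/50-system_local.rules` and `/etc/systemd/journald.conf`, which grow duplicate entries on every run; as far as this hunk shows nothing restarts systemd-journald after `ForwardToSyslog=yes` is added, so that setting presumably only takes effect at the next boot — confirm against the rest of the script. A `[Journal]`-headed drop-in under `/etc/systemd/journald.conf.d/` would avoid both the duplication and the dependence on the stock file's section layout.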