Update rulesets as validated by cnspec
parent
d248da157e
commit
e479918bc1
1 changed files with 65 additions and 2 deletions
67
install.sh
67
install.sh
|
@ -78,6 +78,16 @@ echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
|||
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv6.conf.default.dad_transmits = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv6.conf.default.max_addresses = 1" >> /etc/sysctl.d/99-custom.conf
|
||||
|
@ -90,6 +100,9 @@ echo "net.ipv6.conf.default.router_solicitations = 0" >> /etc/sysctl.d/99-custom
|
|||
echo "net.ipv6.conf.default.accept_ra_rtr_pref = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv6.conf.default.accept_ra_pinfo = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv6.conf.default.accept_ra_defrtr = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.d/99-custom.conf
|
||||
|
||||
|
||||
## Network optimisation
|
||||
echo -e "\e[1;32mOptimising network settings...\e[0m"
|
||||
|
@ -132,7 +145,7 @@ echo "* soft nproc 64000" >> /etc/security/limits.d/99-custom.conf
|
|||
|
||||
# Install common packages
|
||||
echo -e "\e[1;32mInstalling common packages...\e[0m"
|
||||
apt install -y debian-archive-keyring apt-transport-https curl vim git ufw openssh-server &> /dev/null
|
||||
apt install -y debian-archive-keyring apt-transport-https curl vim git ufw openssh-server auditd &> /dev/null
|
||||
|
||||
# Configure SSH
|
||||
echo -e "\e[1;32mConfiguring SSH...\e[0m"
|
||||
|
@ -148,7 +161,13 @@ sed -i 's/#GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_con
|
|||
sed -i 's/#X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config
|
||||
sed -i 's/#AllowAgentForwarding yes/AllowAgentForwarding no/g' /etc/ssh/sshd_config
|
||||
sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
|
||||
sed -i 's/#DebianBanner yes/DebianBanner no/g' /etc/ssh/sshd_config
|
||||
|
||||
printf '
|
||||
DebianBanner no
|
||||
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||
Protocol 2
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
' >> /etc/ssh/sshd_config
|
||||
|
||||
if [[ $REPLY_SSH_KEYS =~ ^[Yy]$ ]]
|
||||
then
|
||||
|
@ -162,6 +181,50 @@ then
|
|||
chmod 400 /root/.ssh/authorized_keys
|
||||
fi
|
||||
|
||||
# Configure audit logging
|
||||
echo -e "\e[1;32mConfiguring Audit logging...\e[0m"
|
||||
echo "ForwardToSyslog=yes" >> /etc/systemd/journald.conf
|
||||
|
||||
printf '
|
||||
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
|
||||
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
|
||||
-w /etc/issue -p wa -k system-locale
|
||||
-w /etc/issue.net -p wa -k system-locale
|
||||
-w /etc/hosts -p wa -k system-locale
|
||||
-w /var/run/utmp -p wa -k session
|
||||
-w /var/log/wtmp -p wa -k session
|
||||
-w /var/log/btmp -p wa -k session
|
||||
-w /etc/sudoers -p wa -k scope
|
||||
-w /etc/sudoers.d/ -p wa -k scope
|
||||
-w /etc/group -p wa -k identity
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-w /etc/gshadow -p wa -k identity
|
||||
-w /etc/shadow -p wa -k identity
|
||||
-w /etc/security/opasswd -p wa -k identity
|
||||
-w /var/log/faillog -p wa -k logins
|
||||
-w /var/log/lastlog -p wa -k logins
|
||||
-w /var/log/tallylog -p wa -k logins
|
||||
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
|
||||
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
|
||||
-a always,exit -F arch=b64 -S clock_settime -k time-change
|
||||
-a always,exit -F arch=b32 -S clock_settime -k time-change
|
||||
-w /etc/localtime -p wa -k time-change
|
||||
' >> /etc/audit/rules.d/50-system_local.rules
|
||||
|
||||
printf '
|
||||
Defaults logfile="/var/log/sudo.log"
|
||||
' >> /etc/sudoers.d/log
|
||||
|
||||
augenrules --load
|
||||
|
||||
echo -e "\e[1;32mConfiguring permissions...\e[0m"
|
||||
chown root:root /etc/ssh/sshd_config
|
||||
chmod og-rwx /etc/ssh/sshd_config
|
||||
chown root:root /etc/passwd-
|
||||
chmod 600 /etc/passwd-
|
||||
chown root:root /etc/group-
|
||||
chmod 600 /etc/group-
|
||||
|
||||
# Configure firewall
|
||||
echo -e "\e[1;32mConfiguring firewall...\e[0m"
|
||||
ufw default deny incoming
|
||||
|
|
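Review bot: The sudoers drop-in written in the last hunk (`printf '…' >> /etc/sudoers.d/log`) is created with whatever mode the root umask yields and is never validated, and sudo refuses sudoers.d fragments whose mode is more permissive than 0440 or that fail to parse, so a bad write here can lock sudo out for every user on the host; the hunk also sets ownership and mode for sshd_config and the passwd-/group- backups but not for this file. After the printf add `chmod 0440 /etc/sudoers.d/log` and `visudo -cf /etc/sudoers.d/log || exit 1` so the fragment is checked before it is ever consulted. The same `>>` pattern means a re-run appends every rule a second time; the sysctl hunk already shows this, with `net.ipv4.conf.all.secure_redirects` and `net.ipv4.conf.default.secure_redirects` present twice in the new file, so a `grep -q` guard or a generated file written with `>` would make the script safe to run more than once. `augenrules --load` likewise runs with its status ignored, which hides a rules syntax error until the next audit review; `augenrules --load || exit 1` surfaces it at install time.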