Created
September 25, 2018 21:42
-
-
Save therandomsecurityguy/28f257269bef8b1985fd7090a63dfe29 to your computer and use it in GitHub Desktop.
Ubuntu 16.04 hardening script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Title: Ubuntu 16.04 Hardening | |
| # | |
| # DESCRIPTION: MODIFY / CHANGE / UPDATE / CONFIGURE | |
| # | |
| # Patching and Software Updates | |
| apt-get -y update | |
| apt-get -y upgrade | |
| # | |
| # File System Configuration | |
| # Bind Mount the /var/tmp directory to /tmp | |
| echo -e "/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0" >> /etc/fstab | |
| # | |
| # Set Sticky Bit on All World-Writable Directories | |
| df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t | |
| # | |
| # Disable mounting of following filesystems | |
| cat >> /etc/modprobe.d/filesystems-blacklist.conf << EOF | |
| install cramfs /bin/true | |
| install freevxfs /bin/true | |
| install jffs2 /bin/true | |
| install hfs /bin/true | |
| install hfsplus /bin/true | |
| install squashfs /bin/true | |
| install udf /bin/true | |
| EOF | |
| # | |
| # Disable automounting | |
| /usr/bin/apt-get -y install gconf2 | |
| /usr/bin/gconftool-2 --type bool --set /apps/nautilus/preferences/media_automount False | |
| /usr/bin/gconftool-2 --type bool --set /apps/nautilus/preferences/media_automount_open False | |
| # | |
| # Secure Boot Settings | |
| /bin/chown root:root /boot/grub/grub.cfg | |
| /bin/chmod 600 /boot/grub/grub.cfg | |
| # | |
| # Require authentication for single-user mode by setting password for root | |
| #/usr/bin/passwd root | |
| # | |
| # Additional Process Hardening | |
| echo "* hard core 0" >> /etc/security/limits.conf | |
| echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf | |
| echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf | |
| # | |
| # Uninstall apport and whoopsie packages | |
| apt-get -y purge apport | |
| apt-get -y purge whoopsie | |
| # | |
| # Disable prelink | |
| /usr/sbin/prelink -ua | |
| apt-get -y purge prelink | |
| # | |
| # Activate AppArmor | |
| apt-get -y install apparmor apparmor-utils | |
| /usr/sbin/aa-enforce /etc/apparmor.d/* | |
| # | |
| # OS Services | |
| # Uninstall NIS | |
| apt-get -y purge nis | |
| # | |
| # Uninstall rsh client and server | |
| apt-get -y purge rsh-server | |
| apt-get -y purge rsh-client rsh-reload-client | |
| # | |
| # Uninstall talk client and server | |
| apt-get -y purge talk | |
| apt-get -y purge talkd | |
| # | |
| # Uninstall telnet server | |
| apt-get -y purge telnetd | |
| # | |
| # Uninstall tftp server | |
| apt-get -y purge tftpd | |
| # | |
| # Uninstall xinetd | |
| apt-get -y purge xinetd | |
| # | |
| # Special Purpose Services | |
| # Uninstall X windows | |
| apt-get -y purge xserver-xorg-core* | |
| # | |
| # Uninstall avahi server | |
| apt-get -y purge avahi-daemon | |
| # | |
| # Uninstall biosdevname | |
| apt-get -y purge biosdevname | |
| # | |
| # Uninstall cups | |
| apt-get -y purge cups | |
| # | |
| # Uninstall dhcp server | |
| apt-get -y purge isc-dhcp-server isc-dhcp-server6 | |
| # | |
| # Uninstall ldap | |
| #apt-get -y purge slapd | |
| # | |
| # Uninstall NFS and RPC | |
| apt-get -y purge nfs-kernel-server rpcbind | |
| # | |
| # Uninstall DNS | |
| apt-get -y purge bind9 | |
| # | |
| # Uninstall FTP | |
| apt-get -y purge vsftpd | |
| # | |
| # Uninstall HTTP | |
| apt-get -y purge apache2 | |
| # | |
| # Uninstall HTTP proxy | |
| apt-get -y purge squid | |
| # | |
| # Uninstall IMAP and POP server | |
| apt-get -y purge dovecot | |
| # | |
| # Disable Rsync service | |
| sed -i -e 's/^\(RSYNC_ENABLE=\).*/\1false/' /etc/default/rsync | |
| # | |
| # Uninstall Samba | |
| apt-get -y purge samba | |
| apt-get -y purge samba-\* | |
| # | |
| # Uninstall SNMP | |
| apt-get -y purge snmp | |
| # | |
| # Configure NTP | |
| apt-get -y install ntp | |
| #echo "restrict -4 default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf | |
| #echo "restrict -6 default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf | |
| # | |
| # Configure MTA | |
| export DEBIAN_FRONTEND=noninteractive | |
| apt-get -y install postfix | |
| sed -i -e 's/^\(inet_interfaces\).*/\1 = localhost/' /etc/postfix/main.cf | |
| service postfix restart | |
| # | |
| # Network Configuration and Firewalls | |
| # Set Network Configuration and Firewalls | |
| cat >> /etc/sysctl.conf << EOF | |
| net.ipv4.ip_forward = 0 | |
| net.ipv4.conf.all.send_redirects = 0 | |
| net.ipv4.conf.default.send_redirects = 0 | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| net.ipv4.conf.all.secure_redirects = 0 | |
| net.ipv4.conf.default.secure_redirects = 0 | |
| net.ipv4.conf.all.log_martians = 1 | |
| net.ipv4.conf.default.log_martians = 1 | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| net.ipv4.icmp_ignore_bogus_error_responses = 1 | |
| net.ipv4.conf.all.rp_filter = 1 | |
| net.ipv4.conf.default.rp_filter = 1 | |
| net.ipv4.tcp_syncookies = 1 | |
| EOF | |
| # | |
| # Configure ipv6 | |
| cat >> /etc/sysctl.conf << EOF | |
| net.ipv6.conf.all.accept_ra = 0 | |
| net.ipv6.conf.default.accept_ra = 0 | |
| net.ipv6.conf.all.accept_redirects = 0 | |
| net.ipv6.conf.default.accept_redirects = 0 | |
| net.ipv6.conf.all.disable_ipv6 = 1 | |
| net.ipv6.conf.default.disable_ipv6 = 1 | |
| net.ipv6.conf.lo.disable_ipv6 = 1 | |
| EOF | |
| # | |
| # Install TCP Wrappers | |
| apt-get -y install tcpd | |
| if [ ! -e /etc/hosts.allow ];then | |
| touch /etc/hosts.allow | |
| fi | |
| if [ ! -e /etc/hosts.deny ];then | |
| touch /etc/hosts.deny | |
| fi | |
| /bin/chmod 644 /etc/hosts.allow | |
| /bin/chmod 644 /etc/hosts.deny | |
| # | |
| # Disable Network Protocols | |
| cat >> /etc/modprobe.d/usgcb-blacklist.conf << EOF | |
| install dccp /bin/true | |
| install sctp /bin/true | |
| install tipc /bin/true | |
| install rds /bin/true | |
| EOF | |
| # | |
| # Deactivate wireless interfaces | |
| #apt-get -y install network-manager | |
| #/usr/bin/nmcli nm wifi off | |
| # | |
| # Enable host-based Firewall | |
| #echo 'y' | /usr/sbin/ufw enable --stdin | |
| # | |
| # Logging and Auditing | |
| # Ensure rsyslog is running | |
| service rsyslog start | |
| # | |
| # Edit /etc/rsyslog.conf settings | |
| cat >> /etc/rsyslog.conf << EOF | |
| authpriv.* /var/log/secure | |
| auth user.* /var/log/messages | |
| kern.* /var/log/kern.log | |
| daemon.* /var/log/daemon.log | |
| syslog.* /var/log/syslog | |
| lpr,news,uucp.* /var/log/unused.log | |
| EOF | |
| # | |
| # Add logrotate for unused.log | |
| cat >> /etc/logrotate.d/unused-log << EOF | |
| /var/log/unused.log { | |
| rotate 3 | |
| maxage 5 | |
| copytruncate | |
| daily | |
| missingok | |
| notifempty | |
| compress | |
| size 100M | |
| delaycompress | |
| su root root | |
| } | |
| EOF | |
| # | |
| # Set permissions | |
| /bin/chmod 600 /var/log/boot.log* | |
| /bin/chmod 600 /var/log/cron* | |
| /bin/chmod 644 /var/log/dmesg | |
| /bin/chmod 600 /var/log/maillog* | |
| /bin/chmod 600 /var/log/messages* | |
| /bin/chmod 750 /var/log/news/* | |
| /bin/chmod 600 /var/log/secure* | |
| /bin/chmod 600 /var/log/spooler* | |
| /bin/chmod 750 /var/log/squid/* | |
| /bin/chmod 750 /var/log/vbox/* | |
| /bin/chmod 664 /var/log/wtmp | |
| #/bin/chown -R root:root /var/log | |
| /bin/chgrp utmp /var/log/wtmp | |
| /bin/chown -R news:news /var/log/news | |
| # | |
| # Ensure auditd is running | |
| apt-get -y install auditd | |
| service auditd start | |
| # | |
| # Edit /etc/audit/auditd.conf | |
| sed -i -e 's/^\(num_logs =\).*/\1 3/' /etc/audit/auditd.conf | |
| sed -i -e 's/^\(max_log_file =\).*/\1 5/' /etc/audit/auditd.conf | |
| sed -i -e 's/^\(space_left_action\).*/\1 = suspend/' /etc/audit/auditd.conf | |
| sed -i -e 's/^\(action_mail_acct\).*/\1 = root/' /etc/audit/auditd.conf | |
| sed -i -e 's/^\(admin_space_left_action\).*/\1 = suspend/' /etc/audit/auditd.conf | |
| sed -i -e 's/^\(max_log_file_action\).*/\1 = rotate/' /etc/audit/auditd.conf | |
| # | |
| # Edit /etc/default/grub | |
| sed -i -e 's/^\(GRUB_CMDLINE_LINUX\)="\(.*\)"/\1="\2 audit=1"/' /etc/default/grub | |
| # | |
| # Edit /etc/audit/audit.rules | |
| cat >> /etc/audit/audit.rules << EOF | |
| -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | |
| -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | |
| -a always,exit -F arch=b64 -S clock_settime -k time-change | |
| -a always,exit -F arch=b32 -S clock_settime -k time-change | |
| -w /etc/localtime -p wa -k time-change | |
| -w /etc/group -p wa -k identity | |
| -w /etc/passwd -p wa -k identity | |
| -w /etc/gshadow -p wa -k identity | |
| -w /etc/shadow -p wa -k identity | |
| -w /etc/security/opasswd -p wa -k identity | |
| -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale | |
| -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale | |
| -w /etc/issue -p wa -k system-locale | |
| -w /etc/issue.net -p wa -k system-locale | |
| -w /etc/hosts -p wa -k system-locale | |
| -w /etc/network -p wa -k system-locale | |
| -w /etc/selinux/ -p wa -k MAC-policy | |
| -w /var/log/faillog -p wa -k logins | |
| -w /var/log/lastlog -p wa -k logins | |
| -w /var/log/tallylog -p wa -k logins | |
| -w /var/run/utmp -p wa -k session | |
| -w /var/log/wtmp -p wa -k session | |
| -w /var/log/btmp -p wa -k session | |
| -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod | |
| -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access | |
| -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access | |
| -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access | |
| -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access | |
| -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts | |
| -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts | |
| -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete | |
| -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete | |
| -w /etc/sudoers -p wa -k scope | |
| -w /var/log/sudo.log -p wa -k actions | |
| -w /sbin/insmod -p x -k modules | |
| -w /sbin/rmmod -p x -k modules | |
| -w /sbin/modprobe -p x -k modules | |
| -a always,exit -F arch=b64 -S init_module -S delete_module -k modules | |
| -e 2 | |
| EOF | |
| # | |
| # Configure Cron | |
| /bin/chown root:root /etc/crontab | |
| /bin/chmod 400 /etc/crontab | |
| /bin/chown –R root:root /var/spool/cron | |
| /bin/chmod –R go-rwx /var/spool/cron | |
| /bin/chown root:root /etc/cron.hourly | |
| /bin/chmod 400 /etc/cron.hourly | |
| /bin/chown root:root /etc/cron.daily | |
| /bin/chmod 400 /etc/cron.daily | |
| /bin/chown root:root /etc/cron.weekly | |
| /bin/chmod 400 /etc/cron.weekly | |
| /bin/chown root:root /etc/cron.monthly | |
| /bin/chmod 400 /etc/cron.monthly | |
| /bin/chown root:root /etc/cron.d | |
| /bin/chmod 400 /etc/cron.d | |
| # | |
| # Restrict at/cron to Authorized Users | |
| /bin/rm -f /etc/cron.deny | |
| /bin/rm -f /etc/at.deny | |
| touch /etc/cron.allow | |
| touch /etc/at.allow | |
| /bin/chmod og-rwx /etc/cron.allow | |
| /bin/chmod og-rwx /etc/at.allow | |
| /bin/chown root:root /etc/cron.allow | |
| /bin/chown root:root /etc/at.allow | |
| # | |
| # Configure PAM | |
| echo "password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1" >> /etc/pam.d/common-password | |
| echo "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" >> /etc/pam.d/login | |
| echo "password sufficient pam_unix.so use_authtok remember=5" >> /etc/pam.d/common-password | |
| # | |
| # Configure SSH | |
| sed -i -e 's/^#Protocol 2/Protocol 2/' /etc/ssh/sshd_config | |
| sed -i -e 's/^#LogLevel INFO/LogLevel INFO/' /etc/ssh/sshd_config | |
| sed -i -e 's/^X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config | |
| echo "MaxAuthTries 4" >> /etc/ssh/sshd_config | |
| sed -i -e 's/^#IgnoreRhosts yes/IgnoreRhosts yes/' /etc/ssh/sshd_config | |
| echo "RhostsAuthentication no" >> /etc/ssh/sshd_config | |
| sed -i -e 's/^\(RhostsRSAAuthentication\).*/\1 no/' /etc/ssh/sshd_config | |
| sed -i -e 's/^#HostbasedAuthentication no/HostbasedAuthentication no/' /etc/ssh/sshd_config | |
| sed -i -e 's/^\(PermitRootLogin\).*/\1 without-password/' /etc/ssh/sshd_config | |
| sed -i -e 's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config | |
| echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config | |
| echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config | |
| echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config | |
| echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config | |
| #echo "Banner - \"Banner\"" >> /etc/ssh/sshd_config | |
| /bin/chown root:sys /etc/ssh/sshd_config | |
| /bin/chmod 600 /etc/ssh/sshd_config | |
| # | |
| # User Accounts and Environment | |
| # Set default umask (we got an exception to change it to 022) | |
| sed -i "/UMASK/s/[0-9]\{3\}/022/" /etc/login.defs | |
| sed -i -e 's/^\(PASS_MAX_DAYS\).*/\1 90/' /etc/login.defs | |
| sed -i -e 's/^\(PASS_MIN_DAYS\).*/\1 7/' /etc/login.defs | |
| sed -i -e 's/^\(PASS_WARN_AGE\).*/\1 7/' /etc/login.defs | |
| for user in `awk -F: '($3 < 500) {print $1 }' /etc/passwd`; do | |
| if [ $user != "root" ]; then | |
| /usr/sbin/usermod -L $user | |
| if [ $user != "sync" ] && [ $user != "shutdown" ] && [ $user != "halt" ]; then | |
| /usr/sbin/usermod -s /usr/sbin/nologin $user | |
| fi | |
| fi | |
| done | |
| /usr/sbin/usermod -g 0 root | |
| /usr/sbin/useradd -D -f 60 | |
| # | |
| # Warning Banners | |
| # | |
| # Verify System File Permisstions | |
| /bin/chmod 644 /etc/passwd | |
| /bin/chown root:root /etc/passwd | |
| /bin/chmod 400 /etc/shadow | |
| /bin/chown root:shadow /etc/shadow | |
| /bin/chmod 644 /etc/group | |
| /bin/chown root:root /etc/group | |
| # | |
| # Review User and Group Settings | |
| find / -name .rhosts -exec rm -f {} \; | |
| find / -name .netrc -exec rm -f {} \; | |
| find / -name .forward -exec rm -f {} \; | |
| # | |
| # Additional Configuration Settings | |
| /usr/sbin/dpkg-statoverride --update --add root admin 4750 /bin/su | |
| # | |
| # Install ipset | |
| apt-get -y install ipset |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment