Ubuntu Hardening
#!/bin/bash
# ===================================
# ########## Bash Colours ###########
# ===================================
# ANSI escape strings for the echo -e banners below; readonly so a later
# assignment cannot silently change the colour scheme mid-run.
readonly NC='\033[31;0m'     # reset colours and formatting
readonly RED='\033[0;31;1m'  # bold red
readonly GRE='\033[0;32;1m'  # bold green
readonly YEL='\033[0;33;1m'  # bold yellow
readonly BLU='\033[0;34;1m'  # bold blue
readonly PUR='\033[0;35;1m'  # bold purple
readonly CYA='\033[0;36;1m'  # bold cyan
readonly GRA='\033[0;37;1m'  # bold gray
# ===================================
# ######## Require root user ########
# ===================================
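# Abort unless running with an effective uid of 0. EUID (not UID) is the
# identity that decides whether the writes to /etc below will succeed; the
# diagnostic goes to stderr so it is not lost when stdout is captured.
if (( EUID != 0 )); then
  echo -e "${RED}This script needs to be run as root (with sudo).${NC}" >&2
  exit 1
fi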
# ===================================
# ############ Harden OS ############
# ===================================
# Timestamp appended to every backup copy this script makes; fixed once per run
# so all backups of a run share the same suffix.
readonly BACKUP_SUFFIX="$(date '+%Y-%m-%d_%H-%M-%S')"
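echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Updating System${NC}"
echo -e "${YEL}===================================${NC}"
# apt-get is the stable scripting front end (apt warns about its unstable CLI
# when not run from a terminal). DEBIAN_FRONTEND=noninteractive keeps dpkg
# configuration prompts from stalling an unattended run; it is passed via env
# because sudo resets the environment by default.
apt_get() {
  sudo env DEBIAN_FRONTEND=noninteractive apt-get "$@"
}
apt_get update || echo -e "${RED}apt-get update failed; continuing with cached package lists${NC}" >&2
# full-upgrade is the same operation as dist-upgrade, so one call replaces the
# original upgrade/dist-upgrade/full-upgrade trio.
apt_get -y full-upgrade
apt_get -y autoremove
apt_get -y autoclean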
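echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Securing SSH${NC}"
echo -e "${YEL}===================================${NC}"
SSHD_CONFIG=/etc/ssh/sshd_config
SSHD_BACKUP="${SSHD_CONFIG}_backup-${BACKUP_SUFFIX}"
sudo cp -p "$SSHD_CONFIG" "$SSHD_BACKUP"
#######################################
# Set one sshd_config directive globally.
# Arguments: $1 - directive name, $2 - value
# Rewrites every line (active or commented out) that sets the directive; if none
# exists the directive is added, before the first active "Match" block when there
# is one (lines after a Match apply only to that block), otherwise at the end.
# The original ".*KEY.*" substitution left an absent directive at its
# compiled-in default without any indication.
#######################################
set_sshd_option() {
  local key=$1 value=$2
  local pattern="^[[:space:]]*#?[[:space:]]*${key}[[:space:]]"
  if sudo grep -qE "$pattern" "$SSHD_CONFIG"; then
    sudo sed -i -E "s@${pattern}.*@${key} ${value}@" "$SSHD_CONFIG"
  elif sudo grep -qE '^[[:space:]]*Match[[:space:]]' "$SSHD_CONFIG"; then
    sudo sed -i -E "0,/^[[:space:]]*Match[[:space:]]/s@^[[:space:]]*Match[[:space:]]@${key} ${value}\n&@" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" | sudo tee -a "$SSHD_CONFIG" >/dev/null
  fi
}
set_sshd_option PermitRootLogin no
set_sshd_option PermitEmptyPasswords no
set_sshd_option MaxAuthTries 3
set_sshd_option LoginGraceTime 20
set_sshd_option ClientAliveInterval 300
# OpenSSH 8.2+ treats ClientAliveCountMax 0 as "never disconnect", which
# defeats the idle timeout this pair of settings is meant to provide; 1 drops
# a session after one unanswered keepalive (~300 s idle).
set_sshd_option ClientAliveCountMax 1
set_sshd_option X11Forwarding no
set_sshd_option Banner /etc/issue.net
echo -e "${GRE}See changes made to /etc/ssh/sshd_config${NC}"
sudo diff "$SSHD_CONFIG" "$SSHD_BACKUP"
# Never restart sshd on an unvalidated config: a syntax error would leave the
# host without SSH, which is fatal on a remote machine. Restore the backup instead.
if sudo sshd -t; then
  sudo systemctl restart sshd
  # Recent Ubuntu Includes /etc/ssh/sshd_config.d/*.conf ahead of these lines
  # and sshd keeps the first value it reads, so a drop-in can override the edit;
  # print the effective values rather than trusting the file change.
  sudo sshd -T 2>/dev/null | grep -iE '^(permitrootlogin|permitemptypasswords|maxauthtries|logingracetime|clientalive|x11forwarding|banner)'
else
  echo -e "${RED}sshd_config failed validation; restoring ${SSHD_BACKUP} and leaving sshd untouched${NC}" >&2
  sudo cp -p "$SSHD_BACKUP" "$SSHD_CONFIG"
fi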
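echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Installing libpam-pwquality${NC}"
echo -e "${YEL}===================================${NC}"
# On Ubuntu the package hooks pam_pwquality into /etc/pam.d/common-password with
# the module's stock defaults; the actual policy (minlen, character classes,
# dictionary check) lives in /etc/security/pwquality.conf, which this script
# does not touch, so installation alone enforces very little.
sudo apt-get install -y libpam-pwquality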
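echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Preventing standard users from executing su${NC}"
echo -e "${YEL}===================================${NC}"
# root:adm 4750 keeps su setuid but executable only by root and group adm
# (Ubuntu's initial admin account is in adm); everyone else gets
# "Permission denied". --add refuses to replace an existing override, so drop
# a stale one first to keep the script re-runnable.
if sudo dpkg-statoverride --list | grep -q ' /bin/su$'; then
  sudo dpkg-statoverride --remove /bin/su
fi
sudo dpkg-statoverride --update --add root adm 4750 /bin/su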
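echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Disabling shell access for new users${NC}"
echo -e "${YEL}===================================${NC}"
# Both edits below only rewrite an existing SHELL=/DSHELL= line; a file without
# one is left unchanged. Accounts created afterwards with useradd/adduser get
# /usr/sbin/nologin unless -s is given explicitly, so interactive users must be
# created with a shell on purpose.
# Note: `sed -ie` is `-i` with backup suffix "e" (it leaves useradde /
# adduser.confe behind), not `-i -e`.
sudo cp -p /etc/default/useradd "/etc/default/useradd_backup-${BACKUP_SUFFIX}"
sudo sed -i -e '/^SHELL=/ s|=.*|=/usr/sbin/nologin|' /etc/default/useradd
echo -e "${GRE}See changes made to /etc/default/useradd${NC}"
sudo diff /etc/default/useradd "/etc/default/useradd_backup-${BACKUP_SUFFIX}"
sudo cp -p /etc/adduser.conf "/etc/adduser.conf_backup-${BACKUP_SUFFIX}"
sudo sed -i -e '/^DSHELL=/ s|=.*|=/usr/sbin/nologin|' /etc/adduser.conf
echo -e "${GRE}See changes made to /etc/adduser.conf${NC}"
sudo diff /etc/adduser.conf "/etc/adduser.conf_backup-${BACKUP_SUFFIX}"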
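echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Protecting home directories${NC}"
echo -e "${YEL}===================================${NC}"
ADDUSER_BACKUP="/etc/adduser.conf_backup-${BACKUP_SUFFIX}"
# The previous step already backs up adduser.conf under this run's suffix;
# copying again here overwrote that pristine copy, so the diff below only ever
# showed the DIR_MODE change. Keep the first backup when it exists.
if [[ ! -e "$ADDUSER_BACKUP" ]]; then
  sudo cp -p /etc/adduser.conf "$ADDUSER_BACKUP"
fi
# Applies to homes created by adduser from now on; existing directories under
# /home keep their current mode. useradd reads HOME_MODE/UMASK from
# /etc/login.defs instead (the commented-out block below would cover that).
sudo sed -i -e '/^DIR_MODE=/ s/=[0-9]*/=0700/' /etc/adduser.conf
echo -e "${GRE}See changes made to /etc/adduser.conf${NC}"
sudo diff /etc/adduser.conf "$ADDUSER_BACKUP"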
#sudo cp /etc/login.defs /etc/login.defs_backup-$BACKUP_SUFFIX
#sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
#echo -e "${GRE}See changes made to /etc/login.defs${NC}"
#sudo diff /etc/login.defs /etc/login.defs_backup-$BACKUP_SUFFIX
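echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Disabling error reporting services${NC}"
echo -e "${YEL}===================================${NC}"
# whoopsie is only installed on desktop images; skip units that do not exist
# instead of printing a systemd error for each of them.
for unit in apport.service whoopsie.service; do
  if ! systemctl cat "$unit" >/dev/null 2>&1; then
    echo -e "${YEL}${unit} not installed; skipping${NC}"
    continue
  fi
  sudo systemctl stop "$unit"
  sudo systemctl disable "$unit"
  # mask links the unit to /dev/null so no dependency can start it again
  sudo systemctl mask "$unit"
done
echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Disabling apport (error reporting)${NC}"
echo -e "${YEL}===================================${NC}"
# `sed -ie` is `-i` with backup suffix "e" (it leaves /etc/default/apporte
# behind), not `-i -e`. Guard on the file so a missing package is not an error.
for cfg in /etc/default/apport /etc/default/whoopsie; do
  if [[ -f "$cfg" ]]; then
    sudo sed -i -e '/^enabled=1$/ s/1/0/' "$cfg"
  fi
done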
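echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Fixing some permissions in /var that are writable and executable by the standard user${NC}"
echo -e "${YEL}===================================${NC}"
# /var/metrics is not present on every install; only touch what exists.
for dir in /var/crash /var/metrics; do
  if [[ -d "$dir" ]]; then
    sudo chmod o-w "$dir"
  fi
done
# NOTE(review): /var/tmp is specified as a world-writable sticky directory
# (1777); removing o-w breaks programs that rely on it. The fstab step below
# bind-mounts the noexec,nosuid,nodev /tmp over /var/tmp, which removes the
# exec risk without breaking writes — consider dropping this chmod.
sudo chmod o-w /var/tmp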
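echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Updating fstab - mount /home /tmp /run/shm with special permissions${NC}"
echo -e "${YEL}===================================${NC}"
FSTAB_BACKUP="/etc/fstab_backup-${BACKUP_SUFFIX}"
sudo cp -p /etc/fstab "$FSTAB_BACKUP"
#######################################
# Test whether /etc/fstab has an active entry for a mount point.
# Arguments: $1 - mount point (exact match on field 2; comment lines ignored)
# Returns:   0 if present, 1 otherwise
# The original `grep "/tmp"` also matched /var/tmp and commented lines, so a
# commented-out or unrelated entry was enough to skip adding the mount.
#######################################
fstab_has_mount() {
  awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' /etc/fstab
}
# home: only rewrites a separate /home mount listed with plain "defaults"; the
# /noexec/! guard keeps re-runs from appending the options twice.
# NOTE: noexec on /home stops users running anything from their own directory
# (scripts, AppImages, language toolchains); expect to revisit this on workstations.
sudo sed -i -e '/[[:space:]]\/home[[:space:]]/{/noexec/!s/defaults/defaults,noexec,nosuid,nodev/}' /etc/fstab
# tmp
if ! fstab_has_mount /tmp; then
  printf '%s\n' 'none /tmp tmpfs rw,noexec,nosuid,nodev 0 0' | sudo tee -a /etc/fstab
  # Binding /var/tmp onto the tmpfs means /var/tmp no longer survives a reboot
  # (FHS expects it to persist); that trade-off is inherited from the original.
  printf '%s\n' '/tmp /var/tmp none bind 0 0' | sudo tee -a /etc/fstab
  # mount -a activates the new mounts immediately, hiding whatever is already
  # in /tmp and /var/tmp (e.g. X11 sockets of a running desktop session); on a
  # workstation it is safer to let this take effect at the next reboot.
  sudo mount -a
  # dpkg maintainer scripts may need to execute from /tmp, so apt remounts it
  # exec for the duration of each dpkg run.
  if [[ ! -f /etc/apt/apt.conf.d/99tmpexec ]]; then
    printf 'DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};\nDPkg::Post-Invoke {"mount -o remount /tmp";};\n' | sudo tee /etc/apt/apt.conf.d/99tmpexec >/dev/null
    sudo chmod 644 /etc/apt/apt.conf.d/99tmpexec
  fi
fi
sudo chown root:root /tmp
sudo chmod 1777 /tmp
findmnt -o TARGET,SOURCE,FSTYPE,OPTIONS /tmp
findmnt -o TARGET,SOURCE,FSTYPE,OPTIONS /var/tmp
# run/shm: on current Ubuntu /run/shm is a symlink to /dev/shm, so accept an
# existing entry under either name before adding one (the original checked
# /dev/shm but wrote /run/shm).
if ! fstab_has_mount /run/shm && ! fstab_has_mount /dev/shm; then
  printf '%s\n' 'none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0' | sudo tee -a /etc/fstab
  sudo mount -o remount /run/shm
fi
findmnt -o TARGET,SOURCE,FSTYPE,OPTIONS /run/shm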
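echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Installing AppArmour & enforcing some apparmor profiles${NC}"
echo -e "${YEL}===================================${NC}"
sudo apt-get install -y apparmor-profiles apparmor-utils
# The set of shipped profiles varies by release (Firefox is a snap on recent
# Ubuntu, so its .deb profile may be absent); skip missing profiles instead of
# letting aa-enforce print an error for each one.
for profile in usr.bin.firefox usr.sbin.avahi-daemon usr.sbin.dnsmasq bin.ping usr.sbin.rsyslogd; do
  if [[ -f "/etc/apparmor.d/${profile}" ]]; then
    sudo aa-enforce "/etc/apparmor.d/${profile}"
  else
    echo -e "${YEL}AppArmor profile ${profile} not found; skipping${NC}"
  fi
done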
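echo -e "${YEL}===================================${NC}"
echo -e "${YEL}Installing auditd & configuring system auditing${NC}"
echo -e "${YEL}===================================${NC}"
sudo apt-get install -y auditd
AUDIT_RULES_DIR=/etc/audit/rules.d
# Existing rule files are left alone so local edits survive re-runs.
# -p wa watches writes and attribute changes, -p x executions; the -k keys make
# the events easy to pull out with `ausearch -k <key>`.
if [[ ! -f "${AUDIT_RULES_DIR}/tmp-monitor.rules" ]]; then
  sudo tee "${AUDIT_RULES_DIR}/tmp-monitor.rules" >/dev/null <<'EOF'
# Monitor changes and executions within /tmp
-w /tmp/ -p wa -k tmp_write
-w /tmp/ -p x -k tmp_exec
EOF
fi
# Records root (uid=0) touching files under /home that belong to a different
# login identity (auid != object owner), i.e. administrators reading user data.
if [[ ! -f "${AUDIT_RULES_DIR}/admin-home-watch.rules" ]]; then
  sudo tee "${AUDIT_RULES_DIR}/admin-home-watch.rules" >/dev/null <<'EOF'
# Monitor administrator access to /home directories
-a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin_home_user
EOF
fi
# --check validates the merged rules.d/*.rules before anything is loaded;
# --load writes /etc/audit/audit.rules and pushes it into the kernel.
if sudo augenrules --check; then
  sudo augenrules --load
else
  echo -e "${RED}audit rules failed validation; not loading them${NC}" >&2
fi
# Some distributions mark auditd.service RefuseManualStop, in which case
# systemctl refuses the restart and the SysV wrapper must be used instead.
sudo systemctl restart auditd || sudo service auditd restart
# Confirm the rules are actually active in the kernel, not just on disk.
sudo auditctl -l | grep -E 'tmp_write|tmp_exec|admin_home_user'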