zeheater · May 10, 2022 07:47
diff --git a/00.sshd.sh b/00.sshd.sh
 #!/bin/bash
 cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
 cat << EOF > /etc/ssh/sshd_config
 Include /etc/ssh/sshd_config.d/*.conf
 Protocol 2
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 LogLevel INFO
 PermitRootLogin no
 MaxAuthTries 3
 LoginGraceTime 20
 UsePAM yes
 ChallengeResponseAuthentication no
 PasswordAuthentication no
 PermitEmptyPasswords no
 KerberosAuthentication no
 GSSAPIAuthentication no
 X11Forwarding no
 PermitUserEnvironment no
 AllowAgentForwarding no
 AllowTcpForwarding no
 PermitTunnel no
 EOF

 if [[ $? -eq 0  ]]; then
 	# something
 	systemctl restart sshd.service
 	echo 'Success: sshd configuration'
 else
 	# something else
 	echo 'Failed: can not write to /etc/ssh/sshd_config'
 	exit -1
 fi
diff --git a/01.firewall.sh b/01.firewall.sh
 #!/bin/bash
 cat << EOF > /etc/ufw/ufw.conf
 # Set to yes to start on boot. If setting this remotely, be sure to add a rule
 # to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
 ENABLED=yes

 # Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
 # See 'man ufw' for details.
 LOGLEVEL=low
 EOF

 if [[ $? -eq 0 ]]; then
 	# success
 	ufw enable
 	ufw allow OpenSSH
 	echo 'Success: Enabled ufw firewall'
 else
 	# fail
 	echo 'Failed: Can not write to /etc/ufw/ufw.conf'
 	exit -1
 fi
diff --git a/02.enforce-strong-pass.sh b/02.enforce-strong-pass.sh
 #!/bin/bash

 # https://linuxhint.com/secure_password_policies_ubuntu/
 #
 # replace password requisite pam_pwquality.so retry=3
 # with
 # password requisite pam_pwquality.so retry=4 minlen=9 difok=4 lcredit=-2 ucredit=-2 dcredit= -1 ocredit=-1 reject_username enforce_for_root

 libpwquality=$(dpkg -l libpam-pwquality)
 if [[ $? -eq 0 ]]; then
 	# lib installed, do nothing
 	printf ''
 else
 	apt-get install libpam-pwquality
 	if [[ $? -ne 0 ]]; then
 		echo 'Failed to install libpam-pwquality'
 		exit -1
 	fi
 fi

 lines=$(grep -E 'password.+pam_pwquality.so.+$' /etc/pam.d/common-password | wc -l)
 if [[ $lines -gt 1 ]]; then
 	echo 'Replace match more than one line, please replace manualy'
 	exit -1
 elif [[ $lines -eq 1 ]]; then
 	sed -i -E 's/pam_pwquality.so.+$/pam_pwquality.so retry=4 minlen=9 difok=4 lcredit=-2 ucredit=-2 dcredit= -1 ocredit=-1 reject_username enforce_for_root/g' /etc/pam.d/common-password
 	if [[ $? -eq 0 ]]; then
 		sed -i -E 's/^PASS_MAX_DAYS.+$/PASS_MAX_DAYS 120/g' /etc/login.defs
 		sed -i -E 's/^PASS_WARN_AGE.+$/PASS_WARN_AGE   8/g' /etc/login.defs
 		echo 'Strong password is enforced'
 	else
 		echo 'Failed to replace.'
 		exit -1
 	fi
 else
 	echo 'Line not found, please replace manualy'
 	exit -1
 fi
diff --git a/03.sysctl.sh b/03.sysctl.sh
 #!/bin/bash

 cat << EOF > /etc/sysctl.d/99-sysctl.conf
 # https://www.tenable.com/audits/CIS_Ubuntu_20.04_LTS_v1.1.0_Server_L1

 # Disable IP Forwarding
 net.ipv4.ip_forward = 0
 net.ipv6.conf.all.forwarding=0

 # Ensure packet redirect sending is disabled
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0

 # Ensure source routed packets are not accepted
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.default.accept_source_route = 0

 # Ensure ICMP redirects are not accepted
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0

 # Ensure secure ICMP redirects are not accepted
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0

 # Ensure broadcast ICMP requests are ignored
 net.ipv4.icmp_echo_ignore_broadcasts = 1

 # Ensure bogus ICMP responses are ignored
 # Enable bad error message Protection
 net.ipv4.icmp_ignore_bogus_error_responses = 1

 # Ensure TCP SYN Cookies is enabled
 net.ipv4.tcp_syncookies = 1

 # Disable core dump
 fs.suid_dumpable=0
 kernel.core_pattern=|/bin/false

 # Limit ptrace
 kernel.yama.ptrace_scope = 3
 EOF

 # Reload all configuration
 sysctl --system
diff --git a/04.netplan.sh b/04.netplan.sh
 #!/bin/bash

 cat << EOF > /etc/netplan/00-installer-config.yaml
 # This is the network config written by 'subiquity'
 network:
  ethernets:
    eno1:
     dhcp4: no
     addresses:
             - 172.19.46.4/24
     gateway4: 172.19.46.1
     nameservers:
             addresses: [1.1.1.1, 8.8.8.8]
    eno2:
     optional: true
  version: 2
 EOF

 if [[ $? -eq 0  ]]; then
 	# something
 	netplan apply
 	echo 'Success: netplan configuration'
 else
 	# something else
 	echo 'Failed: can not write to /etc/netplan/00-installer-config.yaml'
 	exit -1
 fi
diff --git a/05.coredump.sh b/05.coredump.sh
 #!/bin/bash
 ## Disable coredump

 sed -i -E 's/\#\ End\ of\ file//g' /etc/security/limits.conf
 cat << EOF >> /etc/security/limits.conf
 * hard core 0
 * soft core 0
 # End of file
 EOF

 if [[ $? -eq 0  ]]; then
 	# something
  echo 'Success: Disable core dump'
 else
 	# something else
  echo 'Fail: Disable core dump'
  exit -1
 fi

 mkdir -p /etc/systemd/coredump.conf.d/
 cat << EOF > /etc/systemd/coredump.conf.d/custom.conf
 [Coredump]
 Storage=none
 ProcessSizeMax=0
 EOF

 if [[ $? -eq 0  ]]; then
 	# something
  echo 'Success: Disable systemd core dump'
 else
 	# something else
  echo 'Fail: Disable systemd core dump'
  exit -1
 fi
	#!/bin/bash
	cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
	cat << EOF > /etc/ssh/sshd_config
	Include /etc/ssh/sshd_config.d/*.conf
	Protocol 2
	HostKey /etc/ssh/ssh_host_rsa_key
	HostKey /etc/ssh/ssh_host_ecdsa_key
	HostKey /etc/ssh/ssh_host_ed25519_key
	LogLevel INFO
	PermitRootLogin no
	MaxAuthTries 3
	LoginGraceTime 20
	UsePAM yes
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	PermitEmptyPasswords no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	PermitUserEnvironment no
	AllowAgentForwarding no
	AllowTcpForwarding no
	PermitTunnel no
	EOF

	if [[ $? -eq 0 ]]; then
	# something
	systemctl restart sshd.service
	echo 'Success: sshd configuration'
	else
	# something else
	echo 'Failed: can not write to /etc/ssh/sshd_config'
	exit -1
	fi
	#!/bin/bash
	cat << EOF > /etc/ufw/ufw.conf
	# Set to yes to start on boot. If setting this remotely, be sure to add a rule
	# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
	ENABLED=yes

	# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
	# See 'man ufw' for details.
	LOGLEVEL=low
	EOF

	if [[ $? -eq 0 ]]; then
	# success
	ufw enable
	ufw allow OpenSSH
	echo 'Success: Enabled ufw firewall'
	else
	# fail
	echo 'Failed: Can not write to /etc/ufw/ufw.conf'
	exit -1
	fi
	#!/bin/bash

	# https://linuxhint.com/secure_password_policies_ubuntu/
	#
	# replace password requisite pam_pwquality.so retry=3
	# with
	# password requisite pam_pwquality.so retry=4 minlen=9 difok=4 lcredit=-2 ucredit=-2 dcredit= -1 ocredit=-1 reject_username enforce_for_root

	libpwquality=$(dpkg -l libpam-pwquality)
	if [[ $? -eq 0 ]]; then
	# lib installed, do nothing
	printf ''
	else
	apt-get install libpam-pwquality
	if [[ $? -ne 0 ]]; then
	echo 'Failed to install libpam-pwquality'
	exit -1
	fi
	fi

	lines=$(grep -E 'password.+pam_pwquality.so.+$' /etc/pam.d/common-password \| wc -l)
	if [[ $lines -gt 1 ]]; then
	echo 'Replace match more than one line, please replace manualy'
	exit -1
	elif [[ $lines -eq 1 ]]; then
	sed -i -E 's/pam_pwquality.so.+$/pam_pwquality.so retry=4 minlen=9 difok=4 lcredit=-2 ucredit=-2 dcredit= -1 ocredit=-1 reject_username enforce_for_root/g' /etc/pam.d/common-password
	if [[ $? -eq 0 ]]; then
	sed -i -E 's/^PASS_MAX_DAYS.+$/PASS_MAX_DAYS 120/g' /etc/login.defs
	sed -i -E 's/^PASS_WARN_AGE.+$/PASS_WARN_AGE 8/g' /etc/login.defs
	echo 'Strong password is enforced'
	else
	echo 'Failed to replace.'
	exit -1
	fi
	else
	echo 'Line not found, please replace manualy'
	exit -1
	fi
	#!/bin/bash

	cat << EOF > /etc/sysctl.d/99-sysctl.conf
	# https://www.tenable.com/audits/CIS_Ubuntu_20.04_LTS_v1.1.0_Server_L1

	# Disable IP Forwarding
	net.ipv4.ip_forward = 0
	net.ipv6.conf.all.forwarding=0

	# Ensure packet redirect sending is disabled
	net.ipv4.conf.all.send_redirects = 0
	net.ipv4.conf.default.send_redirects = 0

	# Ensure source routed packets are not accepted
	net.ipv4.conf.all.accept_source_route = 0
	net.ipv4.conf.default.accept_source_route = 0

	# Ensure ICMP redirects are not accepted
	net.ipv4.conf.all.accept_redirects = 0
	net.ipv4.conf.default.accept_redirects = 0

	# Ensure secure ICMP redirects are not accepted
	net.ipv4.conf.all.secure_redirects = 0
	net.ipv4.conf.default.secure_redirects = 0

	# Ensure broadcast ICMP requests are ignored
	net.ipv4.icmp_echo_ignore_broadcasts = 1

	# Ensure bogus ICMP responses are ignored
	# Enable bad error message Protection
	net.ipv4.icmp_ignore_bogus_error_responses = 1

	# Ensure TCP SYN Cookies is enabled
	net.ipv4.tcp_syncookies = 1

	# Disable core dump
	fs.suid_dumpable=0
	kernel.core_pattern=\|/bin/false

	# Limit ptrace
	kernel.yama.ptrace_scope = 3
	EOF

	# Reload all configuration
	sysctl --system
	#!/bin/bash

	cat << EOF > /etc/netplan/00-installer-config.yaml
	# This is the network config written by 'subiquity'
	network:
	ethernets:
	eno1:
	dhcp4: no
	addresses:
	- 172.19.46.4/24
	gateway4: 172.19.46.1
	nameservers:
	addresses: [1.1.1.1, 8.8.8.8]
	eno2:
	optional: true
	version: 2
	EOF

	if [[ $? -eq 0 ]]; then
	# something
	netplan apply
	echo 'Success: netplan configuration'
	else
	# something else
	echo 'Failed: can not write to /etc/netplan/00-installer-config.yaml'
	exit -1
	fi
	#!/bin/bash
	## Disable coredump

	sed -i -E 's/\#\ End\ of\ file//g' /etc/security/limits.conf
	cat << EOF >> /etc/security/limits.conf
	* hard core 0
	* soft core 0
	# End of file
	EOF

	if [[ $? -eq 0 ]]; then
	# something
	echo 'Success: Disable core dump'
	else
	# something else
	echo 'Fail: Disable core dump'
	exit -1
	fi

	mkdir -p /etc/systemd/coredump.conf.d/
	cat << EOF > /etc/systemd/coredump.conf.d/custom.conf
	[Coredump]
	Storage=none
	ProcessSizeMax=0
	EOF

	if [[ $? -eq 0 ]]; then
	# something
	echo 'Success: Disable systemd core dump'
	else
	# something else
	echo 'Fail: Disable systemd core dump'
	exit -1
	fi