commit 938b3e730e2e4011867f3a7be33361137384236e Author: titanz Date: Mon Jan 27 23:04:14 2025 +0100 first commit diff --git a/.gitea/workflows/shellcheck.yml b/.gitea/workflows/shellcheck.yml new file mode 100644 index 0000000..d2aae74 --- /dev/null +++ b/.gitea/workflows/shellcheck.yml @@ -0,0 +1,39 @@ +name: ShellCheck + +on: + workflow_dispatch: + push: + branches: + - master + - main + paths-ignore: + - '**.gitignore' + - '**.md' + - 'LICENSE' + - '**.conf' + - '**.service' + - '**.timer' + - '**.path' + - '**.list' + pull_request: + paths-ignore: + - '**.gitignore' + - '**.md' + - 'LICENSE' + - '**.conf' + - '**.service' + - '**.timer' + - '**.path' + - '**.list' + +jobs: + shellcheck: + name: Shell syntax checker + runs-on: ubuntu-24.04 + permissions: + contents: read + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Run ShellCheck + uses: ludeeus/action-shellcheck@master diff --git a/Fedora-Server-40.sh b/Fedora-Server-40.sh new file mode 100644 index 0000000..1db55a2 --- /dev/null +++ b/Fedora-Server-40.sh 
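Review bot: `uses: ludeeus/action-shellcheck@master` pins the third-party action to a mutable branch, so every run executes whatever that repository's `master` currently contains, inside a job that has just checked out this code; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: ludeeus/action-shellcheck@<40-char-sha> # vX.Y.Z`, and treat `actions/checkout@v4` the same way since a tag can be re-pointed. The `permissions: contents: read` block is the right default and should stay as the only grant. Both scripts in this commit use `#!/bin/sh`, so ShellCheck should lint them in sh mode, which is what you want for catching bashisms that slip in.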
@@ -0,0 +1,193 @@
+#!/bin/sh
+
+# Copyright (C) 2021-2025 Lukas Raub
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+#Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
+
+set -eu
+
+output(){
+ printf '\e[1;34m%-6s\e[m\n' "${@}"
+}
+
+unpriv(){
+ sudo -u nobody "$@"
+}
+
+virtualization=$(systemd-detect-virt)
+
+# Increase compression level
+sudo sed -i 's/zstd:1/zstd/g' /etc/fstab
+
+# Compliance
+sudo systemctl mask debug-shell.service
+sudo systemctl mask kdump.service
+
+# Setting umask to 077
+umask 077
+sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
+sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
+sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
+
+# Make home directory private
+sudo chmod 700 /home/*
+
+# Setup NTS
+sudo rm -rf /etc/chrony.conf
+unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf > /dev/null
+sudo chmod 644 /etc/chrony.conf
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd > /dev/null
+sudo chmod 544 /etc/sysconfig/chronyd
+
+sudo systemctl restart chronyd
+
+# Remove nullok
+sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
+
+# Harden SSH
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/ssh/sshd_config.d/10-custom.conf | sudo tee /etc/ssh/sshd_config.d/10-custom.conf > /dev/null
+sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
+sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+sudo mkdir -p /etc/systemd/system/sshd.service.d/
+sudo chmod 755 /etc/systemd/system/sshd.service.d/
+unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/override.conf | sudo tee /etc/systemd/system/sshd.service.d/override.conf > /dev/null
+sudo chmod 644 /etc/systemd/system/sshd.service.d/override.conf
+sudo systemctl daemon-reload
+sudo systemctl restart sshd
+
+# Security kernel settings
+unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
+sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null
+sudo chmod 644 /etc/sysctl.d/99-server.conf
+sudo dracut -f
+sudo sysctl -p
+
+if [ -d /usr/lib/systemd/boot/efi ]; then
+ sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200 root/g' /etc/kernel/cmdline
+ sudo dnf reinstall -y kernel-core
+else
+ sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
+fi
+
+# Disable coredump
+
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf > /dev/null
+sudo chmod 644 /etc/security/limits.d/30-disable-coredump.conf
+sudo mkdir -p /etc/systemd/coredump.conf.d
+sudo chmod 755 /etc/systemd/coredump.conf.d
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf > /dev/null
+sudo chmod 644 /etc/systemd/coredump.conf.d/disable.conf
+
+# Setup ZRAM
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/zram-generator.conf | sudo tee /etc/systemd/zram-generator.conf > /dev/null
+sudo chmod 644 /etc/systemd/zram-generator.conf
+
+# Setup DNF
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf > /dev/null
+sudo chmod 644 /etc/dnf/dnf.conf
+sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
+
+# Setup automatic updates
+sudo dnf install -y dnf-automatic
+sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
+sudo systemctl enable --now dnf-automatic.timer
+
+# Remove unnecessary packages
+sudo dnf remove -y cockpit*
+
+# Install hardened_malloc
+sudo dnf copr enable secureblue/hardened_malloc -y
+sudo dnf install -y hardened_malloc
+echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
+sudo chmod 644 /etc/ld.so.preload
+
+# Install appropriate virtualization drivers
+if [ "$virtualization" = 'kvm' ]; then
+ sudo dnf install -y qemu-guest-agent
+fi
+
+# Setup unbound
+sudo dnf install unbound -y
+unpriv curl -s https://git.conorz.at/titanz/Fedora-CoreOS-Ignition/raw/branch/development/etc/unbound/unbound.conf | sudo tee /etc/unbound/unbound.conf > /dev/null
+sudo sed -i 's; ip-transparent: yes;# ip-transparent: yes;g' /etc/unbound/unbound.conf
+sudo sed -i 's; interface: 127.0.0.1;# interface: 127.0.0.1;g' /etc/unbound/unbound.conf
+sudo sed -i 's; interface: ::1;# interface: ::1;g' /etc/unbound/unbound.conf
+sudo sed -i 's; interface: 242.242.0.1;# interface: 242.242.0.1;g' /etc/unbound/unbound.conf
+sudo sed -i 's; access-control: 242.242.0.0/16 allow;# access-control: 242.242.0.0/16 allow;g' /etc/unbound/unbound.conf
+sudo chmod 644 /etc/unbound/unbound.conf
+sudo mkdir /etc/systemd/system/unbound.service.d
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/system/unbound.service.d/override.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf > /dev/null
+sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
+sudo systemctl enable --now unbound
+sudo systemctl disable systemd-resolved
+
+### Differentiating bare metal and virtual installs
+
+# Enable auto TRIM
+sudo systemctl enable fstrim.timer
+
+# Setup fwupd
+if [ "$virtualization" = 'none' ]; then
+ sudo dnf install -y fwupd
+ echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
+ sudo systemctl restart fwupd
+ mkdir -p /etc/systemd/system/fwupd-refresh.service.d
+ unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf > /dev/null
+ sudo chmod 644 /etc/systemd/system/fwupd-refresh.service.d/override.conf
+ sudo systemctl daemon-reload
+ sudo systemctl enable --now fwupd-refresh.timer
+else
+ sudo dnf remove -y fwupd
+fi
+
+# Setup tuned
+sudo dnf install -y tuned
+sudo systemctl enable --now tuned
+
+if [ "$virtualization" = 'none' ]; then
+ sudo tuned-adm profile latency-performance
+else
+ sudo tuned-adm profile virtual-guest
+fi
+
+# Setup networking
+sudo systemctl enable --now firewalld
+sudo firewall-cmd --permanent --remove-service=cockpit
+sudo firewall-cmd --reload
+sudo firewall-cmd --lockdown-on
+
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+unpriv curl -s https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf > /dev/null
+sudo chmod 644 /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager
+
+# irqbalance hardening
+sudo mkdir -p /etc/systemd/system/irqbalance.service.d
+unpriv curl -s https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf > /dev/null
+sudo chmod 644 /etc/systemd/system/irqbalance.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart irqbalance
+
+# Setup notices
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/issue | sudo tee /etc/issue > /dev/null
+sudo chmod 644 /etc/issue
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/issue | sudo tee /etc/issue.net > /dev/null
+sudo chmod 644 /etc/issue.net
+
+# Final notes to the user
+output 'Server setup complete. To use unbound for DNS, you need to reboot.'
diff --git a/Fedora-Workstation-40.sh b/Fedora-Workstation-40.sh
new file mode 100644
index 0000000..1ea504b
--- /dev/null
+++ b/Fedora-Workstation-40.sh
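Review bot: The `# Remove nullok` step is a no-op: Fedora's sed is GNU sed, and in its default basic-regex syntax `+` is a literal character (only `\+` repeats), so `'s/\s+nullok//g'` looks for whitespace followed by a literal `+nullok`, never matches, and `nullok` — which lets PAM accept empty passwords — stays in `/etc/pam.d/system-auth`; use `sudo sed -i -E 's/[[:space:]]+nullok//g' /etc/pam.d/system-auth`. Every `unpriv curl -s … | sudo tee` runs without `--fail`, and `#!/bin/sh` with `set -eu` has no pipefail, so an HTTP error body or an empty response is written straight into files such as `/etc/ssh/sshd_config.d/10-custom.conf` and then applied by `systemctl restart sshd`; at minimum use `curl -fsS`, and ideally stage into a temp file and check it is non-empty before `tee`. In the fwupd branch, `mkdir -p /etc/systemd/system/fwupd-refresh.service.d` is the only directory creation without `sudo`, so on bare metal it fails with permission denied and `set -e` aborts the script before the override is written. `sudo chmod 544 /etc/sysconfig/chronyd` sets an execute bit on a sysconfig file where the workstation script uses 644, presumably a typo. None of the fetched configs are integrity-checked, so the hardening is only as trustworthy as the `development` branches and raw-content endpoints pulled from at run time.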
@@ -0,0 +1,253 @@
+#!/bin/sh
+
+# Copyright (C) 2021-2025 Lukas Raub
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+#Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
+
+set -eu
+
+output(){
+ printf '\e[1;34m%-6s\e[m\n' "${@}"
+}
+
+unpriv(){
+ sudo -u nobody "$@"
+}
+
+virtualization=$(systemd-detect-virt)
+
+# Increase compression level
+sudo sed -i 's/zstd:1/zstd/g' /etc/fstab
+
+# Compliance
+sudo systemctl mask debug-shell.service
+sudo systemctl mask kdump.service
+
+# Setting umask to 077
+umask 077
+sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
+sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
+sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
+
+# Make home directory private
+sudo chmod 700 /home/*
+
+# Setup NTS
+if [ "${virtualization}" = 'parallels' ]; then
+ sudo dnf -y remove chrony
+else
+ sudo rm -rf /etc/chrony.conf
+ unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf > /dev/null
+ sudo chmod 644 /etc/chrony.conf
+ unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd > /dev/null
+ sudo chmod 644 /etc/sysconfig/chronyd
+ sudo systemctl restart chronyd
+fi
+
+# Remove nullok
+sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
+
+# Harden SSH
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
+sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+
+# Security kernel settings
+if [ "${virtualization}" = 'parallels' ]; then
+ unpriv curl -s https://git.conorz.at/titanz/Kernel-Module-Blacklist/raw/branch/development/etc/modprobe.d/workstation-blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
+else
+ unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
+fi
+sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/sysctl.d/99-workstation.conf | sudo tee /etc/sysctl.d/99-workstation.conf > /dev/null
+sudo chmod 644 /etc/sysctl.d/99-workstation.conf
+sudo dracut -f
+sudo sysctl -p
+
+if sudo bootctl status | grep -q systemd-boot; then
+ if [ "${virtualization}" = 'parallels' ]; then
+ sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off root/g' /etc/kernel/cmdline
+ else
+ sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 root/g' /etc/kernel/cmdline
+ fi
+ sudo dnf reinstall -y kernel-core
+else
+ if [ "${virtualization}" = 'parallels' ]; then
+ sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off'
+ else
+ sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1'
+ fi
+fi
+
+# Disable coredump
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf > /dev/null
+sudo chmod 644 /etc/security/limits.d/30-disable-coredump.conf
+sudo mkdir -p /etc/systemd/coredump.conf.d
+sudo chmod 755 /etc/systemd/coredump.conf.d
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf > /dev/null
+sudo chmod 644 /etc/systemd/coredump.conf.d/disable.conf
+
+# Disable XWayland
+sudo mkdir -p /etc/systemd/user/org.gnome.Shell@wayland.service.d
+sudo chmod 755 /etc/systemd/user/org.gnome.Shell@wayland.service.d
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/user/org.gnome.Shell%40wayland.service.d/override.conf | sudo tee /etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf > /dev/null
+sudo chmod 644 /etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf
+
+# Disable GJS and WebkitGTK JIT
+unpriv curl https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/environment | sudo tee -a /etc/environment
+
+# Setup dconf
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/adw-gtk3-dark | sudo tee /etc/dconf/db/local.d/adw-gtk3-dark > /dev/null
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/automount-disable | sudo tee /etc/dconf/db/local.d/automount-disable > /dev/null
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/button-layout | sudo tee /etc/dconf/db/local.d/button-layout > /dev/null
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/prefer-dark | sudo tee /etc/dconf/db/local.d/prefer-dark > /dev/null
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/privacy | sudo tee /etc/dconf/db/local.d/privacy > /dev/null
+unpriv curl -s 
https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/touchpad | sudo tee /etc/dconf/db/local.d/touchpad > /dev/null +sudo chmod 644 /etc/dconf/db/local.d/* + +mkdir -p /etc/dconf/db/local.d/locks +sudo chmod 755 /etc/dconf/db/local.d/locks + +unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/locks/automount-disable | sudo tee /etc/dconf/db/local.d/locks/automount-disable > /dev/null +unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/locks/privacy | sudo tee /etc/dconf/db/local.d/locks/privacy > /dev/null +sudo chmod 644 /etc/dconf/db/local.d/locks/* + +umask 022 +sudo dconf update +umask 077 + +# Setup ZRAM +unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/zram-generator.conf | sudo tee /etc/systemd/zram-generator.conf > /dev/null +sudo chmod 644 /etc/systemd/zram-generator.conf + +# Setup DNF +unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/developmentn/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.coraw/branch/development /dev/null +sudo chmod 644 /etc/dnf/dnf.coraw/branch/developmentudo sed -i 's/^metalink=.*/&\&protocol=htraw/branch/developmentaw/branch/development/etc/yum.repos.d/* + +raw/branch/developmentmove unwanted groraw/branch/developmentsuraw/branch/developmentnf -y group remove 'Container Managemenraraw/branch/developmentanch/developmentDesktop accessibility' 'Fraw/branch/developmentox Web Browsraw/branch/developmentGuest Desktop Agents' 'LibreOffice' 'Prinraw/branch/development Support' +raw/branch/development/move firefox packagesrraw/branch/development/aw/branch/development -y remove fedora-bookmarks fedora-chromiraw/branch/developmentonfig firmraw/branch/developraw/branch/development/ozilla-filesystemeraw/branch/development/movraw/branch/developmenttwork + hardware tools packages +sudo dnf raw/branch/developmentemove avahi 
cifs* '*cups' dmidecode dnsmasq geolite2* mtr net-snmp-libs net-tools nfs-utils nmap-ncat nmap-ncat opensc openssh-server rsync rygel sgpio tcpdump teamd traceroute usb_modeswitch +raw/branch/development/move support for some languages and spelling raw/branch/development/dnf -y remove '*anthy*' '*hangul*' ibus-typing-booster '*m17n*' '*pinyin*' '*speech*' texlivsraw/branch/developraw/branch/development/ words '*zhuyin*'eraw/branch/development/move codec + image + printers +sudo dnf -y remove openh264 ImageMagick* sane* simple-scan + +# Remove Active Directory + Sysadmin + reporting tools +sudo dnf -y remove 'sssd*' realmd cyrus-sasl-gssapi quota* dos2unix kpartx smraw/branch/developbraw/branch/development/a-client gvfs-smb + +# Remmraw/branch/development/ and virtual stuff +sudo yraw/branch/development/ remove 'podman*' '*libvirt*' 'open-vm*' qemu-guest-agent 'hyperv*' spice-vdagent virtualbox-guest-additions vino xorg-x11-drv-vmware xorg-x11-drv-amdgpu + +# Remove NetworkManager +sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemMana#raw/branch/development/ Remove Gnome apps +sudo dnf remove -y baobab chrome-gnome-shell eog gnome-boxes gnome-calculator gnome-calendar gnome-characters gnome-classic* gnome-clocks gnome-color-manager gnome-connections \ + gnome-contacts gnome-disk-utility gnome-font-viewer gnome-logs gnome-maps gnome-photos gnome-remote-desktop gnome-screenshot gnome-shell-extension-apps-menu \ + gsraw/branch/development/hell-extension-background-logo gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list gnome-text-editor \ + gnome-themes-extra gnome-tour gnome-user* gnome-weather loupe snapshot totem + +# Remove apps +sudo dnf remove raw/branch/developmentbrt* cheese evince file-roller* libreoffiraw/branch/developmentmediawriter rhythmbox yelp + +# Remove other 
paraw/branch/developmentes + sudo dnf remove -y raw/branch/developraw/branch/development rng-tools thermald '*perl*' yajl + +# Disaraw/branch/developmentbranch/developmentopenh264 repo +sudo dnf raw/branch/developmentig-manager --set-draw/branch/developmentlraw/branch/developmentedora-cisco-openh264 + +# Update packaraw/braw/branch/developmenth/developmentsudo dnf -y upgrade + +# Instaraw/branch/developmentardened_mraw/branch/developmentc +sudo dnraw/branch/development/r enable secureblue/hardeneraw/branch/developmentlloc -y +sudo dsraw/branch/development/tall -y hardened_mallraw/branch/developmentcho 'libhardened_malloc.so' | sudo tee /eraw/branch/developmentd.so.preload +sudo c6raw/branch/development/44 /etc/ld.so.prraw/branch/developmentd +raw/braraw/branch/development/evelopment/stall packages that I use raw/branch/development/dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-exoraw/branch/developraw/branch/development/n-background-logonraw/branch/development/stall appropriate virtualization drivers +if [ "$virtualization" = 'kvm' ]; then + sudo dnf install -y qemu-guest-agent spice-vdagent +fi + +# Setup Flatpak +sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpnraw/branch/development/o-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions +flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-raw/branch/development/name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf 
--no-talk-name=org.gnome.Shell.Extensions
+flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+flatpak --user install org.gnome.Extensions com.github.tchx84.Flatseal org.gnome.Loupe -y
+flatpak --user override com.github.tchx84.Flatseal --filesystem=/var/lib/flatpak/app:ro --filesystem=xdg-data/flatpak/app:ro --filesystem=xdg-data/flatpak/overrides:create
+flatpak --user override org.gnome.Extensions --talk-name=org.gnome.Shell.Extensions
+flatpak update -y
+
+# Enable hardened_malloc for Flatpak
+sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/libbraw/branch/development/hardened_malloc.so
+flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
+
+# Install Microsoft Edge if x86_64
+MACHINE_TYPE=$(uname -m)
+if [ "${MACHINE_TYPE}" = 'x86_64' ]; then
+ output 'x86_64 machine, installing Microsoft Edge.'
+ echo '[microsoft-edge]
+name=microsoft-edge
+baseurl=https://packages.microsoft.com/yumrepos/edge/
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/microsoft-edge.repo
+ sudo chmod 644 /etc/yum.repos.d/microsoft-edge.repo
+ sudo dnf install -y microsoft-edge-stable
+ sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/
+ sudo chmod -R 755 /etc/opt
+ unpriv curl -s https://git.conorz.at/titanz/Microsoft-Edge-Policies/raw/branch/development/Linux/managed.json | sudo tee /etc/opt/edge/policies/managed/managed.json > /dev/null
+ unpriv curl -s https://git.conorz.at/titanz/Microsoft-Edge-Policies/raw/branch/development/Linux/recommended.json | sudo tee /etc/opt/edge/policies/recommended/recommended.json > /dev/null
+ sudo chmod 644 /etc/opt/edge/policies/managed/managed.json /etc/opt/edge/policies/recommended/recommended.json
+ sudo mkdir -p /usr/local/share/applications
+ sudo chmod 755 /usr/local/share/applications
+ sed 's/^Exec=\/usr\/bin\/microsoft-edge-stable/& --ozone-platform=wayland --start-maximized/g' /usr/share/applications/microsoft-edge.desktop | sudo tee /usr/local/share/applications/microsoft-edge.desktop
+ sudo chmod 644 /usr/local/share/applications/microsoft-edge.desktop
+fi
+
+# Enable auto TRIM
+sudo systemctl enable fstrim.timer
+
+### Differentiating bare metal and virtual installs
+
+# Setup fwupd
+echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
+sudo systemctl restart fwupd
+
+# Setup tuned
+if [ "$virtualization" = 'none' ]; then
+ output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it."
+else
+ sudo dnf remove -y power-profiles-daemon
+ sudo dnf install -y tuned
+ sudo systemctl enable --now tuned
+ sudo tuned-adm profile virtual-guest
+fi
+
+# Setup networking
+sudo systemctl enable --now firewalld
+sudo firewall-cmd --set-default-zone=block
+sudo firewall-cmd --permanent --add-service=dhcpv6-client
+sudo firewall-cmd --reload
+sudo firewall-cmd --lockdown-on
+
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf > /dev/null
+sudo chmod 644 /etc/NetworkManager/conf.d/00-macrandomize.conf
+unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf > /dev/null
+sudo chmod 644 /etc/NetworkManager/conf.d/01-transient-hostname.conf
+sudo nmcli general reload conf
+sudo hostnamectl hostname 'localhost'
+sudo hostnamectl --transient hostname ''
+
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+unpriv curl -s https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf > /dev/null
+sudo chmod 644 /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager
+
+output 'The script is done. You can also remove gnome-terminal since gnome-console will replace it.'
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d8e7ba7
--- /dev/null
+++ b/LICENSE
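Review bot: `mkdir -p /etc/dconf/db/local.d/locks` is run without `sudo`, unlike every other directory creation in this file, so unless that directory already exists the call fails with permission denied and `set -eu` aborts the script before the dconf locks, ZRAM, DNF, Flatpak and networking steps run; change it to `sudo mkdir -p /etc/dconf/db/local.d/locks`. `unpriv curl https://…/etc/environment | sudo tee -a /etc/environment` appends whatever curl returns — it lacks `-f`, so an HTTP error body is appended too — and is not idempotent, duplicating the block on every re-run; use `curl -fsS` and guard the append with a `grep -q` for a marker line. The same `sed -i 's/\s+nullok//g'` as in the server script never matches under GNU sed's basic regex, where `+` is literal, so `nullok` is never removed from `/etc/pam.d/system-auth`; use `-E 's/[[:space:]]+nullok//g'`. `sudo chmod -R 755 /etc/opt` recurses over everything under `/etc/opt`, not only the two Edge policy directories just created; limit it to those paths. Part of the middle of this hunk (the package-removal section) is garbled in this rendering, so only the intact lines were reviewed.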
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2022 Thien Tran + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..3d28b91 --- /dev/null +++ b/README.md @@ -0,0 +1,25 @@ +# Linux Setup Scripts + +[![ShellCheck](https://git.conorz.at/titanz/Linux-Setup-Scripts/actions/workflows/shellcheck.yml/badge.svg)](https://git.conorz.at/titanz/Linux-Setup-Scripts/actions?workflow=shellcheck.yml) + +My setup scripts for my workstations. You should edit the scripts to your liking before running them. +Please run the scripts as your actual user and not root. Provide sudo password when it asks you to. Flatpak packages and themes/icons are only installed for your user and not system wide.
+
+The printing stack (cups) is removed as I do not use it.
+
+## Notes on DNS handling
+
+For desktop installations, the assumption here is that you will use a VPN of some sort for your privacy. No custom DNS server will be configured, as websites [can detect](https://www.dnsleaktest.com/) that you are using a different DNS server from your VPN provider's server.
+
+For server installations, Unbound will be configured to handle local DNSSEC validation. The difference in the scripts on how this is set up are because of the following reasons:
+
+- Each distribution needs its own Unbound configuration due to version differences and how each distro packages it.
+- If both Unbound and systemd-resolved are preset on the system, whichever one gets used depends entirely on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
+- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
+
+## Notes on io_uring
+io_uring is disabled. On Proxmox, use aio=native for drives. You will need to manually edit the config for cdrom. Alternatively, if you do not want to deal with this, comment out the io_uring line in `/etc/sysctl.d/99-server.conf`
+
+# Qubes OS
+
+Check out this repository: https://git.conorz.at/titanz/QubesOS-Scripts
diff --git a/RHEL-9.sh b/RHEL-9.sh
new file mode 100644
index 0000000..1b53eb4
--- /dev/null
+++ b/RHEL-9.sh
@@ -0,0 +1,219 @@
+#!/bin/sh
+
+# Copyright (C) 2021-2024 Lukas Raub
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+set -eu
+
+output(){
+ printf '\e[1;34m%-6s\e[m\n' "${@}"
+}
+
+unpriv(){
+ sudo -u nobody "$@"
+}
+
+virtualization=$(systemd-detect-virt)
+
+# Compliance
+sudo systemctl mask debug-shell.service
+sudo systemctl mask kdump.service
+
+# Setting umask to 077
+umask 077
+sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
+sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
+sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
+
+# Make home directory private
+sudo chmod 700 /home/*
+
+# Setup NTS
+sudo dnf install -y chrony
+unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf > /dev/null
+sudo chmod 644 /etc/chrony.conf
+unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd > /dev/null
+sudo chmod 644 /etc/sysconfig/chronyd
+
+sudo systemctl restart chronyd
+
+# Remove nullok
+sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
+
+# Harden SSH
+unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/ssh/sshd_config.d/10-custom.conf | sudo tee /etc/ssh/sshd_config.d/10-custom.conf > /dev/null
+sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
+unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
+sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+sudo mkdir -p /etc/systemd/system/sshd.service.d/
+sudo chmod 755 /etc/systemd/system/sshd.service.d/
+unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/override.conf | sudo tee /etc/systemd/system/sshd.service.d/override.conf > /dev/null
+sudo systemctl daemon-reload
+sudo systemctl restart sshd
+
+# Security kernel settings
+unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
+sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
+unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null
+sudo chmod 644 /etc/sysctl.d/99-server.conf
+sudo dracut -f
+sudo sysctl -p
+
+# efi=disable_early_pci_dma seems to break boot on RHEL and only RHEL, dunno why yet
+sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
+
+# Disable coredump
+unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf > /dev/null
+sudo chmod 644 /etc/security/limits.d/30-disable-coredump.conf
+sudo mkdir -p /etc/systemd/coredump.conf.d
+unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf > /dev/null
+sudo chmod 644 /etc/systemd/coredump.conf.d/disable.conf
+
+# Setup DNF
+unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf > /dev/null
+sudo chmod 644 /etc/dnf/dnf.conf
+sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
+
+# Setup automatic updates
+sudo dnf install -y dnf-automatic
+sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
+sudo systemctl enable --now dnf-automatic.timer
+
+# Remove unnecessary packages
+sudo dnf remove -y cockpit*
+
+# Install hardened_malloc
+sudo dnf copr enable secureblue/hardened_malloc -y
+sudo dnf install -y hardened_malloc
+echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
+sudo chmod 644 /etc/ld.so.preload
+
+# Install appropriate virtualization drivers
+if [ "$virtualization" = 'kvm' ]; then
+ sudo dnf install -y qemu-guest-agent
+fi
+
+# Setup unbound
+sudo dnf install unbound -y
+
+echo 'server:
+ chroot: ""
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ trust-anchor-signaling: yes
+ root-key-sentinel: yes
+ tls-cert-bundle: "/etc/ssl/cert.pem"
+ tls-ciphers: "PROFILE=SYSTEM"
+ hide-http-user-agent: yes
+ hide-identity: yes
+ hide-trustanchor: yes
+ hide-version: yes
+ deny-any: yes
+ harden-algo-downgrade: yes
+ harden-large-queries: yes
+ harden-referral-path: yes
+ ignore-cd-flag: yes
+ max-udp-size: 3072
+ module-config: "validator iterator"
+ qname-minimisation-strict: yes
+ unwanted-reply-threshold: 10000000
+ use-caps-for-id: yes
+ outgoing-port-permit: 1024-65535
+ prefetch: yes
+ prefetch-key: yes
+
+# ip-transparent: yes
+# interface: 127.0.0.1
+# interface: ::1
+# interface: 242.242.0.1
+# access-control: 242.242.0.0/16 allow
+
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
+ forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
+ forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
+ forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf
+
+sudo chmod 644 /etc/unbound/unbound.conf
+
+sudo mkdir -p /etc/systemd/system/unbound.service.d
+unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/systemd/system/unbound.service.d/override.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf > /dev/null
+sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
+
+sudo systemctl enable --now unbound
+
+# Setup yara
+#sudo dnf install -y yara
+#sudo insights-client --collector malware-detection
+#sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
+
+# Enable auto TRIM
+sudo systemctl enable fstrim.timer
+
+### Differentiating bare metal and virtual installs
+
+# Setup fwupd
+#if [ "$virtualization" = 'none' ]; then
+ sudo dnf install -y fwupd
+ echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
+ sudo systemctl restart fwupd
+ sudo mkdir -p /etc/systemd/system/fwupd-refresh.service.d
+ unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf > /dev/null
+ sudo chmod 644 /etc/systemd/system/fwupd-refresh.service.d/override.conf
+ sudo systemctl daemon-reload
+ sudo systemctl enable --now fwupd-refresh.timer
+#else
+# sudo dnf remove -y fwupd
+#fi
+
+# Setup tuned
+sudo dnf install -y tuned
+sudo systemctl enable --now tuned
+
+if [ "$virtualization" = 'none' ]; then
+ sudo tuned-adm profile latency-performance
+else
+ sudo tuned-adm profile virtual-guest
+fi
+
+# Setup networking
+sudo systemctl enable --now firewalld
+sudo firewall-cmd --permanent --remove-service=cockpit
+sudo firewall-cmd --reload
+sudo firewall-cmd --lockdown-on
+
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+unpriv curl -s https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf > /dev/null
+sudo chmod 644 /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager
+
+# irqbalance hardening
+sudo mkdir -p /etc/systemd/system/irqbalance.service.d
+unpriv curl -s https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf > /dev/null
+sudo chmod 644 /etc/systemd/system/irqbalance.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart irqbalance
+
+# Setup notices
+unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/issue | sudo tee /etc/issue > /dev/null
+sudo chmod 644 /etc/issue
+unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/issue | sudo tee /etc/issue.net > /dev/null
+sudo chmod 644 /etc/issue.net
+
+# Final notes to the user
+output 'Server setup complete. To use unbound for DNS, you need to run the following commands:'
+output 'nmcli con mod ipv4.dns 127.0.0.1'
+output 'nmcli con mod ipv6.dns ::1'
diff --git a/etc/NetworkManager/conf.d/00-macrandomize.conf b/etc/NetworkManager/conf.d/00-macrandomize.conf
new file mode 100644
index 0000000..d2f9fbc
--- /dev/null
+++ b/etc/NetworkManager/conf.d/00-macrandomize.conf
@@ -0,0 +1,6 @@
+[device]
+wifi.scan-rand-mac-address=yes
+[connection]
+wifi.cloned-mac-address=random
+ethernet.cloned-mac-address=random
+connection.stable-id=${CONNECTION}/${BOOT}
\ No newline at end of file
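Review bot: The `# Remove nullok` line, `sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth`, removes nothing: without `-E` sed treats `+` as a literal character, so the pattern only matches whitespace followed by a literal `+` before `nullok`, and pam_unix keeps accepting empty passwords after this step; use `sudo sed -i -E 's/\s+nullok//g' /etc/pam.d/system-auth` (or `\s\+` in basic syntax). Every `unpriv curl -s … | sudo tee /etc/…` fetch also runs without `-f`/`--fail` and under only `set -eu` (no `pipefail`), so a 404 body or an empty response from a failed download is written verbatim into root-owned configuration such as `/etc/sysctl.d/99-server.conf` or `/etc/ssh/sshd_config.d/10-custom.conf` while the script carries on as if it had succeeded. The `30-disable-coredump.conf` URL (`…/Linux-Setup-Scripts/main/etc/security/…`, missing the `raw/branch/` segment every other URL has) looks like it would hit exactly that path, and the `https://git.conorz.at/Linux-Setup-Scripts/…` URLs omit the `titanz/` owner segment used elsewhere in this commit, so they are worth re-checking. Consider fetching with `curl -fsS -o "$tmp"` and installing only after a non-empty check or, better, a pinned checksum, since TLS alone authenticates the server and not the revision you expected.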
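Review bot: `connection.stable-id=${CONNECTION}/${BOOT}` has no effect on the MAC settings above it: as far as NetworkManager documents it, the stable-id only feeds the `stable` cloned-MAC mode (and stable-privacy IPv6 addresses), whereas `wifi.cloned-mac-address=random` and `ethernet.cloned-mac-address=random` pick a fresh address on every activation regardless of it. If the intent is one address per boot, change both lines to `cloned-mac-address=stable` so the `${BOOT}` in the stable-id actually governs the MAC; if per-activation randomization is intended, drop the stable-id line and say so in a comment. Either way, a comment noting that randomizing the ethernet MAC may break DHCP reservations and MAC-based port security on a managed switch would save the next reader a surprise.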
diff --git a/etc/NetworkManager/conf.d/01-transient-hostname.conf b/etc/NetworkManager/conf.d/01-transient-hostname.conf
new file mode 100644
index 0000000..30300b6
--- /dev/null
+++ b/etc/NetworkManager/conf.d/01-transient-hostname.conf
@@ -0,0 +1,2 @@
+[main]
+hostname-mode=none
\ No newline at end of file
diff --git a/etc/apt/apt.conf.d/99sane-upgrades b/etc/apt/apt.conf.d/99sane-upgrades
new file mode 100644
index 0000000..30d491f
--- /dev/null
+++ b/etc/apt/apt.conf.d/99sane-upgrades
@@ -0,0 +1,6 @@
+Update-Manager::Always-Include-Phased-Updates "true";
+APT::Get::Always-Include-Phased-Updates "true";
+APT::Get::Upgrade-Allow-New "true";
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";
+APT::Get::AutomaticRemove "true";
\ No newline at end of file
diff --git a/etc/apt/sources.list.d/docker.sources b/etc/apt/sources.list.d/docker.sources
new file mode 100644
index 0000000..d64a0e8
--- /dev/null
+++ b/etc/apt/sources.list.d/docker.sources
@@ -0,0 +1,5 @@
+Types: deb
+URIs: https://download.docker.com/linux/ubuntu
+Suites: noble
+Components: stable
+Signed-By: /usr/share/keyrings/docker.asc
\ No newline at end of file
diff --git a/etc/apt/sources.list.d/element-io.sources b/etc/apt/sources.list.d/element-io.sources
new file mode 100644
index 0000000..5f6d4ed
--- /dev/null
+++ b/etc/apt/sources.list.d/element-io.sources
@@ -0,0 +1,5 @@
+Types: deb
+URIs: https://packages.element.io/debian/
+Suites: default
+Components: main
+Signed-By: /usr/share/keyrings/element-io-archive-keyring.gpg
\ No newline at end of file
diff --git a/etc/apt/sources.list.d/mariadb.sources b/etc/apt/sources.list.d/mariadb.sources
new file mode 100644
index 0000000..fd4f8ca
--- /dev/null
+++ b/etc/apt/sources.list.d/mariadb.sources
@@ -0,0 +1,21 @@
+Types: deb
+URIs: https://dlm.mariadb.com/repo/mariadb-server/11.4/repo/ubuntu
+Suites: noble
+Components: main
+Signed-By: /usr/share/keyrings/mariadb-keyring-2019.gpg
+Architectures: amd64 arm64
+
+# The jammy part is not a typo. They just haven't released it for noble yet.
+Types: deb
+URIs: https://dlm.mariadb.com/repo/maxscale/latest/apt
+Suites: jammy
+Components: main
+Signed-By: /usr/share/keyrings/mariadb-keyring-2019.gpg
+Architectures: amd64 arm64
+
+Types: deb
+URIs: http://downloads.mariadb.com/Tools/ubuntu
+Suites: noble
+Components: main
+Signed-By: /usr/share/keyrings/mariadb-keyring-2019.gpg
+Architectures: amd64
\ No newline at end of file
diff --git a/etc/apt/sources.list.d/microsoft-edge.sources b/etc/apt/sources.list.d/microsoft-edge.sources
new file mode 100644
index 0000000..69b87ae
--- /dev/null
+++ b/etc/apt/sources.list.d/microsoft-edge.sources
@@ -0,0 +1,6 @@
+Types: deb
+URIs: https://packages.microsoft.com/repos/edge
+Suites: stable
+Components: main
+Signed-By: /usr/share/keyrings/microsoft.gpg
+Architectures: amd64
\ No newline at end of file
diff --git a/etc/apt/sources.list.d/nginx.sources b/etc/apt/sources.list.d/nginx.sources
new file mode 100644
index 0000000..c18bfa3
--- /dev/null
+++ b/etc/apt/sources.list.d/nginx.sources
@@ -0,0 +1,5 @@
+Types: deb
+URIs: http://nginx.org/packages/mainline/ubuntu
+Suites: noble
+Components: nginx
+Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg
\ No newline at end of file
diff --git a/etc/apt/sources.list.d/rosetta.sources b/etc/apt/sources.list.d/rosetta.sources
new file mode 100644
index 0000000..481b745
--- /dev/null
+++ b/etc/apt/sources.list.d/rosetta.sources
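Review bot: `URIs: http://nginx.org/packages/mainline/ubuntu` fetches the index and packages over plain HTTP; APT still verifies the InRelease signature against the `Signed-By` keyring and the per-package hashes, so tampering is detected, but the exact package set this host pulls is visible on the wire and an on-path attacker can replay an older, still-signed index for as long as its `Valid-Until` (if the repository sets one) allows. nginx.org is reachable over HTTPS as well, so if `https://nginx.org/packages/mainline/ubuntu` resolves for you the switch costs nothing; the same applies to `http://downloads.mariadb.com/Tools/ubuntu` in mariadb.sources, while the `ports.ubuntu.com`/`archive.ubuntu.com` entries are Ubuntu's own defaults. The script that installs `/usr/share/keyrings/nginx-archive-keyring.gpg` is not in this chunk, so I cannot tell how that key is fetched or pinned.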
@@ -0,0 +1,27 @@
+Types: deb
+URIs: http://ports.ubuntu.com/ubuntu-ports/
+Suites: noble noble-updates noble-backports
+Components: main restricted universe multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+Architectures: arm64
+
+Types: deb
+URIs: http://ports.ubuntu.com/ubuntu-ports/
+Suites: noble-security
+Components: main restricted universe multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+Architectures: arm64
+
+Types: deb
+URIs: http://archive.ubuntu.com/ubuntu/
+Suites: noble noble-updates noble-backports
+Components: main restricted universe multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+Architectures: amd64
+
+Types: deb
+URIs: http://archive.ubuntu.com/ubuntu/
+Suites: noble-security
+Components: main restricted universe multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+Architectures: amd64
\ No newline at end of file
diff --git a/etc/apt/sources.list.d/vscode.sources b/etc/apt/sources.list.d/vscode.sources
new file mode 100644
index 0000000..9711e2a
--- /dev/null
+++ b/etc/apt/sources.list.d/vscode.sources
@@ -0,0 +1,5 @@
+Types: deb
+URIs: https://packages.microsoft.com/repos/code
+Suites: stable
+Components: main
+Signed-By: /usr/share/keyrings/microsoft.gpg
\ No newline at end of file
diff --git a/etc/dconf/db/local.d/adw-gtk3-dark b/etc/dconf/db/local.d/adw-gtk3-dark
new file mode 100644
index 0000000..c6a1e1f
--- /dev/null
+++ b/etc/dconf/db/local.d/adw-gtk3-dark
@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+gtk-theme='adw-gtk3-dark'
\ No newline at end of file
diff --git a/etc/dconf/db/local.d/apport-disable b/etc/dconf/db/local.d/apport-disable
new file mode 100644
index 0000000..fe98504
--- /dev/null
+++ b/etc/dconf/db/local.d/apport-disable
@@ -0,0 +1,2 @@
+[com/ubuntu/update-notifier]
+show-apport-crashes=false
\ No newline at end of file
diff --git a/etc/dconf/db/local.d/automount-disable b/etc/dconf/db/local.d/automount-disable
new file mode 100644
index 0000000..a0d778c
--- /dev/null
+++ b/etc/dconf/db/local.d/automount-disable
@@ -0,0 +1,4 @@
+[org/gnome/desktop/media-handling]
+automount=false
+automount-open=false
+autorun-never=true
\ No newline at end of file
diff --git a/etc/dconf/db/local.d/button-layout b/etc/dconf/db/local.d/button-layout
new file mode 100644
index 0000000..c11d003
--- /dev/null
+++ b/etc/dconf/db/local.d/button-layout
@@ -0,0 +1,2 @@
+[org/gnome/desktop/wm/preferences]
+button-layout='appmenu:minimize,maximize,close'
\ No newline at end of file
diff --git a/etc/dconf/db/local.d/locks/apport-disable b/etc/dconf/db/local.d/locks/apport-disable
new file mode 100644
index 0000000..3bec18f
--- /dev/null
+++ b/etc/dconf/db/local.d/locks/apport-disable
@@ -0,0 +1 @@
+com/ubuntu/update-notifier/show-apport-crashes
\ No newline at end of file
diff --git a/etc/dconf/db/local.d/locks/automount-disable b/etc/dconf/db/local.d/locks/automount-disable
new file mode 100644
index 0000000..345c536
--- /dev/null
+++ b/etc/dconf/db/local.d/locks/automount-disable
@@ -0,0 +1,3 @@
+org/gnome/desktop/media-handling/automount
+org/gnome/desktop/media-handling/automount-open
+/org/gnome/desktop/media-handling/autorun-never
\ No newline at end of file
diff --git a/etc/dconf/db/local.d/locks/privacy b/etc/dconf/db/local.d/locks/privacy
new file mode 100644
index 0000000..f342bad
--- /dev/null
+++ b/etc/dconf/db/local.d/locks/privacy
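Review bot: `com/ubuntu/update-notifier/show-apport-crashes` is missing the leading `/`; dconf lock files list absolute key paths (every entry in `locks/privacy` in this same commit starts with `/`), so `dconf update` will most likely ignore or reject this line and `show-apport-crashes=false` stays overridable by the user. Change it to `/com/ubuntu/update-notifier/show-apport-crashes`.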
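Review bot: Only the third entry, `/org/gnome/desktop/media-handling/autorun-never`, is an absolute path; `org/gnome/desktop/media-handling/automount` and `org/gnome/desktop/media-handling/automount-open` lack the leading `/`, so as far as I can tell from dconf's lock syntax those two locks are ignored (or make `dconf update` fail outright) and a user can re-enable automount and automount-open, which is exactly the removable-media exposure this file exists to close. Prefix both with `/` so all three lines match the `locks/privacy` style.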
@@ -0,0 +1,14 @@
+/org/gnome/system/location/enabled
+
+/org/gnome/desktop/privacy/remember-recent-files
+/org/gnome/desktop/privacy/remove-old-trash-files
+/org/gnome/desktop/privacy/remove-old-temp-files
+/org/gnome/desktop/privacy/report-technical-problems
+/org/gnome/desktop/privacy/send-software-usage-stats
+/org/gnome/desktop/privacy/remember-app-usage
+
+/org/gnome/online-accounts/whitelisted-providers
+
+/org/gnome/desktop/remote-desktop/rdp/enable
+
+/org/gnome/desktop/remote-desktop/vnc/enable
\ No newline at end of file
diff --git a/etc/dconf/db/local.d/prefer-dark b/etc/dconf/db/local.d/prefer-dark
new file mode 100644
index 0000000..ba1d69f
--- /dev/null
+++ b/etc/dconf/db/local.d/prefer-dark
@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+color-scheme='prefer-dark'
\ No newline at end of file
diff --git a/etc/dconf/db/local.d/privacy b/etc/dconf/db/local.d/privacy
new file mode 100644
index 0000000..131e18b
--- /dev/null
+++ b/etc/dconf/db/local.d/privacy
@@ -0,0 +1,16 @@
+[org/gnome/system/location]
+enabled=false
+
+[org/gnome/desktop/privacy]
+remember-recent-files=false
+remove-old-trash-files=true
+remove-old-temp-files=true
+report-technical-problems=false
+send-software-usage-stats=false
+remember-app-usage=false
+
+[org/gnome/desktop/remote-desktop/rdp]
+enable=false
+
+[org/gnome/desktop/remote-desktop/vnc]
+enable=false
\ No newline at end of file
diff --git a/etc/dconf/db/local.d/touchpad b/etc/dconf/db/local.d/touchpad
new file mode 100644
index 0000000..85c898f
--- /dev/null
+++ b/etc/dconf/db/local.d/touchpad
@@ -0,0 +1,5 @@
+[org/gnome/desktop/peripherals/touchpad]
+click-method='areas'
+disable-while-typing=false
+tap-to-click=true
+to-finger-scrolling-enabled=false
\ No newline at end of file
diff --git a/etc/dnf/dnf.conf b/etc/dnf/dnf.conf
new file mode 100644
index 0000000..b1ebaf6
--- /dev/null
+++ b/etc/dnf/dnf.conf
@@ -0,0 +1,11 @@
+[main]
+gpgcheck=True
+installonly_limit=3
+clean_requirements_on_remove=True
+best=False
+skip_if_unavailable=True
+max_parallel_downloads=10
+deltarpm=False
+defaultyes=True
+install_weak_deps=False
+countme=False
diff --git a/etc/environment b/etc/environment
new file mode 100644
index 0000000..22eebdc
--- /dev/null
+++ b/etc/environment
@@ -0,0 +1,2 @@
+JavaScriptCoreUseJIT=0
+GJS_DISABLE_JIT=1
\ No newline at end of file
diff --git a/etc/issue b/etc/issue
new file mode 100644
index 0000000..8540d01
--- /dev/null
+++ b/etc/issue
@@ -0,0 +1,6 @@
+You are accessing Lukas Raub's information system that is provided for authorized uses only.
+
+ALL ACTIVITY MAY BE MONITORED AND REPORTED. UNAUTHORIZED USES SHALL BE PROSECUTED TO THE FULLEST EXTENT OF THE LAW.
+
+To report a potential security concern, please contact titanz@pm.me.
+
diff --git a/etc/security/limits.d/30-disable-coredump.conf b/etc/security/limits.d/30-disable-coredump.conf
new file mode 100644
index 0000000..527b136
--- /dev/null
+++ b/etc/security/limits.d/30-disable-coredump.conf
@@ -0,0 +1 @@
+* hard core 0
\ No newline at end of file
diff --git a/etc/ssh/ssh_config.d/10-custom.conf b/etc/ssh/ssh_config.d/10-custom.conf
new file mode 100644
index 0000000..9ee0fd6
--- /dev/null
+++ b/etc/ssh/ssh_config.d/10-custom.conf
@@ -0,0 +1,2 @@
+GSSAPIAuthentication no
+VerifyHostKeyDNS yes
\ No newline at end of file
diff --git a/etc/ssh/sshd_config.d/10-custom.conf b/etc/ssh/sshd_config.d/10-custom.conf
new file mode 100644
index 0000000..ccae084
--- /dev/null
+++ b/etc/ssh/sshd_config.d/10-custom.conf
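Review bot: `skip_if_unavailable=True` together with `best=False` makes dnf silently skip a repository that is unreachable or has broken metadata and accept a lower candidate version; on a host where RHEL-9.sh runs `dnf-automatic` unattended that turns a mirror outage into quietly missed security updates with no failing timer run to notice. For a server profile consider `skip_if_unavailable=False` so the automatic run fails and is visible in `systemctl status dnf-automatic`, or at least document the trade-off with a comment. `gpgcheck=True` covers packages only; `repo_gpgcheck` is left at its (off) default, so repodata authenticity rests on the metalink checksums and the `protocol=https` rewrite in RHEL-9.sh — worth a comment stating that this is the intended model.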
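Review bot: `VerifyHostKeyDNS yes` lets ssh accept an unknown host key without prompting whenever an SSHFP record matches and the reply carries the DNSSEC AD bit, and ssh trusts that bit from whatever resolver `/etc/resolv.conf` names, so the setting is only as strong as the path to that resolver. RHEL-9.sh installs a validating Unbound but leaves pointing NetworkManager at `127.0.0.1` as a manual final step, so on a host where that step was skipped a DNS spoofer on the path can fake both the SSHFP record and its "validation". Either document the assumption inline (`# assumes a trusted, DNSSEC-validating resolver on localhost (see the unbound setup)`) or use `VerifyHostKeyDNS ask`, which keeps the known_hosts prompt and merely reports the DNS match.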
@@ -0,0 +1,43 @@
+# Encryption hardening
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms sntrup761x25519-sha512@openssh.com
+PubkeyAcceptedKeyTypes ssh-ed25519
+Ciphers aes256-gcm@openssh.com
+MACs -*
+
+# Security hardening
+AuthenticationMethods publickey
+AuthorizedKeysFile .ssh/authorized_keys
+Compression no
+DisableForwarding yes
+LoginGraceTime 15s
+MaxAuthTries 1
+PermitUserEnvironment no
+PermitUserRC no
+StrictModes yes
+UseDNS no
+
+# Use KeepAlive over SSH instead of with TCP to prevent spoofing
+TCPKeepAlive no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+
+## Use PAM for session checks here but authentication is disabled below
+## Also, this prevents running sshd as non-root
+UsePAM yes
+
+# Disabling unused authentication methods
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+HostbasedAuthentication no
+PasswordAuthentication no
+PermitRootLogin no
+PermitEmptyPasswords no
+KbdInteractiveAuthentication no
+KerberosAuthentication no
+
+# Displaying info
+Banner /etc/issue.net
+PrintLastLog yes
+PrintMotd yes
diff --git a/etc/sysconfig/chronyd b/etc/sysconfig/chronyd
new file mode 100644
index 0000000..74bd9cf
--- /dev/null
+++ b/etc/sysconfig/chronyd
@@ -0,0 +1,2 @@
+# Command-line options for chronyd
+OPTIONS="-F 1"
\ No newline at end of file
diff --git a/etc/sysctl.d/99-server.conf b/etc/sysctl.d/99-server.conf
new file mode 100644
index 0000000..131dae4
--- /dev/null
+++ b/etc/sysctl.d/99-server.conf
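Review bot: `Banner /etc/issue.net` points at a file this commit does not add — the legal notice is written to `/etc/issue` in the earlier hunk on this page — so unless the setup script copies it, sshd will show the distribution's stock `/etc/issue.net` instead of the intended text; either change the line to `Banner /etc/issue` or ship `/etc/issue.net` as well. Separately, `MaxAuthTries 1` counts every public key the client offers, so a client whose agent holds more than one key is disconnected before it reaches the right one unless it sets `IdentitiesOnly yes`; raising it to `MaxAuthTries 3` or adding a comment documenting that client-side requirement would avoid surprising lockouts.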
@@ -0,0 +1,115 @@
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+dev.tty.ldisc_autoload = 0
+
+# https://access.redhat.com/solutions/1985633
+# Seems dangerous.
+fs.binfmt_misc.status = 0
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
+# Enable fs.protected sysctls.
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
+# Disable coredumps.
+# For additional safety, disable coredumps using ulimit and systemd too.
+kernel.core_pattern=|/bin/false
+fs.suid_dumpable = 0
+
+# Restrict dmesg to CAP_SYS_LOG.
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.dmesg_restrict = 1
+
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+# Restrict access to /proc.
+kernel.kptr_restrict = 2
+
+# Not needed, I don't do livepatching and reboot regularly.
+# On Ubuntu LTS just sed this to be 0 if you use livepatch.
+kernel.kexec_load_disabled = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Basically, restrict eBPF to CAP_BPF.
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
+
+# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it.
+kernel.unprivileged_userns_clone = 0
+
+# Needed for gVisor, which is used on almost all of my servers.
+kernel.yama.ptrace_scope = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Restrict performance events from unprivileged users as much as possible.
+# We are using 4 here, since Ubuntu supports such a level.
+# Official Linux kernel documentation only says >= so it probably will work.
+kernel.perf_event_paranoid = 4
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Disable sysrq.
+kernel.sysrq = 0
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
+# Not running a router here, so no redirects.
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Check if the source of the IP address is reachable through the same interface it came in.
+# Basic IP spoofing mitigation.
+net.ipv4.conf.*.rp_filter = 1
+
+# Respond to ICMP
+net.ipv4.icmp_echo_ignore_all = 0
+net.ipv6.icmp.echo_ignore_all = 0
+
+# Enable IP Forwarding.
+# Almost all of my servers run Docker anyways, and Docker absolutely requires this.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
+# Ignore bogus icmp response.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Protection against time-wait assasination attacks.
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable SYN cookies.
+# Basic SYN flood mitigation.
+net.ipv4.tcp_syncookies = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Make sure TCP timestamp is enabled.
+net.ipv4.tcp_timestamps = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Disable TCP SACK.
+# We have good networking :)
+net.ipv4.tcp_sack = 0
+
+# No SACK, therefore no Duplicated SACK.
+net.ipv4.tcp_dsack = 0
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Restrict userfaultfd to CAP_SYS_PTRACE.
+# https://bugs.archlinux.org/task/62780
+# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
+# probably not used in the real world at all.
+vm.unprivileged_userfaultfd = 0
diff --git a/etc/sysctl.d/99-workstation.conf b/etc/sysctl.d/99-workstation.conf
new file mode 100644
index 0000000..c4a20be
--- /dev/null
+++ b/etc/sysctl.d/99-workstation.conf
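Review bot: `kernel.unprivileged_userns_clone = 0` only exists on kernels carrying the Debian/Ubuntu or linux-hardened patch; on a stock Fedora kernel there is no such sysctl, so systemd-sysctl logs a failure for that line and unprivileged user namespaces stay enabled, contrary to the comment above it. The mainline knob with the same effect is `user.max_user_namespaces = 0`, which the Docker comment suggests is acceptable here since root containers do not need user namespaces. The same key appears in `99-workstation.conf` later on this page with value 1, where the no-op is harmless but the comment is equally misleading; both files should say which kernel the key is for, or use the mainline key.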
@@ -0,0 +1,116 @@
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+dev.tty.ldisc_autoload = 0
+
+# https://access.redhat.com/solutions/1985633
+# Seems dangerous.
+# Roseta need this though, so if you use it change it to 1.
+fs.binfmt_misc.status = 0
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
+# Enable fs.protected sysctls.
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
+# Disable coredumps.
+# For additional safety, disable coredumps using ulimit and systemd too.
+kernel.core_pattern=|/bin/false
+fs.suid_dumpable = 0
+
+# Restrict dmesg to CAP_SYS_LOG.
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.dmesg_restrict = 1
+
+# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+# Restrict access to /proc.
+kernel.kptr_restrict = 2
+
+# Not needed, I don't do livepatching and reboot regularly.
+# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
+kernel.kexec_load_disabled = 1
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Basically, restrict eBPF to CAP_BPF.
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
+
+# Needed for Flatpak and Bubblewrap.
+kernel.unprivileged_userns_clone = 1
+
+# Disable ptrace. Not needed on workstations.
+kernel.yama.ptrace_scope = 3
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
+# Restrict performance events from unprivileged users as much as possible.
+# We are using 4 here, since Ubuntu supports such a level.
+# Official Linux kernel documentation only says >= so it probably will work.
+kernel.perf_event_paranoid = 4
+
+# Disable io_uring
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
+# on a Proxmox node.
+kernel.io_uring_disabled = 2
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Disable sysrq.
+kernel.sysrq = 0
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
+# Not running a router here, so no redirects.
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Check if the source of the IP address is reachable through the same interface it came in
+# Basic IP spoofing mitigation.
+net.ipv4.conf.*.rp_filter = 1
+
+# Do not respond to ICMP.
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Enable IP Forwarding.
+# Needed for VM networking and whatnot.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
+# Ignore bogus icmp response.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Protection against time-wait assasination attacks.
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable SYN cookies.
+# Basic SYN flood mitigation.
+net.ipv4.tcp_syncookies = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Make sure TCP timestamp is enabled.
+net.ipv4.tcp_timestamps = 1
+
+# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
+# Disable TCP SACK.
+# We have good networking :)
+net.ipv4.tcp_sack = 0
+
+# No SACK, therefore no Duplicated SACK.
+net.ipv4.tcp_dsack = 0
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+# Restrict userfaultfd to CAP_SYS_PTRACE.
+# https://bugs.archlinux.org/task/62780
+# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
+# probably not used in the real world at all.
+vm.unprivileged_userfaultfd = 0
diff --git a/etc/systemd/coredump.conf.d/disable.conf b/etc/systemd/coredump.conf.d/disable.conf
new file mode 100644
index 0000000..4cfe0f8
--- /dev/null
+++ b/etc/systemd/coredump.conf.d/disable.conf
@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none
\ No newline at end of file
diff --git a/etc/systemd/system/fwupd-refresh.service.d/override.conf b/etc/systemd/system/fwupd-refresh.service.d/override.conf
new file mode 100644
index 0000000..e2f4943
--- /dev/null
+++ b/etc/systemd/system/fwupd-refresh.service.d/override.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStart=/usr/bin/fwupdmgr update
\ No newline at end of file
diff --git a/etc/systemd/system/unbound.service.d/override-chroot.conf b/etc/systemd/system/unbound.service.d/override-chroot.conf
new file mode 100644
index 0000000..fd40093
--- /dev/null
+++ b/etc/systemd/system/unbound.service.d/override-chroot.conf
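Review bot: `kernel.yama.ptrace_scope = 3` is one-way: once written it cannot be lowered again without a reboot, and it also refuses `PTRACE_TRACEME`, so anything that traces itself or its own children (a debugger the user launches, some crash handlers) stops working, not only attaching to unrelated processes. The comment `# Disable ptrace. Not needed on workstations.` should add that the value is irreversible until reboot, so the next person editing this file does not try to flip it live. Apart from that line, the ICMP and forwarding comments and the user-namespace value, this file duplicates `99-server.conf` from the previous hunk almost line for line; a shared base file plus a small per-role override would keep the two from drifting.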
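Review bot: The fwupd-refresh drop-in appends `ExecStart=/usr/bin/fwupdmgr update` without a preceding empty `ExecStart=`, unlike the gnome-shell drop-in later on this page which clears the unit's own command first. That only loads because `fwupd-refresh.service` is `Type=oneshot`, where several `ExecStart=` lines run in sequence; for any other service type systemd would reject the unit. A comment such as `# Keep the packaged 'fwupdmgr refresh'; run 'update' after it (Type=oneshot allows multiple ExecStart=)` would make the intent explicit, and it is worth confirming that `update` completes non-interactively under whatever sandboxing (for example `DynamicUser=`) the packaged unit applies.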
@@ -0,0 +1,35 @@
+[Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like 'so-rcvbuf'.
+ProtectKernelTunables=true
+ProtectProc=invisible
+# ProtectSystem with strict does not work - need further testing.
+ProtectSystem=full
+#RuntimeDirectory=unbound
+#ConfigurationDirectory=unbound
+#StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+
+# Below rules are needed when chroot is enabled (usually it's enabled by default).
+# If chroot is disabled like chroot: "" then they may be safely removed.
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
+BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
+BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
+BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
\ No newline at end of file
diff --git a/etc/systemd/system/unbound.service.d/override.conf b/etc/systemd/system/unbound.service.d/override.conf
new file mode 100644
index 0000000..3ac7132
--- /dev/null
+++ b/etc/systemd/system/unbound.service.d/override.conf
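Review bot: `@UNBOUND_RUN_DIR@` and `@UNBOUND_CHROOT_DIR@` are unsubstituted build-time placeholders copied from unbound's `unbound.service.in`; installed verbatim, the `ReadWritePaths=`, `TemporaryFileSystem=` and `Bind*Paths=` values are not absolute paths, so systemd rejects them with a warning and none of the chroot bind mounts this file exists to provide are set up. Unless the setup script runs a substitution over this file, replace them with the real directories for this distribution (the runtime directory and the `chroot:` value from the packaged unbound.conf — e.g. `<RUN_DIR>` and `<CHROOT_DIR>` as placeholders here). A second issue: systemd applies every `*.conf` in `unbound.service.d/`, so this file and `override.conf` in the next hunk are merged rather than being alternatives — list settings such as `CapabilityBoundingSet=` and `SystemCallFilter=` are unioned and `NoNewPrivileges=true` from here stays in effect even though `override.conf` comments it out. Keep only one of the two in the drop-in directory, or have the setup script install just the one matching the chroot setting.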
@@ -0,0 +1,26 @@
+[Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_DAC_OVERRIDE
+MemoryDenyWriteExecute=true
+#NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like 'so-rcvbuf'.
+ProtectKernelTunables=true
+ProtectProc=invisible
+# ProtectSystem with strict does not work - need further testing.
+ProtectSystem=full
+#RuntimeDirectory=unbound
+#ConfigurationDirectory=unbound
+#StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
\ No newline at end of file
diff --git a/etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf b/etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf
new file mode 100644
index 0000000..ad9d696
--- /dev/null
+++ b/etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/gnome-shell --no-x11
\ No newline at end of file
diff --git a/etc/systemd/zram-generator.conf b/etc/systemd/zram-generator.conf
new file mode 100644
index 0000000..f41f8ca
--- /dev/null
+++ b/etc/systemd/zram-generator.conf
@@ -0,0 +1,4 @@
+[zram0]
+zram-fraction = 1
+max-zram-size = 8192
+compression-algorithm = zstd
\ No newline at end of file
diff --git a/etc/yum.repos.d/nginx.repo b/etc/yum.repos.d/nginx.repo
new file mode 100644
index 0000000..921b1e6
--- /dev/null
+++ b/etc/yum.repos.d/nginx.repo
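Review bot: `#NoNewPrivileges=true` is commented out with no explanation, while the `ProtectSystem` line two lines lower documents why it is not `strict`; the chroot variant in the previous hunk keeps it enabled, and unbound's own uid/gid drop via `CAP_SETUID`/`CAP_SETGID` does not need new privileges, so either record what broke under it (e.g. `# NoNewPrivileges disabled: <reason>`) or re-enable it. `CAP_DAC_OVERRIDE` is likewise added to the bounding set relative to the chroot variant without a comment naming the file access that required it, which is the kind of capability a reviewer will otherwise remove. Note that this file sorts after `override-chroot.conf` in the same drop-in directory, so if both are installed both are applied.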
@@ -0,0 +1,15 @@
+[nginx-stable]
+name=nginx stable repo
+baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=https://nginx.org/keys/nginx_signing.key
+module_hotfixes=true
+
+[nginx-mainline]
+name=nginx mainline repo
+baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
+gpgcheck=1
+enabled=1
+gpgkey=https://nginx.org/keys/nginx_signing.key
+module_hotfixes=true
\ No newline at end of file
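Review bot: Both `baseurl=` lines fetch repository metadata and packages over plain HTTP while `gpgkey` uses HTTPS; `gpgcheck=1` protects package integrity, but without `repo_gpgcheck` the metadata itself is unauthenticated, so an on-path party can serve stale metadata (holding the host on an old version) and observe what is installed. nginx.org serves the same paths over TLS, so change both to `baseurl=https://nginx.org/packages/...`. Also, the path is `packages/centos/$releasever/...`; on a Fedora host `$releasever` expands to the Fedora release number, which nginx.org does not publish under `centos/`, and with `skip_if_unavailable=True` in dnf.conf the resulting fetch failure is skipped silently — if this repo is only meant for RHEL-family hosts, say so in a comment, otherwise pin the release number explicitly.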