lots of things

ConfigFiles/AuditD/auditd.conf

@@ -0,0 +1,46 @@
+#
+# Known Element Enterprises Customized Config File
+# auditd
+# Initial version 2025-06-27 
+#
+
+local_events = yes
+write_logs = yes
+log_file = /var/log/audit/audit.log
+log_group = adm
+log_format = ENRICHED
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
+num_logs = 5
+priority_boost = 4
+name_format = NONE
+max_log_file_action = keep_logs
+space_left = 75
+space_left_action = email
+action_mail_acct = root
+
+admin_space_left_action = halt
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+admin_space_left = 50
+
+verify_email = yes
+use_libwrap = yes
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+tcp_client_max_idle = 0
+transport = TCP
+distribute_network = no
+q_depth = 2000
+overflow_action = SYSLOG
+max_restarts = 10
+plugin_dir = /etc/audit/plugins.d
+end_of_event_timeout = 2
+##tcp_client_ports = 1024-65535
+##tcp_listen_port = 60
+
+##krb5_key_file = /etc/audit/audit.key
+krb5_principal = auditd
+
+##name = mydomain

ConfigFiles/BANNERS/issue

@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.

ConfigFiles/BANNERS/issue.net

@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.

ConfigFiles/BANNERS/motd

@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.

ConfigFiles/Logrotate/logrotate.conf

@@ -0,0 +1,23 @@
+# see "man logrotate" for details
+
+# global options do not affect preceding include directives
+
+# rotate log files weekly
+weekly
+
+# keep 4 weeks worth of backlogs
+rotate 4
+
+# create new (empty) log files after rotating old ones
+create 0640 root utmp
+
+# use date as a suffix of the rotated file
+#dateext
+
+# uncomment this if you want your log files compressed
+#compress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may also be configured here.

ConfigFiles/ModProbe/cramfs.conf

@@ -0,0 +1 @@
+install cramfs /bin/true

ConfigFiles/ModProbe/dccp.conf

@@ -0,0 +1 @@
+install dccp /bin/true

ConfigFiles/ModProbe/freevxfs.conf

@@ -0,0 +1 @@
+install freevxfs /bin/true

ConfigFiles/ModProbe/hfs.conf

@@ -0,0 +1 @@
+install hfs /bin/true

ConfigFiles/ModProbe/hfsplus.conf

@@ -0,0 +1 @@
+install hfsplus /bin/true

ConfigFiles/ModProbe/jffs2.conf

@@ -0,0 +1 @@
+install jffs2 /bin/true

ConfigFiles/ModProbe/rds.conf

@@ -0,0 +1 @@
+install rds /bin/true

ConfigFiles/ModProbe/sctp.conf

@@ -0,0 +1 @@
+install sctp /bin/true

ConfigFiles/ModProbe/squashfs.conf

@@ -0,0 +1 @@
+install squashfs /bin/true

ConfigFiles/ModProbe/tipc.conf

@@ -0,0 +1 @@
+install tipc /bin/true

ConfigFiles/ModProbe/udf.conf

@@ -0,0 +1 @@
+install udf /bin/true

ConfigFiles/ModProbe/usb_storage.conf

@@ -0,0 +1 @@
+install usb-storage /bin/true

ConfigFiles/NTP/ntp.conf

@@ -1,5 +1,5 @@
 driftfile /var/lib/ntp/ntp.drift
 leapfile /usr/share/zoneinfo/leap-seconds.list
-server pfv-netboot.taile3044.ts.net
+server pfv-netboot.knel.net
 restrict 127.0.0.1
 restrict ::1

ConfigFiles/SSH/Configs/tsys-sshd-config

@@ -2,12 +2,19 @@ Include /etc/ssh/sshd_config.d/*.conf
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 KbdInteractiveAuthentication no
-X11Forwarding yes
 PrintMotd no
 PasswordAuthentication no
+AllowTcpForwarding no
+X11Forwarding no
 ChallengeResponseAuthentication no
-Banner none
 AcceptEnv LANG LC_*
 Subsystem       sftp    /usr/lib/openssh/sftp-server
 UsePAM yes
-PermitRootLogin prohibit-password
+Banner /etc/issue.net
+MaxAuthTries 2
+MaxStartups 10:30:100
+PermitRootLogin prohibit-password
+ClientAliveInterval 300
+ClientAliveCountMax 3
+AllowUsers root localuser subodev
+LoginGraceTime 60

ConfigFiles/Systemd/journald.conf

@@ -0,0 +1,31 @@
+[Journal]
+#Compress=yes
+#Seal=yes
+#SplitMode=uid
+#SyncIntervalSec=5m
+#RateLimitIntervalSec=30s
+#RateLimitBurst=10000
+#SystemMaxUse=
+#SystemKeepFree=
+#SystemMaxFileSize=
+#SystemMaxFiles=100
+#RuntimeMaxUse=
+#RuntimeKeepFree=
+#RuntimeMaxFileSize=
+#RuntimeMaxFiles=100
+#MaxRetentionSec=
+#MaxFileSec=1month
+#ForwardToSyslog=yes
+#ForwardToKMsg=no
+#ForwardToConsole=no
+#ForwardToWall=yes
+#TTYPath=/dev/console
+#MaxLevelStore=debug
+#MaxLevelSyslog=debug
+#MaxLevelKMsg=notice
+#MaxLevelConsole=info
+#MaxLevelWall=emerg
+#LineMax=48K
+#ReadKMsg=yes
+#Audit=no
+Storage=persistent

Modules/Security/secharden-audit-agents.sh

@@ -1,15 +1,52 @@
 #!/bin/bash
 
-#lynis
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o functrace
 
-# Sourced from
+export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
+
+function error_out()
+{
+        echo "Bailing out. See above for reason...."
+        exit 1
+}
+
+function handle_failure() {
+  local lineno=$1
+  local fn=$2
+  local exitstatus=$3
+  local msg=$4
+  local lineno_fns=${0% 0}
+  if [[ "$lineno_fns" != "-1" ]] ; then
+    lineno="${lineno} ${lineno_fns}"
+  fi
+  echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
+}
+
+trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
+
+export DL_ROOT
+DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
+
+# Material herein Sourced from
 
 # https://cisofy.com/documentation/lynis/
 # https://jbcsec.com/configure-linux-ssh/
 # https://opensource.com/article/20/5/linux-security-lynis
+# https://forum.greenbone.net/t/ssh-authentication/13536
 
 # openvas
 
-# Sourced from
+#lynis
 
-# https://forum.greenbone.net/t/ssh-authentication/13536
+#Auditd
+
+curl --silent ${DL_ROOT}/ConfigFiles/AudidD/auditd.conf > /etc/audit/auditd.conf
+
+# Systemd
+curl --silent ${DL_ROOT}/ConfigFiles/Systemd/journald.conf > /etc/systemd/journald.conf
+
+# logrotate
+curl --silent ${DL_ROOT}/ConfigFiles/Logrotate/logrotate.conf > /etc/logrotate.conf

Modules/Security/secharden-scap-stig.sh

@@ -27,6 +27,21 @@ function handle_failure() {
 
 trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
 
+function pi-detect()
+{
+echo Now running "$FUNCNAME"....
+if [ -f /sys/firmware/devicetree/base/model ] ; then
+export IS_RASPI="1"
+fi
+
+if [ ! -f /sys/firmware/devicetree/base/model ] ; then
+export IS_RASPI="0"
+fi
+echo Completed running "$FUNCNAME"
+}
+
+# Actual script logic starts here
+
 export DL_ROOT
 DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
 
@@ -62,17 +77,57 @@ DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
 #password hashing algo
 
 #fix grub perms
+
+if [ "$IS_RASPI" = 0 ] ; then
+
 chown root:root /boot/grub/grub.cfg 
 chmod og-rwx /boot/grub/grub.cfg
+chmod 0400 /boot/grub/grub.cfg
+
+fi
+
 
 #disable auto mounting
 systemctl --now disable autofs  || true
 apt purge autofs || true
 
 #disable usb storage
-curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/usb_storage.conf > /etc/modprobe.d/usb_storage.conf && rmmod usb-storage
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/usb_storage.conf > /etc/modprobe.d/usb_storage.conf 
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/dccp.conf > /etc/modprobe.d/dccp.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/rds.conf > /etc/modprobe.d/rds.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/sctp.conf > /etc/modprobe.d/sctp.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/tipc.conf > /etc/modprobe.d/tipc.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/cramfs.conf > /etc/modprobe.d/cramfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/freevxfs.conf > /etc/modprobe.d/freevxfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/hfs.conf > /etc/modprobe.d/hfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/hfsplus.conf > /etc/modprobe.d/hfsplus.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/jffs2.conf > /etc/modprobe.d/jffs2.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/squashfs.conf > /etc/modprobe.d/squashfs.conf
+curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/udf.conf > /etc/modprobe.d/udf.conf
 
 #banners
+
 curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue > /etc/issue
 curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue.net > /etc/issue.net
-curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/motd > /etc/motd
+curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/motd > /etc/motd
+
+#Cron perms
+rm /etc/cron.deny || true
+touch /etc/cron.allow
+chmod g-wx,o-rwx /etc/cron.allow
+chown root:root /etc/cron.allow
+
+chmod og-rwx /etc/crontab
+chmod og-rwx /etc/cron.hourly/
+chmod og-rwx /etc/cron.daily/
+chmod og-rwx /etc/cron.weekly/
+chmod og-rwx /etc/cron.monthly/
+chown root:root /etc/cron.d/
+chmod og-rwx /etc/cron.d/
+
+# At perms
+
+rm -f /etc/at.deny || true
+touch /etc/at.allow
+chmod g-wx,o-rwx /etc/at.allow
+chown root:root /etc/at.allow

Modules/Security/secharden-ssh.sh

@@ -1,20 +1,13 @@
 #!/bin/bash
 
-iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
-iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
-ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
-ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
-
-service netfilter-persistent save
+curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/tsys-sshd-config > /etc/ssh/sshd_config
+curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/ssh-audit_hardening.conf > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
 
 # Perms on sshd_config 
-# X11 forwarding disabled
-# MaxAuthTries set to 4 or less
-# login disabled
-# only strong mAC algos are used
-# idle timeout
-# login grace time 
-# ssh access is limited
-# ssh warning banner is configured
-# allowtcpforwarding is disabled
-# maxstartups is configured
+chmod og-rwx /etc/ssh/sshd_config
+chmod og-rwx /etc/ssh/sshd_config.d/*
+
+#todo
+
+# root login disabled
+# only strong mAC algos are used

SetupNewSystem.sh

@@ -29,12 +29,33 @@ function handle_failure() {
 
 trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
 
+function PreflightCheck()
+{
+
+export curr_user="$USER"
+export user_check
+
+user_check="$(echo "$curr_user" | grep -c root)"
+
+
+if [ $user_check -ne 1 ]; then
+    echo "Must run as root."
+    error_out
+fi
+
+echo "All checks passed...."
+
+}
+
 # Start actual script logic here...
 
 #################
 #Global variables
 #################
 
+export IS_PHYSICAL_HOST
+IS_PHYSICAL_HOST="$(dmidecode -t System|grep -c Dell ||true)"
+
 export SUBODEV_CHECK
 SUBODEV_CHECK="$(getent passwd|grep -c subodev || true)"
 
@@ -49,35 +70,6 @@ DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
 # Support functions
 #######################
 
-function error_out()
-{
-        echo "Bailing out. See above for reason...."
-        exit 1
-}
-
-
-function PreflightCheck()
-{
-
-
-export curr_user="$USER"
-export user_check
-
-user_check="$(echo "$curr_user" | grep -c root)"
-
-
-if [ $user_check -ne 1 ]; then
-    echo "Must run as root."
-    error_out
-fi
-
-#Your additional stuff here...
-
-echo "All checks passed...."
-
-}
-
-
 function pi-detect()
 {
 echo Now running "$FUNCNAME"....
@@ -124,8 +116,6 @@ echo Now running "$FUNCNAME"....
 curl --silent ${DL_ROOT}/ConfigFiles/ZSH/tsys-zshrc > /etc/zshrc
 curl --silent ${DL_ROOT}/ConfigFiles/SMTP/aliases > /etc/aliases 
 curl --silent ${DL_ROOT}/ConfigFiles/Syslog/rsyslog.conf > /etc/rsyslog.conf
-curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/tsys-sshd-config > /etc/ssh/sshd_config
-curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/ssh-audit_hardening.conf > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
 
 export ROOT_SSH_DIR="/root/.ssh"
 export LOCALUSER_SSH_DIR="/home/localuser/.ssh"
@@ -198,6 +188,8 @@ curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.l
 
 #Remove stuff we don't want
 
+apt-get --yes --purge remove systemd-timesyncd chrony telnet inetutils-telnet
+
 #export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" --purge remove nano
 
 # add stuff we want
@@ -206,6 +198,9 @@ echo "Now installing all the packages..."
 
 DEBIAN_FRONTEND="noninteractive" apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
 virt-what \
+auditd \
+audispd-plugins \
+aide \
 htop  \
 dstat  \
 snmpd  \
@@ -226,7 +221,6 @@ net-tools  \
 dos2unix \
 gpg  \
 molly-guard  \
-fail2ban \
 lshw  \
 fzf \
 ripgrep \
@@ -237,7 +231,6 @@ sl \
 rsyslog  \
 logwatch \
 git \
-rsync \
 net-tools \
 tshark \
 tcpdump \
@@ -255,8 +248,7 @@ cockpit \
 iptables \
 netfilter-persistent \
 iptables-persistent \
-postfix \
-telnet 
+postfix 
 
 export KALI_CHECK
 KALI_CHECK="$(distro |grep -c kali ||true)"
@@ -289,10 +281,8 @@ if [[ $IS_KVM_GUEST = 1 ]]; then
   apt -y install qemu-guest-agent
 fi
 
-export PHYSICAL_HOST
-PHYSICAL_HOST="$(dmidecode -t System|grep -c Dell ||true)"
 
-if [[ $PHYSICAL_HOST -gt 0 ]]; then
+if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then
 export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
  i7z \
  thermald \
@@ -309,10 +299,11 @@ function global-postPackageConfiguration()
 
 echo Now running "$FUNCNAME"
 
+systemctl --now enable auditd
+
 systemctl stop postfix
 
 curl --silent ${DL_ROOT}/ConfigFiles/SMTP/postfix_generic> /etc/postfix/generic
-dos2unix /etc/postfix/generic
 postmap /etc/postfix/generic
 
 postconf -e "inet_protocols = ipv4" 
@@ -348,7 +339,7 @@ sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service
 
 pi-detect
 
-if [ "$IS_RASPI" -eq 1 ] ; then
+if [ "$IS_RASPI" = 1 ] ; then
 curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd-rpi.conf > /etc/snmp/snmpd.conf 
 fi
 
@@ -381,7 +372,7 @@ systemctl start postfix
 /usr/sbin/accton on
 
 
-if [ "$PHYSICAL_HOST" -gt 0 ]; then
+if [ "$IS_PHYSICAL_HOST" -gt 0 ]; then
 cpufreq-set -r -g performance
 cpupower frequency-set --governor performance
 
@@ -452,7 +443,7 @@ echo Completed running "$FUNCNAME"
 function secharden-scap-stig()
 {
 echo Now running "$FUNCNAME"
-#curl --silent ${DL_ROOT}/Modules/Security/secharden-scap-stig.sh|$(which bash)
+curl --silent ${DL_ROOT}/Modules/Security/secharden-scap-stig.sh|$(which bash)
 echo Completed running "$FUNCNAME"
 }