diff --git a/ConfigFiles/AuditD/auditd.conf b/ConfigFiles/AuditD/auditd.conf
new file mode 100644
index 0000000..3292aff
--- /dev/null
+++ b/ConfigFiles/AuditD/auditd.conf
@@ -0,0 +1,46 @@
+#
+# Known Element Enterprises Customized Config File
+# auditd
+# Initial version 2025-06-27
+#
+
+local_events = yes
+write_logs = yes
+log_file = /var/log/audit/audit.log
+log_group = adm
+log_format = ENRICHED
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
+num_logs = 5
+priority_boost = 4
+name_format = NONE
+max_log_file_action = keep_logs
+space_left = 75
+space_left_action = email
+action_mail_acct = root
+
+admin_space_left_action = halt
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+admin_space_left = 50
+
+verify_email = yes
+use_libwrap = yes
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+tcp_client_max_idle = 0
+transport = TCP
+distribute_network = no
+q_depth = 2000
+overflow_action = SYSLOG
+max_restarts = 10
+plugin_dir = /etc/audit/plugins.d
+end_of_event_timeout = 2
+##tcp_client_ports = 1024-65535
+##tcp_listen_port = 60
+
+##krb5_key_file = /etc/audit/audit.key
+krb5_principal = auditd
+
+##name = mydomain
\ No newline at end of file
diff --git a/ConfigFiles/AuditD/rules.d/time-change.rules b/ConfigFiles/AuditD/rules.d/time-change.rules
new file mode 100644
index 0000000..e69de29
diff --git a/ConfigFiles/BANNERS/issue b/ConfigFiles/BANNERS/issue
new file mode 100644
index 0000000..cace08b
--- /dev/null
+++ b/ConfigFiles/BANNERS/issue
@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.
\ No newline at end of file
diff --git a/ConfigFiles/BANNERS/issue.net b/ConfigFiles/BANNERS/issue.net
new file mode 100644
index 0000000..cace08b
--- /dev/null
+++ b/ConfigFiles/BANNERS/issue.net
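Review bot: `max_log_file_action = keep_logs` makes the `num_logs = 5` line above it inert, so audit logs are never pruned and the only backstop is `admin_space_left = 50` with `admin_space_left_action = halt` — a full audit volume becomes a host halt, which anyone able to generate audit events (failed logins, for example) can drive unless /var/log/audit is its own partition. Either keep `keep_logs` and document the external pruning step, or use `max_log_file_action = ROTATE` so `num_logs` applies. `space_left = 75` and `admin_space_left = 50` are megabytes, not percentages, so on a large volume the gap between the warning email and the halt is tiny; recent auditd accepts `space_left = 25%` style values that scale with the partition. `disk_full_action = SUSPEND` and `disk_error_action = SUSPEND` silently stop auditing while the admin action halts, which is inconsistent — CIS-style profiles expect `halt` or `single` for all three.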
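Review bot: `rules.d/time-change.rules` is added as an empty file (blob e69de29), so `augenrules` produces no time-change rules even though the filename reads like a finished control, and nothing in the scripts changed here fetches the rules.d directory at all. If the rules are still to come, add a one-line marker such as `# TODO: time-change rules (adjtimex/settimeofday/clock_settime, -k time-change) not yet populated` so an empty file is not mistaken for coverage; otherwise drop the file until it has content.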
@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.
\ No newline at end of file
diff --git a/ConfigFiles/BANNERS/motd b/ConfigFiles/BANNERS/motd
new file mode 100644
index 0000000..cace08b
--- /dev/null
+++ b/ConfigFiles/BANNERS/motd
@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.
\ No newline at end of file
diff --git a/ConfigFiles/Logrotate/logrotate.conf b/ConfigFiles/Logrotate/logrotate.conf
new file mode 100644
index 0000000..e571f2b
--- /dev/null
+++ b/ConfigFiles/Logrotate/logrotate.conf
@@ -0,0 +1,23 @@
+# see "man logrotate" for details
+
+# global options do not affect preceding include directives
+
+# rotate log files weekly
+weekly
+
+# keep 4 weeks worth of backlogs
+rotate 4
+
+# create new (empty) log files after rotating old ones
+create 0640 root utmp
+
+# use date as a suffix of the rotated file
+#dateext
+
+# uncomment this if you want your log files compressed
+#compress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may also be configured here.
\ No newline at end of file
diff --git a/ConfigFiles/ModProbe/cramfs.conf b/ConfigFiles/ModProbe/cramfs.conf
new file mode 100644
index 0000000..8a1840d
--- /dev/null
+++ b/ConfigFiles/ModProbe/cramfs.conf
@@ -0,0 +1 @@
+install cramfs /bin/true
\ No newline at end of file
diff --git a/ConfigFiles/ModProbe/dccp.conf b/ConfigFiles/ModProbe/dccp.conf
new file mode 100644
index 0000000..581b897
--- /dev/null
+++ b/ConfigFiles/ModProbe/dccp.conf
@@ -0,0 +1 @@
+install dccp /bin/true
\ No newline at end of file
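Review bot: `install dccp /bin/true` makes a manual or scripted `modprobe dccp` exit 0, so nothing that checks the result can tell the module was refused, and it does nothing about a copy that is already loaded. Current CIS benchmarks use `/bin/false` as the install target and pair it with a blacklist entry in the same file — `install dccp /bin/false` and `blacklist dccp` — so the module is also refused when requested through an alias and so Lynis/OpenVAS (both referenced by this repo) find the expected pair. The same applies to every one-line file under ConfigFiles/ModProbe in this commit, and to the `usb-storage` one in particular, where the `rmmod` that used to follow the install of this file has been dropped from secharden-scap-stig.sh.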
diff --git a/ConfigFiles/ModProbe/freevxfs.conf b/ConfigFiles/ModProbe/freevxfs.conf
new file mode 100644
index 0000000..d955a1b
--- /dev/null
+++ b/ConfigFiles/ModProbe/freevxfs.conf
@@ -0,0 +1 @@
+install freevxfs /bin/true
\ No newline at end of file
diff --git a/ConfigFiles/ModProbe/hfs.conf b/ConfigFiles/ModProbe/hfs.conf
new file mode 100644
index 0000000..d958196
--- /dev/null
+++ b/ConfigFiles/ModProbe/hfs.conf
@@ -0,0 +1 @@
+install hfs /bin/true
\ No newline at end of file
diff --git a/ConfigFiles/ModProbe/hfsplus.conf b/ConfigFiles/ModProbe/hfsplus.conf
new file mode 100644
index 0000000..ff899bb
--- /dev/null
+++ b/ConfigFiles/ModProbe/hfsplus.conf
@@ -0,0 +1 @@
+install hfsplus /bin/true
\ No newline at end of file
diff --git a/ConfigFiles/ModProbe/jffs2.conf b/ConfigFiles/ModProbe/jffs2.conf
new file mode 100644
index 0000000..4d667ff
--- /dev/null
+++ b/ConfigFiles/ModProbe/jffs2.conf
@@ -0,0 +1 @@
+install jffs2 /bin/true
\ No newline at end of file
diff --git a/ConfigFiles/ModProbe/rds.conf b/ConfigFiles/ModProbe/rds.conf
new file mode 100644
index 0000000..3bc54e4
--- /dev/null
+++ b/ConfigFiles/ModProbe/rds.conf
@@ -0,0 +1 @@
+install rds /bin/true
\ No newline at end of file
diff --git a/ConfigFiles/ModProbe/sctp.conf b/ConfigFiles/ModProbe/sctp.conf
new file mode 100644
index 0000000..33bcb68
--- /dev/null
+++ b/ConfigFiles/ModProbe/sctp.conf
@@ -0,0 +1 @@
+install sctp /bin/true
\ No newline at end of file
diff --git a/ConfigFiles/ModProbe/squashfs.conf b/ConfigFiles/ModProbe/squashfs.conf
new file mode 100644
index 0000000..9de3008
--- /dev/null
+++ b/ConfigFiles/ModProbe/squashfs.conf
@@ -0,0 +1 @@
+install squashfs /bin/true
\ No newline at end of file
diff --git a/ConfigFiles/ModProbe/tipc.conf b/ConfigFiles/ModProbe/tipc.conf
new file mode 100644
index 0000000..a2a8e52
--- /dev/null
+++ b/ConfigFiles/ModProbe/tipc.conf
@@ -0,0 +1 @@
+install tipc /bin/true
\ No newline at end of file
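Review bot: `install squashfs /bin/true` breaks anything that mounts squashfs images, most visibly snapd and live/ISO tooling, and the failure shows up as a mount error long after this script ran. Since the same provisioning flow installs a long package list, either add a comment here stating that snaps are not supported on these hosts, or make the squashfs entry conditional on snapd being absent — a one-line `# squashfs disabled per CIS; snapd is unsupported on KNEL hosts` is enough to stop the next operator from chasing it.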
diff --git a/ConfigFiles/ModProbe/udf.conf b/ConfigFiles/ModProbe/udf.conf
new file mode 100644
index 0000000..dc5169d
--- /dev/null
+++ b/ConfigFiles/ModProbe/udf.conf
@@ -0,0 +1 @@
+install udf /bin/true
\ No newline at end of file
diff --git a/ConfigFiles/ModProbe/usb_storage.conf b/ConfigFiles/ModProbe/usb_storage.conf
new file mode 100644
index 0000000..a4f90da
--- /dev/null
+++ b/ConfigFiles/ModProbe/usb_storage.conf
@@ -0,0 +1 @@
+install usb-storage /bin/true
\ No newline at end of file
diff --git a/ConfigFiles/NTP/ntp.conf b/ConfigFiles/NTP/ntp.conf
index 10f3861..2f78bc3 100644
--- a/ConfigFiles/NTP/ntp.conf
+++ b/ConfigFiles/NTP/ntp.conf
@@ -1,5 +1,5 @@
 driftfile /var/lib/ntp/ntp.drift
 leapfile /usr/share/zoneinfo/leap-seconds.list
-server pfv-netboot.taile3044.ts.net
+server pfv-netboot.knel.net
 restrict 127.0.0.1
 restrict ::1
\ No newline at end of file
diff --git a/ConfigFiles/SSH/Configs/tsys-sshd-config b/ConfigFiles/SSH/Configs/tsys-sshd-config
index 155ef4f..7325a6f 100644
--- a/ConfigFiles/SSH/Configs/tsys-sshd-config
+++ b/ConfigFiles/SSH/Configs/tsys-sshd-config
@@ -2,12 +2,19 @@ Include /etc/ssh/sshd_config.d/*.conf
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 KbdInteractiveAuthentication no
-X11Forwarding yes
 PrintMotd no
 PasswordAuthentication no
+AllowTcpForwarding no
+X11Forwarding no
 ChallengeResponseAuthentication no
-Banner none
 AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server
 UsePAM yes
-PermitRootLogin prohibit-password
\ No newline at end of file
+Banner /etc/issue.net
+MaxAuthTries 2
+MaxStartups 10:30:100
+PermitRootLogin prohibit-password
+ClientAliveInterval 300
+ClientAliveCountMax 3
+AllowUsers root localuser subodev
+LoginGraceTime 60
\ No newline at end of file
diff --git a/ConfigFiles/Systemd/journald.conf b/ConfigFiles/Systemd/journald.conf
new file mode 100644
index 0000000..decbe3b
--- /dev/null
+++ b/ConfigFiles/Systemd/journald.conf
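Review bot: the whole file is the five lines shown and none of them is a `restrict default`, so ntpd applies no restrictions to remote sources — only loopback is restricted — and any host that can reach UDP/123 can send mode 6/7 control queries (the classic amplification and information-leak path) or, depending on build options, try to peer. Add `restrict default kod nomodify notrap nopeer noquery` and `restrict -6 default kod nomodify notrap nopeer noquery` above the two loopback lines. The single `server pfv-netboot.knel.net` has no `iburst` and no fallback, so the time base that the auditd timestamps and the time-change auditing in this same commit rely on hinges on one hostname resolving at boot; at least add `iburst` and consider a second source.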
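Review bot: `MaxAuthTries 2` counts every public key the client offers, not only passwords, so a user with three keys in their agent is disconnected before the right one is tried; `MaxAuthTries 4` still satisfies the CIS ceiling without that failure mode. `AllowUsers root localuser subodev` combined with `PermitRootLogin prohibit-password` keeps key-based root SSH enabled, which contradicts the `# root login disabled` todo left in secharden-ssh.sh in this same commit — pick one: `PermitRootLogin no` and drop `root` from AllowUsers, or rewrite the todo. `Include /etc/ssh/sshd_config.d/*.conf` is line 1 of this file and sshd keeps the first value it sees for a keyword, so any drop-in in that directory overrides every directive below; the hardening script only chmods that directory, it never clears stray files, which is worth a comment next to the Include.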
@@ -0,0 +1,31 @@
+[Journal]
+#Compress=yes
+#Seal=yes
+#SplitMode=uid
+#SyncIntervalSec=5m
+#RateLimitIntervalSec=30s
+#RateLimitBurst=10000
+#SystemMaxUse=
+#SystemKeepFree=
+#SystemMaxFileSize=
+#SystemMaxFiles=100
+#RuntimeMaxUse=
+#RuntimeKeepFree=
+#RuntimeMaxFileSize=
+#RuntimeMaxFiles=100
+#MaxRetentionSec=
+#MaxFileSec=1month
+#ForwardToSyslog=yes
+#ForwardToKMsg=no
+#ForwardToConsole=no
+#ForwardToWall=yes
+#TTYPath=/dev/console
+#MaxLevelStore=debug
+#MaxLevelSyslog=debug
+#MaxLevelKMsg=notice
+#MaxLevelConsole=info
+#MaxLevelWall=emerg
+#LineMax=48K
+#ReadKMsg=yes
+#Audit=no
+Storage=persistent
\ No newline at end of file
diff --git a/Modules/Security/secharden-audit-agents.sh b/Modules/Security/secharden-audit-agents.sh
index 611454f..29f5c81 100644
--- a/Modules/Security/secharden-audit-agents.sh
+++ b/Modules/Security/secharden-audit-agents.sh
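Review bot: `Storage=persistent` is the only live directive, so retention, sealing and forwarding all fall back to compiled defaults — `#SystemMaxUse=` is a comment, so per journald.conf(5) the persistent journal may grow to 10% of the filesystem (capped at 4G) with no explicit ceiling, and `#Seal=yes` / `#ForwardToSyslog=yes` set nothing. Since the same commit installs rsyslog and auditd next to this file, state the intent: `SystemMaxUse=` sized for the host class, `Compress=yes`, `Seal=yes` (which also needs `journalctl --setup-keys` once per host), and an explicit `ForwardToSyslog=` matching whatever the shipped rsyslog.conf expects — that file is not in the diff, so confirm. Overwriting /etc/systemd/journald.conf wholesale also invites a conffile conflict on the next systemd upgrade; a drop-in `/etc/systemd/journald.conf.d/10-knel.conf` holding only the changed keys avoids that.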
@@ -1,15 +1,52 @@ #!/bin/bash -#lynis +set -o errexit +set -o nounset +set -o pipefail +set -o functrace -# Sourced from +export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ ' + +function error_out() +{ + echo "Bailing out. See above for reason...." + exit 1 +} + +function handle_failure() { + local lineno=$1 + local fn=$2 + local exitstatus=$3 + local msg=$4 + local lineno_fns=${0% 0} + if [[ "$lineno_fns" != "-1" ]] ; then + lineno="${lineno} ${lineno_fns}" + fi + echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg" +} + +trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR + +export DL_ROOT +DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/" + +# Material herein Sourced from # https://cisofy.com/documentation/lynis/ # https://jbcsec.com/configure-linux-ssh/ # https://opensource.com/article/20/5/linux-security-lynis +# https://forum.greenbone.net/t/ssh-authentication/13536 # openvas -# Sourced from +#lynis -# https://forum.greenbone.net/t/ssh-authentication/13536 \ No newline at end of file +#Auditd + +curl --silent ${DL_ROOT}/ConfigFiles/AudidD/auditd.conf > /etc/audit/auditd.conf + +# Systemd +curl --silent ${DL_ROOT}/ConfigFiles/Systemd/journald.conf > /etc/systemd/journald.conf + +# logrotate +curl --silent ${DL_ROOT}/ConfigFiles/Logrotate/logrotate.conf > /etc/logrotate.conf \ No newline at end of file diff --git a/Modules/Security/secharden-scap-stig.sh b/Modules/Security/secharden-scap-stig.sh index 0cb0891..b75838e 100644 --- a/Modules/Security/secharden-scap-stig.sh +++ b/Modules/Security/secharden-scap-stig.sh 
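Review bot: the first curl fetches `${DL_ROOT}/ConfigFiles/AudidD/auditd.conf` but the directory added in this commit is `ConfigFiles/AuditD`, and because `--silent` is used without `--fail`, a 404 exits 0, `set -o errexit` never fires, and the server's error body (or nothing) is written over /etc/audit/auditd.conf. All three lines also truncate their destination via `>` before curl has connected, so any fetch failure leaves an empty config; fetch into a temp file with `--fail` and `install` it only on success, as below. Two smaller points in the new header: an ERR trap is only inherited by functions under `set -o errtrace` (`-E`) — `set -o functrace` governs DEBUG/RETURN traps — and nothing restarts auditd or runs `augenrules --load` after the config lands, nor is the `rules.d/time-change.rules` file from this commit fetched at all.
```shell
set -o errtrace

# fetch_config URL DEST [MODE]: download to a temp file and install it only on
# success, so a failed or partial download never truncates the live config.
fetch_config() {
  local url="$1" dest="$2" mode="${3:-0644}" tmp
  tmp="$(mktemp)" || return 1
  if curl --fail --silent --show-error --proto '=https' "$url" -o "$tmp"; then
    install -o root -g root -m "$mode" "$tmp" "$dest"
  else
    echo "fetch of $url failed; leaving $dest untouched" >&2
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
}

# … unchanged: source references …

fetch_config "${DL_ROOT}ConfigFiles/AuditD/auditd.conf" /etc/audit/auditd.conf 0640
fetch_config "${DL_ROOT}ConfigFiles/Systemd/journald.conf" /etc/systemd/journald.conf
fetch_config "${DL_ROOT}ConfigFiles/Logrotate/logrotate.conf" /etc/logrotate.conf
```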
@@ -27,6 +27,21 @@ function handle_failure() { trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR +function pi-detect() +{ +echo Now running "$FUNCNAME".... +if [ -f /sys/firmware/devicetree/base/model ] ; then +export IS_RASPI="1" +fi + +if [ ! -f /sys/firmware/devicetree/base/model ] ; then +export IS_RASPI="0" +fi +echo Completed running "$FUNCNAME" +} + +# Actual script logic starts here + export DL_ROOT DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/" 
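Review bot: `/sys/firmware/devicetree/base/model` exists on every device-tree platform (most ARM boards, some ARM servers and VMs), so `IS_RASPI=1` here really means "has a device tree", and the GRUB hardening gated on it later in this file will be skipped on non-Pi ARM hosts that do boot with GRUB. Test the model string instead and fold the two mirror-image `if` blocks into one: `if grep -qi raspberry /sys/firmware/devicetree/base/model 2>/dev/null; then export IS_RASPI=1; else export IS_RASPI=0; fi` (Raspberry Pi firmware reports "Raspberry Pi …" there; confirm on the boards in use). The same body exists as `pi-detect` in SetupNewSystem.sh, so fix both or source one shared helper rather than letting the two drift.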
@@ -62,17 +77,57 @@ DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/" #password hashing algo #fix grub perms + +if [ "$IS_RASPI" = 0 ] ; then + chown root:root /boot/grub/grub.cfg chmod og-rwx /boot/grub/grub.cfg +chmod 0400 /boot/grub/grub.cfg + +fi + #disable auto mounting systemctl --now disable autofs || true apt purge autofs || true #disable usb storage -curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/usb_storage.conf > /etc/modprobe.d/usb_storage.conf && rmmod usb-storage +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/usb_storage.conf > /etc/modprobe.d/usb_storage.conf +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/dccp.conf > /etc/modprobe.d/dccp.conf +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/rds.conf > /etc/modprobe.d/rds.conf +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/sctp.conf > /etc/modprobe.d/sctp.conf +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/tipc.conf > /etc/modprobe.d/tipc.conf +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/cramfs.conf > /etc/modprobe.d/cramfs.conf +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/freevxfs.conf > /etc/modprobe.d/freevxfs.conf +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/hfs.conf > /etc/modprobe.d/hfs.conf +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/hfsplus.conf > /etc/modprobe.d/hfsplus.conf +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/jffs2.conf > /etc/modprobe.d/jffs2.conf +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/squashfs.conf > /etc/modprobe.d/squashfs.conf +curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/udf.conf > /etc/modprobe.d/udf.conf #banners + curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue > /etc/issue curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue.net > /etc/issue.net -curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/motd > /etc/motd \ No newline at end of file +curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/motd > /etc/motd + +#Cron perms +rm /etc/cron.deny || true +touch /etc/cron.allow +chmod g-wx,o-rwx /etc/cron.allow +chown root:root /etc/cron.allow + +chmod og-rwx 
/etc/crontab +chmod og-rwx /etc/cron.hourly/ +chmod og-rwx /etc/cron.daily/ +chmod og-rwx /etc/cron.weekly/ +chmod og-rwx /etc/cron.monthly/ +chown root:root /etc/cron.d/ +chmod og-rwx /etc/cron.d/ + +# At perms + +rm -f /etc/at.deny || true +touch /etc/at.allow +chmod g-wx,o-rwx /etc/at.allow +chown root:root /etc/at.allow \ No newline at end of file diff --git a/Modules/Security/secharden-ssh.sh b/Modules/Security/secharden-ssh.sh index d4b9829..17586e2 100644 --- a/Modules/Security/secharden-ssh.sh +++ b/Modules/Security/secharden-ssh.sh @@ -1,20 +1,13 @@ #!/bin/bash -iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set -iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP -ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set -ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP - -service netfilter-persistent save +curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/tsys-sshd-config > /etc/ssh/sshd_config +curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/ssh-audit_hardening.conf > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf # Perms on sshd_config -# X11 forwarding disabled -# MaxAuthTries set to 4 or less -# login disabled -# only strong mAC algos are used -# idle timeout -# login grace time -# ssh access is limited -# ssh warning banner is configured -# allowtcpforwarding is disabled -# maxstartups is configured \ No newline at end of file +chmod og-rwx /etc/ssh/sshd_config +chmod og-rwx /etc/ssh/sshd_config.d/* + +#todo + +# root login disabled +# only strong mAC algos are used \ No newline at end of file diff --git a/SetupNewSystem.sh b/SetupNewSystem.sh index ca89b9d..b95e4ab 100644 --- a/SetupNewSystem.sh +++ b/SetupNewSystem.sh 
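Review bot: `if [ "$IS_RASPI" = 0 ]` reads a variable that nothing visible in this file sets first — `pi-detect` is defined in the earlier hunk but no call to it appears in the diff (the lines between the two hunks are not shown, so ignore this if the call sits there). If the script's header uses `set -o nounset` like its sibling module, the script aborts on that line; if not, the test is `"" = 0`, false, and the GRUB permission hardening is silently skipped on every host — call `pi-detect` immediately before the test. Dropping `&& rmmod usb-storage` from the usb_storage line means an already-loaded module stays resident until reboot; keep `modprobe -r usb-storage 2>/dev/null || true` (best-effort, since it fails while a USB disk is mounted). `touch /etc/cron.allow` with nothing in it locks every non-root account out of cron, which is what the benchmark asks for but also breaks any per-user jobs the site relies on, so a one-line comment stating that this is intentional would save the next operator a search. The enclosing script continues past the end of this hunk.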
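Review bot: `curl --silent ${DL_ROOT}/… > /etc/ssh/sshd_config` truncates the live sshd_config before curl has connected, and this script neither defines `DL_ROOT` (it is inherited from SetupNewSystem.sh only when run from there) nor passes `--fail`, so a standalone run or a 404 leaves the host with an empty sshd_config and sshd falls back to compiled defaults, among them password authentication. Fetch both files to a staging directory, validate with `sshd -t -f`, and only then install; there is also no test or reload after the write, so nothing here applies the new settings until something else restarts sshd (possibly the parent script, which is not visible). The removed `-m recent --hitcount` iptables throttling is not replaced, and the same commit drops fail2ban from SetupNewSystem.sh, so `MaxAuthTries 2` in the new config becomes the only brake on SSH brute force — if throttling moved elsewhere, a comment naming the new location would stop it being re-added.
```shell
: "${DL_ROOT:?DL_ROOT must be set (exported by SetupNewSystem.sh)}"

# Stage both files, validate the combination, then install; a failed or partial
# download must never leave /etc/ssh/sshd_config empty.
stage="$(mktemp -d)"
curl --fail --silent --show-error "${DL_ROOT}ConfigFiles/SSH/Configs/tsys-sshd-config" -o "${stage}/sshd_config" || exit 1
curl --fail --silent --show-error "${DL_ROOT}ConfigFiles/SSH/Configs/ssh-audit_hardening.conf" -o "${stage}/ssh-audit_hardening.conf" || exit 1
install -o root -g root -m 0600 "${stage}/ssh-audit_hardening.conf" /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
if sshd -t -f "${stage}/sshd_config"; then
  install -o root -g root -m 0600 "${stage}/sshd_config" /etc/ssh/sshd_config
  systemctl reload ssh   # Debian unit name; adjust for other distros
else
  echo "fetched sshd_config failed validation; keeping current config" >&2
fi
rm -rf "${stage}"

# … unchanged: chmod of sshd_config and sshd_config.d/* …
```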
@@ -29,12 +29,33 @@ function handle_failure() { trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR +function PreflightCheck() +{ + +export curr_user="$USER" +export user_check + +user_check="$(echo "$curr_user" | grep -c root)" + + +if [ $user_check -ne 1 ]; then + echo "Must run as root." + error_out +fi + +echo "All checks passed...." + +} + # Start actual script logic here... ################# #Global variables ################# +export IS_PHYSICAL_HOST +IS_PHYSICAL_HOST="$(dmidecode -t System|grep -c Dell ||true)" + export SUBODEV_CHECK SUBODEV_CHECK="$(getent passwd|grep -c subodev || true)" @@ -49,35 +70,6 @@ DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/" # Support functions ####################### -function error_out() -{ - echo "Bailing out. See above for reason...." - exit 1 -} - - -function PreflightCheck() -{ - - -export curr_user="$USER" -export user_check - -user_check="$(echo "$curr_user" | grep -c root)" - - -if [ $user_check -ne 1 ]; then - echo "Must run as root." - error_out -fi - -#Your additional stuff here... - -echo "All checks passed...." - -} - - function pi-detect() { echo Now running "$FUNCNAME".... @@ -124,8 +116,6 @@ echo Now running "$FUNCNAME".... curl --silent ${DL_ROOT}/ConfigFiles/ZSH/tsys-zshrc > /etc/zshrc curl --silent ${DL_ROOT}/ConfigFiles/SMTP/aliases > /etc/aliases curl --silent ${DL_ROOT}/ConfigFiles/Syslog/rsyslog.conf > /etc/rsyslog.conf -curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/tsys-sshd-config > /etc/ssh/sshd_config -curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/ssh-audit_hardening.conf > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf export ROOT_SSH_DIR="/root/.ssh" export LOCALUSER_SSH_DIR="/home/localuser/.ssh" 
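Review bot: PreflightCheck decides root by `echo "$curr_user" | grep -c root`, which passes any account whose name merely contains "root" (`rootbeer`, `nonroot`) and depends on `$USER` rather than the effective uid; test the uid instead: `if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then echo "Must run as root." >&2; error_out; fi`. The moved function still calls `error_out`, which the next hunk deletes from this file, so it must remain defined earlier in the file (the shared header in secharden-audit-agents.sh has it; this file's first 28 lines are not in the diff) or the check will fail with "command not found" exactly when it needs to bail. `IS_PHYSICAL_HOST` is computed at global scope with `dmidecode` before PreflightCheck has confirmed root, and the `|| true` hides the permission error, so a non-root run quietly gets 0; compute it after the root check or inside the function that consumes it, and note in a comment that "Dell" is being used as the physical-host marker.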
@@ -198,6 +188,8 @@ curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.l #Remove stuff we don't want +apt-get --yes --purge remove systemd-timesyncd chrony telnet inetutils-telnet + #export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" --purge remove nano # add stuff we want @@ -206,6 +198,9 @@ echo "Now installing all the packages..." DEBIAN_FRONTEND="noninteractive" apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \ virt-what \ +auditd \ +audispd-plugins \ +aide \ htop \ dstat \ snmpd \ @@ -226,7 +221,6 @@ net-tools \ dos2unix \ gpg \ molly-guard \ -fail2ban \ lshw \ fzf \ ripgrep \ @@ -237,7 +231,6 @@ sl \ rsyslog \ logwatch \ git \ -rsync \ net-tools \ tshark \ tcpdump \ @@ -255,8 +248,7 @@ cockpit \ iptables \ netfilter-persistent \ iptables-persistent \ -postfix \ -telnet +postfix export KALI_CHECK KALI_CHECK="$(distro |grep -c kali ||true)" @@ -289,10 +281,8 @@ if [[ $IS_KVM_GUEST = 1 ]]; then apt -y install qemu-guest-agent fi -export PHYSICAL_HOST -PHYSICAL_HOST="$(dmidecode -t System|grep -c Dell ||true)" -if [[ $PHYSICAL_HOST -gt 0 ]]; then +if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \ i7z \ thermald \ @@ -309,10 +299,11 @@ function global-postPackageConfiguration() echo Now running "$FUNCNAME" +systemctl --now enable auditd + systemctl stop postfix curl --silent ${DL_ROOT}/ConfigFiles/SMTP/postfix_generic> /etc/postfix/generic -dos2unix /etc/postfix/generic postmap /etc/postfix/generic postconf -e "inet_protocols = ipv4" @@ -348,7 +339,7 @@ sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service pi-detect -if [ "$IS_RASPI" -eq 1 ] ; then +if [ "$IS_RASPI" = 1 ] ; then curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd-rpi.conf > /etc/snmp/snmpd.conf fi 
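Review bot: removing `fail2ban` from the package list, together with the `-m recent --hitcount` iptables rules deleted from secharden-ssh.sh in this same commit, leaves no rate limiting on SSH at all; the new sshd config's `MaxAuthTries 2` only ends a single session and does nothing to slow an attacker who reconnects. If the intent is that Tailscale (whose repository is added a few lines above this hunk) is the only path to port 22, say so in a comment next to the removal; otherwise keep fail2ban or restore the netfilter rule somewhere the next reader can find it.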
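Review bot: `systemctl --now enable auditd` starts the daemon with the distribution's default auditd.conf and rules, because the customised config is fetched by a separate module (secharden-audit-agents.sh) that never restarts auditd or loads rules; enabling here is fine, but whichever step writes the config afterwards needs `augenrules --load && service auditd restart` (auditd's unit carries `RefuseManualStop=yes` on some versions, so `systemctl restart` may be refused). `aide` is added to the package list in the same group of hunks but nothing in the diff runs `aideinit` or schedules a check, so there is no baseline to compare against — either initialise it in global-postPackageConfiguration or leave a `# TODO: aideinit + daily check` next to the package so the gap is visible. global-postPackageConfiguration starts and ends outside this hunk.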
@@ -381,7 +372,7 @@ systemctl start postfix /usr/sbin/accton on -if [ "$PHYSICAL_HOST" -gt 0 ]; then +if [ "$IS_PHYSICAL_HOST" -gt 0 ]; then cpufreq-set -r -g performance cpupower frequency-set --governor performance @@ -452,7 +443,7 @@ echo Completed running "$FUNCNAME" function secharden-scap-stig() { echo Now running "$FUNCNAME" -#curl --silent ${DL_ROOT}/Modules/Security/secharden-scap-stig.sh|$(which bash) +curl --silent ${DL_ROOT}/Modules/Security/secharden-scap-stig.sh|$(which bash) echo Completed running "$FUNCNAME" }
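Review bot: uncommenting `curl --silent ${DL_ROOT}/Modules/Security/secharden-scap-stig.sh|$(which bash)` executes whatever comes back, and with `--silent` and no `--fail` an HTTP error page or a connection cut mid-transfer is fed to bash as far as it got — bash reads a piped script incrementally, so a truncated `rm` or `chmod` line can run with half its arguments. Download to a file first and run it only when curl exits 0: `tmp=$(mktemp) && curl --fail --silent --show-error "${DL_ROOT}Modules/Security/secharden-scap-stig.sh" -o "$tmp" && bash "$tmp"; rm -f "$tmp"`. `$(which bash)` is just `bash`, and the same pipe pattern presumably exists in the other secharden-* wrappers, which are not in the diff.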