KNEL/KNELServerBuild
2
0
Fork 0
Code Pull Requests Actions Packages Releases 1 Activity

lots of things

Browse Source
This commit is contained in:
Charles N Wyble
2025-06-29 19:54:10 -05:00
parent 23cba4713b
commit 7a5b90ae84
25 changed files with 278 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
ConfigFiles/AuditD/auditd.conf Normal file
View File

@@ -0,0 +1,46 @@
#
# Known Element Enterprises Customized Config File
# auditd
# Initial version 2025-06-27
#
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
max_log_file_action = keep_logs
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
disk_full_action = SUSPEND
disk_error_action = SUSPEND
admin_space_left = 50
verify_email = yes
use_libwrap = yes
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
transport = TCP
distribute_network = no
q_depth = 2000
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2
##tcp_client_ports = 1024-65535
##tcp_listen_port = 60
##krb5_key_file = /etc/audit/audit.key
krb5_principal = auditd
##name = mydomain

0
ConfigFiles/AuditD/rules.d/time-change.rules Normal file
View File

5
ConfigFiles/BANNERS/issue Normal file
View File

@@ -0,0 +1,5 @@
This system is the property of Known Element Enterprises LLC.
Authorized uses only. All activity may be monitored and reported.
All activities subject to monitoring/recording/review in real time and/or at a later time.

5
ConfigFiles/BANNERS/issue.net Normal file
View File

@@ -0,0 +1,5 @@
This system is the property of Known Element Enterprises LLC.
Authorized uses only. All activity may be monitored and reported.
All activities subject to monitoring/recording/review in real time and/or at a later time.

5
ConfigFiles/BANNERS/motd Normal file
View File

@@ -0,0 +1,5 @@
This system is the property of Known Element Enterprises LLC.
Authorized uses only. All activity may be monitored and reported.
All activities subject to monitoring/recording/review in real time and/or at a later time.

23
ConfigFiles/Logrotate/logrotate.conf Normal file
View File

@@ -0,0 +1,23 @@
# see "man logrotate" for details
# global options do not affect preceding include directives
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create 0640 root utmp
# use date as a suffix of the rotated file
#dateext
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may also be configured here.

1
ConfigFiles/ModProbe/cramfs.conf Normal file
View File

@@ -0,0 +1 @@
install cramfs /bin/true

1
ConfigFiles/ModProbe/dccp.conf Normal file
View File

@@ -0,0 +1 @@
install dccp /bin/true

1
ConfigFiles/ModProbe/freevxfs.conf Normal file
View File

@@ -0,0 +1 @@
install freevxfs /bin/true

1
ConfigFiles/ModProbe/hfs.conf Normal file
View File

@@ -0,0 +1 @@
install hfs /bin/true

1
ConfigFiles/ModProbe/hfsplus.conf Normal file
View File

@@ -0,0 +1 @@
install hfsplus /bin/true

1
ConfigFiles/ModProbe/jffs2.conf Normal file
View File

@@ -0,0 +1 @@
install jffs2 /bin/true

1
ConfigFiles/ModProbe/rds.conf Normal file
View File

@@ -0,0 +1 @@
install rds /bin/true

1
ConfigFiles/ModProbe/sctp.conf Normal file
View File

@@ -0,0 +1 @@
install sctp /bin/true

1
ConfigFiles/ModProbe/squashfs.conf Normal file
View File

@@ -0,0 +1 @@
install squashfs /bin/true

1
ConfigFiles/ModProbe/tipc.conf Normal file
View File

@@ -0,0 +1 @@
install tipc /bin/true

1
ConfigFiles/ModProbe/udf.conf Normal file
View File

@@ -0,0 +1 @@
install udf /bin/true

1
ConfigFiles/ModProbe/usb_storage.conf Normal file
View File

@@ -0,0 +1 @@
install usb-storage /bin/true

2
ConfigFiles/NTP/ntp.conf
View File

@@ -1,5 +1,5 @@
driftfile /var/lib/ntp/ntp.drift driftfile /var/lib/ntp/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list leapfile /usr/share/zoneinfo/leap-seconds.list
server pfv-netboot.taile3044.ts.net server pfv-netboot.knel.net
restrict 127.0.0.1 restrict 127.0.0.1
restrict ::1 restrict ::1

13
ConfigFiles/SSH/Configs/tsys-sshd-config
View File

@@ -2,12 +2,19 @@ Include /etc/ssh/sshd_config.d/*.conf
HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
KbdInteractiveAuthentication no KbdInteractiveAuthentication no
X11Forwarding yes
PrintMotd no PrintMotd no
PasswordAuthentication no PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
Banner none
AcceptEnv LANG LC_* AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes UsePAM yes
PermitRootLogin prohibit-password Banner /etc/issue.net
MaxAuthTries 2
MaxStartups 10:30:100
PermitRootLogin prohibit-password
ClientAliveInterval 300
ClientAliveCountMax 3
AllowUsers root localuser subodev
LoginGraceTime 60

31
ConfigFiles/Systemd/journald.conf Normal file
View File

@@ -0,0 +1,31 @@
[Journal]
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
#Audit=no
Storage=persistent

45
Modules/Security/secharden-audit-agents.sh
View File

@@ -1,15 +1,52 @@
#!/bin/bash #!/bin/bash
#lynis set -o errexit
set -o nounset
set -o pipefail
set -o functrace
# Sourced from export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
function error_out()
{
echo "Bailing out. See above for reason...."
exit 1
}
function handle_failure() {
local lineno=$1
local fn=$2
local exitstatus=$3
local msg=$4
local lineno_fns=${0% 0}
if [[ "$lineno_fns" != "-1" ]] ; then
lineno="${lineno} ${lineno_fns}"
fi
echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
}
trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
export DL_ROOT
DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
# Material herein Sourced from
# https://cisofy.com/documentation/lynis/ # https://cisofy.com/documentation/lynis/
# https://jbcsec.com/configure-linux-ssh/ # https://jbcsec.com/configure-linux-ssh/
# https://opensource.com/article/20/5/linux-security-lynis # https://opensource.com/article/20/5/linux-security-lynis
# https://forum.greenbone.net/t/ssh-authentication/13536
# openvas # openvas
# Sourced from #lynis
# https://forum.greenbone.net/t/ssh-authentication/13536 #Auditd
curl --silent ${DL_ROOT}/ConfigFiles/AudidD/auditd.conf > /etc/audit/auditd.conf
# Systemd
curl --silent ${DL_ROOT}/ConfigFiles/Systemd/journald.conf > /etc/systemd/journald.conf
# logrotate
curl --silent ${DL_ROOT}/ConfigFiles/Logrotate/logrotate.conf > /etc/logrotate.conf

59
Modules/Security/secharden-scap-stig.sh
View File

@@ -27,6 +27,21 @@ function handle_failure() {
trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
function pi-detect()
{
echo Now running "$FUNCNAME"....
if [ -f /sys/firmware/devicetree/base/model ] ; then
export IS_RASPI="1"
fi
if [ ! -f /sys/firmware/devicetree/base/model ] ; then
export IS_RASPI="0"
fi
echo Completed running "$FUNCNAME"
}
# Actual script logic starts here
export DL_ROOT export DL_ROOT
DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/" DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
@@ -62,17 +77,57 @@ DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
#password hashing algo #password hashing algo
#fix grub perms #fix grub perms
if [ "$IS_RASPI" = 0 ] ; then
chown root:root /boot/grub/grub.cfg chown root:root /boot/grub/grub.cfg
chmod og-rwx /boot/grub/grub.cfg chmod og-rwx /boot/grub/grub.cfg
chmod 0400 /boot/grub/grub.cfg
fi
#disable auto mounting #disable auto mounting
systemctl --now disable autofs || true systemctl --now disable autofs || true
apt purge autofs || true apt purge autofs || true
#disable usb storage #disable usb storage
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/usb_storage.conf > /etc/modprobe.d/usb_storage.conf && rmmod usb-storage curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/usb_storage.conf > /etc/modprobe.d/usb_storage.conf
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/dccp.conf > /etc/modprobe.d/dccp.conf
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/rds.conf > /etc/modprobe.d/rds.conf
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/sctp.conf > /etc/modprobe.d/sctp.conf
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/tipc.conf > /etc/modprobe.d/tipc.conf
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/cramfs.conf > /etc/modprobe.d/cramfs.conf
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/freevxfs.conf > /etc/modprobe.d/freevxfs.conf
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/hfs.conf > /etc/modprobe.d/hfs.conf
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/hfsplus.conf > /etc/modprobe.d/hfsplus.conf
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/jffs2.conf > /etc/modprobe.d/jffs2.conf
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/squashfs.conf > /etc/modprobe.d/squashfs.conf
curl --silent ${DL_ROOT}/ConfigFiles/ModProbe/udf.conf > /etc/modprobe.d/udf.conf
#banners #banners
curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue > /etc/issue curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue > /etc/issue
curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue.net > /etc/issue.net curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/issue.net > /etc/issue.net
curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/motd > /etc/motd curl --silent ${DL_ROOT}/ConfigFiles/BANNERS/motd > /etc/motd
#Cron perms
rm /etc/cron.deny || true
touch /etc/cron.allow
chmod g-wx,o-rwx /etc/cron.allow
chown root:root /etc/cron.allow
chmod og-rwx /etc/crontab
chmod og-rwx /etc/cron.hourly/
chmod og-rwx /etc/cron.daily/
chmod og-rwx /etc/cron.weekly/
chmod og-rwx /etc/cron.monthly/
chown root:root /etc/cron.d/
chmod og-rwx /etc/cron.d/
# At perms
rm -f /etc/at.deny || true
touch /etc/at.allow
chmod g-wx,o-rwx /etc/at.allow
chown root:root /etc/at.allow

25
Modules/Security/secharden-ssh.sh
View File

@@ -1,20 +1,13 @@
#!/bin/bash #!/bin/bash
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/tsys-sshd-config > /etc/ssh/sshd_config
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/ssh-audit_hardening.conf > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
service netfilter-persistent save
# Perms on sshd_config # Perms on sshd_config
# X11 forwarding disabled chmod og-rwx /etc/ssh/sshd_config
# MaxAuthTries set to 4 or less chmod og-rwx /etc/ssh/sshd_config.d/*
# login disabled
# only strong mAC algos are used #todo
# idle timeout
# login grace time # root login disabled
# ssh access is limited # only strong mAC algos are used
# ssh warning banner is configured
# allowtcpforwarding is disabled
# maxstartups is configured

75
SetupNewSystem.sh
View File

@@ -29,12 +29,33 @@ function handle_failure() {
trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
function PreflightCheck()
{
export curr_user="$USER"
export user_check
user_check="$(echo "$curr_user" | grep -c root)"
if [ $user_check -ne 1 ]; then
echo "Must run as root."
error_out
fi
echo "All checks passed...."
}
# Start actual script logic here... # Start actual script logic here...
################# #################
#Global variables #Global variables
################# #################
export IS_PHYSICAL_HOST
IS_PHYSICAL_HOST="$(dmidecode -t System|grep -c Dell ||true)"
export SUBODEV_CHECK export SUBODEV_CHECK
SUBODEV_CHECK="$(getent passwd|grep -c subodev || true)" SUBODEV_CHECK="$(getent passwd|grep -c subodev || true)"
@@ -49,35 +70,6 @@ DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"
# Support functions # Support functions
####################### #######################
function error_out()
{
echo "Bailing out. See above for reason...."
exit 1
}
function PreflightCheck()
{
export curr_user="$USER"
export user_check
user_check="$(echo "$curr_user" | grep -c root)"
if [ $user_check -ne 1 ]; then
echo "Must run as root."
error_out
fi
#Your additional stuff here...
echo "All checks passed...."
}
function pi-detect() function pi-detect()
{ {
echo Now running "$FUNCNAME".... echo Now running "$FUNCNAME"....
@@ -124,8 +116,6 @@ echo Now running "$FUNCNAME"....
curl --silent ${DL_ROOT}/ConfigFiles/ZSH/tsys-zshrc > /etc/zshrc curl --silent ${DL_ROOT}/ConfigFiles/ZSH/tsys-zshrc > /etc/zshrc
curl --silent ${DL_ROOT}/ConfigFiles/SMTP/aliases > /etc/aliases curl --silent ${DL_ROOT}/ConfigFiles/SMTP/aliases > /etc/aliases
curl --silent ${DL_ROOT}/ConfigFiles/Syslog/rsyslog.conf > /etc/rsyslog.conf curl --silent ${DL_ROOT}/ConfigFiles/Syslog/rsyslog.conf > /etc/rsyslog.conf
curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/tsys-sshd-config > /etc/ssh/sshd_config
curl --silent ${DL_ROOT}/ConfigFiles/SSH/Configs/ssh-audit_hardening.conf > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
export ROOT_SSH_DIR="/root/.ssh" export ROOT_SSH_DIR="/root/.ssh"
export LOCALUSER_SSH_DIR="/home/localuser/.ssh" export LOCALUSER_SSH_DIR="/home/localuser/.ssh"
@@ -198,6 +188,8 @@ curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.l
#Remove stuff we don't want #Remove stuff we don't want
apt-get --yes --purge remove systemd-timesyncd chrony telnet inetutils-telnet
#export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" --purge remove nano #export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" --purge remove nano
# add stuff we want # add stuff we want
@@ -206,6 +198,9 @@ echo "Now installing all the packages..."
DEBIAN_FRONTEND="noninteractive" apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \ DEBIAN_FRONTEND="noninteractive" apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
virt-what \ virt-what \
auditd \
audispd-plugins \
aide \
htop \ htop \
dstat \ dstat \
snmpd \ snmpd \
@@ -226,7 +221,6 @@ net-tools \
dos2unix \ dos2unix \
gpg \ gpg \
molly-guard \ molly-guard \
fail2ban \
lshw \ lshw \
fzf \ fzf \
ripgrep \ ripgrep \
@@ -237,7 +231,6 @@ sl \
rsyslog \ rsyslog \
logwatch \ logwatch \
git \ git \
rsync \
net-tools \ net-tools \
tshark \ tshark \
tcpdump \ tcpdump \
@@ -255,8 +248,7 @@ cockpit \
iptables \ iptables \
netfilter-persistent \ netfilter-persistent \
iptables-persistent \ iptables-persistent \
postfix \ postfix
telnet
export KALI_CHECK export KALI_CHECK
KALI_CHECK="$(distro |grep -c kali ||true)" KALI_CHECK="$(distro |grep -c kali ||true)"
@@ -289,10 +281,8 @@ if [[ $IS_KVM_GUEST = 1 ]]; then
apt -y install qemu-guest-agent apt -y install qemu-guest-agent
fi fi
export PHYSICAL_HOST
PHYSICAL_HOST="$(dmidecode -t System|grep -c Dell ||true)"
if [[ $PHYSICAL_HOST -gt 0 ]]; then if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then
export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \ export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
i7z \ i7z \
thermald \ thermald \
@@ -309,10 +299,11 @@ function global-postPackageConfiguration()
echo Now running "$FUNCNAME" echo Now running "$FUNCNAME"
systemctl --now enable auditd
systemctl stop postfix systemctl stop postfix
curl --silent ${DL_ROOT}/ConfigFiles/SMTP/postfix_generic> /etc/postfix/generic curl --silent ${DL_ROOT}/ConfigFiles/SMTP/postfix_generic> /etc/postfix/generic
dos2unix /etc/postfix/generic
postmap /etc/postfix/generic postmap /etc/postfix/generic
postconf -e "inet_protocols = ipv4" postconf -e "inet_protocols = ipv4"
@@ -348,7 +339,7 @@ sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service
pi-detect pi-detect
if [ "$IS_RASPI" -eq 1 ] ; then if [ "$IS_RASPI" = 1 ] ; then
curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd-rpi.conf > /etc/snmp/snmpd.conf curl --silent ${DL_ROOT}/ConfigFiles/SNMP/snmpd-rpi.conf > /etc/snmp/snmpd.conf
fi fi
@@ -381,7 +372,7 @@ systemctl start postfix
/usr/sbin/accton on /usr/sbin/accton on
if [ "$PHYSICAL_HOST" -gt 0 ]; then if [ "$IS_PHYSICAL_HOST" -gt 0 ]; then
cpufreq-set -r -g performance cpufreq-set -r -g performance
cpupower frequency-set --governor performance cpupower frequency-set --governor performance
@@ -452,7 +443,7 @@ echo Completed running "$FUNCNAME"
function secharden-scap-stig() function secharden-scap-stig()
{ {
echo Now running "$FUNCNAME" echo Now running "$FUNCNAME"
#curl --silent ${DL_ROOT}/Modules/Security/secharden-scap-stig.sh|$(which bash) curl --silent ${DL_ROOT}/Modules/Security/secharden-scap-stig.sh|$(which bash)
echo Completed running "$FUNCNAME" echo Completed running "$FUNCNAME"
} }