konstruktoid / Hardening
Programming Languages
Labels
Projects that are alternatives of or similar to Hardening
image::logo/horizontal.png[Ubuntu Hardening]
= Hardening Ubuntu. Systemd edition. :icons: font
A quick way to make a Ubuntu server a bit more secure.
Tested on Ubuntu 20.04 Focal Fossa, Ubuntu 20.10 Groovy Gorilla
and Ubuntu 21.04 Hirsute Hippo (development branch).
Systemd required.
If you're just interested in the security focused systemd configuration, it's available as a link:systemd.adoc[separate document].
If you're interested in testing your host settings, you'll find the link:README.adoc#tests[instructions here].
NOTE: This is a constant work in progress. Make sure you understand what it does. Read the code and do not run this script without first testing in a non-operational environment.
When possible, use the newly installed and configured system as a reference, or golden, image. Use that image as a baseline installation media and ensure that any future installation comply with benchmarks and policies using a configuration management tool, e.g https://www.ansible.com/[Ansible] or https://puppet.com/[Puppet].
== Packer template and Ansible playbook A https://www.packer.io/[Packer] template is available in the https://github.com/konstruktoid/hardening-geniso[konstruktoid/hardening-geniso] repository.
An Ansible playbook is available in the https://github.com/konstruktoid/ansible-role-hardening[konstruktoid/ansible-role-hardening] repository.
== Howto Start the installation of the server. + Pick language, keyboard layout, timezone and so on as you usually would.
=== Partition the system [source,shell]
/ /boot (rw) /home (rw,nosuid,nodev) swap /var /var/log (rw,nosuid,nodev,noexec) /var/log/audit (rw,nosuid,nodev,noexec) /var/tmp (rw,noexec,nodev,nosuid)
Note that /tmp will be added automatically by the script.
=== Login, set a Grub2 password, configure and run ubuntu.sh
Do not add any packages. +
Log in. +
Select a Grub2 password with grub-mkpasswd-pbkdf2. +
Download the script: git clone https://github.com/konstruktoid/hardening.git. +
Change the configuration options in the ubuntu.cfg file. +
Run the script: sudo bash ubuntu.sh. +
Reboot.
== Configuration options [source,shell]
FW_ADMIN='127.0.0.1' // <1> SSH_GRPS='sudo' // <2> SSH_PORT='22' // <3> SYSCTL_CONF='./misc/sysctl.conf' // <4> AUDITD_MODE='1' // <5> AUDITD_RULES='./misc/audit-base.rules ./misc/audit-aggressive.rules ./misc/audit-docker.rules' // <6> LOGROTATE_CONF='./misc/logrotate.conf' // <7> NTPSERVERPOOL='0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org pool.ntp.org' // <8> TIMEDATECTL='' // <9> VERBOSE='N' // <10> AUTOFILL='N' // <11> CHANGEME='' // <12>
Configuration files
ADDUSER='/etc/adduser.conf' AUDITDCONF='/etc/audit/auditd.conf' AUDITRULES='/etc/audit/rules.d/hardening.rules' COMMONPASSWD='/etc/pam.d/common-password' COMMONACCOUNT='/etc/pam.d/common-account' COMMONAUTH='/etc/pam.d/common-auth' COREDUMPCONF='/etc/systemd/coredump.conf' DEFAULTGRUB='/etc/default/grub.d' DISABLEFS='/etc/modprobe.d/disablefs.conf' DISABLEMOD='/etc/modprobe.d/disablemod.conf' DISABLENET='/etc/modprobe.d/disablenet.conf' JOURNALDCONF='/etc/systemd/journald.conf' LIMITSCONF='/etc/security/limits.conf' LOGINDCONF='/etc/systemd/logind.conf' LOGINDEFS='/etc/login.defs' LOGROTATE='/etc/logrotate.conf' PAMLOGIN='/etc/pam.d/login' RESOLVEDCONF='/etc/systemd/resolved.conf' RKHUNTERCONF='/etc/default/rkhunter' RSYSLOGCONF='/etc/rsyslog.conf' SECURITYACCESS='/etc/security/access.conf' SSHFILE='/etc/ssh/ssh_config' SSHDFILE='/etc/ssh/sshd_config' SYSCTL='/etc/sysctl.conf' SYSTEMCONF='/etc/systemd/system.conf' TIMESYNCD='/etc/systemd/timesyncd.conf' UFWDEFAULT='/etc/default/ufw' USERADD='/etc/default/useradd' USERCONF='/etc/systemd/user.conf'
<1> The IP addresses that will be able to connect with SSH, separated by spaces.
<2> Which group the users have to be member of in order to acess via SSH, separated by spaces.
<3> Configure SSH port.
<4> Stricter sysctl settings.
<5> Auditd failure mode. 0=silent 1=printk 2=panic.
<6> Auditd rules.
<7> Logrotate settings.
<8> NTP server pool.
<9> Add a specific time zone or use the system default by leaving it empty.
<10> If you want all the details or not.
<11> Let the script guess the FW_ADMIN and SSH_GRPS settings.
<12> Add something just to verify that you actually glanced the code.
== Functions
=== Function list
==== 01_pre Setup script, sets APT flags and permission checks.
==== 02_firewall
Enable ufw, use /etc/sysctl.conf, and allow port 22 from $FW_ADMIN.
==== 03_disablenet
Disable dccp sctp rds tipc protocols.
==== 04_disablemnt
Disable cramfs freevxfs jffs2 hfs hfsplus udf vfat file systems.
==== 05_systemdconf
Disable coredumps and crash shells, set DefaultLimitNOFILE and
DefaultLimitNPROC to 1024.
==== 06_journalctl Compress logs, forward to syslog and make log storage persistent. Ensure rsyslog writes logs with stricter permissions.
==== 07_timesyncd
Add four NTP-servers with a latency < 50ms from $NTPSERVERPOOL.
==== 08_fstab
Configure /tmp/ and /var/tmp/. Remove floppy drivers from /etc/fstab
and add hidepid=2 to /proc.
==== 09_prelink
Undo prelinking, and remove prelink package.
==== 10_aptget
Configure dpkg and apt-get. apt-get update and upgrade.
==== 11_hosts
/etc/hosts.allow and /etc/hosts.deny restrictions.
==== 12_logindefs
Modify /etc/login.defs, e.g. UMASK, password age limits and
SHA_CRYPT_MAX_ROUNDS.
==== 13_sysctl
Update $SYSCTL with $SYSCTL_CONF.
==== 14_limits Set hard and soft limits.
==== 15_adduser
Configure useradd and adduser to set /bin/false as default shell,
home directory permissions to 0750 and lock users 30 days after password
expires.
==== 16_rootaccess
Limit /etc/securetty to console, and root from 127.0.0.1 in
/etc/security/access.conf.
==== 17_packages
Installs acct aide-common apparmor-profiles apparmor-utils auditd
audispd-plugins debsums gnupg2 haveged
libpam-apparmor libpam-pwquality libpam-tmpdir needrestart
openssh-server postfix rkhunter sysstat systemd-coredump tcpd
update-notifier-common vlock.
Removes apport* autofs avahi* beep git pastebinit
popularity-contest rsh* rsync talk* telnet* tftp* whoopsie
xinetd yp-tools ypbind.
==== 18_sshdconfig
Configure the OpenSSH-daemon.
==== 19_password
Configure pam_pwquality.so and pam_tally2.so.
==== 20_cron
Allow root to use cron. Mask atd.
==== 21_ctraltdel Disable Ctrl-alt-delete.
==== 22_auditd
Configure auditd, use $AUDITD_RULES and set failure mode $AUDITD_MODE.
==== 23_disablemod
Disable bluetooth bnep btusb cpia2 firewire-core floppy n_hdlc
net-pf-31 pcspkr soundcore thunderbolt usb-midi usb-storage
uvcvideo v4l2_common kernel modules.
Note that disabling the usb-storage will disable any usage of USB storage
devices, if such devices are needed USBGuard should be configured accordingly.
==== 24_aide
Configure aide.
==== 25_rhosts
Remove hosts.equiv and .rhosts.
==== 26_users
Remove games gnats irc list news sync uucp users.
==== 27_suid
Remove suid bits from the executables listed in
link:misc/suid.list[this document].
==== 28_umask
Set bash and /etc/profile umask.
==== 29_apparmor
Enforce present apparmor profiles.
==== 30_path
Set root path to /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin,
and user path to /usr/local/bin:/usr/bin:/bin.
==== 31_logindconf
Configure systemd/logind.conf and use KillUserProcesses.
==== 32_resolvedconf
Configure systemd/resolved.conf.
==== 33_rkhunter
Configure rkhunter.
==== 34_issue
Update /etc/issue /etc/issue.net /etc/motd.
==== 35_apport
Disable apport, ubuntu-report and popularity-contest.
==== 36_lockroot
Lock the root user account.
==== 37_coredump
Disable coredumps with systemd/coredump.conf.
==== 38_postfix
Disable the VRFY command, configure smtpd_banner, smtpd_client_restrictions
and inet_interfaces.
==== 39_motdnews
Disable motd-news.
==== 40_usbguard
Install and configure usbguard.
==== 41_compilers Restrict compiler access.
==== 42_kernel
Set lockdown=confidentiality if /sys/kernel/security/lockdown is present.
==== 43_sudo
Configure sudo with use_pty, logfile, !visiblepw, !pwfeedback,
passwd_timeout and timestamp_timeout.
Restrict su to the sudo group.
==== 98_systemddelta
If verbose, show systemd-delta.
==== 99_post
Ensure secureboot-db is installed, update grub and ensure strict permissions
on boot files.
==== 99_reboot Print if a reboot is required.
=== Function execution order [source,shell]
f_pre f_kernel f_firewall f_disablenet f_disablefs f_disablemod f_systemdconf f_resolvedconf f_logindconf f_journalctl f_timesyncd f_fstab f_prelink f_aptget_configure f_aptget f_hosts f_issue f_sudo f_logindefs f_sysctl f_limitsconf f_adduser f_rootaccess f_package_install f_coredump f_usbguard f_postfix f_apport f_motdnews f_rkhunter f_sshconfig f_sshdconfig f_password f_cron f_ctrlaltdel f_auditd f_aide f_rhosts f_users f_lockroot f_package_remove f_suid f_restrictcompilers f_umask f_path f_aa_enforce f_aide_post f_aide_timer f_aptget_noexec f_aptget_clean f_systemddelta f_post f_checkreboot
== Tests There are approximately 700 https://github.com/sstephenson/bats[Bats tests] for most of the above settings available in the link:tests/[tests directory].
[source,shell]
sudo apt-get -y install bats git clone https://github.com/konstruktoid/hardening.git cd hardening/tests/ sudo bats .
=== Test automation using Vagrant
Running bash ./runTests.sh will use https://www.vagrantup.com/[Vagrant] to run
all above tests and https://github.com/CISOfy/Lynis[Lynis] on all supported Ubuntu
versions. The script will generate a file named TESTRESULTS.adoc.
=== Testing a host
Running bash ./runHostTests.sh, located in the link:tests/[tests directory],
will generate a TESTRESULTS-<HOSTNAME>.adoc report.
== Issues: snapd
In order to use snapd you will have to disable the https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html[kernel_lockdown]
setting, update grub, reboot the host and then reinstall
snapd.
[source,shell]
sudo sed -i 's/^/# /g' /etc/default/grub.d/99-hardening-lockdown.cfg sudo update-grub sudo reboot sudo apt-get --assume-yes --reinstall install snapd
== Recommended reading https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux[Canonical Ubuntu 18.04 LTS STIG - Ver 2, Rel 1] + https://www.cisecurity.org/benchmark/distribution_independent_linux/[CIS Distribution Independent Linux Benchmark] + https://www.cisecurity.org/benchmark/ubuntu_linux/[CIS Ubuntu Linux Benchmark] + https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/ubuntu-18-04-lts[EUD Security Guidance: Ubuntu 18.04 LTS] + https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux[Red Hat Enterprise Linux 7 - Ver 2, Rel 3 STIG] + https://wiki.ubuntu.com/Security/Features + https://help.ubuntu.com/community/StricterDefaults +
== Contributing Do you want to contribute? That's great! Contributions are always welcome, no matter how large or small. If you found something odd, feel free to https://github.com/konstruktoid/hardening/issues/[submit a new issue], improve the code by https://github.com/konstruktoid/hardening/pulls[creating a pull request], or by https://github.com/sponsors/konstruktoid[sponsoring this project].