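#!/bin/bash
# misc.sh — miscellaneous CIS-style hardening for Debian/Ubuntu hosts.
#
# Every step edits system files or package state, so the script must run as
# root. It is deliberately best-effort (no `set -e`): one control that does
# not apply on a given host must not abort the remaining ones. Run it from the
# repository root — the sysctl template below is resolved relative to the
# current directory.
if [ "$(id -u)" -ne 0 ]; then
  printf 'misc.sh: must be run as root\n' >&2
  exit 1
fi

# Replace /etc/sysctl.conf with the repository template. The original used
# `del`, a Windows command that does not exist on Linux, so the removal never
# happened; `rm -f` is the equivalent. `-r` was dropped from cp because the
# source is a single file. If the template is missing, keep the existing file
# (the later sysctl edits still apply to it).
if [ -f ./data/sysctl/sysctl.conf ]; then
  rm -f /etc/sysctl.conf
  cp -f ./data/sysctl/sysctl.conf /etc/sysctl.conf
else
  printf 'misc.sh: ./data/sysctl/sysctl.conf not found, keeping the existing /etc/sysctl.conf\n' >&2
fi

# Drop any aliases so no alias can shadow a command name used below (aliases
# are not expanded in non-interactive bash anyway; this is belt and braces).
unalias -a

# Restrict `su` to members of the sudo group: mode 4750, root:sudo, recorded
# as a dpkg override so package upgrades keep it. Record it against the real
# path — on merged-/usr systems /bin/su is a symlink to /usr/bin/su and dpkg
# only re-applies an override whose path matches the package's own file.
# `--add` fails if an override already exists, so check first (idempotent).
su_bin=$(readlink -f /bin/su)
if ! dpkg-statoverride --list "$su_bin" >/dev/null 2>&1; then
  dpkg-statoverride --update --add root sudo 4750 "$su_bin"
fi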
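# Network-stack hardening (CIS 3.x), written to /etc/sysctl.conf.
#
# NOTE: this only edits the file. The running kernel keeps its current values
# until `sysctl -p /etc/sysctl.conf` runs or the host reboots, and any file in
# /etc/sysctl.d/ that sets the same key is applied after sysctl.conf and wins.
# Only the IPv4 keys are handled here; the net.ipv6.conf.* counterparts
# (accept_redirects, accept_source_route, ...) are not covered by this script.

# set_sysctl_conf KEY VALUE [FILE]
# Idempotently set "KEY = VALUE" in FILE (default /etc/sysctl.conf): an
# existing active line for KEY is rewritten in place, preserving its leading
# whitespace and trailing "# comment"; otherwise the line is appended.
set_sysctl_conf() {
  local key=$1 value=$2 file=${3:-/etc/sysctl.conf}
  # Escape the dots so they match literally rather than "any character"
  # (the original pattern would also have matched e.g. "net-ipv4-ip_forward").
  local re=${key//./\\.}
  if grep -Eq "^(\s*)${re}\s*=\s*\S+(\s*#.*)?\s*$" "$file"; then
    sed -E -i "s|^(\s*)${re}\s*=\s*\S+(\s*#.*)?\s*$|\1${key} = ${value}\2|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# This host is not a router: do not forward packets.
set_sysctl_conf net.ipv4.ip_forward 0
# Do not send ICMP redirects (only routers should).
set_sysctl_conf net.ipv4.conf.all.send_redirects 0
set_sysctl_conf net.ipv4.conf.default.send_redirects 0
# Do not accept source-routed packets.
set_sysctl_conf net.ipv4.conf.all.accept_source_route 0
set_sysctl_conf net.ipv4.conf.default.accept_source_route 0
# Do not accept ICMP redirects, plain or "secure" (from known gateways) —
# either lets an on-link attacker rewrite the routing table.
set_sysctl_conf net.ipv4.conf.all.accept_redirects 0
set_sysctl_conf net.ipv4.conf.default.accept_redirects 0
set_sysctl_conf net.ipv4.conf.all.secure_redirects 0
set_sysctl_conf net.ipv4.conf.default.secure_redirects 0
# Log packets with impossible source addresses (martians) for detection.
set_sysctl_conf net.ipv4.conf.all.log_martians 1
set_sysctl_conf net.ipv4.conf.default.log_martians 1
# Ignore echo requests to broadcast addresses (smurf amplification).
set_sysctl_conf net.ipv4.icmp_echo_ignore_broadcasts 1
# Ignore bogus ICMP error responses instead of logging each one.
set_sysctl_conf net.ipv4.icmp_ignore_bogus_error_responses 1
# Strict reverse-path filtering (RFC 3704) against spoofed sources.
set_sysctl_conf net.ipv4.conf.all.rp_filter 1
set_sysctl_conf net.ipv4.conf.default.rp_filter 1
# SYN cookies mitigate SYN-flood backlog exhaustion.
set_sysctl_conf net.ipv4.tcp_syncookies 1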
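# TCP wrappers (libwrap). Only services linked against libwrap consult
# /etc/hosts.allow and /etc/hosts.deny; OpenSSH on current Debian/Ubuntu is
# built without libwrap, so these files do not restrict sshd. The `wait`
# calls of the original were no-ops (nothing runs in the background).
if ! dpkg -s tcpd >/dev/null 2>&1; then
  apt-get -y install tcpd
fi
# hosts.allow / hosts.deny are read by unprivileged daemons: root-owned, 644.
for wrapper_file in /etc/hosts.allow /etc/hosts.deny; do
  [ -e "$wrapper_file" ] || touch "$wrapper_file"
  chown root:root "$wrapper_file"
  chmod 644 "$wrapper_file"
done

# rsyslog: installed, enabled at boot and running now — `enable` alone would
# leave an already-stopped daemon stopped (and the host unlogged) until reboot.
if ! dpkg -s rsyslog >/dev/null 2>&1; then
  apt-get -y install rsyslog
fi
systemctl enable --now rsyslog
# cron/anacron run the scheduled jobs (log rotation, updates) that the rest of
# the hardening depends on. anacron is timer-driven, so it is only enabled.
systemctl enable --now cron
systemctl enable anacron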
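# cron configuration is readable and writable by root only (CIS 5.1.x): a
# world-readable crontab tells an attacker exactly what runs as root and when.
for cron_path in /etc/crontab /etc/cron.hourly /etc/cron.daily \
                 /etc/cron.weekly /etc/cron.monthly /etc/cron.d; do
  [ -e "$cron_path" ] || continue
  chown root:root "$cron_path"
  chmod og-rwx "$cron_path"
done

# Restrict cron and at to an explicit allow list containing only root. When
# *.allow exists the *.deny files are ignored, so they are removed to avoid
# confusion. The original removed them a second time with a relative path
# (`rm -f cron.deny at.deny`, i.e. in the current directory), and ended by
# setting 644 on the allow files after having set og-rwx — CIS asks for
# og-rwx, so the final mode here is 600.
rm -f /etc/cron.deny /etc/at.deny
printf 'root\n' > /etc/cron.allow
printf 'root\n' > /etc/at.allow
chown root:root /etc/cron.allow /etc/at.allow
chmod 600 /etc/cron.allow /etc/at.allow

# Route cron messages to /var/log/cron.log by uncommenting the stock rule.
if [ -f /etc/rsyslog.d/50-default.conf ]; then
  sed -i 's/^#cron\./cron./' /etc/rsyslog.d/50-default.conf
fi

# Remove the invoking user's (i.e. root's) crontab. This clears a common
# persistence point but also destroys legitimate root jobs, so keep a
# root-only copy first. If there is no crontab there is nothing to remove.
if crontab -l > /root/crontab.bak 2>/dev/null; then
  chmod 600 /root/crontab.bak
  crontab -r
fi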
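# Lock every system account (UID < 1000 other than root) and give it a
# non-interactive shell. sync/shutdown/halt keep their shells because the
# shell *is* their function. /etc/passwd is read field by field instead of
# word-splitting an unquoted command substitution.
# NOTE: this also applies to package accounts such as postgres or mysql, for
# which `su - <account>` stops working (`sudo -u <account> <cmd>` still does).
while IFS=: read -r acct _ uid _; do
  [ "$uid" -lt 1000 ] || continue
  [ "$acct" != "root" ] || continue
  /usr/sbin/usermod -L "$acct"
  case "$acct" in
    sync|shutdown|halt) ;;
    *) /usr/sbin/usermod -s /usr/sbin/nologin "$acct" ;;
  esac
done < /etc/passwd

# Disable direct root logins by locking root's password. The original set
# root's shell to /usr/sbin/nologin, which blocks the same logins but also
# breaks `sudo -i`, `su -` and the recovery-mode console. A locked password
# only rejects password authentication as root; root logins over SSH are
# governed by PermitRootLogin in sshd_config, which this script does not touch.
passwd -l root
# root's primary group must be GID 0.
usermod -g 0 root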
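# Default umask for interactive bash shells. 077 makes new files private to
# their owner (stricter than the CIS minimum of 027). An existing active
# `umask` line is rewritten in place, otherwise one is appended.
if grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/bash.bashrc; then
  sed -E -i "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 077\2/" /etc/bash.bashrc
else
  printf 'umask 077\n' >> /etc/bash.bashrc
fi

# Login banner files: ensure they exist, are root-owned and world-readable
# (getty, sshd and pam_motd read them unprivileged), and strip the getty
# escapes \v \r \m \s that would disclose kernel version, release and
# architecture to an unauthenticated user.
for banner in /etc/motd /etc/issue /etc/issue.net; do
  [ -e "$banner" ] || touch "$banner"
  chown root:root "$banner"
  chmod 644 "$banner"
  sed -E -i 's/(\\v|\\r|\\m|\\s)//g' "$banner"
done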
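# Account database files (CIS 6.1.x). passwd and group must stay world-
# readable (name lookups); shadow and gshadow (group passwords/administrators)
# are readable only by root and the shadow group. Group names are used instead
# of the numeric GID 42 so the ownership is right even where the shadow group
# has a different GID.
chown root:root /etc/passwd /etc/group
chmod 644 /etc/passwd /etc/group
chown root:shadow /etc/shadow /etc/gshadow
chmod 640 /etc/shadow /etc/gshadow
# Remove legacy NIS "+" compatibility entries: with the "compat" nsswitch
# source such a line admits every account from the NIS map.
sed -i '/^+:/d' /etc/passwd /etc/shadow /etc/group /etc/gshadow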
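# Remove stray shell scripts dropped into /bin — but only files that no
# installed package owns. On merged-/usr systems /bin is /usr/bin, and the
# original unconditional `-delete` would also remove distribution-owned
# scripts (e.g. gettext.sh) and silently break their packages. dpkg is asked
# about both the path as found and its canonical path, since the package
# database records the /usr/bin form.
find /bin/ -name '*.sh' -type f -print0 |
  while IFS= read -r -d '' script; do
    if ! dpkg -S "$script" >/dev/null 2>&1 &&
       ! dpkg -S "$(readlink -f "$script")" >/dev/null 2>&1; then
      rm -f -- "$script"
    fi
  done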
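# Mount options for user-writable filesystems (CIS 1.1.x): nodev, nosuid and
# noexec on /tmp and /run/shm, nodev on /home.
#
# The original sed used "/" both as the s||| delimiter and inside the mount
# point, so every invocation failed with "unknown option to `s'" and nothing
# was changed; and even with that fixed it appended the option with no
# separating comma ("defaultsnodev"), an invalid option string that would
# have made the mount fail at boot. The helper below uses "|" as delimiter,
# inserts ",OPT", and is idempotent.
#
# Only the file is edited: nothing is remounted, so the options apply at the
# next mount/reboot. Mount points with no fstab entry (e.g. /run/shm on hosts
# where systemd mounts /dev/shm itself) are skipped. noexec on /tmp can break
# installers and package maintainer scripts that execute from /tmp.

# add_fstab_opt MOUNTPOINT OPTION [FILE]
# Append OPTION to the options field of the FILE (default /etc/fstab) entry
# whose mount point is exactly MOUNTPOINT; no-op if there is no such entry or
# the option is already present. The entry must have all six fields.
# MOUNTPOINT is interpolated into an ERE, so it must not contain regex
# metacharacters (the fixed paths used here do not).
add_fstab_opt() {
  local mnt=$1 opt=$2 file=${3:-/etc/fstab}
  local line_re="^(\s*\S+\s+)${mnt}(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$"
  grep -Eq "$line_re" "$file" || return 0
  # Already set, either as the whole options field or as one element of it.
  grep -Eq "^\s*\S+\s+${mnt}\s+\S+\s+(\S*,)?${opt}(,|\s)" "$file" && return 0
  sed -E -i "s|${line_re}|\1${mnt}\2,${opt}\3\4|" "$file"
}

add_fstab_opt /tmp nodev
add_fstab_opt /tmp nosuid
add_fstab_opt /tmp noexec
add_fstab_opt /home nodev
add_fstab_opt /run/shm nodev
add_fstab_opt /run/shm nosuid
add_fstab_opt /run/shm noexec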
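# Core dumps can expose credentials and the memory of privileged processes.
# "* hard core 0" in limits.conf applies to every user matched by "*", which
# per limits.conf(5) does NOT include root; fs.suid_dumpable = 0 stops setuid
# programs dumping regardless of user. systemd-coredump/apport, if present,
# have their own switches and are not handled here. The sysctl lines only
# edit the file; they take effect after `sysctl -p` or a reboot.
if grep -Eq "^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$" /etc/security/limits.conf; then
  sed -E -i "s/^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$/\1* hard core 0\2/" /etc/security/limits.conf
else
  printf '* hard core 0\n' >> /etc/security/limits.conf
fi
if grep -Eq "^(\s*)fs\.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf; then
  sed -E -i "s/^(\s*)fs\.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$/\1fs.suid_dumpable = 0\2/" /etc/sysctl.conf
else
  printf 'fs.suid_dumpable = 0\n' >> /etc/sysctl.conf
fi
# Full ASLR: 2 randomises stack, mmap base, VDSO and brk.
if grep -Eq "^(\s*)kernel\.randomize_va_space\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf; then
  sed -E -i "s/^(\s*)kernel\.randomize_va_space\s*=\s*\S+(\s*#.*)?\s*$/\1kernel.randomize_va_space = 2\2/" /etc/sysctl.conf
else
  printf 'kernel.randomize_va_space = 2\n' >> /etc/sysctl.conf
fi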
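# prelink rewrites binaries on disk, which defeats ASLR and breaks
# file-integrity checks. Undo the prelinking (restoring the original binaries)
# before purging the package, as the CIS remediation does.
if dpkg -s prelink >/dev/null 2>&1; then
  prelink -ua
  apt-get -y purge prelink
fi
# Automounting lets removable or network media appear without any admin
# action. Disable and stop autofs if it is installed and enabled (the original
# `update-rc.d ... disable` only handles a SysV init script).
if systemctl is-enabled autofs >/dev/null 2>&1; then
  systemctl disable --now autofs
fi
# The bootloader configuration may contain the GRUB password hash and the
# kernel command line: root-only. On EFI installs the live copy may be under
# /boot/efi/EFI/<distro>/ instead and is not covered here.
if [ -f /boot/grub/grub.cfg ]; then
  chown root:root /boot/grub/grub.cfg
  chmod og-rwx /boot/grub/grub.cfg
fi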
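# Neutralise /etc/rc.local (a classic persistence point): leave only "exit 0".
printf 'exit 0\n' > /etc/rc.local
# Making sysctl.conf read-only only stops accidental edits by non-root tools;
# root — and therefore any root-level compromise — can simply chmod it back.
chmod a-w /etc/sysctl.conf
# Apply the values written to sysctl.conf to the running kernel. Without this
# none of the sysctl hardening is live until the next boot. Unknown keys are
# reported and skipped, so a non-zero exit here is not fatal.
sysctl -p /etc/sysctl.conf
# Games have no place on a hardened host.
rm -rf /usr/games/ /usr/local/games
# TCP wrappers policy. NOTE: "ALL: PARANOID" only rejects clients whose forward
# and reverse DNS disagree — it is not a deny-all rule. Deny-all is "ALL: ALL"
# and must only be set after confirming hosts.allow lists every legitimate
# remote client, or remote administration of libwrap services is cut off.
# The allow line is appended only if absent so re-runs do not duplicate it.
if ! grep -qxF 'ALL: LOCAL, 127.0.0.1' /etc/hosts.allow 2>/dev/null; then
  printf 'ALL: LOCAL, 127.0.0.1\n' >> /etc/hosts.allow
fi
printf 'ALL: PARANOID\n' > /etc/hosts.deny
# System-wide PATH: drop the games directories (removed above) but keep the
# sbin directories — the original value omitted them, leaving root logins and
# admin scripts unable to find usermod, sysctl, etc. without a full path.
# The pattern is anchored so a line such as LD_LIBRARY_PATH=... is not hit.
sed -i 's|^PATH=.*|PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"|' /etc/environment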
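# Remove legacy service accounts. `-r` also deletes the home directory and
# mail spool. Accounts that do not exist are skipped rather than producing
# an error per name. NOTE: if mailman (list) or an NNTP server (news) is
# actually installed, deleting its account breaks that service.
for legacy_acct in games gnats irc list news uucp; do
  if getent passwd "$legacy_acct" >/dev/null; then
    userdel -r "$legacy_acct"
  fi
done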
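# Default umask 027 (group may read, others nothing) for SysV init and for
# login shells. A umask line is only appended when the file has no *active*
# umask line: the original test `grep -qi umask` was also satisfied by a
# commented-out "#umask 022", in which case nothing was set. A stricter value
# already present (e.g. umask 077 set earlier for bash) is left alone.
# pam_umask / UMASK in /etc/login.defs also affect the effective default.
if [ -f /etc/init.d/rc ]; then
  sed -i 's/umask 022/umask 027/g' /etc/init.d/rc
fi
for rc_file in /etc/profile /etc/bash.bashrc; do
  if ! grep -Eqi '^[[:space:]]*umask[[:space:]]' "$rc_file"; then
    printf 'umask 027\n' >> "$rc_file"
  fi
done
# Log out idle login shells after 15 minutes. TMOUT is honoured by bash/ksh;
# `readonly` stops users unsetting it. The original quoted the glob
# ("/etc/profile.d/*"), so grep looked for a file literally named "*", the
# check always failed and the file was rewritten on every run. profile.d
# snippets are sourced, not executed, so 644 is sufficient.
if ! grep -qis 'TMOUT' /etc/profile.d/*.sh; then
  printf 'TMOUT=900\nreadonly TMOUT\nexport TMOUT\n' > /etc/profile.d/autologout.sh
  chmod 644 /etc/profile.d/autologout.sh
fi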
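# Login warning banners (CIS 1.7.x). The banner exists to give users legal
# notice that access is restricted and monitored; the original wrote a joke
# aimed at a named individual, which provides no such notice. Each existing
# banner file gets the CIS sample wording instead.
for banner in /etc/issue /etc/issue.net /etc/motd; do
  if [ -f "$banner" ]; then
    printf '\nAuthorized uses only. All activity may be monitored and reported.\n\n' > "$banner"
  fi
done
# Stop Ubuntu's motd-news from fetching and showing remote content at login.
if [ -f /etc/default/motd-news ]; then
  sed -i 's/^ENABLED=.*/ENABLED=0/' /etc/default/motd-news
fi
systemctl disable --now motd-news.timer 2>/dev/null
# CUPS configuration: readable, but writable only by its owner.
if [ -f /etc/cups/cupsd.conf ]; then
  chmod 644 /etc/cups/cupsd.conf
fi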
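# Default browser. update-alternatives fails noisily when firefox is not
# registered as an alternative (snap-only installs), so check the binary first.
if [ -x /usr/bin/firefox ]; then
  update-alternatives --set x-www-browser /usr/bin/firefox
fi

# GNOME screen lock: blank after 15 minutes idle and lock immediately.
# `gsettings set` only writes the dconf database of the user running it —
# here root, which normally has no session bus in a script — so the original
# calls did not reach the desktop users they were meant to protect. The
# supported way to push and enforce these settings system-wide is a dconf
# system database plus locks, which users cannot override; it takes effect at
# the next login.
if command -v dconf >/dev/null 2>&1; then
  mkdir -p /etc/dconf/profile /etc/dconf/db/local.d/locks
  if [ ! -f /etc/dconf/profile/user ]; then
    printf 'user-db:user\nsystem-db:local\n' > /etc/dconf/profile/user
  elif ! grep -qxF 'system-db:local' /etc/dconf/profile/user; then
    printf 'system-db:local\n' >> /etc/dconf/profile/user
  fi
  cat > /etc/dconf/db/local.d/00-screensaver <<'EOF'
[org/gnome/desktop/session]
idle-delay=uint32 900

[org/gnome/desktop/screensaver]
lock-delay=uint32 0
lock-enabled=true
EOF
  cat > /etc/dconf/db/local.d/locks/00-screensaver <<'EOF'
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-delay
/org/gnome/desktop/screensaver/lock-enabled
EOF
  dconf update
fi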