hardened-tumbleweed is a program, or more correctly a collection of scripts, that is designed to harden any openSUSE Tumbleweed installation as much as possible. The project specifically aims to harden your GNU/Linux workstation. This hardening is not aimed for servers. The project is also able to reverse every piece of hardening it does. The following content is covered, and new options are on the way, the project is not complete yet. For the time being, do no proceed without prior testing in a safe environment.
- Kernel Settings Hardening
- Kernel Modules Hardening
- Network Hardening
- Mac-Address Randomization
- Disabling Core Dumps
- Hardened Boot Parameters
- Firewall Configuration
- Entropy Improvements
- Brute Force Protection
- Access Rights Hardening
- Improved Password Hashing
- Hardened Home Directories
- Improved Login Banners
- Improved Bluetooth Options
- Protected Bootloader
- Improved Entropy
- HTTPS-Secured Outgoing Zypper Connections
- USB-Guard Configuration
- Hardened Mount Options
- Hardened Umask
- Improved Mandatory Access Control with apparmor.d
- Using hardened-malloc For All 'Root' Processes
This collection of hardening script and configuration files is targeted to be used on openSUSE Tumbleweed, and on personal computers, not servers. Most functionality might work on other distros, but some of them won't and this also applies to other RPM-based distros. On Tumbleweed, the project aims to be a no-config, install and forget kind of program. No configuration is expected on the user end. Everything is automated and will work in any case. The program adapts to different Tumbleweed systems with different packages installed, different partitioning schemes and different file systems. The user does not need to worry about compatibility, give they are on openSUSE Tumbleweed and using it as their workstation. Needless to say, back up your sensitive data. Especially now that the project is not complete yet, also do your testing in a VM first. There are no 'dependencies' per se. But it is 'assumed' you are on a x86_64 system. Your Tumbleweed installation can be very different and unique and the hardening will still work, but don't go too far as to changing the init system or replacing the GNU core utils.
For the most part, the project is not 'completely' tested, expecially not all component as a whole. This will happen very shortly, and the project will be more or less complete in a short time.
You can either git clone the repository or do a manual download using your browser. Then, depending what you want, you would just have to run the scripts hardening_apply or hardening_reverse, that are in the main diretory.
When preparing this script I used various tools and sources. The most notable tool I used is Lynis. This project is also somewhat losely based on one of my previous projects, namely 'chainmail' that does similar stuff but on debian.
Notable resources I used for the aforementioned project and by extension this one are:
- Kicksecure Wiki
- Kernel Self Protection Project
- Whonix Forums | Kernel Hardening - security-misc
- Securing Debian Manual
- Debian | Setup Guides - Secure Personal Computer
The fact that anybody can contribute is what makes Free and Open Source Software the best tool to learn and create. If you have any suggestions regarding the project, do not hesitate fork the repo and create a pull request.
hardened-tumbleweed is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
See LICENSE for more details.
If you need to contact me regarding the project for any reason, please open an issue or create a pull request.
Project Link: https://github.com/monsieuremre/hardened-tumbleweed