From 36e0b962ac316fd043fa90d8d13fc4a5e18918f3 Mon Sep 17 00:00:00 2001
From: Lorenzo Tucci
Date: Sun, 22 Aug 2021 22:13:37 +0200
Subject: [PATCH] feat: add sshd_config, sysctl.conf, lynis custom
---
 lynis/etc/lynis/custom.prf | 13 +++++++++++
 ssh/etc/ssh/sshd_config | 21 ++++++++++++++++++
 systcl/etc/sysctl.conf | 45 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 lynis/etc/lynis/custom.prf
 create mode 100644 ssh/etc/ssh/sshd_config
 create mode 100644 systcl/etc/sysctl.conf
diff --git a/lynis/etc/lynis/custom.prf b/lynis/etc/lynis/custom.prf
new file mode 100644
index 0000000..38d246e
--- /dev/null
+++ b/lynis/etc/lynis/custom.prf
@@ -0,0 +1,13 @@
+# Disable some tests that are not useful in cloud-based servers
+skip-test=AUTH-9286
+skip-test=PRNT-2307
+skip-test=USB-1000
+skip-test=STRG-1846
+skip-test=PRNT-2308
+skip-test=FILE-6310
+skip-test=SSH-7408:tcpkeepalive
+skip-test=SSH-7408:allowtcpforwarding
+skip-test=SSH-7408:compression
+skip-test=SSH-7408:port
+skip-test=BANN-7126
+skip-test=BANN-7130
diff --git a/ssh/etc/ssh/sshd_config b/ssh/etc/ssh/sshd_config
new file mode 100644
index 0000000..c13c440
--- /dev/null
+++ b/ssh/etc/ssh/sshd_config
@@ -0,0 +1,21 @@
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+SyslogFacility AUTHPRIV
+
+AllowGroups sshlogin
+
+PermitRootLogin WITHOUT-PASSWORD
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+IgnoreRhosts yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+X11Forwarding no
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
diff --git a/systcl/etc/sysctl.conf b/systcl/etc/sysctl.conf
new file mode 100644
index 0000000..0729e28
--- /dev/null
+++ b/systcl/etc/sysctl.conf
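Review bot: The header comment presents these as tests "not useful in cloud-based servers", but the SSH-7408 sub-tests (tcpkeepalive, allowtcpforwarding, compression, port) and the banner tests BANN-7126/BANN-7130 are not cloud-specific; they appear to silence findings about sshd settings that the sshd_config added in this same commit leaves unset, so the skips hide gaps rather than noise. A one-line reason above each non-obvious skip would keep the profile reviewable, e.g. `# Port left at default on purpose: [reason]` above `skip-test=SSH-7408:port`, or alternatively set AllowTcpForwarding/Compression/Banner in sshd_config and drop the skips.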
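Review bot: `PermitRootLogin WITHOUT-PASSWORD` uses the deprecated spelling; OpenSSH documents this value as `prohibit-password` (the old name is still accepted as an alias), so `PermitRootLogin prohibit-password` is the form to keep. `AllowGroups sshlogin` makes every login depend on that group existing and being populated before this file is deployed, and nothing in the commit creates it, so a comment above that line saying where the group is provisioned would help the next operator. With PasswordAuthentication and ChallengeResponseAuthentication both off, `UsePAM yes` serves only account and session handling here, which is worth a one-line comment so it is not later "fixed" by re-enabling password-based methods.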
@@ -0,0 +1,45 @@
+# Hardened sysctl conf
+
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+fs.suid_dumpable = 0
+
+kernel.core_uses_pid = 1
+kernel.ctrl-alt-del = 0
+kernel.dmesg_restrict = 1
+kernel.kptr_restrict = 2
+kernel.randomize_va_space = 2
+kernel.sysrq = 0
+kernel.unprivileged_bpf_disabled = 1
+
+
+net.core.bpf_jit_harden = 2
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.bootp_relay = 0
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.all.mc_forwarding = 0
+net.ipv4.conf.all.proxy_arp = 0
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.all.send_redirects = 0
+
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.log_martians = 1
+
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_timestamps = 1
+
+
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.accept_source_route = 0
+
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+vm.swappiness = 15
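Review bot: `net.ipv4.conf.all.rp_filter = 0` turns reverse-path source validation off in a file headed "Hardened sysctl conf", and no `net.ipv4.conf.default.rp_filter` is set either; unless this host needs asymmetric routing, `net.ipv4.conf.all.rp_filter = 1` and `net.ipv4.conf.default.rp_filter = 1` (or 2 for loose mode) is the hardening value, and if 0 is deliberate a comment on that line should say why. The `net.ipv4.conf.default.*` group also omits `send_redirects = 0` while the `all.*` group sets it, so interfaces created after boot would likely inherit the kernel default for it; adding `net.ipv4.conf.default.send_redirects = 0` keeps the two groups consistent. Separately, the directory `systcl/` reads as a transposition of `sysctl/`, the tool name used by the other two top-level directories.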