diff --git a/emacs/emacs.service b/emacs/emacs.service
new file mode 100644
index 0000000..3bb60db
--- /dev/null
+++ b/emacs/emacs.service
@@ -0,0 +1,18 @@
+# Emacs server unit service for systemd (start emacs as a server)
+# This file is meant to be placed into your .config/systemd/user/ folder
+# and started + enabled with systemctl enable emacs --user --now
+# It is advised to add an alias for emacs to run it as client
+# ex. for the terminal version: alias emacs='emacsclient -t'
+[Unit]
+Description=Emacs text editor
+Documentation=info:emacs man:emacs(1) https://gnu.org/software/emacs/
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/emacs --daemon
+ExecStop=/usr/bin/emacsclient --eval "(kill-emacs)"
+Environment=SSH_AUTH_SOCK=%t/keyring/ssh
+Restart=on-failure
+
+[Install]
+WantedBy=default.target
diff --git a/grub/grub b/grub/grub
new file mode 100644
index 0000000..31c7f16
--- /dev/null
+++ b/grub/grub
@@ -0,0 +1,9 @@
+# These rules are not meant to be copied and pasted as there will
+# likely be other options enabled on your machine.
+# Instead add them to the already existing ones in your /etc/default/grub
+#
+# NOTE: remove ipv6 disable at the end if needed
+# NOTE: remove module.sig_enforce=1 and lockdown=confidentiality on some systems to enable loading
+# of wireguard module
+
+GRUB_CMDLINE_LINUX="slab_nomerge slub_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0 ipv6.disable=1"
diff --git a/lynis/etc/lynis/custom.prf b/lynis/etc/lynis/custom.prf
new file mode 100644
index 0000000..7dfa2ce
--- /dev/null
+++ b/lynis/etc/lynis/custom.prf
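Review bot: `Environment=SSH_AUTH_SOCK=%t/keyring/ssh` pins the agent socket to one specific agent's path under the user runtime directory, and none of the header comments say so, so on a session that runs a different ssh agent the daemon silently inherits a dead socket path and agent-backed key use fails with no hint why. Either document the assumption, `# assumes the keyring-provided ssh agent socket; drop or adjust if another agent is in use`, or leave SSH_AUTH_SOCK out of the unit so the daemon takes whatever the user manager's environment already carries.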
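Review bot: `oops=panic` is set without a `panic=` timeout, so on the unattended cloud hosts this repository targets an oops turns into a hung machine instead of a reboot; pairing it with a timeout such as `panic=10` (sample value) keeps the fail-closed behaviour while restoring availability. `mce=0` is the one parameter the NOTE lines do not explain — if the intent is the machine-check tolerance level, say so in a comment, since the numeric spelling is not documented the same way across kernel generations and is worth confirming against the target kernel. `ipv6.disable=1` here overlaps with the modprobe and sysctl files in the same commit; a comment naming which mechanism is authoritative would prevent the three from drifting apart.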
@@ -0,0 +1,26 @@
+# Disable some tests that are not useful in cloud-based servers
+skip-test=AUTH-9286
+skip-test=PRNT-2307
+skip-test=USB-1000
+skip-test=STRG-1846
+skip-test=STRG-1840
+skip-test=PRNT-2308
+skip-test=FILE-6310
+skip-test=BOOT-5122
+skip-test=BOOT-5260
+skip-test=KRNL-5788
+skip-test=AUTH-9308
+
+# Disable /etc/issue checking
+skip-test=BANN-7126
+skip-test=BANN-7130
+
+# Disable some SSH feature checks that we intend to keep
+skip-test=SSH-7408:tcpkeepalive
+skip-test=SSH-7408:allowtcpforwarding
+skip-test=SSH-7408:compression
+skip-test=SSH-7408:port
+
+# Old packages
+skip-test=CUST-0810
+skip-test=CUST-0285
diff --git a/modprobe/etc/modprobe.d/disable-ipv6.conf b/modprobe/etc/modprobe.d/disable-ipv6.conf
new file mode 100644
index 0000000..84b10fc
--- /dev/null
+++ b/modprobe/etc/modprobe.d/disable-ipv6.conf
@@ -0,0 +1 @@
+install ipv6 /bin/true
diff --git a/modprobe/etc/modprobe.d/disable-network-filesystems.conf b/modprobe/etc/modprobe.d/disable-network-filesystems.conf
new file mode 100644
index 0000000..c9032a8
--- /dev/null
+++ b/modprobe/etc/modprobe.d/disable-network-filesystems.conf
@@ -0,0 +1,6 @@
+# Disable only if not used
+install cifs /bin/true
+install nfs /bin/true
+install nfsv3 /bin/true
+install nfsv4 /bin/true
+install gfs2 /bin/true
diff --git a/modprobe/etc/modprobe.d/disable-rare-filesystems.conf b/modprobe/etc/modprobe.d/disable-rare-filesystems.conf
new file mode 100644
index 0000000..10016ee
--- /dev/null
+++ b/modprobe/etc/modprobe.d/disable-rare-filesystems.conf
@@ -0,0 +1,7 @@
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+install hfs /bin/false
+install hfsplus /bin/false
+install squashfs /bin/false
+install udf /bin/false
diff --git a/modprobe/etc/modprobe.d/disable-rare-protocols.conf b/modprobe/etc/modprobe.d/disable-rare-protocols.conf
new file mode 100644
index 0000000..5610011
--- /dev/null
+++ b/modprobe/etc/modprobe.d/disable-rare-protocols.conf
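Review bot: Every `skip-test=` line permanently silences a finding, but only the four section headers record a reason, so a later reviewer cannot tell whether a given id was suppressed because the control is irrelevant on a cloud host, because it is compensated elsewhere, or simply because it was noisy. A one-line justification above each id, in the style `# AUTH-9286: no local password logins, sshd is key-only`, keeps the suppressions auditable. The "Old packages" section is the weakest in this respect: CUST-0810 and CUST-0285 are custom-test ids and the header does not say what they check or why they no longer apply.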
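Review bot: `install ipv6 /bin/true` only takes effect when IPv6 is built as a loadable module; on distribution kernels where it is compiled in (commonly the case) the line is a no-op, and the `ipv6.disable=1` kernel parameter or the `net.ipv6.conf.*.disable_ipv6` sysctls in this same commit are what actually disable it, so a comment naming the authoritative mechanism would avoid a false sense of coverage. The modprobe files also mix `/bin/true` (here and in disable-network-filesystems.conf) with `/bin/false` (disable-rare-filesystems.conf, disable-rare-protocols.conf, disable-vivid.conf): with `/bin/true` a modprobe of the blocked module reports success, with `/bin/false` it fails loudly, and nothing records why each file chose one. State the convention once, e.g. `# /bin/true: report success so dependent units keep working; /bin/false: fail loudly`, or unify on one.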
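Review bot: `install squashfs /bin/false` will break snap packages on the Ubuntu hosts this repository also targets, since snaps are mounted as squashfs images, and unlike disable-network-filesystems.conf this file carries no "disable only if not used" caveat. A header such as `# Disable only if not used; squashfs is required by snapd on Ubuntu` would stop a blind copy from taking out package management. It is also worth noting in that header that an `install` rule does not unload a module that is already loaded, so the effect should be checked with a reboot or `lsmod` after deployment.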
@@ -0,0 +1,19 @@
+install dccp /bin/false
+install sctp /bin/false
+install rds /bin/false
+install tipc /bin/false
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
diff --git a/modprobe/etc/modprobe.d/disable-vivid.conf b/modprobe/etc/modprobe.d/disable-vivid.conf
new file mode 100644
index 0000000..79dd0ff
--- /dev/null
+++ b/modprobe/etc/modprobe.d/disable-vivid.conf
@@ -0,0 +1 @@
+install vivid /bin/false
diff --git a/pam/etc/pam.d/rocky-linux/su b/pam/etc/pam.d/rocky-linux/su
new file mode 100644
index 0000000..c870601
--- /dev/null
+++ b/pam/etc/pam.d/rocky-linux/su
@@ -0,0 +1,13 @@
+#%PAM-1.0
+auth required pam_env.so
+auth sufficient pam_rootok.so
+# Uncomment the following line to require a user to be in the "wheel" group.
+auth required pam_wheel.so use_uid
+auth substack system-auth
+auth include postlogin
+account sufficient pam_succeed_if.so uid = 0 use_uid quiet
+account include system-auth
+password include system-auth
+session include system-auth
+session include postlogin
+session optional pam_xauth.so
diff --git a/pam/etc/pam.d/rocky-linux/su-l b/pam/etc/pam.d/rocky-linux/su-l
new file mode 100644
index 0000000..b44e266
--- /dev/null
+++ b/pam/etc/pam.d/rocky-linux/su-l
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth include su
+account include su
+password include su
+session optional pam_keyinit.so force revoke
+session include su
+auth required pam_wheel.so use_uid
diff --git a/pam/etc/pam.d/ubuntu/su b/pam/etc/pam.d/ubuntu/su
new file mode 100644
index 0000000..e7edba4
--- /dev/null
+++ b/pam/etc/pam.d/ubuntu/su
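Review bot: The comment `# Uncomment the following line to require a user to be in the "wheel" group.` is stale now that `auth required pam_wheel.so use_uid` is active, and a reader skimming the file will assume the restriction is still off. Replace it with a description of the current state, e.g. `# Only members of "wheel" may use su; use_uid checks the caller's real uid rather than the login name`. It would also help to note that `auth sufficient pam_rootok.so` above it still exempts root, which is the intended normal operation.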
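Review bot: The trailing `auth required pam_wheel.so use_uid` is redundant: `auth include su` already pulls in the identical line from the su file, so the group check runs twice and a reader cannot tell whether the duplication is deliberate belt-and-braces or a leftover from editing. Either drop it or annotate it, `# belt-and-braces: su already enforces wheel membership via include`. The same duplicate appears at the end of pam/etc/pam.d/ubuntu/su-l in this commit (there without use_uid).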
@@ -0,0 +1,59 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+ auth required pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session optional pam_mail.so nopen
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
diff --git a/pam/etc/pam.d/ubuntu/su-l b/pam/etc/pam.d/ubuntu/su-l
new file mode 100644
index 0000000..eb23e9e
--- /dev/null
+++ b/pam/etc/pam.d/ubuntu/su-l
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth include su
+account include su
+password include su
+session optional pam_keyinit.so force revoke
+session include su
+auth required pam_wheel.so
diff --git a/rc.local/etc/rc.local b/rc.local/etc/rc.local
new file mode 100644
index 0000000..6f8eb97
--- /dev/null
+++ b/rc.local/etc/rc.local
@@ -0,0 +1,9 @@
+#!/bin/bash
+# /etc/rc.local
+
+# file needed to correctly load kernel parameters at boot time
+# on Ubuntu (ex. to disable ipv6) without modifying grub
+/etc/sysctl.d
+/etc/init.d/procps restart
+
+exit 0
diff --git a/security/etc/security/limits.conf b/security/etc/security/limits.conf
new file mode 100644
index 0000000..06db731
--- /dev/null
+++ b/security/etc/security/limits.conf
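Review bot: ` auth required pam_wheel.so` is now active, but the comment block above it still reads "Uncomment this to force users…" and the line keeps the leading space from the commented-out original, so the file misdescribes its own state. This Ubuntu variant also omits `use_uid` while the Rocky variant in the same commit has it; without it pam_wheel resolves the caller from the login name rather than the real uid, which can behave differently in sessions without a utmp entry. With no `group=`, the check falls back to GID 0 on Ubuntu (no "wheel" group exists), which excludes the `sudo` group Ubuntu administrators normally belong to — intended or not, that consequence should be written down. I would change the line to `auth required pam_wheel.so use_uid` and replace the stale comment with `# Only members of group root (or group=..., see login.defs note above) may use su; use_uid checks the caller's real uid`.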
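Review bot: `/etc/sysctl.d` is a directory, not a command, so that line fails at boot (bash reports "Is a directory") and the only thing that actually reloads the parameters is the `/etc/init.d/procps restart` that follows; the unconditional `exit 0` then hides the error. The line was almost certainly meant to be `sysctl --system`, which applies /etc/sysctl.d/*.conf and /etc/sysctl.conf in the documented order and makes the procps restart redundant. The header comment should also state that this script only runs when rc-local.service is enabled and the file is executable, since otherwise the "needed to correctly load kernel parameters" claim silently does not hold.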
@@ -0,0 +1,62 @@
+# /etc/security/limits.conf
+#
+#This file sets the resource limits for the users logged in via PAM.
+#It does not affect resource limits of the system services.
+#
+#Also note that configuration files in /etc/security/limits.d directory,
+#which are read in alphabetical order, override the settings in this
+#file in case the domain is the same or more specific.
+#That means for example that setting a limit for wildcard domain here
+#can be overriden with a wildcard setting in a config file in the
+#subdirectory, but a user specific setting here can be overriden only
+#with a user specific setting in the subdirectory.
+#
+#Each line describes a limit for a user in the form:
+#
+#
+#
+#Where:
+# can be:
+# - a user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+#
+# can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+# can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+#
+#
+#
+
+* soft core 0
+* hard core 0
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#@student - maxlogins 4
+
+# End of file
diff --git a/ssh/etc/ssh/sshd_config b/ssh/etc/ssh/sshd_config
new file mode 100644
index 0000000..842db0f
--- /dev/null
+++ b/ssh/etc/ssh/sshd_config
@@ -0,0 +1,27 @@
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+SyslogFacility AUTHPRIV
+
+AllowGroups sshlogin
+
+PermitRootLogin WITHOUT-PASSWORD
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+IgnoreRhosts yes
+MaxSessions 4
+MaxAuthTries 4
+ClientAliveCountMax 2
+LogLevel VERBOSE
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+PrintMotd no
+X11Forwarding no
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/sysctl/etc/sysctl.conf b/sysctl/etc/sysctl.conf
new file mode 100644
index 0000000..2350204
--- /dev/null
+++ b/sysctl/etc/sysctl.conf
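Review bot: `* hard core 0` only reaches PAM sessions, as the header itself says, so daemons started by systemd keep their default core dump limit and the intent "no core dumps" does not hold system-wide; to cover services, set `DefaultLimitCORE=0` in /etc/systemd/system.conf alongside this file (the `fs.suid_dumpable = 0` sysctl in this commit already covers the setuid case). A short comment next to the two `core` lines stating that scope would stop readers from assuming more than the file delivers. Separately, several header lines read as a bare `#` or `# can be:` where the stock file names the `<domain> <type> <item> <value>` placeholders; this may be a rendering artefact of this page rather than the committed content, but it is worth checking the file in the repository.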
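Review bot: `ClientAliveCountMax 2` has no effect on its own: `ClientAliveInterval` defaults to 0, which disables the keepalive probes entirely, so idle sessions are never torn down; add a value such as `ClientAliveInterval 300` (sample value) next to it. `PermitRootLogin WITHOUT-PASSWORD` and `ChallengeResponseAuthentication no` are the older spellings that current OpenSSH documents as deprecated aliases of `prohibit-password` and `KbdInteractiveAuthentication no`; both still work, but the new names are what the manual describes. With `AllowGroups sshlogin`, root can only log in if the root account is itself a member of that group, which should be stated in a comment next to `PermitRootLogin` so the two settings are not tuned independently. `Subsystem sftp /usr/lib/openssh/sftp-server` is the Debian/Ubuntu path; on Rocky Linux the binary lives under /usr/libexec/openssh/, so this single file cannot serve both distributions that the pam directories in this commit target.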
@@ -0,0 +1,66 @@
+# Hardened sysctl conf
+
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+fs.suid_dumpable = 0
+
+kernel.core_uses_pid = 1
+kernel.ctrl-alt-del = 0
+kernel.dmesg_restrict = 1
+kernel.kptr_restrict = 2
+kernel.randomize_va_space = 2
+kernel.sysrq = 0
+kernel.unprivileged_bpf_disabled = 1
+
+
+net.core.bpf_jit_harden = 2
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.bootp_relay = 0
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.all.mc_forwarding = 0
+net.ipv4.conf.all.proxy_arp = 0
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.tcp_rfc1337=1
+net.ipv4.tcp_sack=0
+net.ipv4.tcp_dsack=0
+net.ipv4.tcp_fack=0
+
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_timestamps = 1
+
+dev.tty.ldisc_autoload=0
+vm.unprivileged_userfaultfd=0
+kernel.kexec_load_disabled=1
+kernel.perf_event_paranoid=2
+kernel.yama.ptrace_scope=2
+
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+
+# Uncomment do disable ipv6
+#net.ipv6.conf.all.disable_ipv6=1
+#net.ipv6.conf.default.disable_ipv6=1
+#net.ipv6.conf.lo.disable_ipv6=1
+
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.accept_source_route = 0
+
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+vm.swappiness = 15
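Review bot: `net.ipv4.tcp_sack=0`, `tcp_dsack=0` and `tcp_fack=0` switch off selective acknowledgement, which carries a real throughput cost on lossy paths; the kernel defects that once motivated turning SACK off have been fixed in supported distribution kernels, and `tcp_fack` no longer exists on recent kernels, so sysctl will log an error for it — this group needs a comment giving the current reason or should be dropped. `net.ipv4.conf.all.forwarding = 0` silently breaks container and VM networking on hosts running Docker, libvirt or similar, so it deserves the same "only if not used" caveat the modprobe files carry. `vm.mmap_rnd_bits=32` is the x86_64 maximum; on other architectures the kernel rejects the value and the remaining lines still apply, but a comment saying the value is arch-specific would save a confused boot-log read. Style: the file mixes `key = value` and `key=value`; pick one form throughout.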