Merge remote-tracking branch 'unitoo/master'
This commit is contained in:
commit
ff89f858e9
|
@ -0,0 +1,18 @@
|
||||||
|
# Emacs server unit service for systemd (start emacs as a server)
|
||||||
|
# This file is meant to be placed into your .config/systemd/user/ folder
|
||||||
|
# and started + enabled with systemctl enable emacs --user --now
|
||||||
|
# It is advised to add an alias for emacs to run it as client
|
||||||
|
# ex. for the terminal version: alias emacs='emacsclient -t'
|
||||||
|
[Unit]
|
||||||
|
Description=Emacs text editor
|
||||||
|
Documentation=info:emacs man:emacs(1) https://gnu.org/software/emacs/
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=forking
|
||||||
|
ExecStart=/usr/bin/emacs --daemon
|
||||||
|
ExecStop=/usr/bin/emacsclient --eval "(kill-emacs)"
|
||||||
|
Environment=SSH_AUTH_SOCK=%t/keyring/ssh
|
||||||
|
Restart=on-failure
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=default.target
|
|
@ -0,0 +1,9 @@
|
||||||
|
# These rules are not meant to be copied and pasted as there will
|
||||||
|
# likely be other options enabled on your machine.
|
||||||
|
# Instead add them to the already existing ones in your /etc/default/grub
|
||||||
|
#
|
||||||
|
# NOTE: remove ipv6 disable at the end if needed
|
||||||
|
# NOTE: remove module.sig_enforce=1 and lockdown=confidentiality on some systems to enable loading
|
||||||
|
# of wireguard module
|
||||||
|
|
||||||
|
GRUB_CMDLINE_LINUX="slab_nomerge slub_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0 ipv6.disable=1"
|
|
@ -0,0 +1,26 @@
|
||||||
|
# Disable some tests that are not useful in cloud-based servers
|
||||||
|
skip-test=AUTH-9286
|
||||||
|
skip-test=PRNT-2307
|
||||||
|
skip-test=USB-1000
|
||||||
|
skip-test=STRG-1846
|
||||||
|
skip-test=STRG-1840
|
||||||
|
skip-test=PRNT-2308
|
||||||
|
skip-test=FILE-6310
|
||||||
|
skip-test=BOOT-5122
|
||||||
|
skip-test=BOOT-5260
|
||||||
|
skip-test=KRNL-5788
|
||||||
|
skip-test=AUTH-9308
|
||||||
|
|
||||||
|
# Disable /etc/issue checking
|
||||||
|
skip-test=BANN-7126
|
||||||
|
skip-test=BANN-7130
|
||||||
|
|
||||||
|
# Disable some SSH feature checks that we intend to keep
|
||||||
|
skip-test=SSH-7408:tcpkeepalive
|
||||||
|
skip-test=SSH-7408:allowtcpforwarding
|
||||||
|
skip-test=SSH-7408:compression
|
||||||
|
skip-test=SSH-7408:port
|
||||||
|
|
||||||
|
# Old packages
|
||||||
|
skip-test=CUST-0810
|
||||||
|
skip-test=CUST-0285
|
|
@ -0,0 +1 @@
|
||||||
|
install ipv6 /bin/true
|
|
@ -0,0 +1,6 @@
|
||||||
|
# Disable only if not used
|
||||||
|
install cifs /bin/true
|
||||||
|
install nfs /bin/true
|
||||||
|
install nfsv3 /bin/true
|
||||||
|
install nfsv4 /bin/true
|
||||||
|
install gfs2 /bin/true
|
|
@ -0,0 +1,7 @@
|
||||||
|
install cramfs /bin/false
|
||||||
|
install freevxfs /bin/false
|
||||||
|
install jffs2 /bin/false
|
||||||
|
install hfs /bin/false
|
||||||
|
install hfsplus /bin/false
|
||||||
|
install squashfs /bin/false
|
||||||
|
install udf /bin/false
|
|
@ -0,0 +1,19 @@
|
||||||
|
install dccp /bin/false
|
||||||
|
install sctp /bin/false
|
||||||
|
install rds /bin/false
|
||||||
|
install tipc /bin/false
|
||||||
|
install n-hdlc /bin/false
|
||||||
|
install ax25 /bin/false
|
||||||
|
install netrom /bin/false
|
||||||
|
install x25 /bin/false
|
||||||
|
install rose /bin/false
|
||||||
|
install decnet /bin/false
|
||||||
|
install econet /bin/false
|
||||||
|
install af_802154 /bin/false
|
||||||
|
install ipx /bin/false
|
||||||
|
install appletalk /bin/false
|
||||||
|
install psnap /bin/false
|
||||||
|
install p8023 /bin/false
|
||||||
|
install p8022 /bin/false
|
||||||
|
install can /bin/false
|
||||||
|
install atm /bin/false
|
|
@ -0,0 +1 @@
|
||||||
|
install vivid /bin/false
|
|
@ -0,0 +1,13 @@
|
||||||
|
#%PAM-1.0
|
||||||
|
auth required pam_env.so
|
||||||
|
auth sufficient pam_rootok.so
|
||||||
|
# Uncomment the following line to require a user to be in the "wheel" group.
|
||||||
|
auth required pam_wheel.so use_uid
|
||||||
|
auth substack system-auth
|
||||||
|
auth include postlogin
|
||||||
|
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
|
session include postlogin
|
||||||
|
session optional pam_xauth.so
|
|
@ -0,0 +1,7 @@
|
||||||
|
#%PAM-1.0
|
||||||
|
auth include su
|
||||||
|
account include su
|
||||||
|
password include su
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include su
|
||||||
|
auth required pam_wheel.so use_uid
|
|
@ -0,0 +1,59 @@
|
||||||
|
#
|
||||||
|
# The PAM configuration file for the Shadow `su' service
|
||||||
|
#
|
||||||
|
|
||||||
|
# This allows root to su without passwords (normal operation)
|
||||||
|
auth sufficient pam_rootok.so
|
||||||
|
|
||||||
|
# Uncomment this to force users to be a member of group root
|
||||||
|
# before they can use `su'. You can also add "group=foo"
|
||||||
|
# to the end of this line if you want to use a group other
|
||||||
|
# than the default "root" (but this may have side effect of
|
||||||
|
# denying "root" user, unless she's a member of "foo" or explicitly
|
||||||
|
# permitted earlier by e.g. "sufficient pam_rootok.so").
|
||||||
|
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
|
||||||
|
auth required pam_wheel.so
|
||||||
|
|
||||||
|
# Uncomment this if you want wheel members to be able to
|
||||||
|
# su without a password.
|
||||||
|
# auth sufficient pam_wheel.so trust
|
||||||
|
|
||||||
|
# Uncomment this if you want members of a specific group to not
|
||||||
|
# be allowed to use su at all.
|
||||||
|
# auth required pam_wheel.so deny group=nosu
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||||
|
# time restrainst on su usage.
|
||||||
|
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||||
|
# as well as /etc/porttime)
|
||||||
|
# account requisite pam_time.so
|
||||||
|
|
||||||
|
# This module parses environment configuration file(s)
|
||||||
|
# and also allows you to use an extended config
|
||||||
|
# file /etc/security/pam_env.conf.
|
||||||
|
#
|
||||||
|
# parsing /etc/environment needs "readenv=1"
|
||||||
|
session required pam_env.so readenv=1
|
||||||
|
# locale variables are also kept into /etc/default/locale in etch
|
||||||
|
# reading this file *in addition to /etc/environment* does not hurt
|
||||||
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# Defines the MAIL environment variable
|
||||||
|
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||||
|
# in /etc/login.defs to make sure that removing a user
|
||||||
|
# also removes the user's mail spool file.
|
||||||
|
# See comments in /etc/login.defs
|
||||||
|
#
|
||||||
|
# "nopen" stands to avoid reporting new mail when su'ing to another user
|
||||||
|
session optional pam_mail.so nopen
|
||||||
|
|
||||||
|
# Sets up user limits according to /etc/security/limits.conf
|
||||||
|
# (Replaces the use of /etc/limits in old login)
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# The standard Unix authentication modules, used with
|
||||||
|
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||||
|
# /etc/shadow entries.
|
||||||
|
@include common-auth
|
||||||
|
@include common-account
|
||||||
|
@include common-session
|
|
@ -0,0 +1,7 @@
|
||||||
|
#%PAM-1.0
|
||||||
|
auth include su
|
||||||
|
account include su
|
||||||
|
password include su
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include su
|
||||||
|
auth required pam_wheel.so
|
|
@ -0,0 +1,9 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# /etc/rc.local
|
||||||
|
|
||||||
|
# file needed to correctly load kernel parameters at boot time
|
||||||
|
# on Ubuntu (ex. to disable ipv6) without modifying grub
|
||||||
|
/etc/sysctl.d
|
||||||
|
/etc/init.d/procps restart
|
||||||
|
|
||||||
|
exit 0
|
|
@ -0,0 +1,62 @@
|
||||||
|
# /etc/security/limits.conf
|
||||||
|
#
|
||||||
|
#This file sets the resource limits for the users logged in via PAM.
|
||||||
|
#It does not affect resource limits of the system services.
|
||||||
|
#
|
||||||
|
#Also note that configuration files in /etc/security/limits.d directory,
|
||||||
|
#which are read in alphabetical order, override the settings in this
|
||||||
|
#file in case the domain is the same or more specific.
|
||||||
|
#That means for example that setting a limit for wildcard domain here
|
||||||
|
#can be overriden with a wildcard setting in a config file in the
|
||||||
|
#subdirectory, but a user specific setting here can be overriden only
|
||||||
|
#with a user specific setting in the subdirectory.
|
||||||
|
#
|
||||||
|
#Each line describes a limit for a user in the form:
|
||||||
|
#
|
||||||
|
#<domain> <type> <item> <value>
|
||||||
|
#
|
||||||
|
#Where:
|
||||||
|
#<domain> can be:
|
||||||
|
# - a user name
|
||||||
|
# - a group name, with @group syntax
|
||||||
|
# - the wildcard *, for default entry
|
||||||
|
# - the wildcard %, can be also used with %group syntax,
|
||||||
|
# for maxlogin limit
|
||||||
|
#
|
||||||
|
#<type> can have the two values:
|
||||||
|
# - "soft" for enforcing the soft limits
|
||||||
|
# - "hard" for enforcing hard limits
|
||||||
|
#
|
||||||
|
#<item> can be one of the following:
|
||||||
|
# - core - limits the core file size (KB)
|
||||||
|
# - data - max data size (KB)
|
||||||
|
# - fsize - maximum filesize (KB)
|
||||||
|
# - memlock - max locked-in-memory address space (KB)
|
||||||
|
# - nofile - max number of open file descriptors
|
||||||
|
# - rss - max resident set size (KB)
|
||||||
|
# - stack - max stack size (KB)
|
||||||
|
# - cpu - max CPU time (MIN)
|
||||||
|
# - nproc - max number of processes
|
||||||
|
# - as - address space limit (KB)
|
||||||
|
# - maxlogins - max number of logins for this user
|
||||||
|
# - maxsyslogins - max number of logins on the system
|
||||||
|
# - priority - the priority to run user process with
|
||||||
|
# - locks - max number of file locks the user can hold
|
||||||
|
# - sigpending - max number of pending signals
|
||||||
|
# - msgqueue - max memory used by POSIX message queues (bytes)
|
||||||
|
# - nice - max nice priority allowed to raise to values: [-20, 19]
|
||||||
|
# - rtprio - max realtime priority
|
||||||
|
#
|
||||||
|
#<domain> <type> <item> <value>
|
||||||
|
#
|
||||||
|
|
||||||
|
* soft core 0
|
||||||
|
* hard core 0
|
||||||
|
#* hard rss 10000
|
||||||
|
#@student hard nproc 20
|
||||||
|
#@faculty soft nproc 20
|
||||||
|
#@faculty hard nproc 50
|
||||||
|
#ftp hard nproc 0
|
||||||
|
#@student - maxlogins 4
|
||||||
|
|
||||||
|
# End of file
|
|
@ -0,0 +1,27 @@
|
||||||
|
HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
SyslogFacility AUTHPRIV
|
||||||
|
|
||||||
|
AllowGroups sshlogin
|
||||||
|
|
||||||
|
PermitRootLogin WITHOUT-PASSWORD
|
||||||
|
PubkeyAuthentication yes
|
||||||
|
AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
IgnoreRhosts yes
|
||||||
|
MaxSessions 4
|
||||||
|
MaxAuthTries 4
|
||||||
|
ClientAliveCountMax 2
|
||||||
|
LogLevel VERBOSE
|
||||||
|
PasswordAuthentication no
|
||||||
|
ChallengeResponseAuthentication no
|
||||||
|
GSSAPIAuthentication no
|
||||||
|
UsePAM yes
|
||||||
|
PrintMotd no
|
||||||
|
X11Forwarding no
|
||||||
|
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||||
|
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
|
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||||
|
AcceptEnv XMODIFIERS
|
||||||
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
|
@ -0,0 +1,66 @@
|
||||||
|
# Hardened sysctl conf
|
||||||
|
|
||||||
|
fs.protected_regular = 2
|
||||||
|
fs.protected_fifos = 2
|
||||||
|
fs.protected_hardlinks = 1
|
||||||
|
fs.protected_symlinks = 1
|
||||||
|
fs.suid_dumpable = 0
|
||||||
|
|
||||||
|
kernel.core_uses_pid = 1
|
||||||
|
kernel.ctrl-alt-del = 0
|
||||||
|
kernel.dmesg_restrict = 1
|
||||||
|
kernel.kptr_restrict = 2
|
||||||
|
kernel.randomize_va_space = 2
|
||||||
|
kernel.sysrq = 0
|
||||||
|
kernel.unprivileged_bpf_disabled = 1
|
||||||
|
|
||||||
|
|
||||||
|
net.core.bpf_jit_harden = 2
|
||||||
|
net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
net.ipv4.conf.all.accept_source_route = 0
|
||||||
|
net.ipv4.conf.all.bootp_relay = 0
|
||||||
|
net.ipv4.conf.all.forwarding = 0
|
||||||
|
net.ipv4.conf.all.log_martians = 1
|
||||||
|
net.ipv4.conf.all.mc_forwarding = 0
|
||||||
|
net.ipv4.conf.all.proxy_arp = 0
|
||||||
|
net.ipv4.conf.all.rp_filter = 1
|
||||||
|
net.ipv4.conf.all.send_redirects = 0
|
||||||
|
net.ipv4.conf.all.secure_redirects=0
|
||||||
|
net.ipv4.tcp_rfc1337=1
|
||||||
|
net.ipv4.tcp_sack=0
|
||||||
|
net.ipv4.tcp_dsack=0
|
||||||
|
net.ipv4.tcp_fack=0
|
||||||
|
|
||||||
|
net.ipv4.conf.default.accept_redirects = 0
|
||||||
|
net.ipv4.conf.default.accept_source_route = 0
|
||||||
|
net.ipv4.conf.default.log_martians = 1
|
||||||
|
net.ipv4.conf.default.rp_filter=1
|
||||||
|
net.ipv4.conf.default.send_redirects=0
|
||||||
|
net.ipv4.conf.default.secure_redirects=0
|
||||||
|
|
||||||
|
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||||
|
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||||
|
net.ipv4.tcp_syncookies = 1
|
||||||
|
net.ipv4.tcp_timestamps = 1
|
||||||
|
|
||||||
|
dev.tty.ldisc_autoload=0
|
||||||
|
vm.unprivileged_userfaultfd=0
|
||||||
|
kernel.kexec_load_disabled=1
|
||||||
|
kernel.perf_event_paranoid=2
|
||||||
|
kernel.yama.ptrace_scope=2
|
||||||
|
|
||||||
|
vm.mmap_rnd_bits=32
|
||||||
|
vm.mmap_rnd_compat_bits=16
|
||||||
|
|
||||||
|
# Uncomment do disable ipv6
|
||||||
|
#net.ipv6.conf.all.disable_ipv6=1
|
||||||
|
#net.ipv6.conf.default.disable_ipv6=1
|
||||||
|
#net.ipv6.conf.lo.disable_ipv6=1
|
||||||
|
|
||||||
|
net.ipv6.conf.all.accept_redirects = 0
|
||||||
|
net.ipv6.conf.all.accept_source_route = 0
|
||||||
|
|
||||||
|
net.ipv6.conf.default.accept_redirects = 0
|
||||||
|
net.ipv6.conf.default.accept_source_route = 0
|
||||||
|
|
||||||
|
vm.swappiness = 15
|
Loading…
Reference in New Issue