improve usr/bin/hardening-enable
parent
a345a0fb64
commit
ac96708b24
@ -3,13 +3,68 @@
|
||||
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
set -x
|
||||
set -e
|
||||
|
||||
if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
|
||||
source /usr/lib/helper-scripts/pre.bsh
|
||||
fi
|
||||
|
||||
## Thanks to:
|
||||
## http://mywiki.wooledge.org/BashFAQ/035
|
||||
|
||||
while :
|
||||
do
|
||||
case $1 in
|
||||
--ssh)
|
||||
ssh=true
|
||||
shift
|
||||
;;
|
||||
--nossh)
|
||||
ssh=false
|
||||
shift
|
||||
;;
|
||||
--)
|
||||
shift
|
||||
break
|
||||
;;
|
||||
-*)
|
||||
echo "$0 unknown option: $1" >&2
|
||||
exit 2
|
||||
;;
|
||||
*)
|
||||
break
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
## If there are input files (for example) that follow the options, they
|
||||
## will remain in the "$@" positional parameters.
|
||||
|
||||
if [ "$ssh" = "" ]; then
|
||||
echo "${red}ERROR${reset}: must use either --ssh or --nossh. For example:" >&2
|
||||
echo "$0 --nossh" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
echo "${bold}[Hide Hardware Info]${reset}"
|
||||
echo "Enabling enable hide-hardware-info.service by running 'systemctl enable hide-hardware-info.service'..."
|
||||
|
||||
systemctl enable hide-hardware-info.service
|
||||
|
||||
echo "${green}Success.${reset}"
|
||||
echo ""
|
||||
|
||||
echo "${bold}[NOEXEC]${reset}"
|
||||
echo "Enabling noexec by creating file /etc/noexec ..."
|
||||
|
||||
touch /etc/noexec
|
||||
|
||||
echo "${green}Success.${reset}"
|
||||
echo ""
|
||||
|
||||
echo "${bold}[LKRG - Linux Kernel Runtime Guard]${reset}"
|
||||
echo "LKRG hardening by creating /etc/sysctl.d/40-security-misc-autogenerated.conf ..."
|
||||
|
||||
mkdir -p /etc/sysctl.d
|
||||
|
||||
echo "\
|
||||
@ -22,4 +77,15 @@ echo "\
|
||||
lkrg.ci_panic=1
|
||||
lkrg.umh_lock=1" > /etc/sysctl.d/40-security-misc-autogenerated.conf
|
||||
|
||||
pam-auth-update --enable console-lockdown-security-misc
|
||||
echo "${green}Success.${reset}"
|
||||
echo ""
|
||||
|
||||
if [ "$ssh" = "false" ]; then
|
||||
echo "${bold}[Console Lockdown]${reset}"
|
||||
echo "Enabling Console Lockdown by removing user 'user' from group 'ssh'."
|
||||
|
||||
delgroup user ssh &>/dev/null || true
|
||||
|
||||
echo "${green}Success.${reset}"
|
||||
echo ""
|
||||
fi
|
||||
|
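Review bot: In the `--nossh` branch at the end of this section, `delgroup user ssh &>/dev/null || true` discards both the output and the exit status, and the next line prints `Success.` unconditionally, so the script can report the console lockdown as applied while the account is still in group `ssh`. The `|| true` is presumably there because delgroup fails when the user is not a member, so rather than dropping it I would verify the end state afterwards, e.g. `if id -nG user | tr ' ' '\n' | grep -qx ssh; then echo "ERROR: user 'user' is still in group 'ssh'" >&2; exit 1; fi`. Separately, `ssh` is never initialised before the option loop, so a non-empty `ssh` inherited from the environment passes the `[ "$ssh" = "" ]` check and can skip this branch without either flag being given; `ssh=""` ahead of `while :` would close that. The page has lost its +/- markers, so I am assuming these lines are on the new side of the commit.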