Awesome Open Source
Awesome Open Source

image::logo/horizontal.png[Ubuntu Hardening]

= Hardening Ubuntu. Systemd edition. :icons: font

A quick way to make a Ubuntu server a bit more secure.

Tested on Ubuntu 20.04 Focal Fossa, Ubuntu 21.04 Hirsute Hippo and Ubuntu 21.10 Impish Indri (development branch).

Systemd required.

If you're just interested in the security focused systemd configuration, it's available as a link:systemd.adoc[separate document].

If you're interested in testing your host settings, you'll find the link:README.adoc#tests[instructions here].

NOTE: This is a constant work in progress. Make sure you understand what it does. Read the code and do not run this script without first testing in a non-operational environment.

When possible, use the newly installed and configured system as a reference, or golden, image. Use that image as a baseline installation media and ensure that any future installation comply with benchmarks and policies using a configuration management tool, e.g https://www.ansible.com/[Ansible] or https://puppet.com/[Puppet].

== Packer template and Ansible playbook A https://www.packer.io/[Packer] template is available in the https://github.com/konstruktoid/hardening-geniso[konstruktoid/hardening-geniso] repository.

An Ansible playbook is available in the https://github.com/konstruktoid/ansible-role-hardening[konstruktoid/ansible-role-hardening] repository.

== Howto Start the installation of the server. + Pick language, keyboard layout, timezone and so on as you usually would.

=== Partition the system [source,shell]

/ /boot (rw) /home (rw,nosuid,nodev) swap /var /var/log (rw,nosuid,nodev,noexec) /var/log/audit (rw,nosuid,nodev,noexec) /var/tmp (rw,noexec,nodev,nosuid)

Note that /tmp will be added automatically by the script.

=== Login, set a Grub2 password, configure and run ubuntu.sh Do not add any packages. + Log in. + Select a Grub2 password with grub-mkpasswd-pbkdf2. + Download the script: git clone https://github.com/konstruktoid/hardening.git. + Change the configuration options in the ubuntu.cfg file. + Run the script: sudo bash ubuntu.sh. + Reboot.

== Configuration options [source,shell]

FW_ADMIN='127.0.0.1' // <1> SSH_GRPS='sudo' // <2> SSH_PORT='22' // <3> SYSCTL_CONF='./misc/sysctl.conf' // <4> AUDITD_MODE='1' // <5> AUDITD_RULES='./misc/audit-base.rules ./misc/audit-aggressive.rules ./misc/audit-docker.rules' // <6> LOGROTATE_CONF='./misc/logrotate.conf' // <7> NTPSERVERPOOL='0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org pool.ntp.org' // <8> TIMEDATECTL='' // <9> VERBOSE='N' // <10> AUTOFILL='N' // <11> ADMINEMAIL="[email protected]" // <12> CHANGEME='' // <13>

Configuration files

ADDUSER='/etc/adduser.conf' AUDITDCONF='/etc/audit/auditd.conf' AUDITRULES='/etc/audit/rules.d/hardening.rules' COMMONPASSWD='/etc/pam.d/common-password' COMMONACCOUNT='/etc/pam.d/common-account' COMMONAUTH='/etc/pam.d/common-auth' COREDUMPCONF='/etc/systemd/coredump.conf' DEFAULTGRUB='/etc/default/grub.d' DISABLEFS='/etc/modprobe.d/disablefs.conf' DISABLEMOD='/etc/modprobe.d/disablemod.conf' DISABLENET='/etc/modprobe.d/disablenet.conf' JOURNALDCONF='/etc/systemd/journald.conf' LIMITSCONF='/etc/security/limits.conf' LOGINDCONF='/etc/systemd/logind.conf' LOGINDEFS='/etc/login.defs' LOGROTATE='/etc/logrotate.conf' PAMLOGIN='/etc/pam.d/login' PSADCONF='/etc/psad/psad.conf' PSADDL='/etc/psad/auto_dl' RESOLVEDCONF='/etc/systemd/resolved.conf' RKHUNTERCONF='/etc/default/rkhunter' RSYSLOGCONF='/etc/rsyslog.conf' SECURITYACCESS='/etc/security/access.conf' SSHFILE='/etc/ssh/ssh_config' SSHDFILE='/etc/ssh/sshd_config' SYSCTL='/etc/sysctl.conf' SYSTEMCONF='/etc/systemd/system.conf' TIMESYNCD='/etc/systemd/timesyncd.conf' UFWDEFAULT='/etc/default/ufw' USERADD='/etc/default/useradd' USERCONF='/etc/systemd/user.conf'


<1> The IP addresses that will be able to connect with SSH, separated by spaces. <2> Which group the users have to be member of in order to acess via SSH, separated by spaces. <3> Configure SSH port. <4> Stricter sysctl settings. <5> Auditd failure mode. 0=silent 1=printk 2=panic. <6> Auditd rules. <7> Logrotate settings. <8> NTP server pool. <9> Add a specific time zone or use the system default by leaving it empty. <10> If you want all the details or not. <11> Let the script guess the FW_ADMIN and SSH_GRPS settings. <12> Add a valid email address, so PSAD can send notifications. <13> Add something just to verify that you actually glanced the code.

== Functions

=== Function list

==== 01_pre Setup script, sets APT flags and permission checks.

==== 02_firewall Enable ufw, use /etc/sysctl.conf, prepare to psad, and allow port 22 from $FW_ADMIN.

==== 03_disablenet Disable dccp sctp rds tipc protocols.

==== 04_disablemnt Disable cramfs freevxfs jffs2 hfs hfsplus udf vfat file systems.

==== 05_systemdconf Disable coredumps and crash shells, set DefaultLimitNOFILE and DefaultLimitNPROC to 1024.

==== 06_journalctl Compress logs, forward to syslog and make log storage persistent. Ensure rsyslog writes logs with stricter permissions.

==== 07_timesyncd Add four NTP-servers with a latency < 50ms from $NTPSERVERPOOL.

==== 08_fstab Configure /tmp/ and /var/tmp/. Remove floppy drivers from /etc/fstab and add hidepid=2 to /proc.

==== 09_prelink Undo prelinking, and remove prelink package.

==== 10_aptget Configure dpkg and apt-get. apt-get update and upgrade.

==== 11_hosts /etc/hosts.allow and /etc/hosts.deny restrictions.

==== 12_logindefs Modify /etc/login.defs, e.g. UMASK, password age limits and SHA_CRYPT_MAX_ROUNDS.

==== 13_sysctl Update $SYSCTL with $SYSCTL_CONF.

==== 14_limits Set hard and soft limits.

==== 15_adduser Configure useradd and adduser to set /bin/false as default shell, home directory permissions to 0750 and lock users 30 days after password expires.

==== 16_rootaccess Limit /etc/securetty to console, and root from 127.0.0.1 in /etc/security/access.conf.

==== 17_packages Installs acct aide-common apparmor-profiles apparmor-utils auditd audispd-plugins debsums gnupg2 haveged libpam-apparmor libpam-pwquality libpam-tmpdir needrestart openssh-server postfix rkhunter sysstat systemd-coredump tcpd psad update-notifier-common vlock.

Removes apport* autofs avahi* beep git pastebinit popularity-contest rsh* rsync talk* telnet* tftp* whoopsie xinetd yp-tools ypbind.

==== 18_sshdconfig Configure the OpenSSH-daemon.

==== 19_password Configure pam_pwquality.so and pam_tally2.so.

==== 20_cron Allow root to use cron. Mask atd.

==== 21_ctraltdel Disable Ctrl-alt-delete.

==== 22_auditd Configure auditd, use $AUDITD_RULES and set failure mode $AUDITD_MODE.

==== 23_disablemod Disable bluetooth bnep btusb cpia2 firewire-core floppy n_hdlc net-pf-31 pcspkr soundcore thunderbolt usb-midi usb-storage uvcvideo v4l2_common kernel modules.

Note that disabling the usb-storage will disable any usage of USB storage devices, if such devices are needed USBGuard should be configured accordingly.

==== 24_aide Configure aide.

==== 25_rhosts Remove hosts.equiv and .rhosts.

==== 26_users Remove games gnats irc list news sync uucp users.

==== 27_suid Remove suid bits from the executables listed in link:misc/suid.list[this document].

==== 28_umask Set bash and /etc/profile umask.

==== 29_apparmor Enforce present apparmor profiles.

==== 30_path Set root path to /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, and user path to /usr/local/bin:/usr/bin:/bin.

==== 31_logindconf Configure systemd/logind.conf and use KillUserProcesses.

==== 32_resolvedconf Configure systemd/resolved.conf.

==== 33_rkhunter Configure rkhunter.

==== 34_issue Update /etc/issue /etc/issue.net /etc/motd.

==== 35_apport Disable apport, ubuntu-report and popularity-contest.

==== 36_lockroot Lock the root user account.

==== 37_coredump Disable coredumps with systemd/coredump.conf.

==== 38_postfix Disable the VRFY command, configure smtpd_banner, smtpd_client_restrictions and inet_interfaces.

==== 39_motdnews Disable motd-news.

==== 40_usbguard Install and configure usbguard.

==== 41_compilers Restrict compiler access.

==== 42_kernel Set lockdown=confidentiality if /sys/kernel/security/lockdown is present.

==== 43_sudo Configure sudo with use_pty, logfile, !visiblepw, !pwfeedback, passwd_timeout and timestamp_timeout.

Restrict su to the sudo group.

==== 44_psad Configure psad.

==== 98_systemddelta If verbose, show systemd-delta.

==== 99_post Ensure secureboot-db is installed, update grub and ensure strict permissions on boot files.

==== 99_reboot Print if a reboot is required.

=== Function execution order [source,shell]

f_pre f_kernel f_firewall f_disablenet f_disablefs f_disablemod f_systemdconf f_resolvedconf f_logindconf f_journalctl f_timesyncd f_fstab f_prelink f_aptget_configure f_aptget f_hosts f_issue f_sudo f_logindefs f_sysctl f_limitsconf f_adduser f_rootaccess f_package_install f_coredump f_usbguard f_postfix f_apport f_motdnews f_rkhunter f_sshconfig f_sshdconfig f_password f_cron f_ctrlaltdel f_auditd f_psad f_aide f_rhosts f_users f_lockroot f_package_remove f_suid f_restrictcompilers f_umask f_path f_aa_enforce f_aide_post f_aide_timer f_aptget_noexec f_aptget_clean f_systemddelta f_post f_checkreboot

== Tests There are approximately 700 https://github.com/sstephenson/bats[Bats tests] for most of the above settings available in the link:tests/[tests directory].

[source,shell]

sudo apt-get -y install bats git clone https://github.com/konstruktoid/hardening.git cd hardening/tests/ sudo bats .

=== Test automation using Vagrant Running bash ./runTests.sh will use https://www.vagrantup.com/[Vagrant] to run all above tests and https://github.com/CISOfy/Lynis[Lynis] on all supported Ubuntu versions. The script will generate a file named TESTRESULTS.adoc.

=== Testing a host Running bash ./runHostTests.sh, located in the link:tests/[tests directory], will generate a TESTRESULTS-<HOSTNAME>.adoc report.

== Issues: snapd In order to use snapd you will have to disable the https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html[kernel_lockdown] setting, update grub, reboot the host and then reinstall snapd.

[source,shell]

sudo sed -i 's/^/# /g' /etc/default/grub.d/99-hardening-lockdown.cfg sudo update-grub sudo reboot sudo apt-get --assume-yes --reinstall install snapd

== Recommended reading https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux[Canonical Ubuntu 18.04 LTS STIG - Ver 2, Rel 1] + https://www.cisecurity.org/benchmark/distribution_independent_linux/[CIS Distribution Independent Linux Benchmark] + https://www.cisecurity.org/benchmark/ubuntu_linux/[CIS Ubuntu Linux Benchmark] + https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/ubuntu-18-04-lts[EUD Security Guidance: Ubuntu 18.04 LTS] + https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux[Red Hat Enterprise Linux 7 - Ver 2, Rel 3 STIG] + https://wiki.ubuntu.com/Security/Features + https://help.ubuntu.com/community/StricterDefaults +

== Contributing Do you want to contribute? That's great! Contributions are always welcome, no matter how large or small. If you found something odd, feel free to https://github.com/konstruktoid/hardening/issues/[submit a new issue], improve the code by https://github.com/konstruktoid/hardening/pulls[creating a pull request], or by https://github.com/sponsors/konstruktoid[sponsoring this project].

Logo by https://github.com/reallinfo[reallinfo].


Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
shell (10,203
security (1,874
security-tools (402
ubuntu (345
security-automation (62
security-hardening (59
hardening (55
systemd (52
information-security (49