Function list in execution order
Note that all functions have the f_ prefix in the code.
firewall
Configures UFW if installed.
Allows connections from the addresses in $FW_ADMIN to $SSH_PORT.
Sets logging and IPT_SYSCTL=/etc/sysctl.conf.
disablemod
Disables the bluetooth, bnep, btusb, cpia2, firewire-core, floppy,
n_hdlc, net-pf-31, pcspkr, soundcore, thunderbolt, usb-midi,
usb-storage, uvcvideo, v4l2_common kernel modules.
Note that disabling the usb-storage module will disable any usage of USB
storage devices, if such devices are needed USBGuard should be configured
accordingly and usb-storage removed from the disablemod function.
systemdconf
Sets CrashShell=no, DefaultLimitCORE=0, DefaultLimitNOFILE=1024,
DefaultLimitNPROC=1024, DumpCore=no in $SYSTEMCONF
and $USERCONF.
resolvedconf
Sets DNS=$dnslist, DNSOverTLS=opportunistic, DNSSEC=allow-downgrade, FallbackDNS=1.0.0.1
in $RESOLVEDCONF, where $dnslist is an array with the nameservers present
in /etc/resolv.conf.
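The following is an added example, not code from the hardening script, showing how the DNS= list for the resolvedconf snippet above can be derived from a resolv.conf-style file. It filters out loopback stub addresses (127.0.0.53, ::1) so the generated snippet never points systemd-resolved at itself; that filter is an assumption about sensible behaviour, not something the page states, and the sample resolv.conf is constructed with RFC 5737/3849 documentation addresses.

```shell
#!/bin/sh
# Added example (not the hardening script's own code).
# resolv_nameservers FILE: print the unique, non-loopback nameserver
# addresses from a resolv.conf-style file, space separated, in file order.
resolv_nameservers() {
  awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" && !seen[$2]++ {
         printf "%s%s", (n++ ? " " : ""), $2
       }
       END { print "" }' "$1"
}

# resolved_snippet FILE: emit the [Resolve] section with the values the
# resolvedconf function sets, using the nameservers found in FILE.
resolved_snippet() {
  dns=$(resolv_nameservers "$1")
  printf '[Resolve]\nDNS=%s\nDNSOverTLS=opportunistic\nDNSSEC=allow-downgrade\nFallbackDNS=1.0.0.1\n' "$dns"
}

# Demo on a constructed resolv.conf (documentation addresses, not real resolvers).
f=$(mktemp)
printf '%s\n' '# constructed sample' 'nameserver 127.0.0.53' \
  'nameserver 192.0.2.1' 'nameserver 192.0.2.1' 'nameserver 2001:db8::1' \
  'search example.test' > "$f"
resolved_snippet "$f"
rm -f "$f"
```

If the file only contains the systemd stub (127.0.0.53), DNS= ends up empty; in that case the real upstream servers have to be supplied by hand or taken from `resolvectl status` instead.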
logindconf
Sets IdleAction=lock, IdleActionSec=15min, KillExcludeUsers=root,
KillUserProcesses=1, RemoveIPC=yes in $LOGINDCONF.
journalctl
Sets Compress=yes, ForwardToSyslog=yes, Storage=persistent in
$JOURNALDCONF.
Sets $FileCreateMode 0600 in $RSYSLOGCONF if $RSYSLOGCONF is writable.
timesyncd
Sets NTP=${SERVERARRAY}, FallbackNTP=${FALLBACKARRAY}, RootDistanceMaxSec=1
in $TIMESYNCD where the arrays are up to four time servers with < 50ms
latency.
fstab
Configures the /boot and /home partitions with defaults,nosuid,nodev if
they are available in /etc/fstab.
Configures the /var/log, /var/log/audit and /var/tmp partitions with
defaults,nosuid,nodev,noexec if they are available in /etc/fstab.
Adds /run/shm tmpfs rw,noexec,nosuid,nodev,
/dev/shm tmpfs rw,noexec,nosuid,nodev and
/proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 to /etc/fstab if
the partition isn’t present in /etc/fstab.
Removes any floppy drivers from /etc/fstab.
Copies ./config/tmp.mount[./config/tmp.mount] to
/etc/systemd/system/tmp.mount, removes /tmp from /etc/fstab
and enables the tmpfs /tmp mount instead.
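The following is an added example, not the hardening script's own fstab function, that applies the mount-option policy described above to a copy of an fstab: it appends nosuid,nodev (or nosuid,nodev,noexec) to entries that exist, adds the /run/shm, /dev/shm and /proc entries only when their mount points are absent, and drops floppy entries. The helper names and the constructed sample fstab are assumptions for illustration; the tmp.mount unit step is not reproduced.

```shell
#!/bin/sh
# Added example (not the hardening script's own code).

# fstab_add_opts FILE MOUNTPOINT OPTS: append each comma-separated option in
# OPTS to the options field of MOUNTPOINT's entry, skipping ones already set.
fstab_add_opts() {
  file="$1"; mnt="$2"; opts="$3"
  awk -v mnt="$mnt" -v opts="$opts" '
    $0 ~ /^[[:space:]]*#/ || NF < 4 { print; next }   # comments, blanks
    $2 == mnt {
      n = split(opts, want, ",")
      for (i = 1; i <= n; i++)
        if (("," $4 ",") !~ ("," want[i] ",")) $4 = $4 "," want[i]
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# fstab_ensure_entry FILE MOUNTPOINT LINE: append LINE unless MOUNTPOINT
# already has a (non-comment) entry, so repeated runs do not duplicate it.
fstab_ensure_entry() {
  file="$1"; mnt="$2"; entry="$3"
  awk -v mnt="$mnt" '$0 !~ /^[[:space:]]*#/ && $2 == mnt { found = 1 }
                     END { exit !found }' "$file" \
    || printf '%s\n' "$entry" >> "$file"
}

# harden_fstab FILE: apply the policy from the fstab section to FILE.
harden_fstab() {
  file="$1"
  for mnt in /boot /home; do
    fstab_add_opts "$file" "$mnt" "nosuid,nodev"
  done
  for mnt in /var/log /var/log/audit /var/tmp; do
    fstab_add_opts "$file" "$mnt" "nosuid,nodev,noexec"
  done
  fstab_ensure_entry "$file" /run/shm "tmpfs /run/shm tmpfs rw,noexec,nosuid,nodev 0 0"
  fstab_ensure_entry "$file" /dev/shm "tmpfs /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0"
  fstab_ensure_entry "$file" /proc "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0"
  # Remove floppy drive entries (device field /dev/fd0, /dev/fd1, ...).
  awk '!/^[[:space:]]*\/dev\/fd[0-9]/' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo on a constructed fstab copy; never run this against /etc/fstab untested.
t=$(mktemp)
printf '%s\n' '# constructed sample fstab' \
  'UUID=abc / ext4 errors=remount-ro 0 1' \
  'UUID=def /home ext4 defaults 0 2' \
  '/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0' > "$t"
harden_fstab "$t"
cat "$t"
rm -f "$t"
```

Because both helpers check before changing, running harden_fstab twice leaves the file unchanged after the first pass, which is the property a hardening script needs if it is re-run on every provisioning cycle.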
prelink
Reverts binaries and libraries to their original content before they were
prelinked and uninstalls prelink.
aptget_configure
Sets apt options Acquire::http::AllowRedirect "false";, APT::Get::AllowUnauthenticated "false";,
APT::Periodic::AutocleanInterval "7";,
APT::Install-Recommends "false";, APT::Get::AutomaticRemove "true";,
APT::Install-Suggests "false";, Acquire::AllowDowngradeToInsecureRepositories "false";,
Acquire::AllowInsecureRepositories "false";, APT::Sandbox::Seccomp "1";
hosts
Sets sshd : ALL : ALLOW, ALL: LOCAL, 127.0.0.1 in /etc/hosts.allow and
ALL: ALL in /etc/hosts.deny.
issue
Writes a notice regarding authorized use only to /etc/issue, /etc/issue.net
and /etc/motd.
Removes the executable flag from every file in /etc/update-motd.d/.
sudo
Restricts su access to members of the sudo group using
pam_wheel.
Sets !pwfeedback, !visiblepw, logfile=/var/log/sudo.log, passwd_timeout=1,
timestamp_timeout=5, use_pty sudo options.
logindefs
Writes LOG_OK_LOGINS yes, UMASK 077, PASS_MIN_DAYS 1, PASS_MAX_DAYS 60,
DEFAULT_HOME no, ENCRYPT_METHOD SHA512, USERGROUPS_ENAB no,
SHA_CRYPT_MIN_ROUNDS 10000, SHA_CRYPT_MAX_ROUNDS 65536 to
$LOGINDEFS.
adduser
Sets DIR_MODE=0750, DSHELL=/bin/false and USERGROUPS=yes in $ADDUSER.
Sets INACTIVE=30 and SHELL=/bin/false in $USERADD.
package_install
Installs acct, aide-common, cracklib-runtime, debsums, gnupg2,
haveged, libpam-pwquality, libpam-tmpdir, needrestart, openssh-server,
postfix, psad, rkhunter, sysstat, systemd-coredump, tcpd,
update-notifier-common, vlock.
postfix
Installs postfix and sets disable_vrfy_command=yes,
inet_interfaces=loopback-only, smtpd_banner=$myhostname and
smtpd_client_restrictions=permit_mynetworks,reject using postconf.
sshdconfig
Configures the OpenSSH daemon. The configuration changes will be placed in
the directory defined by the Include option if present, otherwise
$SSHDFILE will be modified.
By default /etc/ssh/sshd_config.d/hardening.conf will contain the following:
AcceptEnv LANG LC_*
AllowAgentForwarding no
AllowGroups sudo
AllowTcpForwarding no
Banner /etc/issue.net
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
ClientAliveCountMax 3
ClientAliveInterval 200
Compression no
GSSAPIAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
KbdInteractiveAuthentication no
KerberosAuthentication no
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
LogLevel VERBOSE
LoginGraceTime 20
Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
MaxAuthTries 3
MaxSessions 3
MaxStartups 10:30:60
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PermitUserEnvironment no
Port 22
PrintLastLog yes
PrintMotd no
RekeyLimit 512M 1h
StrictModes yes
TCPKeepAlive no
UseDNS no
UsePAM yes
X11Forwarding no
password
Copies ./config/pwquality.conf[./config/pwquality.conf] to /etc/security/pwquality.conf.
Removes nullok from PAM $COMMONAUTH.
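The following is an added example, not part of the hardening script, for verifying the sshdconfig settings listed above after they have been applied. It reads sshd_config-style files the way sshd does (keywords are case-insensitive, the first occurrence wins), reports every keyword that deviates from the expected value, and returns the number of deviations so it can gate a compliance check. Because Ubuntu's default sshd_config places the Include directive at the top, the drop-in file is passed before the main file; the file names, the subset of keywords checked and the sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the hardening script's own code).

# sshd_get KEYWORD FILE...: print the value of the first occurrence of
# KEYWORD across FILEs in the order given (empty if unset). Comments and
# blank lines are ignored; matching is case-insensitive like sshd's.
sshd_get() {
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
  awk -v key="$key" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$@"
}

# sshd_audit FILE...: compare a subset of the hardening values against the
# effective configuration; print one line per deviation, return the count.
sshd_audit() {
  fails=0
  while read -r key want; do
    got=$(sshd_get "$key" "$@")
    if [ "$got" != "$want" ]; then
      printf '%s: expected "%s", found "%s"\n' "$key" "$want" "${got:-<unset>}"
      fails=$((fails + 1))
    fi
  done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding no
MaxAuthTries 3
LogLevel VERBOSE
UsePAM yes
EOF
  return "$fails"
}

# Demo on constructed files: a stock-looking main config plus a drop-in.
d=$(mktemp -d)
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' 'PermitRootLogin yes' \
  'X11Forwarding yes' 'UsePAM yes' 'MaxAuthTries 6' > "$d/sshd_config"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
  'PermitEmptyPasswords no' 'X11Forwarding no' 'AllowTcpForwarding no' \
  'MaxAuthTries 3' 'LogLevel VERBOSE' > "$d/hardening.conf"
echo "main config only:"
sshd_audit "$d/sshd_config" || echo "$? deviation(s)"
echo "with drop-in first:"
sshd_audit "$d/hardening.conf" "$d/sshd_config" && echo "no deviations"
rm -rf "$d"
```

On a live host, `sshd -T` prints the effective configuration after all includes and defaults are resolved and is the authoritative source; this reader is useful where sshd cannot be invoked, for example when auditing files collected from many hosts.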
package_remove
Removes the apport*, autofs, avahi*, beep, git, pastebinit,
popularity-contest, rsh*, rsync, talk*, telnet*, tftp*, whoopsie,
xinetd, yp-tools, ypbind packages.
path
Copies ./config/initpath.sh[./config/initpath.sh] to /etc/profile.d/initpath.sh
and sets PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
for the root user and PATH=/usr/local/bin:/usr/sbin:/usr/bin:/bin:/snap/bin
for everyone else.