FedoraSecurityPlus

GPLv3 license

FedoraSecurityPlus is a script for enhancing Fedora security.

This script has been tested on: Fedora 40, Fedora 39.

Install

Clone this repo

  git clone https://github.com/topminipie/FedoraSecurityPlus

Switch directory

  cd ./FedoraSecurityPlus

Make it executable

  chmod +x FedoraSecurityPlus.sh

Execute it (read Usage before executing)

  ./FedoraSecurityPlus.sh

Usage

basic-dnf.txt > Basic software that the script itself needs. You probably don't want to edit it (but you CAN).

extras-dns.txt > A selection of software that you probably need; you MUST edit it to fit your needs.

flatpak-packages.txt > A selection of the most used Flatpak applications; you MUST edit it to fit your needs. Search for your software on Flathub to find its Flatpak ID.

Known Issues

ptrace

(0) - Allow ptrace for all processes

  sudo sed -i 's/kernel.yama.ptrace_scope=[0-9]/kernel.yama.ptrace_scope=0/g' /etc/sysctl.d/990-security-misc.conf

(1) - See the kernel documentation (Yama)

  sudo sed -i 's/kernel.yama.ptrace_scope=[0-9]/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf

(2) - Only processes with CAP_SYS_PTRACE (or root) may use ptrace (default in FedoraSecurityPlus)

  sudo sed -i 's/kernel.yama.ptrace_scope=[0-9]/kernel.yama.ptrace_scope=2/g' /etc/sysctl.d/990-security-misc.conf
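
An added helper (not part of FedoraSecurityPlus) that sets ptrace_scope in the same file whatever its current value, rejects invalid values, and checks whether the running kernel matches the file. The function names and the CONF/PROC override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not FedoraSecurityPlus code.
# CONF and PROC can be overridden to try the functions on a scratch copy.
CONF="${CONF:-/etc/sysctl.d/990-security-misc.conf}"
PROC="${PROC:-/proc/sys/kernel/yama/ptrace_scope}"
KEY="kernel.yama.ptrace_scope"

# Print the value set by the last uncommented KEY line in CONF
# (prints nothing if the key is absent or commented out).
configured_scope() {
    sed -n "s/^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*\$/\1/p" \
        "$CONF" 2>/dev/null | tail -n 1
}

# Set KEY to $1 in CONF regardless of the value currently there.
# Yama accepts 0-3; 3 disables attaching entirely and cannot be lowered until reboot.
set_scope() {
    case "$1" in
        [0-3]) ;;
        *) echo "ptrace_scope must be 0, 1, 2 or 3" >&2; return 2 ;;
    esac
    if [ -n "$(configured_scope)" ]; then
        # Rewrite every uncommented occurrence, leave other settings untouched.
        sed -i "s/^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=.*/$KEY=$1/" "$CONF"
    else
        # Key missing or only present as a comment: append it.
        printf '%s=%s\n' "$KEY" "$1" >> "$CONF"
    fi
}

# Succeed when the running kernel value equals the configured one;
# fail when a reload or reboot is still pending (or Yama is unavailable).
scope_in_sync() {
    [ "$(configured_scope)" = "$(cat "$PROC" 2>/dev/null)" ]
}
```

Source the file as root and call `set_scope 1`, then run `sudo sysctl --system` or reboot; `scope_in_sync` tells you whether the kernel has picked up the change.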

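A workaround for WINE is to give wineserver and wine-preloader the CAP_SYS_PTRACE capability. Note that CAP_SYS_PTRACE allows tracing arbitrary processes, so everything run through these two binaries gains that ability. Fix: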

  sudo dnf install libcap
  sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
  sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader

MAC randomization and IPv6 Privacy...

Read more about the problems here

To disable them, delete the configs:

  sudo rm -f /etc/NetworkManager/conf.d/80_ipv6-privacy.conf
  sudo rm -f /etc/NetworkManager/conf.d/80_randomize-mac.conf
  sudo rm -f /etc/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf

Credits

PYFO (GPL-3.0)

fedora-setup (GPL-3.0)

Brace (GPL-3.0)

Privacy.sexy (AGPL-3.0)

GrapheneOS Configs (MIT)

Kicksecure Configs (AGPL-3+)

Privsec Linux Hardening (CC BY-SA 4.0)

Madaidans Linux Hardening (¯\ _ (ツ)_/¯)

PrivacyGuides.org (CC BY-SA 4.0)