FedoraSecurityPlus is a script for enhancing Fedora security.
This script has been tested on Fedora 40 and Fedora 39.
Clone this repo
git clone https://github.com/topminipie/FedoraSecurityPlus
Switch directory
cd ./FedoraSecurityPlus
Make it executable
chmod +x FedoraSecurityPlus.sh
Execute it (read Usage before executing)
./FedoraSecurityPlus.sh
basic-dnf.txt
> Really basic software, and needed for the script anyway. You probably don't want to edit it (but you CAN).
extras-dns.txt
> A bunch of software that you probably need; you MUST edit it to fit your needs.
flatpak-packages.txt
> A bunch of the most-used Flatpak software; you MUST edit it to fit your needs. Check Flathub and search for your software to find the Flatpak ID.
(0) - Fully allow ptrace for all processes
sudo sed -i 's/kernel.yama.ptrace_scope=[0-3]/kernel.yama.ptrace_scope=0/g' /etc/sysctl.d/990-security-misc.conf
(1) - Kernel Doc
sudo sed -i 's/kernel.yama.ptrace_scope=[0-3]/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf
(2) - Only processes with CAP_SYS_PTRACE (or root) may use ptrace (default in FedoraSecurityPlus)
sudo sed -i 's/kernel.yama.ptrace_scope=[0-3]/kernel.yama.ptrace_scope=2/g' /etc/sysctl.d/990-security-misc.conf
A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. Fix:
sudo dnf install libcap
sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
Read more about the problems here
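The ptrace_scope commands above only edit a line that already exists in the file. The following is an added example, not part of FedoraSecurityPlus, that sets the value whatever it currently is, appends the key if it is missing, and leaves commented-out lines alone. The function names `get_ptrace_scope` and `set_ptrace_scope` are hypothetical, and the demo runs on a constructed temporary file rather than the live config.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the project.

# Matches an uncommented kernel.yama.ptrace_scope assignment.
PTRACE_KEY_RE='^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*='

# get_ptrace_scope FILE
# Print the value the file would apply (the last uncommented assignment wins).
get_ptrace_scope() {
    sed -n -E "s/${PTRACE_KEY_RE}[[:space:]]*([0-9]+).*/\1/p" "$1" | tail -n 1
}

# set_ptrace_scope FILE LEVEL
# Yama accepts 0-3; level 3 blocks all attach and cannot be lowered
# again until the next reboot.
set_ptrace_scope() {
    case "$2" in
        0|1|2|3) ;;
        *) echo "invalid ptrace_scope: $2" >&2; return 2 ;;
    esac
    if grep -Eq "$PTRACE_KEY_RE" "$1"; then
        tmp=$(mktemp) || return 1
        # Rewrite through a temp file, then copy back so the original
        # file keeps its owner and mode.
        sed -E "s/${PTRACE_KEY_RE}.*/kernel.yama.ptrace_scope=$2/" "$1" > "$tmp" &&
            cat "$tmp" > "$1"
        rc=$?
        rm -f "$tmp"
        return "$rc"
    fi
    # Key not present: append it.
    printf 'kernel.yama.ptrace_scope=%s\n' "$2" >> "$1"
}

# Demo on a constructed sample file, never the live /etc file.
demo=$(mktemp)
printf '# constructed sample\nkernel.yama.ptrace_scope=0\n' > "$demo"
set_ptrace_scope "$demo" 2 && echo "ptrace_scope is now $(get_ptrace_scope "$demo")"
rm -f "$demo"
```

On a real system, run the function as root against /etc/sysctl.d/990-security-misc.conf, then load the change with `sudo sysctl --system` or reboot.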
Delete configs:
sudo rm -f /etc/NetworkManager/conf.d/80_ipv6-privacy.conf
sudo rm -f /etc/NetworkManager/conf.d/80_randomize-mac.conf
sudo rm -f /etc/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
Privsec Linux Hardening (CC BY-SA 4.0)
Madaidans Linux Hardening (¯\ _ (ツ)_/¯)