A quick way to make a Ubuntu server a bit more secure.
Tested on Ubuntu 20.04 Focal Fossa and Ubuntu 20.10 Groovy Gorilla (development branch).
Systemd required.
If you’re just interested in the security focused systemd configuration, it’s available as a separate document.
If you’re interested in testing your host settings, you’ll find the instructions here.
If you’re using Ansible, a playbook with most of the functions described below implemented is available in my Ansible repository konstruktoid/ansible-role-hardening.
A basic ISO-generation script is available in the konstruktoid/hardening-geniso repository.
Note: This is a constant work in progress. Make sure you understand what it does. Read the code.
Start the installation of the server.
Pick language, keyboard layout, timezone and so on as you usually would.
/
/boot (rw)
/home (rw,nosuid,nodev)
swap
/var
/var/log (rw,nosuid,nodev,noexec)
/var/log/audit (rw,nosuid,nodev,noexec)
Note that /tmp and /var/tmp will be added automatically by the script.
Do not add any packages.
Log in.
Select a Grub2 password (using grub-mkpasswd-pbkdf2).
Download the script using git clone https://github.com/konstruktoid/hardening.git.
Change the configuration options in the ubuntu.cfg file and, last but not least, run the script: sudo bash ubuntu.sh.
FW_ADMIN='127.0.0.1' // (1)
SSH_GRPS='sudo' // (2)
SSH_PORT='22' // (3)
SYSCTL_CONF='./misc/sysctl.conf' // (4)
AUDITD_MODE='1' // (5)
AUDITD_RULES='./misc/audit-base.rules ./misc/audit-aggressive.rules ./misc/audit-docker.rules' // (6)
LOGROTATE_CONF='./misc/logrotate.conf' // (7)
NTPSERVERPOOL='0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org pool.ntp.org' // (8)
TIMEDATECTL='' // (9)
VERBOSE='N' // (10)
AUTOFILL='N' // (11)
CHANGEME='' // (12)
# Configuration files
ADDUSER='/etc/adduser.conf'
AUDITDCONF='/etc/audit/auditd.conf'
AUDITRULES='/etc/audit/rules.d/hardening.rules'
COMMONPASSWD='/etc/pam.d/common-password'
COMMONACCOUNT='/etc/pam.d/common-account'
COMMONAUTH='/etc/pam.d/common-auth'
COREDUMPCONF='/etc/systemd/coredump.conf'
DEFAULTGRUB='/etc/default/grub.d'
DISABLEFS='/etc/modprobe.d/disablefs.conf'
DISABLEMOD='/etc/modprobe.d/disablemod.conf'
DISABLENET='/etc/modprobe.d/disablenet.conf'
JOURNALDCONF='/etc/systemd/journald.conf'
LIMITSCONF='/etc/security/limits.conf'
LOGINDCONF='/etc/systemd/logind.conf'
LOGINDEFS='/etc/login.defs'
LOGROTATE='/etc/logrotate.conf'
PAMLOGIN='/etc/pam.d/login'
RESOLVEDCONF='/etc/systemd/resolved.conf'
RKHUNTERCONF='/etc/default/rkhunter'
RSYSLOGCONF='/etc/rsyslog.conf'
SECURITYACCESS='/etc/security/access.conf'
SSHFILE='/etc/ssh/ssh_config'
SSHDFILE='/etc/ssh/sshd_config'
SYSCTL='/etc/sysctl.conf'
SYSTEMCONF='/etc/systemd/system.conf'
TIMESYNCD='/etc/systemd/timesyncd.conf'
UFWDEFAULT='/etc/default/ufw'
USERADD='/etc/default/useradd'
USERCONF='/etc/systemd/user.conf'
(1) The IP addresses that will be able to connect with SSH, separated by spaces.
(2) Which groups the users have to be a member of in order to access the host via SSH, separated by spaces.
(3) Configure the SSH port.
(4) Stricter sysctl settings.
(5) Auditd failure mode. 0=silent 1=printk 2=panic. Mode 2 panics the kernel when an audit event cannot be recorded, so only use it where a halted host is preferable to a lost audit record.
(6) Auditd rules.
(7) Logrotate settings.
(8) NTP server pool.
(9) Add a specific time zone or use the system default by leaving it empty.
(10) If you want all the details or not.
(11) Let the script guess the FW_ADMIN and SSH_GRPS settings.
(12) Add something just to verify that you actually glanced at the code.
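An added example, not part of ubuntu.sh or the repository: a pre-flight check for a copy of ubuntu.cfg that encodes the callouts above (valid IPv4 addresses or CIDR blocks in FW_ADMIN, a usable SSH_PORT, an AUDITD_MODE of 0, 1 or 2, readable rule and config files, and a non-empty CHANGEME). The functions is_ipv4, problem and check_cfg, and the demo configuration written to a temporary directory, are constructed for this example; the script itself does not ship or run any of this.

```shell
#!/bin/sh
# Added example, not part of konstruktoid/hardening: pre-flight checks for a
# copy of ubuntu.cfg before handing it to ubuntu.sh. The file is sourced, so
# only point this at a config you have read; that is the whole idea anyway.

# is_ipv4 ADDR[/PREFIX]: 0 for a dotted quad with an optional /0-32 prefix
is_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" != "$1" ] || prefix=32          # no "/" present: single host
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# problem MSG: report one finding and remember that there was one
problem() { echo "$1"; bad=1; }

# check_cfg FILE: print one problem per line, return 1 if any were found
check_cfg() {
    bad=0
    unset FW_ADMIN SSH_GRPS SSH_PORT SYSCTL_CONF AUDITD_MODE AUDITD_RULES \
          LOGROTATE_CONF AUTOFILL CHANGEME
    # shellcheck disable=SC1090
    . "$1"
    for ip in $FW_ADMIN; do
        is_ipv4 "$ip" || problem "FW_ADMIN: '$ip' is not an IPv4 address or CIDR block"
    done
    case $AUTOFILL in
        [Yy]) ;;   # the script guesses FW_ADMIN and SSH_GRPS itself
        *)
            [ -n "$FW_ADMIN" ] || problem "FW_ADMIN is empty and AUTOFILL is not Y: nobody could SSH in"
            [ -n "$SSH_GRPS" ] || problem "SSH_GRPS is empty and AUTOFILL is not Y"
            ;;
    esac
    case $SSH_PORT in
        ''|*[!0-9]*) problem "SSH_PORT '$SSH_PORT' is not a number" ;;
        *) [ "$SSH_PORT" -ge 1 ] && [ "$SSH_PORT" -le 65535 ] ||
               problem "SSH_PORT $SSH_PORT is outside 1-65535" ;;
    esac
    case $AUDITD_MODE in
        0|1|2) ;;
        *) problem "AUDITD_MODE '$AUDITD_MODE' must be 0 (silent), 1 (printk) or 2 (panic)" ;;
    esac
    for f in $SYSCTL_CONF $LOGROTATE_CONF $AUDITD_RULES; do
        [ -r "$f" ] || problem "$f is not readable (run from the cloned repository?)"
    done
    [ -n "$CHANGEME" ] || problem "CHANGEME is empty; the cfg asks you to set it"
    return $bad
}

# Constructed demo config (not a real deployment): one bad FW_ADMIN entry,
# a missing audit rules file and an empty CHANGEME.
D=$(mktemp -d)
: > "$D/sysctl.conf"
: > "$D/logrotate.conf"
cat > "$D/demo.cfg" <<EOF
FW_ADMIN='10.0.0.5 10.0.0.300'
SSH_GRPS='sudo'
SSH_PORT='22'
SYSCTL_CONF='$D/sysctl.conf'
AUDITD_MODE='1'
AUDITD_RULES='$D/audit-base.rules'
LOGROTATE_CONF='$D/logrotate.conf'
AUTOFILL='N'
CHANGEME=''
EOF
check_cfg "$D/demo.cfg" || echo "fix ubuntu.cfg before running ubuntu.sh"
rm -rf "$D"
# Real use, from the cloned repository so the ./misc paths resolve: check_cfg ./ubuntu.cfg
```

The file is sourced rather than parsed because that is what a shell script consuming it will do; the unset at the top keeps values from an earlier check from leaking into a later one.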
CCE-80137-3, CCE-80138-1, CCE-80139-9, CCE-80140-7, CCE-80141-5, CCE-80142-3, CCE-80143-1, UBTU-16-010070
Disable the cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf and vfat file systems.
Disable coredumps and crash shells, set DefaultLimitNOFILE and DefaultLimitNPROC to 1024.
Compress logs, forward to syslog and make log storage persistent. Ensure rsyslog writes logs with stricter permissions.
Configure /tmp/ and /var/tmp/. Remove floppy drive entries from /etc/fstab and add hidepid=2 to /proc.
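An added example (not the project's own code) that serves both the partition layout from the installation steps and the f_fstab changes above: a POSIX sh check, run against /proc/mounts, that the required mount options are actually in effect, including hidepid on /proc. The functions has_opt, expected_opts and check_mounts and the sample mount table are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of konstruktoid/hardening: verify that the mount
# options from the layout above are in effect. Input is a file in /proc/mounts
# (or fstab) format: "<device> <mountpoint> <fstype> <options> ...".

# has_opt OPTIONS OPT: 0 if OPT appears in the comma-separated OPTIONS string
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# expected_opts MOUNTPOINT: options the layout requires there, space separated
expected_opts() {
    case $1 in
        /home)                                 echo "nosuid nodev" ;;
        /var/log|/var/log/audit|/tmp|/var/tmp) echo "nosuid nodev noexec" ;;
        *)                                     echo "" ;;
    esac
}

# check_mounts FILE: print one line per problem, return 1 if anything is missing
check_mounts() {
    missing=0
    seen=""
    # fstype and rest are read only to keep the fields aligned
    while read -r dev mnt fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        seen="$seen $mnt"
        for want in $(expected_opts "$mnt"); do
            has_opt "$opts" "$want" ||
                { printf '%s missing %s\n' "$mnt" "$want"; missing=1; }
        done
        # kernels 5.8 and newer report hidepid=2 as hidepid=invisible
        if [ "$mnt" = /proc ]; then
            has_opt "$opts" hidepid=2 || has_opt "$opts" hidepid=invisible ||
                { printf '/proc missing hidepid=2\n'; missing=1; }
        fi
    done < "$1"
    for req in /home /var/log /var/log/audit /tmp /var/tmp /proc; do
        case " $seen " in
            *" $req "*) ;;
            *) printf '%s is not mounted separately\n' "$req"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed sample (not from a real host): /var/log lacks noexec and
# /var/tmp is not a separate mount, so both are reported.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda5 /var/log ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda6 /var/log/audit ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
EOF
check_mounts "$SAMPLE" || echo "mount hardening is incomplete"
rm -f "$SAMPLE"
# Against a live host: check_mounts /proc/mounts
```

Reading /proc/mounts rather than /etc/fstab is deliberate: /tmp is added by the script as a systemd mount unit (config/tmp.mount in the tree), so it never appears in fstab, and /proc/mounts shows what the kernel actually enforces.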
CCE-26895-3, UBTU-16-010010, UBTU-16-010560, UBTU-16-010570
Configure dpkg and apt-get, then run apt-get update and upgrade.
CCE-80205-8, UBTU-16-010150, UBTU-16-010170, UBTU-16-010190, UBTU-16-010210, UBTU-16-010220, UBTU-16-010640
Modify /etc/login.defs, e.g. UMASK, password age limits and SHA_CRYPT_MAX_ROUNDS.
Limit /etc/securetty to console, and limit root to 127.0.0.1 in /etc/security/access.conf.
UBTU-16-010050, UBTU-16-010500, UBTU-16-010600
Installs acct, aide-common, apparmor-profiles, apparmor-utils, auditd, audispd-plugins, debsums, gnupg2, haveged, libpam-apparmor, libpam-cracklib, libpam-tmpdir, needrestart, openssh-server, postfix, rkhunter, sysstat, systemd-coredump, tcpd, update-notifier-common and vlock.
Removes apport*, autofs, avahi*, beep, git, pastebinit, popularity-contest, rsh*, rsync, talk*, telnet*, tftp*, whoopsie, xinetd, yp-tools and ypbind.
CCE-27471-2, CCE-27082-7, CCE-27433-2, CCE-27314-4, CCE-27363-1, CCE-27413-4, CCE-80222-3, CCE-80223-1, CCE-80225-6, CCE-80224-9, CCE-27445-6, UBTU-16-030200, UBTU-16-030210, UBTU-16-030270, UBTU-16-030350
Configure the OpenSSH daemon.
UBTU-16-010090, UBTU-16-010100, UBTU-16-010110, UBTU-16-010120, UBTU-16-010130, UBTU-16-010140, UBTU-16-010180, UBTU-16-010230, UBTU-16-010240, UBTU-16-010250, UBTU-16-010290, UBTU-16-010320, UBTU-16-010340
Configure pam_cracklib.so and pam_tally2.so.
CCE-27407-6, UBTU-16-020000
Configure auditd, use $AUDITD_RULES and set failure mode $AUDITD_MODE.
CCE-27327-6, CCE-27277-3, UBTU-16-010580
Disable the bluetooth, bnep, btusb, cpia2, firewire-core, floppy, n_hdlc, net-pf-31, pcspkr, soundcore, thunderbolt, usb-midi, usb-storage, uvcvideo and v4l2_common kernel modules.
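An added example (not the project's own code) covering both the file systems disabled under f_disablefs and the kernel modules disabled above: it renders modprobe.d drop-ins of the form "install NAME /bin/true" for each list and checks a /proc/modules-style listing for anything from the lists that is already loaded. The functions render_install_conf and loaded_from_list and the sample module listing are constructed for this example; how ubuntu.sh itself writes its disablefs.conf and disablemod.conf is not shown here.

```shell
#!/bin/sh
# Added example, not part of konstruktoid/hardening: render modprobe.d drop-ins
# that block the file systems and kernel modules named above, and check a
# /proc/modules-style listing for any of them that are already loaded.

DISABLED_FS="cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat"
DISABLED_MODULES="bluetooth bnep btusb cpia2 firewire-core floppy n_hdlc net-pf-31 pcspkr soundcore thunderbolt usb-midi usb-storage uvcvideo v4l2_common"

# render_install_conf NAME...: one "install NAME /bin/true" line per name.
# "install" replaces how modprobe loads the module, so an explicit modprobe
# and alias-based autoload both end up running /bin/true instead; a plain
# "blacklist" line only stops autoload by alias and still allows modprobe.
render_install_conf() {
    for m in "$@"; do
        printf 'install %s /bin/true\n' "$m"
    done
}

# loaded_from_list FILE NAME...: print names from the list that appear in FILE,
# which is in /proc/modules format ("name size refcount deps state address").
# modprobe accepts '-' and '_' interchangeably; /proc/modules only shows '_'.
loaded_from_list() {
    file=$1; shift
    found=0
    for m in "$@"; do
        name=$(printf '%s' "$m" | sed 's/-/_/g')
        if awk -v n="$name" '$1 == n { hit = 1 } END { exit !hit }' "$file"; then
            echo "$m is loaded"
            found=1
        fi
    done
    return $found
}

# Constructed sample of /proc/modules (not from a real host): usb_storage loaded
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
usb_storage 77824 0 - Live 0x0000000000000000
ext4 778240 1 - Live 0x0000000000000000
x_tables 49152 1 ip_tables, Live 0x0000000000000000
EOF
render_install_conf $DISABLED_FS        # content for /etc/modprobe.d/disablefs.conf
render_install_conf $DISABLED_MODULES   # content for /etc/modprobe.d/disablemod.conf
loaded_from_list "$SAMPLE" $DISABLED_MODULES ||
    echo "already loaded: the drop-in only stops future loads, rmmod or reboot"
rm -f "$SAMPLE"
# Live host: loaded_from_list /proc/modules $DISABLED_FS $DISABLED_MODULES
```

Two practical points: a drop-in written now does nothing to a module that is already in memory, which is what the loaded check is for; and vfat is on the file system list, so on a UEFI machine (where the EFI system partition is FAT) that entry needs to be dropped or /boot/efi stops mounting. The tested layout above has no /boot/efi, which is consistent with a BIOS install.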
Remove suid bits from the executables listed in this document.
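An added example, not code from the repository: an inventory of setuid/setgid files that strips the bits only from those on a list and reports everything else, so no privileged binary is changed without being named. Whether the list holds basenames or full paths is an assumption of this example (both are matched); check the format of misc/suid.list before pointing strip_listed at it. list_suid, strip_listed and the scratch-directory demo are constructed here.

```shell
#!/bin/sh
# Added example, not part of konstruktoid/hardening: inventory setuid/setgid
# files and strip the bits only from those on a list, reporting the rest so
# nothing privileged disappears unnoticed.

# list_suid DIR...: files under DIR with the setuid or setgid bit, one per line
list_suid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# strip_listed LISTFILE DIR...: chmod u-s,g-s every listed file found under DIR.
# The list may hold full paths or basenames; matching is exact (-x) and
# literal (-F), so a dot in a name is not a wildcard.
# Prints "stripped PATH" or "kept PATH" for every privileged file seen.
strip_listed() {
    list=$1; shift
    list_suid "$@" | while read -r f; do
        if grep -qxF -e "$f" -e "${f##*/}" "$list"; then
            chmod u-s,g-s "$f" && echo "stripped $f"
        else
            echo "kept $f"
        fi
    done
}

# Constructed demo in a scratch directory (not real system binaries):
# one listed and one unlisted setuid file.
D=$(mktemp -d)
printf 'demo-listed\n' > "$D/suid.list"
: > "$D/demo-listed"
: > "$D/demo-other"
chmod 4755 "$D/demo-listed" "$D/demo-other"
strip_listed "$D/suid.list" "$D"
list_suid "$D"                  # only demo-other should remain
rm -rf "$D"
# Real use, after reading the list: strip_listed misc/suid.list /
# (-xdev keeps find on the root file system; add other mounts explicitly)
```

The "kept" lines are the useful output on a real host: they are the privileged executables the list does not cover, which is exactly what a later audit wants to know about.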
UBTU-16-010780
Set the root path to /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, and the user path to /usr/local/bin:/usr/bin:/bin.
Disable the VRFY command, configure smtpd_banner, smtpd_client_restrictions and inet_interfaces.
f_pre
f_kernel
f_firewall
f_disablenet
f_disablefs
f_disablemod
f_systemdconf
f_resolvedconf
f_logindconf
f_journalctl
f_timesyncd
f_fstab
f_prelink
f_aptget_configure
f_aptget
f_hosts
f_issue
f_sudo
f_logindefs
f_sysctl
f_limitsconf
f_adduser
f_rootaccess
f_package_install
f_coredump
f_usbguard
f_postfix
f_apport
f_motdnews
f_rkhunter
f_sshconfig
f_sshdconfig
f_password
f_cron
f_ctrlaltdel
f_auditd
f_aide
f_rhosts
f_users
f_lockroot
f_package_remove
f_aptget_clean
f_suid
f_restrictcompilers
f_umask
f_path
f_aa_enforce
f_aide_post
f_aide_timer
f_aptget_noexec
f_systemddelta
f_post
f_checkreboot
There are approximately 700 Bats tests for most of the above settings available in the tests directory.
sudo apt-get -y install bats
git clone https://github.com/konstruktoid/hardening.git
cd hardening/tests/
sudo bats .
Running bash ./runHostTests.sh, located in the tests directory, will generate a TESTRESULTS-<HOSTNAME>.adoc report.
To run an OpenSCAP test on a Ubuntu host, where v0.1.49 should be replaced with the latest available version (and the data stream with the one matching the release you are scanning):
sudo apt-get -y install libopenscap8 unzip
wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.49/scap-security-guide-0.1.49-oval-510.zip
unzip scap-security-guide-0.1.49-oval-510.zip
cd scap-security-guide-0.1.49-oval-5.10
oscap info --fetch-remote-resources ./ssg-ubuntu1804-ds.xml
sudo oscap xccdf eval --fetch-remote-resources \
--profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high \
--report ../bionic_stig-report.html ./ssg-ubuntu1804-ds.xml
├── LICENSE
├── README.adoc
├── Vagrantfile
├── action-shellcheck
│ ├── Dockerfile
│ ├── README.md
│ └── entrypoint.sh
├── checkScore.sh
├── config
│ ├── aidecheck.service
│ ├── aidecheck.timer
│ ├── initpath.sh
│ └── tmp.mount
├── createPartitions.sh
├── logo
│ ├── horizontal.png
│ ├── icon.png
│ └── vertical.png
├── misc
│ ├── audit-aggressive.rules
│ ├── audit-base.rules
│ ├── audit-docker.rules
│ ├── audit.footer
│ ├── audit.header
│ ├── auditgenerator.sh
│ ├── fdcount.sh
│ ├── logrotate.conf
│ ├── mozilla-firefox-user.js
│ ├── proc_check.sh
│ ├── suid.list
│ ├── sysctl.conf
│ └── systemd_scan.sh
├── renovate.json
├── runTests.sh
├── scripts
│ ├── 01_pre
│ ├── 02_ufw
│ ├── 03_disablenet
│ ├── 04_disablefs
│ ├── 05_systemdconf
│ ├── 06_journalctl
│ ├── 07_timesyncd
│ ├── 08_fstab
│ ├── 09_prelink
│ ├── 10_aptget
│ ├── 11_hosts
│ ├── 12_logindefs
│ ├── 13_sysctl
│ ├── 14_limits
│ ├── 15_adduser
│ ├── 16_rootaccess
│ ├── 17_packages
│ ├── 18_sshdconfig
│ ├── 19_password
│ ├── 20_cron
│ ├── 21_ctraltdel
│ ├── 22_auditd
│ ├── 23_disablemod
│ ├── 24_aide
│ ├── 25_rhosts
│ ├── 26_users
│ ├── 27_suid
│ ├── 28_umask
│ ├── 29_apparmor
│ ├── 30_path
│ ├── 31_logindconf
│ ├── 32_resolvedconf
│ ├── 33_rkhunter
│ ├── 34_issue
│ ├── 35_apport
│ ├── 36_lockroot
│ ├── 37_coredump
│ ├── 38_postfix
│ ├── 39_motdnews
│ ├── 40_usbguard
│ ├── 41_compilers
│ ├── 42_kernel
│ ├── 43_sudo
│ ├── 98_systemddelta
│ ├── 99_post
│ └── 99_reboot
├── systemd.adoc
├── tests
│ ├── 01_pre.bats
│ ├── 02_ufw.bats
│ ├── 03_disablenet.bats
│ ├── 04_disablefs.bats
│ ├── 05_systemdconf.bats
│ ├── 06_journalctl.bats
│ ├── 07_timesyncd.bats
│ ├── 08_fstab.bats
│ ├── 10_aptget.bats
│ ├── 11_hosts.bats
│ ├── 12_logindefs.bats
│ ├── 13_sysctl.bats
│ ├── 14_limits.bats
│ ├── 15_adduser.bats
│ ├── 16_rootaccess.bats
│ ├── 17_packages.bats
│ ├── 18_sshd.bats
│ ├── 19_password.bats
│ ├── 20_cron.bats
│ ├── 21_ctrlaltdel.bats
│ ├── 22_auditd.bats
│ ├── 23_disablemod.bats
│ ├── 24_aide.bats
│ ├── 26_users.bats
│ ├── 27_suid.bats
│ ├── 28_umask.bats
│ ├── 29_apparmor.bats
│ ├── 31_logindconf.bats
│ ├── 32_resolvedconf.bats
│ ├── 33_rkhunter.bats
│ ├── 35_apport.bats
│ ├── 36_lockroot.bats
│ ├── 37_coredump.bats
│ ├── 38_postfix.bats
│ ├── 39_motdnews.bats
│ ├── 40_usbguard.bats
│ ├── 41_compilers.bats
│ ├── 42_kernel.bats
│ ├── 43_sudo.bats
│ ├── 99_misc.bats
│ ├── runHostTests.sh
│ └── test_helper.bash
├── ubuntu.cfg
└── ubuntu.sh
6 directories, 121 files
Do you want to contribute? That’s great! Contributions are always welcome, no matter how large or small. If you found something odd, feel free to submit a new issue, improve the code by creating a pull request, or by sponsoring this project.
Logo by reallinfo.