Security auditing and hardening for Ubuntu 22.04+ desktops
spanklitch/bastion
Bastion

Security auditing and hardening for Ubuntu 22.04+ desktops.

Bastion scans your system across 9 security areas, reports findings with color-coded PASS/WARN/FAIL results, then lets you selectively apply fixes. It backs up every file before modifying it and never reboots your machine.

Quick Start

git clone https://github.com/spanklitch/bastion.git
cd bastion
chmod +x bastion.sh
sudo ./bastion.sh

Audit only (no changes):

sudo ./bastion.sh --audit-only

What It Checks

| Area | What's Audited |
| --- | --- |
| Firewall | UFW installed, active, default deny incoming. Tailscale-aware. |
| SSH | Root login, password auth, empty passwords, idle timeouts. Skipped if openssh-server isn't installed. |
| Auto Updates | unattended-upgrades installed, enabled, service running. |
| Fail2ban | Installed, running, SSH jail configured. Skipped if no SSH server. |
| Kernel/Sysctl | 21 parameters: SYN cookies, ICMP redirects, source routing, martian logging, ASLR, ptrace, and more. |
| Services | Lists all TCP/UDP listeners. Flags anything bound to 0.0.0.0 or [::] that isn't a known-safe service. |
| User Accounts | Empty passwords, extra UID 0 accounts, sudo group, home directory permissions. |
| File Permissions | /etc/passwd, /etc/shadow, /etc/gshadow, /etc/sudoers, SSH configs. World-writable files in /etc. |
| Logging | rsyslog/journald running, persistent journal, auditd installed, log files present. |
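To show the logic behind the Services row, here is an added example (not Bastion's own code) that classifies a listener list the same way: wildcard binds on 0.0.0.0 or [::] from a process outside a hypothetical KNOWN_SAFE list are reported as WARN, everything else as PASS. It reads constructed lines in the column order of `ss -H -tulpn`, so it runs without root or network access.

```shell
#!/usr/bin/env bash
# Added example, not part of the Bastion project. Mimics the Services audit
# on constructed `ss -H -tulpn` style lines supplied on stdin.

# Hypothetical allow-list of daemons permitted to listen on all interfaces.
KNOWN_SAFE="sshd tailscaled"

# Return 0 if the process name is in KNOWN_SAFE, 1 otherwise.
is_known_safe() {
  s_proc=$1
  for s in $KNOWN_SAFE; do
    [ "$s" = "$s_proc" ] && return 0
  done
  return 1
}

# Read ss-style lines on stdin and print one "STATUS proto local_addr proc"
# line per listener. Only wildcard binds are candidates for WARN.
audit_listeners() {
  while read -r proto state recvq sendq local_addr peer users; do
    [ -z "$proto" ] && continue
    addr=${local_addr%:*}                 # drop the ":port" suffix
    if [ -n "$users" ]; then
      proc=${users#*\"}; proc=${proc%%\"*}  # users:(("sshd",pid=..)) -> sshd
    else
      proc=unknown
    fi
    case "$addr" in
      0.0.0.0|"[::]"|"*")
        if is_known_safe "$proc"; then
          echo "PASS $proto $local_addr $proc"
        else
          echo "WARN $proto $local_addr $proc"
        fi ;;
      *) echo "PASS $proto $local_addr $proc" ;;
    esac
  done
}

# Constructed sample input (not captured from a real host).
SAMPLE='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=900,fd=7))
tcp LISTEN 0 128 [::]:5900 [::]:* users:(("x11vnc",pid=1337,fd=5))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=701,fd=12))'

# Number of WARN findings; a caller can turn this into an exit status.
warn_count() { printf '%s\n' "$SAMPLE" | audit_listeners | grep -c '^WARN'; }

printf '%s\n' "$SAMPLE" | audit_listeners
```

On a live system the same function would be fed by `ss -H -tulpn`; the sample here is only to make the classification reproducible.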

How Fixes Work

After the audit, Bastion presents all actionable findings and prompts you:

  • a - Apply all fixes
  • s - Select individually (y/n for each)
  • n - Skip, no changes

Every config file is backed up to /var/backups/bastion/<timestamp>/ before modification. All actions are logged to /var/log/bastion.log.

Tailscale Support

Bastion detects the tailscale0 interface and automatically adds a UFW rule to allow all traffic on it. Since Tailscale authenticates traffic via WireGuard, restricting the interface further would break connectivity. The Tailscale rule is added before enabling UFW to avoid any connectivity gap.

What It Does NOT Touch

Bastion is designed for desktop/workstation use and intentionally avoids:

  • AppArmor profiles
  • PAM configuration
  • Disk encryption (LUKS/ZFS)
  • /etc/fstab or mount options
  • USB, Bluetooth, audio, or display manager
  • Kernel module loading
  • Automatic reboots

Requirements

  • Ubuntu 22.04 or later
  • Root access (sudo)
  • Bash 4.0+

Rollback

Backups are saved with preserved permissions to /var/backups/bastion/<timestamp>/. To roll back a change, copy the backed-up file back to its original location:

sudo cp -p /var/backups/bastion/<timestamp>/etc/ssh/sshd_config.d/99-hardening.conf \
           /etc/ssh/sshd_config.d/99-hardening.conf

Or delete a config file that Bastion created:

sudo rm /etc/sysctl.d/99-hardening.conf
sudo sysctl --system

License

MIT
