{"id":13591668,"url":"https://github.com/solidc0re/solidcore-scripts","last_synced_at":"2025-04-08T17:32:14.503Z","repository":{"id":190634901,"uuid":"683051997","full_name":"solidc0re/solidcore-scripts","owner":"solidc0re","description":"Hardening scripts for immutable Fedora","archived":false,"fork":false,"pushed_at":"2023-11-02T11:43:45.000Z","size":677,"stargazers_count":9,"open_issues_count":3,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-11-06T12:44:58.648Z","etag":null,"topics":["fedora","fedora-kinoite","fedora-silverblue","hardened-fedora","hardening","hardening-settings","security","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/solidc0re.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-08-25T13:34:19.000Z","updated_at":"2024-10-20T07:28:12.000Z","dependencies_parsed_at":"2023-08-25T17:57:56.842Z","dependency_job_id":"4e7533b4-357d-4c59-9790-afc1e2489073","html_url":"https://github.com/solidc0re/solidcore-scripts","commit_stats":null,"previous_names":["solidc0re/solidcore-scripts"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solidc0re%2Fsolidcore-scripts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solidc0re%2Fsolidcore-scripts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solidc0re%2Fsolidcore-scripts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solidc0r
e%2Fsolidcore-scripts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/solidc0re","download_url":"https://codeload.github.com/solidc0re/solidcore-scripts/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247892645,"owners_count":21013753,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fedora","fedora-kinoite","fedora-silverblue","hardened-fedora","hardening","hardening-settings","security","security-tools"],"created_at":"2024-08-01T16:01:00.437Z","updated_at":"2025-04-08T17:32:09.493Z","avatar_url":"https://github.com/solidc0re.png","language":"Shell","funding_links":[],"categories":["Automation"],"sub_categories":["SELinux"],"readme":"# solidcore-scripts\n### Hardening scripts for immutable Fedora.\n\n**:cupid: Love [Fedora](https://fedoraproject.org/)?**\n\n**:sparkling_heart: Love the immutable desktops?**\n\n**:hushed: Thought you were safe?**\n\nWhilst it is true that a read-only (immutable) filesystem during run-time does reduce a lot of attack surface exploited by malware, security depends on much more than that.\n\n- **What if someone gains physical access to your device?**\n- **What if someone else who uses your computer downloads malware?**\n- **What if you are the target of malicious network activity?** ... 
You get the picture.\n\nThese are just some of the issues that solidcore hardening aims to protect against.\n\n# Aims\n**This project aims to protect immutable Fedora variants against a variety of attack vectors by:**\n- **Securing the bootloader**\n- **Hardening the kernel**\n- **Locking down root and implementing stronger password policies**\n- **Blocking malicious domains**\n- **Disabling all unused ports and interfaces**\n- **Improving the firewall settings**\n- :fire: ***... plus more!!*** :fire:\n\n# Current features\n**v0.2.7 alpha released September 10th 2023.**\n\n**Despite the low version number of v0.2.7, this script implements some serious hardening:**\n\n- Guided user interface :heavy_check_mark:\n- Auto-generate backups of important config files :heavy_check_mark:\n- Sysctl kernel, network and userspace hardening :heavy_check_mark:\n- Hardened GRUB boot parameters :heavy_check_mark:\n- Kernel module blacklist :heavy_check_mark:\n- High risk and unused services disabled and masked :heavy_check_mark:\n- Processes hidden from other users (hidepid) :heavy_check_mark:\n- New files only viewable to owner/creator :heavy_check_mark:\n- Core dumps disabled (stops sensitive information about the system being available) :heavy_check_mark:\n- Improved password policies :heavy_check_mark:\n- Root account locked :heavy_check_mark:\n- Update user password to align with new policies :heavy_check_mark:\n- Firewalld zone set to drop (drops all incoming connections) :heavy_check_mark:\n- Automatic updates for rpm-ostree and flatpaks :heavy_check_mark:\n- Fedora flatpaks replaced with Flathub flatpaks :heavy_check_mark:\n- Mute microphone by default on login :heavy_check_mark:\n- Flatseal installed :heavy_check_mark:\n- Firstboot script installed to ensure:\n  - New password set :heavy_check_mark:\n  - GRUB password set (optional, but recommended) :heavy_check_mark:\n  - Wireless technologies blocked (optional) :heavy_check_mark:\n  - Unused ports are disabled and 
blacklisted :heavy_check_mark:\n  - USBGuard installed (if required) :heavy_check_mark:\n  - Enable hardware key support (optional) :heavy_check_mark:\n- [DNSCrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) installed (uses the encrypted, more secure [DNSCrypt protocol](https://dnscrypt.info/) for all your DNS lookups) :heavy_check_mark:\n- DNS blocklists added (blocks ad, malicious and tracking domains by default; adult content optional) :heavy_check_mark:\n- Updates scheduled for dnscrypt-proxy and DNS blocklists :heavy_check_mark:\n- MAC randomization :heavy_check_mark:\n- Checks in place for SELinux mode, known CPU vulnerabilities and insecure HTTP URLs in the repos :heavy_check_mark:\n- Chrony (NTP) config updated to match GrapheneOS configuration :heavy_check_mark:\n- Hardened USBGuard config :heavy_check_mark:\n- Uninstall file (untested in current version - may throw out unexpected errors, but should be operational)\n\n**Tested on Fedora Silverblue 38.**\n\n# Planned features and future goals\nThe long-term goal (probably for v1.0) is to have the hardening provided by this script work both client-side - i.e. manual running of the script on any existing immutable Fedora system - and server-side, so people can carry out an rpm-ostree rebase to a pre-hardened and constantly updated system.\n\nIn the meantime, there's plenty of work to do. Including the following, in no particular order:\n- create testing VMs of all official immutable Fedora variants\n- create solidcore aliases for common post-install actions (e.g. 
`solidcore uninstall`, `solidcore add-blocklist`, `solidcore allow [domain]`, `solidcore status` [to check whether settings are still valid \u0026 active])\n- develop the `-test` flag further for more verbosity\n- align as much as immutable Fedora will allow with the Center for Internet Security's RHEL 9 Workstation Level 1 \u0026 Level 2 benchmark\n- research and improve sysctl, kernel module and bootloader hardening\n- install and sign hardened kernel (removing any currently implemented kernel hardening)\n- progress on getting the hardened malloc to work\n- create scripts to audit all relevant settings on new versions of Fedora to make keeping it up-to-date easier\n- research and possibly implement clam-tk and AIDE\n- research anti-forensic tools\n- set up full installation of hardware keys, i.e. creation of U2F pam module key and required modification to solidcore pam profile\n- develop the `-server` flag further to eliminate all user interaction\n- establish blocklist review process\n\nFor the next release:\n- implement conditional conf_msg and error reporting\n- user-testing and implement feedback\n- test uninstall process thoroughly\n- continue work on developing `-test` flag\n\nThe plan is to open up to public testing in version 0.3 when the whole process has undergone more testing.\n\n# Instructions\n\u003e [!NOTE]\n\u003e **Currently in alpha stage.** Only install for testing purposes or if you're really keen. The uninstall script is not fully tested, but all changes instigated by the script are reversible.\n\n## Installation\n\n### Pre-install recommendations\n\n1. It is strongly recommended to install your favourite immutable Fedora variant on an encrypted drive. 
Drive encryption is best done during the installation process of the OS, [although it may be possible afterwards](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/encrypting-block-devices-using-luks_security-hardening#encrypting-existing-data-on-a-block-device-using-luks2_encrypting-block-devices-using-luks). See the [Fedora docs](https://docs.fedoraproject.org/en-US/quick-docs/encrypting-drives-using-LUKS/#_creating_encrypted_block_devices_in_anaconda) for information on how to encrypt the drive during the installation process.\n\n1. If you haven't yet added a password to your BIOS, please do so, and ensure that - in the boot order section - your device boots from the encrypted drive before any USB drives. Please also ensure that SecureBoot is enabled.\n\n### Installing\n\nTo install the solidcore-scripts, type in the following command and follow the on-screen instructions:\n```\nwget https://raw.githubusercontent.com/solidc0re/solidcore-scripts/main/solidcore-install.sh \u0026\u0026 sudo bash solidcore-install.sh\n```\n\n\n## Upgrading\n\nUninstall first, then re-install, just to be safe.\n\nUninstall:\n```\nsudo bash /etc/soldicore/solidcore-uninstall.sh\n```\n\nRe-install:\n```\nwget https://raw.githubusercontent.com/solidc0re/solidcore-scripts/main/solidcore-install.sh \u0026\u0026 sudo bash solidcore-install.sh\n```\n\n\n## Uninstalling\nUninstalling reverts all changed system settings to how they previously were, along with uninstalling any solidcore-installed packages.\n```\nsudo bash /etc/soldicore/solidcore-uninstall.sh\n```\n\n\n# Post-install information\nCongratulations! You have hardened your immutable Fedora installation.\n\nYour GRUB username is 'root' - you will need this if you want to change your GRUB entries. The password is what you set it as during the firstboot script.\n\nMost computer security threats come from online sources. 
It is therefore strongly recommended that you install a more secure browser, such as [Brave](https://brave.com/) (Chrome-based, boo!) or [Librewolf](https://librewolf.net/) (pre-hardened Firefox).\n\n```\nflatpak install io.gitlab.librewolf-community\n```\n\nIf you are a [Mullvad](https://mullvad.net/) user then [Mullvad browser](https://flathub.org/apps/net.mullvad.MullvadBrowser) is by far the best browser option available, unless you want to use [Tor](https://flathub.org/apps/com.github.micahflee.torbrowser-launcher).\n\nYour system will automatically update the following:\n- dnscrypt-proxy and DNS blocklists, 20 seconds after boot and every 24 hours\n- rpm-ostree, 10 minutes after boot and every 3 hours\n- Flatpak apps, 20 minutes after boot and every 3 hours 10 minutes\n\nIf USBGuard was installed when running solidcore-scripts, then I recommend reviewing the allowed devices and blocking any you don't use (such as fingerprint readers):\n\n```\nusbguard list-devices\n```\n```\nusbguard block-device \u003cdevice number\u003e\n```\n\nPlease report any issues and suggested improvements on [this Github page](https://github.com/solidc0re/solidcore-scripts/issues).\n\n# 'How to' guides\n\n\u003cdetails\u003e\n\u003csummary\u003eHow to: add a domain to the DNS allowlist\u003c/summary\u003e\n\n### How to: add a domain to the DNS allowlist\n\nIf you're happy with the blocklist set up but there's still the odd domain that you want to allow that's currently being blocked, then the allowlist is for you. The allowlist is located here: '/usr/local/sbin/dnscrypt-proxy/domains-allowlist.txt'.\n\nTo edit:\n```\nsudo nano /usr/local/sbin/dnscrypt-proxy/domains-allowlist.txt\n```\nSimply add a domain, such as 'github.com', with each domain on a new line. 
Once changes have been made to 'domains-allowlist.txt', run the following command to apply them:\n```\nsudo systemctl start dnscrypt-proxy-update\n```\n\nRefer to https://github.com/DNSCrypt/dnscrypt-proxy/wiki if you need further assistance.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHow to: change the DNS blocklists\u003c/summary\u003e\n\n### How to: change the DNS blocklists\n  \nThe blocklists are stored in '/usr/local/sbin/dnscrypt-proxy/domains-blocklist.conf'. To edit:\n```\nsudo nano /usr/local/sbin/dnscrypt-proxy/domains-blocklist.conf\n```\n\nOnce changes have been made to 'domains-blocklist.conf', run the following command to apply them:\n```\nsudo systemctl start dnscrypt-proxy-update\n```\n\nRefer to https://github.com/DNSCrypt/dnscrypt-proxy/wiki if you need further assistance.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHow to: unblock bluetooth\u003c/summary\u003e\n\n### How to: unblock bluetooth\n  \nFirst, comment out the blacklist entries (the `|` delimiter is used because the replacement text `/bin/true` contains slashes):\n```\nsudo sed -i 's|^install bluetooth /bin/true|#\u0026|' /etc/modprobe.d/solidcore-blacklist.conf\n```\n```\nsudo sed -i 's|^install btusb /bin/true|#\u0026|' /etc/modprobe.d/solidcore-blacklist.conf\n```\n```\nsudo modprobe bluetooth btusb\n```\n```\nrfkill unblock bluetooth\n```\n```\nsudo systemctl unmask bluetooth.service\n```\n```\nsudo systemctl enable --now bluetooth.service\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHow to: unblock Firewire\u003c/summary\u003e\n\n### How to: unblock Firewire\n  \nFirst, comment out the blacklist entries:\n```\nsudo sed -i 's|^install firewire-core /bin/true|#\u0026|' /etc/modprobe.d/solidcore-blacklist.conf\n```\n```\nsudo sed -i 's|^install ohcil394 /bin/true|#\u0026|' /etc/modprobe.d/solidcore-blacklist.conf\n```\n```\nsudo sed -i 's|^install sbp2 /bin/true|#\u0026|' /etc/modprobe.d/solidcore-blacklist.conf\n```\n\nThen reboot. 
After reboot:\n```\nsudo modprobe firewire_core ohcil394 sbp2\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHow to: unblock Thunderbolt\u003c/summary\u003e\n\n### How to: unblock Thunderbolt\n  \nComment out the blacklist entry:\n```\nsudo sed -i 's|^install thunderbolt /bin/true|#\u0026|' /etc/modprobe.d/solidcore-blacklist.conf\n```\n\nThen reboot. After reboot:\n\n```\nsudo boltctl list\n```\n\nThen use:\n```\nsudo boltctl enable \u003cdomain\u003e\n```\n... for the Thunderbolt domain you wish to enable.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHow to: unblock USB\u003c/summary\u003e\n\n### How to: unblock USB\n\nThis is for those who blacklisted the USB kernel module - NOT FOR THOSE WHO INSTALLED USBGUARD. To unblock the USB modules, comment out the blacklist entries and reload them:\n```\nsudo sed -i 's|^install usbcore /bin/true|#\u0026|' /etc/modprobe.d/solidcore-blacklist.conf\n```\n```\nsudo sed -i 's|^install usb_storage /bin/true|#\u0026|' /etc/modprobe.d/solidcore-blacklist.conf\n```\n```\nsudo modprobe usbcore usb_storage\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHow to: allow/unblock a USB device using USBGuard\u003c/summary\u003e\n  \n### How to: allow/unblock a USB device using USBGuard\n\nIf you notified solidcore-script that you use USB ports, it will have installed USBGuard to protect these ports. This means that all unknown USB devices will not be accessible. To allow devices:\n```\nusbguard list-devices\n```\n```\nusbguard allow-device \u003cdevice number\u003e\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHow to: block a USB device using USBGuard\u003c/summary\u003e\n  \n### How to: block a USB device using USBGuard\n\nIf you notified solidcore-script that you use USB ports, it will have installed USBGuard to protect these ports. This means that all unknown USB devices will not be accessible. 
To block a device that is currently allowed:\n```\nusbguard list-devices\n```\n```\nusbguard block-device \u003cdevice number\u003e\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHow to: unblock webcam\u003c/summary\u003e\n  \n### How to: unblock webcam\n  \nFirst, comment out the blacklist entry:\n```\nsudo sed -i 's|^install uvcvideo /bin/true|#\u0026|' /etc/modprobe.d/solidcore-blacklist.conf\n```\n```\nsudo modprobe uvcvideo\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHow to: unblock Wi-Fi\u003c/summary\u003e\n\n### How to: unblock Wi-Fi\n  \n```\nrfkill unblock wifi\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHow to: stop microphone being muted on login\u003c/summary\u003e\n\n### How to: stop microphone being muted on login\n  \n```\nsudo rm /etc/xdg/autostart/solidcore-mute-mic.desktop\n```\n\u003c/details\u003e\n\n# Comments\n\nThe focus of this project is OS hardening, not changing the default Fedora software choices.\n\nThat said, some opinionated choices had to be made. These include the installation of dnscrypt-proxy, the DNS blocklists used, keeping IPv6 active and switching all Fedora project flatpaks to Flathub source flatpaks. If you don't agree with these then feel free to contact me, or download the scripts and manually undo the changes, or fork the repo and implement your own preferences.\n\n# Acknowledgements\nThis project is made possible by the diligent and forward-thinking work of the Fedora and RedHat developers and community. 
A special shout out to the CoreOS and rpm-ostree developers for their excellent work.\n\nMany of the hardening improvements implemented by the solidcore-scripts are recommendations from these sources:\n- [madaidan's Linux Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html) - the initial inspiration for this project\n- [Arch Wiki](https://wiki.archlinux.org/title/Security)\n- [Red Hat Enterprise Linux 9 Security Hardening Documentations](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/index)\n- [Center for Internet Security's Red Hat Benchmark](https://www.cisecurity.org/benchmark/red_hat_linux)\n- [OpenSCAP](https://github.com/ComplianceAsCode/content)\n- [OpenSCAP Fedora Guide](https://static.open-scap.org/ssg-guides/ssg-fedora-guide-index.html)\n- [k-config-hardened-check](https://github.com/a13xp0p0v/kconfig-hardened-check/)\n- [Tommy's Desktop Linux Hardening Guide](https://privsec.dev/posts/linux/desktop-linux-hardening/)\n\n# Introductory resources\nIf you're relatively new to the infosec (information security) world, then the following resources come recommended:\n\n🎥 **YouTube channels**\n- [NBTV, with Naomi Brockwell](https://www.youtube.com/@NaomiBrockwellTV)\n- [The New Oil](https://www.youtube.com/channel/UCH5DsMZAgdx5Fkk9wwMNwCA)\n- [Side of Burritos](https://www.youtube.com/@sideofburritos)\n- [Techlore](https://www.youtube.com/@techlore)\n\n🎧 **Podcasts**\n- [Malwarebytes Podcast](https://www.malwarebytes.com/blog/category/podcast)\n- [Surveillance Report](https://surveillancereport.tech/)\n\n👀 **Websites \u0026 guides**\n- [National Cyber Security Centre (UK)](https://www.ncsc.gov.uk/section/advice-guidance/all-topics)\n- [The New Oil](https://thenewoil.org/)\n- [Privacy 
Guides](https://www.privacyguides.org/en/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolidc0re%2Fsolidcore-scripts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsolidc0re%2Fsolidcore-scripts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolidc0re%2Fsolidcore-scripts/lists"}