Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/konstruktoid/hardening

Hardening Ubuntu. Systemd edition.
https://github.com/konstruktoid/hardening

hacktoberfest hardening information-security security security-automation security-compliance security-hardening security-tools shell systemd ubuntu ubuntu-server

Last synced: about 2 months ago
JSON representation

Hardening Ubuntu. Systemd edition.

Lists

README 

        
image::logo/horizontal.png[Ubuntu Hardening]

= Hardening Ubuntu. Systemd edition.



:icons: font

:hide-uri-scheme:



A quick way to make a Ubuntu server a bit more secure.



Use the newly installed and configured system as a reference,

or golden, image. Use that image as a baseline installation media and ensure

that any future installation comply with benchmarks and policies using a

configuration management tool, e.g https://www.ansible.com/[Ansible] or

https://puppet.com/[Puppet].



Tested on `Ubuntu 20.04 Focal Fossa` and `Ubuntu 22.04 Jammy Jellyfish`.



If you're just interested in the security focused systemd configuration, it's

available as a link:systemd.adoc[separate document].



If you're interested in testing your host settings, you'll find the

link:README.adoc#tests[instructions here].



NOTE: This is a constant work in progress. Make sure you understand what it

does. Read the code and do not run this script without first testing in a

non-operational environment. The code is *not* idempotent.



NOTE: There is a https://slsa.dev/[SLSA] artifact present under the

https://github.com/konstruktoid/hardening/actions/workflows/slsa.yml[slsa workflow]

for file checksum verification.



== Packer template and Ansible playbook



A https://www.packer.io/[Packer] template is available in the link:packer/[Packer directory].



An Ansible playbook is available in the https://github.com/konstruktoid/ansible-role-hardening[konstruktoid/ansible-role-hardening]

repository.



== Howto



. Start the server installation.

. Pick language and keyboard layout.

. Select "Ubuntu Server (minimized)".

. Configure network connections.

. Partition the system, see below for recommendations.

. Do not install the OpenSSH server, "Featured Server Snaps", or any other packages.

. Finish the installation and reboot.

. Log in.

. If wanted, set a Grub2 password with `grub-mkpasswd-pbkdf2`. See https://help.ubuntu.com/community/Grub2/Passwords[https://help.ubuntu.com/community/Grub2/Passwords]

for more information.

. Install necessary packages: `sudo apt-get -y install git net-tools procps --no-install-recommends`.

. Download the script: `git clone https://github.com/konstruktoid/hardening.git`.

. Change the configuration options in the `ubuntu.cfg` file.

. Run the script: `sudo bash ubuntu.sh`.

. Reboot.



=== Recommended partitions and options



[source,shell]

----

/boot (rw)

/home (rw,nosuid,nodev)

/var/log (rw,nosuid,nodev,noexec)

/var/log/audit (rw,nosuid,nodev,noexec)

/var/tmp (rw,nosuid,nodev,noexec)

----



Note that `/tmp` will be added automatically by the script.



== Configuration options



[source,shell]

----

FW_ADMIN='127.0.0.1' // <1>

SSH_GRPS='sudo' // <2>

SSH_PORT='22' // <3>

SYSCTL_CONF='./misc/sysctl.conf' // <4>

AUDITD_MODE='1' // <5>

AUDITD_RULES='./misc/audit-base.rules ./misc/audit-aggressive.rules ./misc/audit-docker.rules' // <6>

LOGROTATE_CONF='./misc/logrotate.conf' // <7>

NTPSERVERPOOL='0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org pool.ntp.org' // <8>

TIMEDATECTL='' // <9>

VERBOSE='N' // <10>

AUTOFILL='N' // <11>

ADMINEMAIL="root@localhost" // <12>

KEEP_SNAPD='Y' // <13>

CHANGEME='' // <14>



# Configuration files // <15>

ADDUSER='/etc/adduser.conf'

AUDITDCONF='/etc/audit/auditd.conf'

AUDITRULES='/etc/audit/rules.d/hardening.rules'

COMMONPASSWD='/etc/pam.d/common-password'

COMMONACCOUNT='/etc/pam.d/common-account'

COMMONAUTH='/etc/pam.d/common-auth'

COREDUMPCONF='/etc/systemd/coredump.conf'

DEFAULTGRUB='/etc/default/grub.d'

DISABLEFS='/etc/modprobe.d/disablefs.conf'

DISABLEMOD='/etc/modprobe.d/disablemod.conf'

DISABLENET='/etc/modprobe.d/disablenet.conf'

FAILLOCKCONF='/etc/security/faillock.conf'

JOURNALDCONF='/etc/systemd/journald.conf'

LIMITSCONF='/etc/security/limits.conf'

LOGINDCONF='/etc/systemd/logind.conf'

LOGINDEFS='/etc/login.defs'

LOGROTATE='/etc/logrotate.conf'

PAMLOGIN='/etc/pam.d/login'

PSADCONF='/etc/psad/psad.conf'

PSADDL='/etc/psad/auto_dl'

RESOLVEDCONF='/etc/systemd/resolved.conf'

RKHUNTERCONF='/etc/default/rkhunter'

RSYSLOGCONF='/etc/rsyslog.conf'

SECURITYACCESS='/etc/security/access.conf'

SSHFILE='/etc/ssh/ssh_config'

SSHDFILE='/etc/ssh/sshd_config'

SYSCTL='/etc/sysctl.conf'

SYSTEMCONF='/etc/systemd/system.conf'

TIMESYNCD='/etc/systemd/timesyncd.conf'

UFWDEFAULT='/etc/default/ufw'

USERADD='/etc/default/useradd'

USERCONF='/etc/systemd/user.conf'



----

<1> The IP addresses that will be able to connect with SSH, separated by spaces.

<2> Which group the users have to be member of in order to acess via SSH, separated by spaces.

<3> Configure SSH port.

<4> Stricter sysctl settings.

<5> Auditd failure mode. 0=silent 1=printk 2=panic.

<6> Auditd rules.

<7> Logrotate settings.

<8> NTP server pool.

<9> Add a specific time zone or use the system default by leaving it empty.

<10> If you want all the details or not.

<11> Let the script guess the `FW_ADMIN` and `SSH_GRPS` settings.

<12> Add a valid email address, so PSAD can send notifications.

<13> If `'Y'` then the `snapd` package will be held to prevent removal.

<14> Add something just to verify that you actually glanced the code.

<15> Default configuration file locations.



== Functions



=== Function list in execution order



Note that all functions has the `f_` prefix in the code.



==== `pre`



Sets `apt` flags and performs basic permission check.



The `pre` function is located in link:scripts/pre[./scripts/pre].



==== `kernel`



Sets https://github.com/jeffmurphy/NetPass/blob/master/doc/netfilter_conntrack_perf.txt#L175[/sys/module/nf_conntrack/parameters/hashsize]

to 1048576 if `hashsize` exists and is writable.



Sets https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html[/sys/kernel/security/lockdown]

to `confidentiality` if `lockdown` exists and is writable.



The `kernel` function is located in link:scripts/kernel[./scripts/kernel].



==== `firewall`



Configures https://help.ubuntu.com/community/UFW[UFW] if installed.



Allows connections from the adresses in `$FW_ADMIN` to the `$SSH_PORT`.



Sets logging and `IPT_SYSCTL=/etc/sysctl.conf`.



The `firewall` function is located in link:scripts/ufw[./scripts/ufw].



==== `disablenet`



Disables the `dccp`, `sctp`, `rds` and `tipc` kernel modules.



The `disablenet` function is located in link:scripts/disablenet[./scripts/disablenet].



==== `disablefs`



Disables the `cramfs` `freevxfs` `jffs2` `ksmbd` `hfs` `hfsplus` `udf` kernel

modules.



The `disablefs` function is located in link:scripts/disablefs[./scripts/disablefs].



==== `disablemod`



Disables the `bluetooth`, `bnep`, `btusb`, `cpia2`, `firewire-core`, `floppy`,

`n_hdlc`, `net-pf-31`, `pcspkr`, `soundcore`, `thunderbolt`, `usb-midi`,

`usb-storage`, `uvcvideo`, `v4l2_common` kernel modules.



Note that disabling the `usb-storage` module will disable any usage of USB

storage devices, if such devices are needed `USBGuard` should be configured

accordingly.



The `disablemod` function is located in link:scripts/disablemod[./scripts/disablemod].



==== `systemdconf`



Sets `CrashShell=no`, `DefaultLimitCORE=0`, `DefaultLimitNOFILE=1024`,

`DefaultLimitNPROC=1024`, `DumpCore=no` in `$SYSTEMCONF`

and `$USERCONF`.



The `systemdconf` function is located in link:scripts/systemdconf[./scripts/systemdconf].



==== `resolvedconf`



Sets `DNS=$dnslist`, `DNSOverTLS=opportunistic`, `DNSSEC=allow-downgrade`, `FallbackDNS=1.0.0.1`

in `$RESOLVEDCONF`, where `$dnslist` is an array with the nameservers present

in `/etc/resolv.conf`.



The `resolvedconf` function is located in link:scripts/resolvedconf[./scripts/resolvedconf].



==== `logindconf`



Sets `IdleAction=lock`, `IdleActionSec=15min`, `KillExcludeUsers=root`,

`KillUserProcesses=1`, `RemoveIPC=yes` in `$LOGINDCONF`.



The `logindconf` function is located in link:scripts/logindconf[./scripts/logindconf].



==== `journalctl`



Copies link:misc/logrotate.conf[./misc/logrotate.conf] to `$LOGROTATE`.



Sets `Compress=yes`, `ForwardToSyslog=yes`, `Storage=persistent` in

`$JOURNALDCONF`.



Sets `$FileCreateMode 0600/` in `$RSYSLOGCONF`.

if `RSYSLOGCONF` is writable.



The `journalctl` function is located in link:scripts/journalctl[./scripts/journalctl].



==== `timesyncd`



Sets `NTP=${SERVERARRAY}`, `FallbackNTP=${FALLBACKARRAY}`, `RootDistanceMaxSec=1`

in `$TIMESYNCD` where the arrays are up to four time servers with < 50ms

latency.



The `timesyncd` function is located in link:scripts/timesyncd[./scripts/timesyncd].



==== `fstab`



Configures the `/boot` and `/home` partitions with `defaults,nosuid,nodev` if

they are available in `/etc/fstab`.



Configures the `/var/log`, `/var/log/audit` and `/var/tmp` partitions with

`defaults,nosuid,nodev,noexec` if they are available in `/etc/fstab`.



Adds `/run/shm tmpfs rw,noexec,nosuid,nodev`,

`/dev/shm tmpfs rw,noexec,nosuid,nodev` and

`/proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2` to `/etc/fstab` if

the partition isn't present in `/etc/fstab`.



Removes any floppy drivers from `/etc/fstab`.



Copies ./config/tmp.mount[./config/tmp.mount] to

`/etc/systemd/system/tmp.mount`, removes `/tmp` from `/etc/fstab`

and enables the tmpfs `/tmp` mount instead.



The `/proc` `hidepid` option is described in https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options[https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options].



The `fstab` function is located in link:scripts/fstab[./scripts/fstab].



==== `prelink`



Reverts binaries and libraries to their original content before they were

prelinked and uninstalls `prelink`.



The `prelink` function is located in link:scripts/prelink[./scripts/prelink].



==== `aptget_configure`



Sets `apt` options `Acquire::http::AllowRedirect "false";`, `APT::Get::AllowUnauthenticated "false";`,

`APT::Periodic::AutocleanInterval "7";`,

`APT::Install-Recommends "false";`, `APT::Get::AutomaticRemove "true";`,

`APT::Install-Suggests "false";`, `Acquire::AllowDowngradeToInsecureRepositories "false";`,

`Acquire::AllowInsecureRepositories "false";`, `APT::Sandbox::Seccomp "1";`



See https://manpages.ubuntu.com/manpages/jammy/man5/apt.conf.5.html[https://manpages.ubuntu.com/manpages/jammy/man5/apt.conf.5.html].



The `aptget_configure` function is located in link:scripts/aptget[./scripts/aptget].



==== `aptget`



Upgrades installed packages.



The `aptget` function is located in link:scripts/aptget[./scripts/aptget].



==== `hosts`



Sets `sshd : ALL : ALLOW`, `ALL: LOCAL, 127.0.0.1` in `/etc/hosts.allow` and

`ALL: ALL` in `/etc/hosts.deny`.



See https://manpages.ubuntu.com/manpages/jammy/man5/hosts_access.5.html[https://manpages.ubuntu.com/manpages/jammy/man5/hosts_access.5.html]

for the format of host access control files.



The `hosts` function is located in link:scripts/hosts[./scripts/hosts].



==== `issue`



Writes a notice regarding authorized use only to `/etc/issue`, `/etc/issue.net`

and `/etc/motd`.



Removes the executable flag from every file in `/etc/update-motd.d/`.



The `issue` function is located in link:scripts/issue[./scripts/issue].



==== `sudo`



Restricts `su` access to members of the `sudo` group using

https://manpages.ubuntu.com/manpages/jammy/man8/pam_wheel.8.html[pam_wheel].



Sets `!pwfeedback`, `!visiblepw`, `logfile=/var/log/sudo.log`, `passwd_timeout=1`,

`timestamp_timeout=5`, `use_pty` https://manpages.ubuntu.com/manpages/jammy/man5/sudoers.5.html[sudo options].



The `sudo` function is located in link:scripts/sudo[./scripts/sudo].



==== `logindefs`



Writes `LOG_OK_LOGINS yes`, `UMASK 077`, `PASS_MIN_DAYS 1`, `PASS_MAX_DAYS 60`,

`DEFAULT_HOME no`, `ENCRYPT_METHOD SHA512`, `USERGROUPS_ENAB no`,

`SHA_CRYPT_MIN_ROUNDS 10000`, `SHA_CRYPT_MAX_ROUNDS 65536` to

https://manpages.ubuntu.com/manpages/jammy/man5/login.defs.5.html[$LOGINDEFS]



The `logindefs` function is located in link:scripts/logindefs[./scripts/logindefs].



==== `sysctl`



Copies link:misc/sysctl.conf[./misc/sysctl.conf] to `$SYSCTL`.



For an explanation of the options set, see

https://www.kernel.org/doc/html/latest/admin-guide/sysctl/[https://www.kernel.org/doc/html/latest/admin-guide/sysctl/].



The `sysctl` function is located in link:scripts/sysctl[./scripts/sysctl].



==== `limitsconf`



Sets `hard maxlogins 10`, `hard core 0`, `soft nproc 512`, `hard nproc 1024` in

https://manpages.ubuntu.com/manpages/jammy/en/man5/limits.conf.5.html[$LIMITSCONF]



The `limitsconf` function is located in link:scripts/limits[./scripts/limits].



==== `adduser`



Sets `DIR_MODE=0750`,`DSHELL=/bin/false`, and `USERGROUPS=yes` in `$ADDUSER`.



Sets `INACTIVE=30` and `SHELL=/bin/false` in `$USERADD`.



The `adduser` function is located in link:scripts/adduser[./scripts/adduser].



==== `rootaccess`



Writes `+:root:127.0.0.1/'` to `$SECURITYACCESS` and `console` to

`/etc/securetty`.



Masks https://freedesktop.org/wiki/Software/systemd/Debugging/[debug-shell].



The `rootaccess` function is located in link:scripts/rootaccess[./scripts/rootaccess].



==== `package_install`



Installs `acct`, `aide-common`, `cracklib-runtime`, `debsums`, `gnupg2`,

`haveged`, `libpam-pwquality`, `libpam-tmpdir`, `needrestart`, `openssh-server`,

`postfix`, `psad`, `rkhunter`, `sysstat`, `systemd-coredump`, `tcpd`,

`update-notifier-common`, `vlock`.



The `package_install` function is located in link:scripts/packages[./scripts/packages].



==== `psad`



Installs and configures https://cipherdyne.org/psad/[PSAD]



The `psad` function is located in link:scripts/psad[./scripts/psad].



==== `coredump`



Writes `Storage=none` and `ProcessSizeMax=0` to `$COREDUMPCONF`.



The `coredump` function is located in link:scripts/coredump[./scripts/coredump].



==== `usbguard`



Installs and configures https://usbguard.github.io/[USBGuard].



The `usbguard` function is located in link:scripts/usbguard[./scripts/usbguard].



==== `postfix`



Installs `postfix` and sets `disable_vrfy_command=yes`,

`inet_interfaces=loopback-only`,

`smtpd_banner="\$myhostname`,

`smtpd_client_restrictions=permit_mynetworks,reject` using https://manpages.ubuntu.com/manpages/jammy/en/man1/postconf.1.html[postconf].



The `postfix` function is located in link:scripts/postfix[./scripts/postfix].



==== `apport`



Disables

https://manpages.ubuntu.com/manpages/jammy/man1/apport-cli.1.html[apport],

https://github.com/Ubuntu/ubuntu-report[ubuntu-report] and

https://manpages.ubuntu.com/manpages/jammy/en/man8/popularity-contest.8.html[popularity-contest].



The `apport` function is located in link:scripts/apport[./scripts/apport].



==== `motdnews`



Disables `apt_news` and https://ubuntu.com/legal/motd[motd-news].



The `motdnews` function is located in link:scripts/motdnews[./scripts/motdnews].



==== `rkhunter`



Sets `CRON_DAILY_RUN="yes"`, `APT_AUTOGEN="yes"` in `$RKHUNTERCONF`.



The `rkhunter` function is located in link:scripts/rkhunter[./scripts/rkhunter].



==== `sshconfig`



Sets `HashKnownHosts yes`, `Ciphers [email protected],[email protected],aes256-ctr`

and `MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256`

in `$SSHFILE`.



The `sshconfig` function is located in link:scripts/sshdconfig[./scripts/sshdconfig].



==== `sshdconfig`



Configures the `OpenSSH` daemon. The configuration changes will be placed in

the directory defined by the `Include` option if present, otherwise

https://manpages.ubuntu.com/manpages/jammy/en/man5/sshd_config.5.html[$SSHDFILE]

will be modified.



By default `/etc/ssh/sshd_config.d/hardening.conf` will contain the following:



[source,shell]

----

AcceptEnv LANG LC_*

AllowAgentForwarding no

AllowGroups sudo

AllowTcpForwarding no

Banner /etc/issue.net

Ciphers [email protected],[email protected],aes256-ctr

ClientAliveCountMax 3

ClientAliveInterval 200

Compression no

GSSAPIAuthentication no

HostbasedAuthentication no

IgnoreUserKnownHosts yes

KbdInteractiveAuthentication no

KerberosAuthentication no

KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

LogLevel VERBOSE

LoginGraceTime 20

Macs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256

MaxAuthTries 3

MaxSessions 3

MaxStartups 10:30:60

PasswordAuthentication no

PermitEmptyPasswords no

PermitRootLogin no

PermitUserEnvironment no

Port 22

PrintLastLog yes

PrintMotd no

RekeyLimit 512M 1h

StrictModes yes

TCPKeepAlive no

UseDNS no

UsePAM yes

X11Forwarding no

----



The `sshdconfig` function is located in link:scripts/sshdconfig[./scripts/sshdconfig].



==== `password`



Copies ./config/pwquality.conf[./config/pwquality.conf] to `/etc/security/pwquality.conf`,



Removes `nullok` from https://manpages.ubuntu.com/manpages/jammy/man5/pam.conf.5.html[PAM]

`$COMMONAUTH`.



Configures https://manpages.ubuntu.com/manpages/jammy/en/man8/faillock.8.html[faillock]

or https://manpages.ubuntu.com/manpages/jammy/man8/pam_tally2.8.html[pam_tally2]

depending on which is installed.



Adds a link:misc/passwords.list[password list] to https://manpages.ubuntu.com/manpages/jammy/man8/update-cracklib.8.html[cracklib].



The `password` function is located in link:scripts/password[./scripts/password].



==== `cron`



Disables https://manpages.ubuntu.com/manpages/jammy/en/man8/atd.8.html[atd]

and only allow root to use https://manpages.ubuntu.com/manpages/jammy/en/man1/at.1.html[at]

or https://manpages.ubuntu.com/manpages/jammy/en/man8/cron.8.html[cron].



The `cron` function is located in link:scripts/cron[./scripts/cron].



==== `ctrlaltdel`



Masks https://manpages.ubuntu.com/manpages/jammy/man1/systemd.1.html#signals[ctrl-alt-del.target].



The `ctrlaltdel` function is located in link:scripts/ctraltdel[./scripts/ctraltdel].



==== `auditd`



Configures https://manpages.ubuntu.com/manpages/jammy/en/man8/auditd.8.html[auditd].



See link:misc/audit-base.rules[./misc/audit-base.rules],

link:misc/audit-aggressive.rules[./misc/audit-aggressive.rules] and link:misc/audit-docker.rules[./misc/audit-docker.rules]

for the rules used.



The `auditd` function is located in link:scripts/auditd[./scripts/auditd].



==== `aide`



Excludes `/var/lib/lxcfs/cgroup` and `/var/lib/docker` from https://manpages.ubuntu.com/manpages/jammy/en/man1/aide.1.html[AIDE].



The `aide` function is located in link:scripts/aide[./scripts/aide].



==== `rhosts`



Removes any existing `hosts.equiv` or `.rhosts` files.



The `rhosts` function is located in link:scripts/rhosts[./scripts/rhosts].



==== `users`



Removes the `games`, `gnats`, `irc`, `list`, `news`, `sync`, `uucp` users.



The `users` function is located in link:scripts/users[./scripts/users].



==== `lockroot`



Locks root account



The `lockroot` function is located in link:scripts/lockroot[./scripts/lockroot].



==== `package_remove`



Removes the `apport*`, `autofs`, `avahi*`, `beep`, `git`, `pastebinit`,

`popularity-contest`, `rsh*`, `rsync`, `talk*`, `telnet*`, `tftp*`, `whoopsie`,

`xinetd`, `yp-tools`, `ypbind` packages.



The `package_remove` function is located in link:scripts/packages[./scripts/packages].



==== `suid`



Ensures the executables in link:misc/suid.list[./misc/suid.list] don't have suid

bits set.



The `suid` function is located in link:scripts/suid[./scripts/suid].



==== `restrictcompilers`



Changes mode to `0750` on any installed compilers.



The `restrictcompilers` function is located in link:scripts/compilers[./scripts/compilers].



==== `umask`



Sets the default https://manpages.ubuntu.com/manpages/jammy/man2/umask.2.html[umask] to `077`



The `umask` function is located in link:scripts/umask[./scripts/umask].



==== `path`



Copies ./config/initpath.sh[./config/initpath.sh] to `/etc/profile.d/initpath.sh`

and sets `PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin`

for the `root` user and `PATH=/usr/local/bin:/usr/sbin:/usr/bin:/bin:/snap/bin`

for everyone else.



The `path` function is located in link:scripts/path[./scripts/path].



==== `aa_enforce`



Enforces available https://manpages.ubuntu.com/manpages/jammy/en/man7/apparmor.7.html[apparmor]

profiles.



The `aa_enforce` function is located in link:scripts/apparmor[./scripts/apparmor].



==== `aide_post`



Creates a new AIDE database.



The `aide_post` function is located in link:scripts/aide[./scripts/aide].



==== `aide_timer`



Copies a systemd AIDE check service and timer to /etc/systemd/system/.



The `aide_timer` function is located in link:scripts/aide[./scripts/aide].



==== `aptget_noexec`



Adds a `DPkg::Pre-Invoke` and `DPkg::Post-Invoke` to ensure package updates

don't fail on a `noexec` `/tmp` partition.



The `aptget_noexec` function is located in link:scripts/aptget[./scripts/aptget].



==== `aptget_clean`



Runs https://manpages.ubuntu.com/manpages/jammy/en/man8/apt-get.8.html[apt-get] `clean` and `autoremove`.



The `aptget_clean` function is located in link:scripts/aptget[./scripts/aptget].



==== `systemddelta`



Runs https://manpages.ubuntu.com/manpages/jammy/man1/systemd-delta.1.html[systemd-delta] if running in verbose mode.



The `systemddelta` function is located in link:scripts/systemddelta[./scripts/systemddelta].



==== `post`



Ensures https://manpages.ubuntu.com/manpages/jammy/man1/fwupdmgr.1.html[fwupdmgr]

and https://packages.ubuntu.com/jammy/secureboot-db[secureboot-db] is installed

and GRUB is updated.



The `post` function is located in link:scripts/post[./scripts/post].



==== `checkreboot`



Checks if a reboot is required.



The `checkreboot` function is located in link:scripts/reboot[./scripts/reboot].



== Tests

There are approximately 760 https://github.com/bats-core/bats-core[Bats tests]

for most of the above settings available in the link:tests/[tests directory].



[source,shell]

----

sudo apt-get -y install bats

git clone https://github.com/konstruktoid/hardening.git

cd hardening/tests/

sudo bats .

----



=== Test automation using Vagrant

Running `bash ./runTests.sh` will use https://www.vagrantup.com/[Vagrant] to run

all above tests, https://github.com/CISOfy/Lynis[Lynis] and

https://www.open-scap.org/[OpenSCAP] with a

https://www.cisecurity.org/benchmark/ubuntu_linux[CIS Ubuntu benchmark] on all

supported Ubuntu versions.



The script will generate a file named `TESTRESULTS.adoc` and CIS report in

HTML-format.



=== Testing a host

Running `bash ./runHostTests.sh`, located in the link:tests/[tests directory],

will generate a `TESTRESULTS-.adoc` report.



== Recommended reading

https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux[Canonical Ubuntu 20.04 LTS STIG - Ver 1, Rel 3] +

https://www.cisecurity.org/benchmark/distribution_independent_linux/[CIS Distribution Independent Linux Benchmark] +

https://www.cisecurity.org/benchmark/ubuntu_linux/[CIS Ubuntu Linux Benchmark] +

https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/ubuntu-18-04-lts[EUD Security Guidance: Ubuntu 18.04 LTS] +

https://wiki.ubuntu.com/Security/Features +

https://help.ubuntu.com/community/StricterDefaults +



== Contributing

Do you want to contribute? That's great! Contributions are always welcome,

no matter how large or small. If you found something odd, feel free to

https://github.com/konstruktoid/hardening/issues/[submit a new issue],

improve the code by https://github.com/konstruktoid/hardening/pulls[creating a pull request],

or by https://github.com/sponsors/konstruktoid[sponsoring this project].



Logo by https://github.com/reallinfo[reallinfo].