Armbian OS Hardening
## Sysctl Hardening
```
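# Kernel, network and user-space sysctl hardening for Armbian, written as a
# drop-in so /etc/sysctl.conf stays untouched. The quoted delimiter keeps the
# heredoc literal (nothing inside is meant to expand).
cat > /etc/sysctl.d/20-hardening.conf <<'EOF'
# Kernel
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
dev.tty.ldisc_autoload=0
vm.unprivileged_userfaultfd=0
kernel.kexec_load_disabled=1
# 4 = only the SAK key sequence stays enabled
kernel.sysrq=4
# NOTE(review): level 3 exists on Debian-family kernels; mainline treats anything
# above 2 like 2 — confirm which one the Armbian kernel ships
kernel.perf_event_paranoid=3
# Networking
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
# Turning SACK off costs throughput on lossy links in exchange for a smaller
# TCP code surface; tcp_fack was retired from mainline (4.15) and is simply
# rejected by newer kernels
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
# Userspace
fs.protected_symlinks=1
fs.protected_hardlinks=1
# NOTE(review): the accepted range is architecture-dependent — 24 is above the
# 32-bit ARM maximum and below the arm64 one; check the range on the target
vm.mmap_rnd_bits=24
vm.mmap_rnd_compat_bits=16
fs.protected_fifos=2
fs.protected_regular=2
EOF
# Load the file now instead of waiting for a reboot: this surfaces every key the
# running kernel rejects ("No such file or directory") while the remaining keys
# are still applied.
sysctl -p /etc/sysctl.d/20-hardening.conf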
```
## Boot Parameters
```
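# Kernel command-line additions. Kept in a variable so this fence is valid shell
# (the bare line would otherwise run as a chain of assignments followed by an
# unknown command); on Armbian the value normally goes on the extraargs= line of
# /boot/armbianEnv.txt — confirm for your board and bootloader.
# NOTE(review): pti=, vsyscall=, spectre_v2=, spec_store_bypass_disable=, tsx*,
# mds=, l1tf= and kvm.nx_huge_pages= are x86 mitigations and are presumably
# ignored on an ARM board. module.sig_enforce=1 together with
# lockdown=confidentiality refuses unsigned modules — verify the kernel's modules
# are signed before enabling them, or the board may not come back up.
# ipv6.disable=1 removes IPv6 completely; drop it if the network relies on it.
extraargs='apparmor=1 security=apparmor slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force ipv6.disable=1'
# User-space tooling and profiles so security=apparmor actually confines
# something. Left interactive (no -y) so the package set can be reviewed.
apt install apparmor-profiles apparmor-profiles-extra apparmor-utils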
```
## Modules
```
# Point modprobe at /bin/false for legacy network protocols, rarely needed
# filesystems and a few device drivers so they cannot be loaded on demand.
# The list order matches the hand-written file, so the generated
# /etc/modprobe.d/hardening.conf is byte-for-byte the same.
# NOTE(review): bluetooth and uvcvideo also switch off Bluetooth and USB
# webcams, and squashfs breaks anything that mounts squashfs images — remove
# a line if a workload needs it. Modules already loaded, or packed into the
# initramfs, presumably need a reboot / initramfs rebuild before this bites.
denied_modules=(
  dccp sctp rds tipc n-hdlc ax25 netrom x25 rose decnet econet af_802154
  ipx appletalk psnap p8023 p8022 can atm
  cramfs freevxfs jffs2 hfs hfsplus squashfs udf
  vivid bluetooth uvcvideo
)
for mod in "${denied_modules[@]}"; do
  printf 'install %s /bin/false\n' "$mod"
done > /etc/modprobe.d/hardening.conf
```
## Filesystem Permissions
```
# Keep kernel images and initrds out of reach of unprivileged users:
# owner rwx, group rx, others nothing (same bits as 750).
# NOTE(review): on boards where /boot is a separate FAT partition this is a
# no-op — the mount options decide the permissions there.
chmod u=rwx,g=rx,o= /boot
```