@VltraHeaven
Last active August 31, 2022 22:09

Revisions

  1. VltraHeaven revised this gist Aug 3, 2022. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions armbian_hardening
    Original file line number Diff line number Diff line change
    @@ -36,6 +36,8 @@ EOF
    ## Boot Parameters
    ```
    apparmor=1 security=apparmor slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force ipv6.disable=1

    apt install apparmor-profiles apparmor-profiles-extra apparmor-utils
    ```

    ## Modules
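    Review bot: the new `apt install apparmor-profiles apparmor-profiles-extra apparmor-utils` line lands inside the Boot Parameters fence, where everything else is a kernel command line, so a reader copying the block picks up a shell command as a boot parameter; give it its own fence under an AppArmor heading (the one revision 3 removed). The removed section also installed and enabled `auditd`, and nothing restores that here, so AppArmor denials now only reach the kernel log rather than the audit log.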
  2. VltraHeaven revised this gist Aug 3, 2022. 1 changed file with 5 additions and 0 deletions.
    5 changes: 5 additions & 0 deletions armbian_hardening
    @@ -71,4 +71,9 @@ install vivid /bin/false
    install bluetooth /bin/false
    install uvcvideo /bin/false
    EOF
    ```

    ## Filesystem Permissions
    ```
    chmod 750 /boot
    ```
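    Review bot: `chmod 750 /boot` needs a rationale and a caveat in the file: it stops unprivileged users from reading the kernel image, initramfs and config stored there, but it changes the directory mode only, so it is a no-op where `/boot` is a separately mounted FAT partition, whose mode bits come from the `fmask=`/`dmask=` mount options. A `findmnt /boot` check before the chmod would tell the reader which case applies.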
  3. VltraHeaven revised this gist Aug 3, 2022. 1 changed file with 1 addition and 14 deletions.
    15 changes: 1 addition & 14 deletions armbian_hardening
    @@ -10,7 +10,6 @@ dev.tty.ldisc_autoload=0
    vm.unprivileged_userfaultfd=0
    kernel.kexec_load_disabled=1
    kernel.sysrq=4
    kernel.unprivileged_userns_clone=0
    kernel.perf_event_paranoid=3

    # Networking
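    Review bot: the header `-10,7 +10,6` records one deleted key in this block, but the rendered diff does not mark which one and the file carries no comment explaining it. Two keys shown here only have their documented meaning on kernels carrying the Debian/Ubuntu patches: `kernel.unprivileged_userns_clone` does not exist on a mainline kernel (sysctl reports the key as unknown when applying the file), and `kernel.perf_event_paranoid=3` is accepted by mainline but behaves exactly like 2 (kernel profiling and CPU events blocked, `perf_event_open` itself still reachable). A comment stating which of these the target Armbian kernel supports would make the remaining line self-explanatory.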
    @@ -20,19 +19,14 @@ net.ipv4.conf.all.rp_filter=1
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.accept_source_route=0
    net.ipv4.conf.default.accept_source_route=0
    net.ipv6.conf.all.accept_source_route=0
    net.ipv6.conf.default.accept_source_route=0
    net.ipv6.conf.all.accept_ra=0
    net.ipv6.conf.default.accept_ra=0
    net.ipv4.tcp_sack=0
    net.ipv4.tcp_dsack=0
    net.ipv4.tcp_fack=0

    # Userspace
    fs.protected_symlinks=1
    fs.protected_hardlinks=1
    kernel.yama.ptrace_scope=2
    vm.mmap_rnd_bits=32
    vm.mmap_rnd_bits=24
    vm.mmap_rnd_compat_bits=16
    fs.protected_fifos=2
    fs.protected_regular=2
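    Review bot: the one visible substitution is `vm.mmap_rnd_bits=32` becoming `24`, and it deserves a comment: the writable ceiling is the kernel's `CONFIG_ARCH_MMAP_RND_BITS_MAX` (24 for an arm64 build with 39-bit virtual addresses, up to 33 with 48-bit), and sysctl rejects a larger value with EINVAL, so readers on other boards should set the highest value their kernel accepts rather than copy 24. The header `-20,19 +19,14` records five further deletions the rendering does not mark; the four `net.ipv6.*` keys are unreachable once `ipv6.disable=1` is on the command line and `net.ipv4.tcp_fack` was removed from the kernel in 4.15, so if those are the dropped lines, saying so in the file explains their absence.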
    @@ -44,13 +38,6 @@ EOF
    apparmor=1 security=apparmor slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force ipv6.disable=1
    ```

    ## AppArmor MAC
    ```
    apt install apparmor-profiles apparmor-profiles-extra apparmor auditd
    systemctl enable apparmor
    systemctl enable auditd
    ```

    ## Modules
    ```
    cat <<EOF> /etc/modprobe.d/hardening.conf
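    Review bot: `apparmor=1 security=apparmor` stays on the command line while this hunk drops the section that installed `apparmor` and `auditd` and enabled both units (seven removed lines per `-44,13 +38,6`), so after this revision the LSM is selected at boot but no userspace loads profiles and nothing is enforced. Either keep an install step for the `apparmor` package, whose service loads `/etc/apparmor.d` at boot, or drop the command-line switch as well; `aa-status` after reboot should report loaded profiles rather than zero.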
  4. VltraHeaven revised this gist Aug 3, 2022. 1 changed file with 8 additions and 1 deletion.
    9 changes: 8 additions & 1 deletion armbian_hardening
    @@ -41,7 +41,14 @@ EOF

    ## Boot Parameters
    ```
    slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force ipv6.disable=1
    apparmor=1 security=apparmor slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force ipv6.disable=1
    ```

    ## AppArmor MAC
    ```
    apt install apparmor-profiles apparmor-profiles-extra apparmor auditd
    systemctl enable apparmor
    systemctl enable auditd
    ```

    ## Modules
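    Review bot: `apt install apparmor-profiles apparmor-profiles-extra apparmor auditd` plus `systemctl enable apparmor` leaves part of the profile set in complain mode: Debian's `apparmor-profiles` package ships several of its `/etc/apparmor.d` profiles flagged `complain`, so they log but do not block. After the reboot, list modes with `aa-status` and switch the wanted ones with `aa-enforce`, which lives in `apparmor-utils` and is not installed by this hunk. Also, the two command-line lines differ only in the leading `apparmor=1 security=apparmor`, so the first one is a stale duplicate the reader may paste twice.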
  5. VltraHeaven renamed this gist Aug 3, 2022. 1 changed file with 0 additions and 0 deletions.
    File renamed without changes.
  6. VltraHeaven revised this gist Aug 3, 2022. 1 changed file with 0 additions and 1 deletion.
    1 change: 0 additions & 1 deletion armbian_hardening.sh
    @@ -45,7 +45,6 @@ EOF
    ```
    ## Modules
    ```
    cat <<EOF> /etc/modprobe.d/hardening.conf
    install dccp /bin/false
  7. VltraHeaven created this gist Aug 3, 2022.
    81 changes: 81 additions & 0 deletions armbian_hardening.sh
    @@ -0,0 +1,81 @@
    ## Sysctl Hardening
    ```
    cat <<EOF> /etc/sysctl.d/20-hardening.conf
    # Kernel
    kernel.kptr_restrict=2
    kernel.dmesg_restrict=1
    kernel.unprivileged_bpf_disabled=1
    net.core.bpf_jit_harden=2
    dev.tty.ldisc_autoload=0
    vm.unprivileged_userfaultfd=0
    kernel.kexec_load_disabled=1
    kernel.sysrq=4
    kernel.unprivileged_userns_clone=0
    kernel.perf_event_paranoid=3
    # Networking
    net.ipv4.tcp_syncookies=1
    net.ipv4.tcp_rfc1337=1
    net.ipv4.conf.all.rp_filter=1
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.accept_source_route=0
    net.ipv4.conf.default.accept_source_route=0
    net.ipv6.conf.all.accept_source_route=0
    net.ipv6.conf.default.accept_source_route=0
    net.ipv6.conf.all.accept_ra=0
    net.ipv6.conf.default.accept_ra=0
    net.ipv4.tcp_sack=0
    net.ipv4.tcp_dsack=0
    net.ipv4.tcp_fack=0
    # Userspace
    fs.protected_symlinks=1
    fs.protected_hardlinks=1
    kernel.yama.ptrace_scope=2
    vm.mmap_rnd_bits=32
    vm.mmap_rnd_compat_bits=16
    fs.protected_fifos=2
    fs.protected_regular=2
    EOF
    ```
    ## Boot Parameters
    ```
    slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force ipv6.disable=1
    ```
    ## Modules
    ```
    cat <<EOF> /etc/modprobe.d/hardening.conf
    install dccp /bin/false
    install sctp /bin/false
    install rds /bin/false
    install tipc /bin/false
    install n-hdlc /bin/false
    install ax25 /bin/false
    install netrom /bin/false
    install x25 /bin/false
    install rose /bin/false
    install decnet /bin/false
    install econet /bin/false
    install af_802154 /bin/false
    install ipx /bin/false
    install appletalk /bin/false
    install psnap /bin/false
    install p8023 /bin/false
    install p8022 /bin/false
    install can /bin/false
    install atm /bin/false
    install cramfs /bin/false
    install freevxfs /bin/false
    install jffs2 /bin/false
    install hfs /bin/false
    install hfsplus /bin/false
    install squashfs /bin/false
    install udf /bin/false
    install vivid /bin/false
    install bluetooth /bin/false
    install uvcvideo /bin/false
    EOF
    ```
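    Review bot: the Boot Parameters block never says where Armbian takes the command line from (`extraargs=` in `/boot/armbianEnv.txt` on U-Boot images; there is no GRUB config on most boards), and a good part of the list is x86-only: `pti=`, `vsyscall=`, `spectre_v2=`, `spec_store_bypass_disable=`, `tsx=`, `tsx_async_abort=`, `mds=`, `l1tf=` and `kvm.nx_huge_pages=` are ignored on arm64 and merely logged as unknown parameters passed to init, while `slab_nomerge`, `init_on_alloc`, `init_on_free`, `page_alloc.shuffle`, `randomize_kstack_offset`, `debugfs=off`, `module.sig_enforce`, `lockdown` and `ipv6.disable` do take effect. Two of those need a pre-reboot check in the file: `module.sig_enforce=1` refuses every module without a signature the kernel trusts, so confirm with `modinfo -F signer <module>` that the board's driver modules are signed before applying it, and `lockdown=confidentiality` additionally blocks unsigned kexec images and `/dev/mem` access. In the Modules block, `install <module> /bin/false` only stops autoloading; a module already resident when the file is written stays loaded until `modprobe -r`, which is worth a line after `EOF`.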