feat: add pam.d restricting su binary, add more modules to be disabled, add grub commandline options for security

This commit is contained in:
Lorenzo Tucci 2021-08-26 22:32:11 +02:00
parent 31ff66c2d2
commit dddf1a381c
10 changed files with 142 additions and 5 deletions

5
grub/grub Normal file
View file

@ -0,0 +1,5 @@
# These rules are not meant to be copied and pasted as there will
# likely be other options enabled on your machine.
# Instead add them to the already existing ones in your /etc/default/grub
# remove ipv6 disable at the end if needed
GRUB_CMDLINE_LINUX="slab_nomerge slub_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0 ipv6.disable=1"

View file

@ -0,0 +1,6 @@
# Disable only if not used
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install gfs2 /bin/true

View file

@ -0,0 +1,7 @@
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false

View file

@ -1,4 +1,19 @@
install dccp /bin/true install dccp /bin/false
install sctp /bin/true install sctp /bin/false
install rds /bin/true install rds /bin/false
install tipc /bin/true install tipc /bin/false
install n-hdlc /bin/false
install ax25 /bin/false
install netrom /bin/false
install x25 /bin/false
install rose /bin/false
install decnet /bin/false
install econet /bin/false
install af_802154 /bin/false
install ipx /bin/false
install appletalk /bin/false
install psnap /bin/false
install p8023 /bin/false
install p8022 /bin/false
install can /bin/false
install atm /bin/false

View file

@ -0,0 +1 @@
install vivid /bin/false

View file

@ -0,0 +1,13 @@
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so

View file

@ -0,0 +1,7 @@
#%PAM-1.0
auth include su
account include su
password include su
session optional pam_keyinit.so force revoke
session include su
auth required pam_wheel.so use_uid

59
pam/etc/pam.d/ubuntu/su Normal file
View file

@ -0,0 +1,59 @@
#
# The PAM configuration file for the Shadow `su' service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

View file

@ -0,0 +1,7 @@
#%PAM-1.0
auth include su
account include su
password include su
session optional pam_keyinit.so force revoke
session include su
auth required pam_wheel.so

View file

@ -23,18 +23,35 @@ net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.proxy_arp = 0 net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.tcp_rfc1337=1
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1 net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1 net.ipv4.tcp_timestamps = 1
dev.tty.ldisc_autoload=0
vm.unprivileged_userfaultfd=0
kernel.kexec_load_disabled=1
kernel.perf_event_paranoid=2
kernel.yama.ptrace_scope=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
# Uncomment do disable ipv6 # Uncomment do disable ipv6
#net.ipv6.conf.all.disable_ipv6=1 #net.ipv6.conf.all.disable_ipv6=1
#net.ipv6.conf.default.disable_ipv6=1 #net.ipv6.conf.default.disable_ipv6=1