Merge remote-tracking branch 'unitoo/master'

emacs/emacs.service

@@ -0,0 +1,18 @@
+# Emacs server unit service for systemd (start emacs as a server)
+# This file is meant to be placed into your .config/systemd/user/ folder
+# and started + enabled with systemctl enable emacs --user --now
+# It is advised to add an alias for emacs to run it as client
+# ex. for the terminal version: alias emacs='emacsclient -t'
+[Unit]
+Description=Emacs text editor
+Documentation=info:emacs man:emacs(1) https://gnu.org/software/emacs/
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/emacs --daemon
+ExecStop=/usr/bin/emacsclient --eval "(kill-emacs)"
+Environment=SSH_AUTH_SOCK=%t/keyring/ssh
+Restart=on-failure
+
+[Install]
+WantedBy=default.target

grub/grub

@@ -0,0 +1,9 @@
+# These rules are not meant to be copied and pasted as there will
+# likely be other options enabled on your machine.
+# Instead add them to the already existing ones in your /etc/default/grub
+#
+# NOTE: remove ipv6 disable at the end if needed
+# NOTE: remove module.sig_enforce=1 and lockdown=confidentiality on some systems to enable loading 
+# of wireguard module
+
+GRUB_CMDLINE_LINUX="slab_nomerge slub_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0 ipv6.disable=1"

lynis/etc/lynis/custom.prf

@@ -0,0 +1,26 @@
+# Disable some tests that are not useful in cloud-based servers
+skip-test=AUTH-9286
+skip-test=PRNT-2307
+skip-test=USB-1000
+skip-test=STRG-1846
+skip-test=STRG-1840
+skip-test=PRNT-2308
+skip-test=FILE-6310
+skip-test=BOOT-5122
+skip-test=BOOT-5260
+skip-test=KRNL-5788
+skip-test=AUTH-9308
+
+# Disable /etc/issue checking
+skip-test=BANN-7126
+skip-test=BANN-7130
+
+# Disable some SSH feature checks that we intend to keep
+skip-test=SSH-7408:tcpkeepalive
+skip-test=SSH-7408:allowtcpforwarding
+skip-test=SSH-7408:compression
+skip-test=SSH-7408:port
+
+# Old packages
+skip-test=CUST-0810
+skip-test=CUST-0285

modprobe/etc/modprobe.d/disable-ipv6.conf

@@ -0,0 +1 @@
+install ipv6 /bin/true

modprobe/etc/modprobe.d/disable-network-filesystems.conf

@@ -0,0 +1,6 @@
+# Disable only if not used
+install cifs /bin/true
+install nfs /bin/true
+install nfsv3 /bin/true
+install nfsv4 /bin/true
+install gfs2 /bin/true

modprobe/etc/modprobe.d/disable-rare-filesystems.conf

@@ -0,0 +1,7 @@
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+install hfs /bin/false
+install hfsplus /bin/false
+install squashfs /bin/false
+install udf /bin/false

modprobe/etc/modprobe.d/disable-rare-protocols.conf

@@ -0,0 +1,19 @@
+install dccp /bin/false
+install sctp /bin/false
+install rds /bin/false
+install tipc /bin/false
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false

modprobe/etc/modprobe.d/disable-vivid.conf

@@ -0,0 +1 @@
+install vivid /bin/false

pam/etc/pam.d/rocky-linux/su

@@ -0,0 +1,13 @@
+#%PAM-1.0
+auth            required        pam_env.so
+auth            sufficient      pam_rootok.so
+# Uncomment the following line to require a user to be in the "wheel" group.
+auth            required        pam_wheel.so use_uid
+auth            substack        system-auth
+auth            include         postlogin
+account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
+account         include         system-auth
+password        include         system-auth
+session         include         system-auth
+session         include         postlogin
+session         optional        pam_xauth.so

pam/etc/pam.d/rocky-linux/su-l

@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth            include         su
+account         include         su
+password        include         su
+session         optional        pam_keyinit.so force revoke
+session         include         su
+auth            required        pam_wheel.so use_uid

pam/etc/pam.d/ubuntu/su

@@ -0,0 +1,59 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth       sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+ auth       required   pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth       sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth       required   pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session    optional   pam_mail.so nopen
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session

pam/etc/pam.d/ubuntu/su-l

@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth            include         su
+account         include         su
+password        include         su
+session         optional        pam_keyinit.so force revoke
+session         include         su
+auth            required        pam_wheel.so

rc.local/etc/rc.local

@@ -0,0 +1,9 @@
+#!/bin/bash
+# /etc/rc.local
+
+# file needed to correctly load kernel parameters at boot time
+# on Ubuntu (ex. to disable ipv6) without modifying grub
+/etc/sysctl.d
+/etc/init.d/procps restart
+
+exit 0

security/etc/security/limits.conf

@@ -0,0 +1,62 @@
+# /etc/security/limits.conf
+#
+#This file sets the resource limits for the users logged in via PAM.
+#It does not affect resource limits of the system services.
+#
+#Also note that configuration files in /etc/security/limits.d directory,
+#which are read in alphabetical order, override the settings in this
+#file in case the domain is the same or more specific.
+#That means for example that setting a limit for wildcard domain here
+#can be overriden with a wildcard setting in a config file in the
+#subdirectory, but a user specific setting here can be overriden only
+#with a user specific setting in the subdirectory.
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - a user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open file descriptors
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit (KB)
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
+#        - rtprio - max realtime priority
+#
+#<domain>      <type>  <item>         <value>
+#
+
+*               soft    core            0
+*               hard    core            0
+#*               hard    rss             10000
+#@student        hard    nproc           20
+#@faculty        soft    nproc           20
+#@faculty        hard    nproc           50
+#ftp             hard    nproc           0
+#@student        -       maxlogins       4
+
+# End of file

ssh/etc/ssh/sshd_config

@@ -0,0 +1,27 @@
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+SyslogFacility AUTHPRIV
+
+AllowGroups sshlogin
+
+PermitRootLogin WITHOUT-PASSWORD
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+IgnoreRhosts yes
+MaxSessions 4
+MaxAuthTries 4
+ClientAliveCountMax 2
+LogLevel VERBOSE
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+PrintMotd no
+X11Forwarding no
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+Subsystem       sftp    /usr/lib/openssh/sftp-server

sysctl/etc/sysctl.conf

@@ -0,0 +1,66 @@
+# Hardened sysctl conf
+
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+fs.suid_dumpable = 0
+
+kernel.core_uses_pid = 1
+kernel.ctrl-alt-del = 0
+kernel.dmesg_restrict = 1
+kernel.kptr_restrict = 2
+kernel.randomize_va_space = 2
+kernel.sysrq = 0
+kernel.unprivileged_bpf_disabled = 1
+
+
+net.core.bpf_jit_harden = 2
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.bootp_relay = 0
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.all.mc_forwarding = 0
+net.ipv4.conf.all.proxy_arp = 0
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.tcp_rfc1337=1
+net.ipv4.tcp_sack=0
+net.ipv4.tcp_dsack=0
+net.ipv4.tcp_fack=0
+
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_timestamps = 1
+
+dev.tty.ldisc_autoload=0
+vm.unprivileged_userfaultfd=0
+kernel.kexec_load_disabled=1
+kernel.perf_event_paranoid=2
+kernel.yama.ptrace_scope=2
+
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+
+# Uncomment do disable ipv6
+#net.ipv6.conf.all.disable_ipv6=1
+#net.ipv6.conf.default.disable_ipv6=1
+#net.ipv6.conf.lo.disable_ipv6=1
+
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.accept_source_route = 0
+
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+vm.swappiness = 15