From 36e0b962ac316fd043fa90d8d13fc4a5e18918f3 Mon Sep 17 00:00:00 2001
From: Lorenzo Tucci
Date: Sun, 22 Aug 2021 22:13:37 +0200
Subject: [PATCH 1/5] feat: add sshd_config, sysctl.conf, lynis custom
---
 lynis/etc/lynis/custom.prf | 13 +++++++++++
 ssh/etc/ssh/sshd_config | 21 ++++++++++++++++++
 systcl/etc/sysctl.conf | 45 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 lynis/etc/lynis/custom.prf
 create mode 100644 ssh/etc/ssh/sshd_config
 create mode 100644 systcl/etc/sysctl.conf
diff --git a/lynis/etc/lynis/custom.prf b/lynis/etc/lynis/custom.prf
new file mode 100644
index 0000000..38d246e
--- /dev/null
+++ b/lynis/etc/lynis/custom.prf
@@ -0,0 +1,13 @@
+# Disable some tests that are not useful in cloud-based servers
+skip-test=AUTH-9286
+skip-test=PRNT-2307
+skip-test=USB-1000
+skip-test=STRG-1846
+skip-test=PRNT-2308
+skip-test=FILE-6310
+skip-test=SSH-7408:tcpkeepalive
+skip-test=SSH-7408:allowtcpforwarding
+skip-test=SSH-7408:compression
+skip-test=SSH-7408:port
+skip-test=BANN-7126
+skip-test=BANN-7130
diff --git a/ssh/etc/ssh/sshd_config b/ssh/etc/ssh/sshd_config
new file mode 100644
index 0000000..c13c440
--- /dev/null
+++ b/ssh/etc/ssh/sshd_config
@@ -0,0 +1,21 @@
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+SyslogFacility AUTHPRIV
+
+AllowGroups sshlogin
+
+PermitRootLogin WITHOUT-PASSWORD
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+IgnoreRhosts yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+X11Forwarding no
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
diff --git a/systcl/etc/sysctl.conf b/systcl/etc/sysctl.conf
new file mode 100644
index 0000000..0729e28
--- /dev/null
+++ b/systcl/etc/sysctl.conf
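Review bot: `PermitRootLogin WITHOUT-PASSWORD` in the sshd_config hunk uses the deprecated alias; the current spelling is `PermitRootLogin prohibit-password`, and because the file also sets `AllowGroups sshlogin`, root can only log in at all if it is a member of that group — a comment should state which outcome is intended, or use `PermitRootLogin no` if direct root login is never wanted. The file sets no `Ciphers`, `MACs` or `KexAlgorithms`, so the distribution defaults apply; whether those defaults are acceptable for this profile is worth recording in a header comment. `AuthorizedKeysFile .ssh/authorized_keys` leaves key management with each user, which is fine for the stated cloud use case but should be a conscious choice noted next to the line.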
@@ -0,0 +1,45 @@
+# Hardened sysctl conf
+
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+fs.suid_dumpable = 0
+
+kernel.core_uses_pid = 1
+kernel.ctrl-alt-del = 0
+kernel.dmesg_restrict = 1
+kernel.kptr_restrict = 2
+kernel.randomize_va_space = 2
+kernel.sysrq = 0
+kernel.unprivileged_bpf_disabled = 1
+
+
+net.core.bpf_jit_harden = 2
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.bootp_relay = 0
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.all.mc_forwarding = 0
+net.ipv4.conf.all.proxy_arp = 0
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.all.send_redirects = 0
+
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.log_martians = 1
+
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_timestamps = 1
+
+
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.accept_source_route = 0
+
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+vm.swappiness = 15
From 164bc16e95aaa062ecb258dfd5b6f1f37cc8760b Mon Sep 17 00:00:00 2001
From: Lorenzo Tucci
Date: Mon, 23 Aug 2021 14:50:54 +0200
Subject: [PATCH 2/5] feat: add modprobe.d
---
 modprobe/etc/modprobe.d/disable-ipv6.conf | 1 +
 modprobe/etc/modprobe.d/disable-rare-protocols.conf | 4 ++++
 2 files changed, 5 insertions(+)
 create mode 100644 modprobe/etc/modprobe.d/disable-ipv6.conf
 create mode 100644 modprobe/etc/modprobe.d/disable-rare-protocols.conf
diff --git a/modprobe/etc/modprobe.d/disable-ipv6.conf b/modprobe/etc/modprobe.d/disable-ipv6.conf
new file mode 100644
index 0000000..84b10fc
--- /dev/null
+++ b/modprobe/etc/modprobe.d/disable-ipv6.conf
@@ -0,0 +1 @@
+install ipv6 /bin/true
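Review bot: `net.ipv4.conf.all.rp_filter = 0` switches reverse-path filtering off, which contradicts the `# Hardened sysctl conf` header and the anti-spoofing settings around it (`log_martians = 1`, `accept_source_route = 0`); unless these hosts rely on asymmetric routing it should read `net.ipv4.conf.all.rp_filter = 1` (or `2` for loose mode), and if 0 is deliberate a comment must say why. The `default.*` block also leaves out `rp_filter` and `send_redirects`, so interfaces created after boot inherit the kernel defaults instead of this policy; adding `net.ipv4.conf.default.rp_filter = 1` and `net.ipv4.conf.default.send_redirects = 0` keeps the `all` and `default` sections aligned. A one-line header comment naming the baseline this file follows would let reviewers tell deliberate deviations from omissions.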
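Review bot: `install ipv6 /bin/true` only stops a loadable module named `ipv6` from being autoloaded; on kernels where IPv6 is compiled in (typically the case on Ubuntu, which the rc.local comment in 4/5 targets) it does nothing, so this file does not by itself disable IPv6. The effective control is the `net.ipv6.conf.*.disable_ipv6 = 1` sysctl (or the `ipv6.disable=1` kernel parameter), and a comment such as `# No effect when IPv6 is built into the kernel; use the disable_ipv6 sysctls in sysctl.conf` would stop the file from being read as a completed hardening step. Turning IPv6 off entirely is a functional choice as much as a hardening one, so the rationale belongs in the commit message or a comment here.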
diff --git a/modprobe/etc/modprobe.d/disable-rare-protocols.conf b/modprobe/etc/modprobe.d/disable-rare-protocols.conf
new file mode 100644
index 0000000..92966bd
--- /dev/null
+++ b/modprobe/etc/modprobe.d/disable-rare-protocols.conf
@@ -0,0 +1,4 @@
+install dccp /bin/true
+install sctp /bin/true
+install rds /bin/true
+install tipc /bin/true
From a3d00bd2383bc00ca4d83d0efd0dd77a89ea7813 Mon Sep 17 00:00:00 2001
From: Lorenzo Tucci
Date: Mon, 23 Aug 2021 15:28:11 +0200
Subject: [PATCH 3/5] fix: change sshd_config
---
 ssh/etc/ssh/sshd_config | 6 ++++++
 {systcl => sysctl}/etc/sysctl.conf | 0
 2 files changed, 6 insertions(+)
 rename {systcl => sysctl}/etc/sysctl.conf (100%)
diff --git a/ssh/etc/ssh/sshd_config b/ssh/etc/ssh/sshd_config
index c13c440..842db0f 100644
--- a/ssh/etc/ssh/sshd_config
+++ b/ssh/etc/ssh/sshd_config
@@ -10,12 +10,18 @@ PermitRootLogin WITHOUT-PASSWORD
 PubkeyAuthentication yes
 AuthorizedKeysFile .ssh/authorized_keys
 IgnoreRhosts yes
+MaxSessions 4
+MaxAuthTries 4
+ClientAliveCountMax 2
+LogLevel VERBOSE
 PasswordAuthentication no
 ChallengeResponseAuthentication no
 GSSAPIAuthentication no
 UsePAM yes
+PrintMotd no
 X11Forwarding no
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 AcceptEnv XMODIFIERS
+Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/systcl/etc/sysctl.conf b/sysctl/etc/sysctl.conf
similarity index 100%
rename from systcl/etc/sysctl.conf
rename to sysctl/etc/sysctl.conf
From 3ed5844553e766af3a8e6df70ff882c79342a153 Mon Sep 17 00:00:00 2001
From: Lorenzo Tucci
Date: Mon, 23 Aug 2021 20:05:42 +0200
Subject: [PATCH 4/5] feat: add rc.local, update lynis
---
 lynis/etc/lynis/custom.prf | 15 +++++++++++++--
 rc.local/etc/rc.local | 9 +++++++++
 sysctl/etc/sysctl.conf | 4 ++++
 3 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 rc.local/etc/rc.local
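Review bot: `ClientAliveCountMax 2` in the sshd_config hunk has no effect on its own, because `ClientAliveInterval` keeps its default of 0 and sshd never sends the keepalive probes that the count applies to; pair it with something like `ClientAliveInterval 300` if idle sessions are meant to be dropped. `Subsystem sftp /usr/lib/openssh/sftp-server` hard-codes the Debian/Ubuntu binary path, whereas `Subsystem sftp internal-sftp` is path-independent and also works for chrooted users. `LogLevel VERBOSE` is what makes key fingerprints appear in the auth log, which deserves a comment such as `# VERBOSE logs the fingerprint of the key used for each login` so it is not lowered later as noise. The HostKey and AllowGroups lines of this file sit above the hunk and are unchanged here.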
diff --git a/lynis/etc/lynis/custom.prf b/lynis/etc/lynis/custom.prf
index 38d246e..c367c83 100644
--- a/lynis/etc/lynis/custom.prf
+++ b/lynis/etc/lynis/custom.prf
@@ -5,9 +5,20 @@ skip-test=USB-1000
 skip-test=STRG-1846
 skip-test=PRNT-2308
 skip-test=FILE-6310
+skip-test=BOOT-5122
+skip-test=BOOT-5260
+skip-test=BOOT-5260
+
+# Disable /etc/issue checking
+skip-test=BANN-7126
+skip-test=BANN-7130
+
+# Disable some SSH feature checks that we intend to keep
 skip-test=SSH-7408:tcpkeepalive
 skip-test=SSH-7408:allowtcpforwarding
 skip-test=SSH-7408:compression
 skip-test=SSH-7408:port
-skip-test=BANN-7126
-skip-test=BANN-7130
+
+# Old packages
+skip-test=CUST-0810
+skip-test=CUST-0285
diff --git a/rc.local/etc/rc.local b/rc.local/etc/rc.local
new file mode 100644
index 0000000..6f8eb97
--- /dev/null
+++ b/rc.local/etc/rc.local
@@ -0,0 +1,9 @@
+#!/bin/bash
+# /etc/rc.local
+
+# file needed to correctly load kernel parameters at boot time
+# on Ubuntu (ex. to disable ipv6) without modifying grub
+/etc/sysctl.d
+/etc/init.d/procps restart
+
+exit 0
diff --git a/sysctl/etc/sysctl.conf b/sysctl/etc/sysctl.conf
index 0729e28..bd29550 100644
--- a/sysctl/etc/sysctl.conf
+++ b/sysctl/etc/sysctl.conf
@@ -35,6 +35,10 @@ net.ipv4.icmp_ignore_bogus_error_responses = 1
 net.ipv4.tcp_syncookies = 1
 net.ipv4.tcp_timestamps = 1
+# Uncomment do disable ipv6
+#net.ipv6.conf.all.disable_ipv6=1
+#net.ipv6.conf.default.disable_ipv6=1
+#net.ipv6.conf.lo.disable_ipv6=1
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.all.accept_source_route = 0
From 31ff66c2d2577c9e42a49b8d55817cce669822f1 Mon Sep 17 00:00:00 2001
From: Lorenzo Tucci
Date: Mon, 23 Aug 2021 21:44:13 +0200
Subject: [PATCH 5/5] feat: add security/limits.conf, update lynis, close #2
---
 lynis/etc/lynis/custom.prf | 4 +-
 security/etc/security/limits.conf | 62 +++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 security/etc/security/limits.conf
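Review bot: `skip-test=BOOT-5122`, `skip-test=BOOT-5260` and the two `CUST-*` entries in the custom.prf hunk are added without saying why each check does not apply, while the BANN and SSH groups in the same hunk do get a rationale; a skipped Lynis test permanently suppresses a finding, so each skip deserves a one-line comment of the form `# <test id>: <why this check does not apply to these images>`. The same applies to `STRG-1840`, `KRNL-5788` and `AUTH-9308` added to this file in 5/5. `skip-test=BOOT-5260` appears twice in this hunk; 5/5 removes the duplicate again, so squashing the two commits would keep the history clean.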
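Review bot: The line `/etc/sysctl.d` in rc.local executes a directory; bash rejects it with "Is a directory" and, with no `set -e`, continues, so the reload actually depends only on `/etc/init.d/procps restart`. Both lines can be replaced by `sysctl --system`, which loads `/etc/sysctl.d/*.conf` and `/etc/sysctl.conf` in the documented order, and the stray path dropped. The unconditional `exit 0` also hides a failed reload from the boot log; letting the script's status follow the `sysctl` result makes a broken sysctl.conf visible. The header comment should additionally note that the file must be executable (and, on systemd hosts, is only run through rc-local.service) or it will never execute.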
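Review bot: The new comment in the sysctl.conf hunk reads `# Uncomment do disable ipv6`; it should be `# Uncomment to disable ipv6`. The three commented keys use `key=value` with no spaces while every other line in the file uses `key = value`, so matching the spacing avoids a surprise when they are uncommented. It would also help to state here that the modprobe `install ipv6 /bin/true` added in 2/5 does not disable built-in IPv6, making these sysctls the effective control.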
diff --git a/lynis/etc/lynis/custom.prf b/lynis/etc/lynis/custom.prf
index c367c83..7dfa2ce 100644
--- a/lynis/etc/lynis/custom.prf
+++ b/lynis/etc/lynis/custom.prf
@@ -3,11 +3,13 @@ skip-test=AUTH-9286
 skip-test=PRNT-2307
 skip-test=USB-1000
 skip-test=STRG-1846
+skip-test=STRG-1840
 skip-test=PRNT-2308
 skip-test=FILE-6310
 skip-test=BOOT-5122
 skip-test=BOOT-5260
-skip-test=BOOT-5260
+skip-test=KRNL-5788
+skip-test=AUTH-9308
+
 # Disable /etc/issue checking
 skip-test=BANN-7126
diff --git a/security/etc/security/limits.conf b/security/etc/security/limits.conf
new file mode 100644
index 0000000..06db731
--- /dev/null
+++ b/security/etc/security/limits.conf
@@ -0,0 +1,62 @@
+# /etc/security/limits.conf
+#
+#This file sets the resource limits for the users logged in via PAM.
+#It does not affect resource limits of the system services.
+#
+#Also note that configuration files in /etc/security/limits.d directory,
+#which are read in alphabetical order, override the settings in this
+#file in case the domain is the same or more specific.
+#That means for example that setting a limit for wildcard domain here
+#can be overriden with a wildcard setting in a config file in the
+#subdirectory, but a user specific setting here can be overriden only
+#with a user specific setting in the subdirectory.
+#
+#Each line describes a limit for a user in the form:
+#
+#
+#
+#Where:
+# can be:
+# - a user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+#
+# can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+# can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+#
+#
+#
+
+* soft core 0
+* hard core 0
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#@student - maxlogins 4
+
+# End of file
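Review bot: The only active settings in limits.conf are `* soft core 0` and `* hard core 0`, and the file's own header says these apply to PAM sessions only, so core dumps of system services are untouched; if daemons are in scope too, the matching control is `DefaultLimitCORE=0` in systemd's system.conf (or `LimitCORE=` per unit), and a comment on the two active lines should say whether that gap is intentional. The header lines following "in the form:" and the "can be:" lines appear here as bare `#` with what were presumably the `<domain> <type> <item> <value>` placeholders missing; this may be an artefact of how the patch was exported, but the committed file should be checked for the original text. Since entries under `/etc/security/limits.d` override these wildcard lines, a short comment next to them pointing at that directory would help operators who add their own limits.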