From dddf1a381c7034db91b412499f796cf97cfe1ce7 Mon Sep 17 00:00:00 2001 From: Lorenzo Tucci Date: Thu, 26 Aug 2021 22:32:11 +0200 Subject: [PATCH] feat: add pam.d restricting su binary, add more modules to be disabled, add grub commandline options for security --- grub/grub | 5 ++ .../disable-network-filesystems.conf | 6 ++ .../modprobe.d/disable-rare-filesystems.conf | 7 +++ .../modprobe.d/disable-rare-protocols.conf | 23 ++++++-- modprobe/etc/modprobe.d/disable-vivid.conf | 1 + pam/etc/pam.d/rocky-linux/su | 13 ++++ pam/etc/pam.d/rocky-linux/su-l | 7 +++ pam/etc/pam.d/ubuntu/su | 59 +++++++++++++++++++ pam/etc/pam.d/ubuntu/su-l | 7 +++ sysctl/etc/sysctl.conf | 19 +++++- 10 files changed, 142 insertions(+), 5 deletions(-) create mode 100644 grub/grub create mode 100644 modprobe/etc/modprobe.d/disable-network-filesystems.conf create mode 100644 modprobe/etc/modprobe.d/disable-rare-filesystems.conf create mode 100644 modprobe/etc/modprobe.d/disable-vivid.conf create mode 100644 pam/etc/pam.d/rocky-linux/su create mode 100644 pam/etc/pam.d/rocky-linux/su-l create mode 100644 pam/etc/pam.d/ubuntu/su create mode 100644 pam/etc/pam.d/ubuntu/su-l diff --git a/grub/grub b/grub/grub new file mode 100644 index 0000000..fc4b202 --- /dev/null +++ b/grub/grub @@ -0,0 +1,5 @@ +# These rules are not meant to be copied and pasted as there will +# likely be other options enabled on your machine. +# Instead add them to the already existing ones in your /etc/default/grub +# remove ipv6 disable at the end if needed +GRUB_CMDLINE_LINUX="slab_nomerge slub_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0 ipv6.disable=1" diff --git a/modprobe/etc/modprobe.d/disable-network-filesystems.conf b/modprobe/etc/modprobe.d/disable-network-filesystems.conf new file mode 100644 index 0000000..c9032a8 --- /dev/null +++ b/modprobe/etc/modprobe.d/disable-network-filesystems.conf @@ -0,0 +1,6 @@ +# Disable only if not used +install cifs /bin/true +install nfs /bin/true +install nfsv3 /bin/true +install nfsv4 /bin/true +install gfs2 /bin/true diff --git a/modprobe/etc/modprobe.d/disable-rare-filesystems.conf b/modprobe/etc/modprobe.d/disable-rare-filesystems.conf new file mode 100644 index 0000000..10016ee --- /dev/null +++ b/modprobe/etc/modprobe.d/disable-rare-filesystems.conf @@ -0,0 +1,7 @@ +install cramfs /bin/false +install freevxfs /bin/false +install jffs2 /bin/false +install hfs /bin/false +install hfsplus /bin/false +install squashfs /bin/false +install udf /bin/false diff --git a/modprobe/etc/modprobe.d/disable-rare-protocols.conf b/modprobe/etc/modprobe.d/disable-rare-protocols.conf index 92966bd..5610011 100644 --- a/modprobe/etc/modprobe.d/disable-rare-protocols.conf +++ b/modprobe/etc/modprobe.d/disable-rare-protocols.conf @@ -1,4 +1,19 @@ -install dccp /bin/true -install sctp /bin/true -install rds /bin/true -install tipc /bin/true +install dccp /bin/false +install sctp /bin/false +install rds /bin/false +install tipc /bin/false +install n-hdlc /bin/false +install ax25 /bin/false +install netrom /bin/false +install x25 /bin/false +install rose /bin/false +install decnet /bin/false +install econet /bin/false +install af_802154 /bin/false +install ipx /bin/false +install appletalk /bin/false +install psnap /bin/false +install p8023 /bin/false +install p8022 /bin/false +install can /bin/false +install atm /bin/false diff --git a/modprobe/etc/modprobe.d/disable-vivid.conf b/modprobe/etc/modprobe.d/disable-vivid.conf new file mode 100644 index 0000000..79dd0ff --- /dev/null +++ b/modprobe/etc/modprobe.d/disable-vivid.conf @@ -0,0 +1 @@ +install vivid /bin/false diff --git a/pam/etc/pam.d/rocky-linux/su b/pam/etc/pam.d/rocky-linux/su new file mode 100644 index 0000000..c870601 --- /dev/null +++ b/pam/etc/pam.d/rocky-linux/su @@ -0,0 +1,13 @@ +#%PAM-1.0 +auth required pam_env.so +auth sufficient pam_rootok.so +# Uncomment the following line to require a user to be in the "wheel" group. +auth required pam_wheel.so use_uid +auth substack system-auth +auth include postlogin +account sufficient pam_succeed_if.so uid = 0 use_uid quiet +account include system-auth +password include system-auth +session include system-auth +session include postlogin +session optional pam_xauth.so diff --git a/pam/etc/pam.d/rocky-linux/su-l b/pam/etc/pam.d/rocky-linux/su-l new file mode 100644 index 0000000..b44e266 --- /dev/null +++ b/pam/etc/pam.d/rocky-linux/su-l @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include su +account include su +password include su +session optional pam_keyinit.so force revoke +session include su +auth required pam_wheel.so use_uid diff --git a/pam/etc/pam.d/ubuntu/su b/pam/etc/pam.d/ubuntu/su new file mode 100644 index 0000000..e7edba4 --- /dev/null +++ b/pam/etc/pam.d/ubuntu/su @@ -0,0 +1,59 @@ +# +# The PAM configuration file for the Shadow `su' service +# + +# This allows root to su without passwords (normal operation) +auth sufficient pam_rootok.so + +# Uncomment this to force users to be a member of group root +# before they can use `su'. You can also add "group=foo" +# to the end of this line if you want to use a group other +# than the default "root" (but this may have side effect of +# denying "root" user, unless she's a member of "foo" or explicitly +# permitted earlier by e.g. "sufficient pam_rootok.so"). +# (Replaces the `SU_WHEEL_ONLY' option from login.defs) + auth required pam_wheel.so + +# Uncomment this if you want wheel members to be able to +# su without a password. +# auth sufficient pam_wheel.so trust + +# Uncomment this if you want members of a specific group to not +# be allowed to use su at all. +# auth required pam_wheel.so deny group=nosu + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on su usage. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +# +# "nopen" stands to avoid reporting new mail when su'ing to another user +session optional pam_mail.so nopen + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +@include common-auth +@include common-account +@include common-session diff --git a/pam/etc/pam.d/ubuntu/su-l b/pam/etc/pam.d/ubuntu/su-l new file mode 100644 index 0000000..eb23e9e --- /dev/null +++ b/pam/etc/pam.d/ubuntu/su-l @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include su +account include su +password include su +session optional pam_keyinit.so force revoke +session include su +auth required pam_wheel.so diff --git a/sysctl/etc/sysctl.conf b/sysctl/etc/sysctl.conf index bd29550..2350204 100644 --- a/sysctl/etc/sysctl.conf +++ b/sysctl/etc/sysctl.conf @@ -23,18 +23,35 @@ net.ipv4.conf.all.forwarding = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.all.proxy_arp = 0 -net.ipv4.conf.all.rp_filter = 0 +net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.all.secure_redirects=0 +net.ipv4.tcp_rfc1337=1 +net.ipv4.tcp_sack=0 +net.ipv4.tcp_dsack=0 +net.ipv4.tcp_fack=0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.log_martians = 1 +net.ipv4.conf.default.rp_filter=1 +net.ipv4.conf.default.send_redirects=0 +net.ipv4.conf.default.secure_redirects=0 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_timestamps = 1 +dev.tty.ldisc_autoload=0 +vm.unprivileged_userfaultfd=0 +kernel.kexec_load_disabled=1 +kernel.perf_event_paranoid=2 +kernel.yama.ptrace_scope=2 + +vm.mmap_rnd_bits=32 +vm.mmap_rnd_compat_bits=16 + # Uncomment do disable ipv6 #net.ipv6.conf.all.disable_ipv6=1 #net.ipv6.conf.default.disable_ipv6=1