Slackware hardening script
Ansible playbook to harden your Linux system.
Debian (Bookworm)
Kali
Why I made this What does it do?For a complete list you can run ansible-playbook --list-tasks harden.yml.
Some people consider TCP wrappers as obsolete and unnecessary, because nowadays firewall(s) take care of this kind of network level access. I disagree, because TCP wrappers still provide an additional layer of control in a case where the firewall(s) might fail for any number of reasons (usually misconfiguration). TCP wrappers also work as an network level ACL for the programs that utilize it and is a “native” control for those programs.
Logging
Configure log retention time to be 6 monthslogrotate to shred files
NOTE: Read the fine print in SHRED(1): “CAUTION: shred assumes the file system and hardware overwrite data in place. Although this is common, many platforms operate otherwise.”ansible-playbook --list-tasks --tags logging harden.yml for a full list
Accounting Sets it’s log retention to 99999 days (the logs are really small, so it doesn’t eat up disk space)ansible-playbook --list-tasks --tags accounting harden.yml for a full list
Disables the use of certain kernel modules via modprobe (see newconfs/modprobe.d/)
WARNING: Also disables usb-storage, which will disable support for USB mass medias
Enables SAK and disables the other magic SysRq stuff Restricts the use of dmesg by regular users Enable YAMA (disallow ptrace)ansible-playbook --list-tasks --tags kernel harden.yml for a full list
Filesystem/etc/fstab.new) (see fstab.awk)
Sets strict permissions to users home directories Limits permissions to various configuration files and directories that might contain sensitive content (see permissions tag for a complete list)
Clean up /tmp during boot (see tmp.conf.new)ansible-playbook --list-tasks --tags suid,sgid harden.yml for details)
Configures sshd_config and ssh_config (see ansible-playbook --list-tasks --tags ssh harden.yml for details)/etc/ssh/moduli Removes SUID bit from ssh-keysign, so host-based authentication will stop working. Host-based authentication shouldn’t be used anyway.
Configures sudo (see sudoers.j2) WARNING: If there are rules in /etc/sudoers.d/ that match our become: true tasks that do not have explicit EXEC, it can “break” sudo as we define Defaults noexec in the main sudoers file. There is a “Fix NOPASSWD rules” task in sudoers.yml which tries to tackle this problem, but it’s not guaranteed to work. You can set the sudo_iolog in vars.yml to true to enable I/O loggingsudo_ids in vars.yml to true to enable “Intrusion Detection” as described in Sudo Mastery chapter 9 (#59)
ClamAV configuration (see clamav.yml)clamd & freshclam by first generating fresh configurations with clamconf WARNING: ClamAV consumes a lot of memory, so it might not be suitable for all systems. See Recommended System Requirements.
Tiger: Configures tigerrc & tiger.ignore Disables guest sessions and VNC in LightDM
Minor Apache HTTP server hardeningphp.ini) hardening077 (see https://github.com/pyllyukko/harden.yml/wiki/umask)
Sets console session timeout via $TMOUT (Bash)SYS_UID_MAX && !root) Lock the user’s password
Sets shell to /sbin/nologin Set RLIMIT_NPROC to 0 in pam_limits for those system accounts that don’t need to run any processesansible-playbook --list-tasks --tags passwords harden.yml to list all password related tasks
Makes minor modifications to existing accounts. See ansible-playbook --list-tasks --tags accounts harden.yml for details.securetty
/etc/ftpusersatansible-playbook --list-tasks --tags authorization for a full list/etc/security/namespace.conf/etc/security/access.conf for pam_access (authorization) (see access.conf.j2)/etc/security/pwquality.conf if available/etc/pam.d/su Creates a secure /etc/pam.d/other/etc/security/limits.conf as follows: Sets nproc to 0 for system users that don’t need to run any processesansible-playbook --list-tasks --tags pam harden.yml to list all PAM related tasksansible-playbook --check --diff --tags pam harden.yml to see details of the changes
Creates legal banners (see banners.yml)
make /etc/ssl/certs/ca-certificates.crt to update the CAs Restricts the number of available shells (/etc/shells) Creates an option to use a restricted shell (rbash)sshd service because of the required PAM configuration changes (regarding pam_env & enforcing PATH) See Restricted shell WARNING: Contains plenty of caveats, details and hazards. Make sure you read and understand (at least) everything in the aforementioned wiki page, test it thoroughly and accept the risk that it may contain escapes.ansible-playbook --list-tasks --tags slackware harden.yml for a full list Makes default log files group adm readable (as in Debian)cron so that only users in the wheel) group are able to create cronjobs (as described in /usr/doc/dcron-4.5/README)hidepid=2 Make installpkg store the MD5 checksums Enable process accounting (acct) Does some housekeeping regarding group memberships (see login_defs-slackware.yml)inittab to use shutdown -a (and /etc/shutdown.allow)ansible-playbook --list-tasks --tags slackware harden.yml | grep '\bservices\b' for a full list)libcgroup) into /etc/cg{config,rules}.confbootlogd NOTE: Requires CONFIG_LEGACY_PTYS (which KSPP recommends to disable)/etc/pam.d/system-auth, which has the following changes: Use pam_faildelaypam_faillockpam_access Removes nullok from pam_unixpam_unixminlen from 6 to 14/etc/pam.d/postlogin:pam_umaskpam_cgrouppam_keyinitpam_namespace to /etc/pam.d/{login,sddm,sshd,xdm}auth include postlogin from several files, as postlogin should (and has) only session module types Creates /etc/pam.d/sudo, as that seemed to be missingsu (see su.new) Block /etc/pam.d/remote (see /etc/pam.d/remote)
Enables AppArmorSUITE in debsecandebsums and enable weekly cron jobchkrootkit and enables daily checksCreates bunch of pam-configs that are toggleable with pam-auth-update:
| PAM module | Type | Description |
|---|---|---|
| 🛞 pam_wheel1 | auth | Require wheel group membership (su) |
| 🎟️ pam_succeed_if | auth & account | Require UID >= 1000 && UID <= 60000 (or 0 & login) |
| pam_unix1 |
auth | Remove nullok |
| pam_faildelay |
auth | Delay on authentication failure |
| pam_ssh_agent_auth | auth | SSH agent authentication for sudo3 |
🎟️ pam_faillock |
auth & account | Deter brute-force attacks |
| 🎟️ pam_access | account | Use login ACL (/etc/security/access.conf) |
| 🎟️ pam_time | account | /etc/security/time.conf |
| 🎟️ pam_lastlog | account | Lock out inactive users (no login in 90 days) |
| pam_namespace | session | Polyinstantiated temp directories |
| pam_umask | session | Set file mode creation mask |
| pam_lastlog | session | Display info about last login and update the lastlog and wtmp files2 |
| pam_pwhistory | password | Limit password reuse |
pam-config, but a modification to existing /etc/pam.d/ fileskrb5 or other password auths.sshd needs to have AllowAgentForwarding yessudo with Defaults env_keep += "SSH_AUTH_SOCK"harden.yml and modify hosts or create a completely new playbook by making a copy of the harden.yml filevars.yml in case you want to tweak some of the settingsansible-playbook --list-tasks harden.ymlansible-playbook harden.yml
Notes Make sure regular users that should be able to login are members of the allowed_group group Sudo hardening:noexec is on by default, so you need to take this into account in your custom rules Interactive shells to root have timeout, so use screen for those longer administrative tasks
Rebooting the system after running this is highly recommended You might want to get additional (unofficial) rules for ClamAV with clamav-unofficial-sigs (although see #425). At least the following rulesets are freely available: WARNING: There is a hazard with immutable loginuid enabled in auditing in non-systemd systems (Slackware). See longer description of this in the wiki. Review /etc/fstab.new manually and deploy applicable changes to /etc/fstab Consider running a hardened kernel. For Slackware you can check out my other project kspp_confnbuild that has been (mostly) configured according to KSPP‘s recommendations. You can use kernel-hardening-checker to check your kernel configs.
Make sure your system is able to send e-mails somehow. Many of the tools will be sending alerts about various anomalies.
Consider installing and configuring LogwatchTags that you can use with ansible-playbook --tags:
pkikernelrngnetworkfirewallipv6 logging Filesystem related: permissionsfstabsuid & sgid sysstat sshrkhunterchkrootkitaideaudit (use --skip-tags audit in Slackware if you don’t have audit installed)debsecandebsumslynis (to only configure Lynis you can use --tags lynis --skip-tags packages) sudokerberos clamav (use --skip-tags clamav in Slackware if you don’t have clamav installed)yara apparmorcron (also includes tasks regarding at)php apachehsts
ntplightdmgnome tigerjohn banners accounting (includes sysstat)authorizationpasswords accountspamlimitscgroup (Slackware)hidepid (Slackware)inittab (Slackware) shellsumask timeoutThere are also operating system tags for tasks that only apply to specific OS.
You can speed up the hardening by skipping OSs that don’t apply. E.g. if you’re
hardening a Slackware system you can use --skip-tags debian.
Other tags are just metadata for now. You can list all the tags withansible-playbook --list-tags harden.yml.
There is a lock_account.yml playbook that you can use to lock user accounts. Just modify the hosts & user. Experimental feature: If you enable sudo_ids in vars.yml, it enables “Sudo Intrusion Detection” as seen in chapter 9 of Sudo MasterySHELLS Cmnd_Alias for nowmake pamcheck to see how the hardening modifies your PAM configurations in Slackware You can create a new SSH moduli with make /etc/ssh/moduli.newSee tests README
Some of these documents are quite old, but most of the stuff still applies.
Alien’s Wiki: Security issues
Wikipedia: Fork bomb Prevention Filesystem Hierarchy Standard 2.3 PAM Mastery book by Michael W Lucas Sudo Mastery, 2nd Edition Linux Firewalls Secure Secure Shell