# Slackware hardening script

Ansible playbook to harden your Linux system.

For a complete list you can run `ansible-playbook --list-tasks harden.yml`.

## Features

- Configures `logrotate` to shred files
  - See `ansible-playbook --list-tasks --tags logging harden.yml` for a full list
- Accounting: see `ansible-playbook --list-tasks --tags accounting harden.yml` for a full list
- Kernel:
  - `modprobe` configuration (see newconfs/modprobe.d/)
  - Disables `usb-storage`, which will disable support for USB mass media
  - Restricts the use of `dmesg` by regular users
  - Restricts `ptrace`
  - See `ansible-playbook --list-tasks --tags kernel harden.yml` for a full list
- Mount options: `/etc/fstab.new` (see fstab.awk)
- File permissions (see the `permissions` tag for a complete list)
- Cleans up `/tmp` during boot (see tmp.conf.new)
- SUID/SGID binaries (see `ansible-playbook --list-tasks --tags suid,sgid harden.yml` for details)
- SSH: `sshd_config` and `ssh_config` (see `ansible-playbook --list-tasks --tags ssh harden.yml` for details)
  - New `/etc/ssh/moduli`
  - Disables `ssh-keysign`, so host-based authentication will stop working. Host-based authentication shouldn't be used anyway.
- sudo:
  - If you have existing rules in `/etc/sudoers.d/` that match our `become: true` tasks that do not have explicit `EXEC`, it can "break" `sudo` as we define `Defaults noexec` in the main `sudoers` file. There is a "Fix NOPASSWD rules" task in `sudoers.yml` which tries to tackle this problem, but it's not guaranteed to work.
  - Set `sudo_iolog` in `vars.yml` to `true` to enable I/O logging
  - Set `sudo_ids` in `vars.yml` to `true` to enable "Intrusion Detection" as described in Sudo Mastery chapter 9 (#59)
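The `Defaults noexec` caveat above, as an added example that is not code from the harden.yml project: a small checker that parses sudoers-style rules, flags the ones that would run under `noexec` without an explicit `EXEC` tag (the case the "Fix NOPASSWD rules" task tries to handle, since the shell spawned by an Ansible `become` task then cannot exec anything), and shows the tagged form of a rule. The sample rules, the tag list and the function names are constructed for illustration.

```python
import re

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "LOG_INPUT",
        "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}  # tags that may prefix a command
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")  # user host = cmnd_spec_list
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")            # optional "(runas)" prefix
TAG_RE = re.compile(r"^([A-Z_]+):\s*(.*)$")          # "TAG:" prefix and the rest

def parse_rules(text):
    """Return (noexec_default, rules); each rule is (user, host, cmnd, tags)."""
    noexec_default, rules = False, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0].endswith("_Alias"):
            continue
        if line.startswith("Defaults"):
            if re.search(r"(?<!!)\bnoexec\b", line):  # "!noexec" would switch it off
                noexec_default = True
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, spec = m.groups()
        tags = set()  # a tag stays in effect for the rest of the comma-separated list
        for cmnd in spec.split(","):
            cmnd = RUNAS_RE.sub("", cmnd.strip(), count=1)
            while (tm := TAG_RE.match(cmnd)) and tm.group(1) in TAGS:
                tag, cmnd = tm.groups()
                tags.discard({"EXEC": "NOEXEC", "NOEXEC": "EXEC"}.get(tag))
                tags.add(tag)
            rules.append((user, host, cmnd, frozenset(tags)))
    return noexec_default, rules

def noexec_breakers(text):
    """Rules that run under noexec: the shell that Ansible's become spawns cannot exec."""
    noexec_default, rules = parse_rules(text)
    return [r for r in rules if noexec_default and "EXEC" not in r[3]]

def with_exec_tag(rule_line):
    """Rewrite one rule so its commands carry an explicit EXEC tag, overriding the default."""
    user_host, spec = (s.strip() for s in rule_line.split("=", 1))
    runas = rm.group(0) if (rm := RUNAS_RE.match(spec)) else ""
    return f"{user_host} = {runas}EXEC: {spec[len(runas):]}"

# Constructed sample: a main sudoers with "Defaults noexec" plus typical drop-in rules.
SAMPLE = """\
Defaults noexec
%wheel  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/apt-get, /usr/bin/systemctl
backup  ALL=(root) EXEC: NOPASSWD: /usr/local/bin/backup.sh
"""
```

Only the `backup` rule in the sample already carries `EXEC:`; the other two would be flagged and could be rewritten with `with_exec_tag` before being deployed to `/etc/sudoers.d/`.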
- ClamAV: `clamd` & `freshclam`, by first generating fresh configurations with clamconf
- Tiger: `tigerrc` & `tiger.ignore`
- PHP (`php.ini`) hardening
- Sets umask to `077` (see https://github.com/pyllyukko/harden.yml/wiki/umask)
- Sets `$TMOUT` (Bash)
- System accounts (UID <= `SYS_UID_MAX` && `!root`):
  - Sets the shell to `/sbin/nologin`
  - Sets `RLIMIT_NPROC` to `0` in pam_limits for those system accounts that don't need to run any processes
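The system-account lockdown above (UID <= `SYS_UID_MAX` && `!root`: shell to `/sbin/nologin`, `nproc` hard limit 0 in pam_limits), as an added example that is not the playbook's own code: it reads `login.defs` and `passwd` text and produces the shell changes and the `limits.conf` lines. The sample inputs, the allow-list of accounts that do need to run processes, and the fallback of 999 when `SYS_UID_MAX` is unset are assumptions.

```python
import re

SYS_UID_MAX_DEFAULT = 999  # assumed fallback when login.defs does not set SYS_UID_MAX
NOLOGIN = "/sbin/nologin"

def sys_uid_max(login_defs_text):
    """Read SYS_UID_MAX from login.defs text; fall back to the assumed default."""
    for line in login_defs_text.splitlines():
        m = re.match(r"^\s*SYS_UID_MAX\s+(\d+)", line)
        if m:
            return int(m.group(1))
    return SYS_UID_MAX_DEFAULT

def system_accounts(passwd_text, uid_max):
    """Accounts with 0 < UID <= uid_max (root is excluded), as (name, uid, shell)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if 0 < uid <= uid_max:
            found.append((name, uid, shell))
    return found

def lockdown_plan(passwd_text, login_defs_text, needs_processes=frozenset()):
    """Return (shell_changes, limits_lines): shells to set to nologin, limits.conf entries."""
    uid_max = sys_uid_max(login_defs_text)
    shell_changes, limits_lines = {}, []
    for name, uid, shell in system_accounts(passwd_text, uid_max):
        if shell != NOLOGIN:
            shell_changes[name] = NOLOGIN
        if name not in needs_processes:  # daemons running under their own user keep nproc
            limits_lines.append(f"{name}\thard\tnproc\t0")
    return shell_changes, limits_lines

# Constructed sample inputs (not taken from any real host)
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/sh
sshd:x:33:33:sshd:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
ntp:x:123:123:ntp:/var/lib/ntp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
LOGIN_DEFS = "UID_MIN 1000\nSYS_UID_MIN 101\nSYS_UID_MAX 999\n"
```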
- Passwords: see `ansible-playbook --list-tasks --tags passwords harden.yml` to list all password related tasks
- Accounts: see `ansible-playbook --list-tasks --tags accounts harden.yml` for details.
- Authorization: `securetty`, `/etc/ftpusers`, `at` (see `ansible-playbook --list-tasks --tags authorization` for a full list)
- PAM:
  - `/etc/security/namespace.conf`
  - `/etc/security/access.conf` for pam_access (authorization) (see access.conf.j2)
  - `/etc/security/pwquality.conf` if available
  - `/etc/pam.d/su`
  - `/etc/security/limits.conf` as follows:
    - `nproc` to 0 for system users that don't need to run any processes
  - See `ansible-playbook --list-tasks --tags pam harden.yml` to list all PAM related tasks
  - Run `ansible-playbook --check --diff --tags pam harden.yml` to see details of the changes
- `/etc/shells`
- Restarts the `sshd` service because of the required PAM configuration changes (regarding `pam_env` & enforcing `PATH`)

### Slackware specific

See `ansible-playbook --list-tasks --tags slackware harden.yml` for a full list.

- `adm` group readable (as in Debian)
- Restricts `cron` so that only users in the `wheel` group are able to create cronjobs (as described in /usr/doc/dcron-4.5/README)
- `hidepid=2`
- Makes `installpkg` store the MD5 checksums
- Process accounting (`acct`)
- Configures `inittab` to use `shutdown -a` (and `/etc/shutdown.allow`)
- Services (see `ansible-playbook --list-tasks --tags slackware harden.yml | grep '\bservices\b'` for a full list)
- cgroups (`libcgroup`) into /etc/cg{config,rules}.conf
- `bootlogd`
- `CONFIG_LEGACY_PTYS` (which KSPP recommends to disable)
- PAM:
  - `/etc/pam.d/system-auth`, which has the following changes:
    - `pam_faildelay`
    - `pam_faillock`
    - `pam_access`
    - Removes `nullok` from `pam_unix`
    - `pam_unix` `minlen` from 6 to 14
  - `/etc/pam.d/postlogin`:
    - `pam_umask`
    - `pam_cgroup`
    - `pam_keyinit`
    - `pam_namespace`
  - Adds `postlogin` to `/etc/pam.d/{login,sddm,sshd,xdm}`
  - Removes `auth include postlogin` from several files, as `postlogin` should (and has) only `session` module types
  - `/etc/pam.d/sudo`, as that seemed to be missing
  - `su` (see su.new)
  - `/etc/pam.d/remote` (see /etc/pam.d/remote)

### Debian specific

- Sets `SUITE` in debsecan
- `debsums`, and enables a weekly cron job
- `chkrootkit`, and enables daily checks
- Creates a bunch of `pam-config`s that are toggleable with `pam-auth-update`:

| PAM module | Type | Description |
|---|---|---|
| 🛞 pam_wheel[^1] | auth | Require wheel group membership (`su`) |
| 🎟️ pam_succeed_if | auth & account | Require UID >= 1000 && UID <= 60000 (or 0 & `login`) |
| pam_unix | auth | Remove `nullok` |
| pam_faildelay | auth | Delay on authentication failure |
| pam_ssh_agent_auth | auth | SSH agent authentication for `sudo`[^3] |
| 🎟️ pam_faillock | auth & account | Deter brute-force attacks |
| 🎟️ pam_access | account | Use login ACL (`/etc/security/access.conf`) |
| 🎟️ pam_time | account | `/etc/security/time.conf` |
| 🎟️ pam_lastlog | account | Lock out inactive users (no login in 90 days) |
| pam_namespace | session | Polyinstantiated temp directories |
| pam_umask | session | Set file mode creation mask |
| pam_lastlog | session | Display info about last login and update the lastlog and wtmp files[^2] |
| pam_pwhistory | password | Limit password reuse |

[^1]: Not a `pam-config`, but a modification to existing `/etc/pam.d/` files
[^2]: `krb5` or other password auths.
[^3]: `sshd` needs to have `AllowAgentForwarding yes`; `sudo` with `Defaults env_keep += "SSH_AUTH_SOCK"`
## Usage

- Edit `harden.yml` and modify `hosts`, or create a completely new playbook by making a copy of the `harden.yml` file
- Check `vars.yml` in case you want to tweak some of the settings
- `ansible-playbook --list-tasks harden.yml`
- `ansible-playbook harden.yml`

Notes:

- `allowed_group` group
- `noexec` is on by default, so you need to take this into account in your custom rules
- `root` sessions have a timeout, so use `screen` for those longer administrative tasks
- `loginuid` enabled in auditing in non-systemd systems (Slackware). See the longer description of this in the wiki.
- Review `/etc/fstab.new` manually and deploy applicable changes to `/etc/fstab`
## Tags

Tags that you can use with `ansible-playbook --tags`:

- `pki`
- `kernel`
- `rng`
- `network`
- `firewall`
- `ipv6`
- `logging`
- `permissions`
- `fstab`
- `suid` & `sgid`
- `sysstat`
- `ssh`
- `rkhunter`
- `chkrootkit`
- `aide`
- `audit` (use `--skip-tags audit` in Slackware if you don't have audit installed)
- `debsecan`
- `debsums`
- `lynis` (to only configure Lynis you can use `--tags lynis --skip-tags packages`)
- `sudo`
- `kerberos`
- `clamav` (use `--skip-tags clamav` in Slackware if you don't have clamav installed)
- `yara`
- `apparmor`
- `cron` (also includes tasks regarding `at`)
- `php`
- `apache`
- `hsts`
- `ntp`
- `lightdm`
- `gnome`
- `tiger`
- `john`
- `banners`
- `accounting` (includes `sysstat`)
- `authorization`
- `passwords`
- `accounts`
- `pam`
- `limits`
- `cgroup` (Slackware)
- `hidepid` (Slackware)
- `inittab` (Slackware)
- `shells`
- `umask`
- `timeout`

There are also operating system tags for tasks that only apply to a specific OS. You can speed up the hardening by skipping OSs that don't apply, e.g. if you're hardening a Slackware system you can use `--skip-tags debian`.

Other tags are just metadata for now. You can list all the tags with `ansible-playbook --list-tags harden.yml`.
## Other playbooks

- `lock_account.yml`: playbook that you can use to lock user accounts. Just modify the `hosts` & `user`.

## Notes

- With `sudo_ids` in `vars.yml`, it enables "Sudo Intrusion Detection" as seen in chapter 9 of Sudo Mastery
- `SHELLS` `Cmnd_Alias` for now

## Tests

- `make pamcheck` to see how the hardening modifies your PAM configurations in Slackware
- `make /etc/ssh/moduli.new`
- See the tests README

## References

Some of these documents are quite old, but most of the stuff still applies.