Semi-automated bash scripts that provide security hardening for Linux, Debian based, 2024, attempts DISA STIG and CIS Compliance
OTHER License
This project consists of two scripts designed to enhance the security of Ubuntu based distros and other Debian-based Linux systems. The main script implements a variety of security measures and best practices to harden your system against common threats, while the GRUB configuration script specifically focuses on securing the boot process. This latest version adheres more closely to DISA STIG and CIS Compliance standards.
The goal is to provide a tool that balances robust security measures with accessibility for average users. While the scripts implement many professional-grade security standards, I've aimed to make the process as user-friendly as possible for desktop machines. Check the Frequently Asked Questions (FAQ) if you are having issues.
improved_harden_linux.sh
(v2.0): The main security hardening scriptupdate_grub_config.sh
(v2.0): A script to update GRUB configuration with additional security parametersBoth scripts now include options for:
wget https://raw.githubusercontent.com/captainzero93/ubuntu-security-script/main/improved_harden_linux.sh
chmod +x improved_harden_linux.sh
sudo ./improved_harden_linux.sh
wget https://raw.githubusercontent.com/captainzero93/ubuntu-security-script/main/update_grub_config.sh
chmod +x update_grub_config.sh
sudo ./update_grub_config.sh
Both scripts support the following command-line options:
-h, --help
: Display help message--version
: Display script version--dry-run
: Perform a dry run without making changesThe main script also supports:
-v, --verbose
: Enable verbose output--restore
: Restore system from the most recent backup/root/security_backup_[timestamp]
, and the GRUB script backs up to /etc/default/grub.bak.[timestamp]
.You may want to review and customize the scripts before running them, particularly:
setup_firewall
function of the main scriptsetup_audit
function of the main scriptsetup_apparmor
function of the main scriptconfigure_sysctl
function of the main scriptadditional_security
function of the main scriptPARAMS
array of the update_grub_config.sh
scriptThese scripts aim to align with DISA STIG and CIS Compliance standards. While not exhaustive, they implement many best practices from these standards. Users are encouraged to review these standards and further customize the scripts to meet specific compliance needs.
/root/security_backup_[timestamp]
/etc/default/grub.bak.[timestamp]
sudo ./improved_harden_linux.sh --restore
/var/log/security_hardening.log
/var/log/grub_config_update.log
It is crucial to test these scripts in a non-production environment before applying them to critical systems. Consider using a virtual machine or a test system that mirrors your production environment.
If you encounter issues after running the scripts:
Contributions to improve the scripts are welcome. Please submit pull requests or open issues on the GitHub repository. We especially encourage contributions that:
I welcome feedback and bug reports. Please open an issue GitHub Issues page for any problems, questions, or suggestions.
These scripts are provided as-is, without any warranty. The authors are not responsible for any damage or data loss that may occur from using these scripts. Use at your own risk and always back up your system before making significant changes.
This project is available under a dual license:
Non-Commercial Use: For non-commercial purposes, this project is licensed under the Creative Commons Attribution-NonCommercial 4.0 International License (CC BY-NC 4.0). This allows for sharing and adaptation of the code for non-commercial purposes, with appropriate attribution.
Commercial Use: Any commercial use, including but not limited to selling the code, using it in commercial products or services, or any revenue-generating activities, requires a separate commercial license. You must contact the project owner to discuss terms before deployment.
Please see the LICENSE file for full details on both licenses.
A1: For the main script, check the log file at /var/log/security_hardening.log
. For the GRUB script, check the log at /var/log/grub_config_update.log
. These logs will contain details of all actions taken by the scripts.
A2: The main script creates backups in /root/security_backup_[timestamp]
, and the GRUB script creates a backup at /etc/default/grub.bak.[timestamp]
. You can manually restore these files, but be cautious as it may revert security improvements. For the main script, you can also use the --restore option:
sudo ./improved_harden_linux.sh --restore
A3: While the scripts are designed to be as safe as possible, it's always recommended to test them on a non-production system first. They make significant changes to your system configuration. Use the --dry-run option to preview changes before applying them.
A4: You can check the UFW status using the command:
sudo ufw status verbose
A5: You can add or remove rules using the ufw
command. For example:
sudo ufw allow 8080/tcp
sudo ufw reload
A6: You can check the IPv6 status using:
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
If it returns 1, IPv6 is disabled.
A7: The audit logs are typically located in /var/log/audit/audit.log
. You can view them using:
sudo ausearch -ts today -i
A8: You can list all active audit rules using:
sudo auditctl -l
A9: By default, AIDE doesn't run automatic checks. You need to run it manually or set up a cron job:
sudo aide --check
A10: You can see the status of AppArmor profiles using:
sudo aa-status
A11: You can set a profile to complain mode instead of enforce mode:
sudo aa-complain /path/to/binary
A12: You can view the current password policy settings in /etc/login.defs
. For specific user info:
sudo chage -l username
A13: You can modify /etc/login.defs
for global settings, or use the chage
command for individual users. For example:
sudo chage -M 60 -W 7 username
This command modifies the password policy for a specific user:
You can adjust these values based on your security requirements. For a stricter policy, you might use shorter periods, while for a more lenient policy, you could use longer periods.
A14: Check the status of the unattended-upgrades service:
systemctl status unattended-upgrades
A15: Edit the configuration file at /etc/apt/apt.conf.d/50unattended-upgrades
.
A16: After running the update_grub_config.sh script, check the GRUB configuration file:
cat /etc/default/grub
Look for the added security parameters in the GRUB_CMDLINE_LINUX_DEFAULT line.
A17: The new parameters enhance kernel security. For example:
A18: Generally, no, here's why;
A18: Check the service status, review logs, and if it's AppArmor-related, you might need to adjust the AppArmor profile. You can also try to restore the specific configuration file from the backup created by the script.
A19: Use the backup files created by the scripts to restore specific configurations. Always understand the implications before reverting changes. For example, to restore the original GRUB configuration:
sudo cp /etc/default/grub.bak.[timestamp] /etc/default/grub
sudo update-grub
A20: This could be due to increased logging, stricter firewall rules, or security measures. Review and adjust settings as needed. Common areas to check include:
Security is an ongoing process. Regularly review your system's security settings, keep your system updated, and stay informed about new security practices and vulnerabilities.
If you use these concepts or code in your research or projects, please cite it as follows:
[Joe Faulkner] (captainzero93). (2024). https://github.com/captainzero93/security_harden_linux