-
Notifications
You must be signed in to change notification settings - Fork 4
/
vm-hardening.sh
104 lines (90 loc) · 5.93 KB
/
vm-hardening.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
#!/bin/bash
permissions() {
if [[ "$EUID" -ne 0 ]] ; then
echo 'run script with SUDO permissions'
exit 1
fi
}
apt_upgrade() {
echo "running apt update"
apt update -y && echo "apt update completed" || { echo "apt update failed"; exit 1; }
apt upgrade -y && echo "apt upgrade completed" || { echo "apt upgrade failed"; exit 1; }
}
install_sysstat() {
echo "installing sysstat"
apt install -y sysstat && echo "sysstat install completed" || { echo "sysstat install failed"; exit 1; }
sed -i 's/ENABLED="false"/ENABLED="true"/g' /etc/default/sysstat && echo "updated sysstat conf" || { echo "sysstat conf update failed"; exit 1; }
sed -i 's/5-55\/10/*\/1/g' /etc/cron.d/sysstat && echo "updated sysstat cron" || { echo "sysstat cron update failed"; exit 1; }
}
set_security_limits() {
echo "setting security limits"
echo "* soft nproc 100000" >> /etc/security/limits.conf && echo "* soft nproc set" || { echo "* soft nproc set failed"; exit 1; }
echo "* hard nproc 100000" >> /etc/security/limits.conf && echo "* hard nproc set" || { echo "* hard nproc set failed"; exit 1; }
echo "* soft nofile 100000" >> /etc/security/limits.conf && echo "* soft nofile set" || { echo "* soft nofile set failed"; exit 1; }
echo "* hard nofile 100000" >> /etc/security/limits.conf && echo "* hard nofile set" || { echo "* hard nofile set failed"; exit 1; }
echo "root soft nproc 100000" >> /etc/security/limits.conf && echo "root soft nproc set" || { echo "root soft nproc set failed"; exit 1; }
echo "root hard nproc 100000" >> /etc/security/limits.conf && echo "root hard nproc set" || { echo "root hard nproc set failed"; exit 1; }
echo "root soft nofile 100000" >> /etc/security/limits.conf && echo "root soft nofile set" || { echo "root soft nofile set failed"; exit 1; }
echo "root hard nofile 100000" >> /etc/security/limits.conf && echo "root hard nofile set" || { echo "root hard nofile set failed"; exit 1; }
}
set_systemd_user() {
echo "setting systemd user conf"
echo "DefaultLimitNOFILE=100000" >> /etc/systemd/user.conf && echo "systemd user set" || { echo "systemd user set failed"; exit 1; }
}
set_systemd_system() {
echo "setting systemd system conf"
echo "DefaultLimitNOFILE=100000" >> /etc/systemd/system.conf && echo "systemd system set" || { echo "systemd system set failed"; exit 1; }
}
set_sysctl_conf() {
echo "setting sysctl conf"
echo "fs.file-max = 65536" >> /etc/sysctl.conf && echo "sysctl file-max set" || { echo "sysctl file-max set failed"; exit 1; }
echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf && echo "sysctl overcommit_memory set" || { echo "sysctl overcommit_memory set failed"; exit 1; }
echo "net.ipv4.tcp_max_syn_backlog = 4096" >> /etc/sysctl.conf && echo "sysctl tcp_max_syn_backlog set" || { echo "sysctl tcp_max_syn_backlog set failed"; exit 1; }
echo "net.ipv4.tcp_fin_timeout = 30" >> /etc/sysctl.conf && echo "sysctl tcp_fin_timeout set" || { echo "sysctl tcp_fin_timeout set failed"; exit 1; }
echo "net.ipv4.tcp_tw_recycle = 1" >> /etc/sysctl.conf && echo "sysctl tcp_tw_recycle set" || { echo "sysctl tcp_tw_recycle set failed"; exit 1; }
echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.conf && echo "sysctl all disable_ipv6 set" || { echo "sysctl all disable_ipv6 set failed"; exit 1; }
echo "net.ipv6.conf.default.disable_ipv6=1" >> /etc/sysctl.conf && echo "sysctl default disable_ipv6 set" || { echo "sysctl default disable_ipv6 set failed"; exit 1; }
echo "net.ipv6.conf.lo.disable_ipv6=1" >> /etc/sysctl.conf && echo "sysctl lo disable_ipv6 set" || { echo "sysctl lo disable_ipv6 set failed"; exit 1; }
echo "vm.swappiness = 10" >> /etc/sysctl.conf && echo "sysctl swappiness set" || { echo "sysctl swappiness set failed"; exit 1; }
}
install_ntp() {
echo "installing ntp"
apt update -y && echo "apt update completed" || { echo "apt update failed"; exit 1; }
apt install ntp -y && echo "ntp install completed" || { echo "ntp install failed"; exit 1; }
service ntp stop && echo "ntp service stopped successfully" || { echo "ntp service stop failed"; exit 1; }
ntpd -gq && echo "ntp check passed successfully" || { echo "ntp check failed, set nameserver in /etc/resolv.conf"; exit 1; }
service ntp start && echo "ntp service started successfully" || { echo "ntp service start failed"; exit 1; }
}
set_profile() {
echo "setting profile"
echo 'export HISTTIMEFORMAT="%F %T "' >> /etc/profile && echo "added entry in profile" || { echo "entry on profile failed"; exit 1; }
source /etc/profile && echo "profile source done" || { echo "profile source failed"; exit 1; }
}
set_bashrc() {
echo "setting bashrc"
echo "PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.info -t "$USER[$$] $SSH_CONNECTION")'" >> /etc/bash.bashrc && echo "added entry in bashrc" || { echo "entry on bashrc failed"; exit 1; }
source /etc/bash.bashrc && echo "bashrc source done" || { echo "bashrc source failed"; exit 1; }
}
set_rsyslog() {
echo "setting rsyslog"
echo "local6.info /var/log/history.log" >> /etc/rsyslog.d/50-default.conf && echo "added entry in rsyslog" || { echo "entry on rsyslog failed"; exit 1; }
touch /var/log/history.log && echo "added history log file" || { echo "failed to add history log file"; exit 1; }
chmod -R 777 /var/log/history.log && echo "permissions added to log file" || { echo "failed to add permissions to log file"; exit 1; }
chown -R syslog:adm /var/log/history.log && echo "ownership set to log file" || { echo "setting ownership of log file failed"; exit 1; }
/etc/init.d/rsyslog restart && echo "rsyslog service restarted successfully" || { echo "rsyslog service restart failed"; exit 1; }
}
run_script() {
permissions
apt_upgrade
install_sysstat
set_security_limits
set_systemd_user
set_systemd_system
set_sysctl_conf
install_ntp
set_profile
set_bashrc
set_rsyslog
exit
}
run_script