Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

2026-01-17T06:30:10Z

Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

← Older revision		Revision as of 06:30, 17 January 2026
Line 1:		Line 1:
	[[Category:Wiki]]		[[Category:Wiki]]

			'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''


	== Scope and Assumptions ==		== Scope and Assumptions ==

Admin: Created page with "Category:Wiki == Scope and Assumptions == This documentation describes a post-installation hardening script targeting Debian GNU/Linux (stable or LTS). The script is assumed to be executed with root privileges in a controlled environment and adapted to the system’s role (server, VM, workstation, appliance). Assumptions: * System is freshly installed or recently provisioned * Administrator has console or out-of-band access * System role is clearly defined before a..."

2025-12-20T16:44:46Z

Created page with "Category:Wiki == Scope and Assumptions == This documentation describes a post-installation hardening script targeting Debian GNU/Linux (stable or LTS). The script is assumed to be executed with root privileges in a controlled environment and adapted to the system’s role (server, VM, workstation, appliance). Assumptions: * System is freshly installed or recently provisioned * Administrator has console or out-of-band access * System role is clearly defined before a..."

New page

[[Category:Wiki]]

== Scope and Assumptions ==
This documentation describes a post-installation hardening script targeting Debian GNU/Linux (stable or LTS).
The script is assumed to be executed with root privileges in a controlled environment and adapted to the system’s role (server, VM, workstation, appliance).

Assumptions:
* System is freshly installed or recently provisioned
* Administrator has console or out-of-band access
* System role is clearly defined before applying hardening
* No automated configuration management is yet enforcing security state

== Security Concepts and Threat Model ==
The hardening script is designed around the following security concepts:

* '''Principle of Least Privilege''' – services, users, and processes only receive strictly required permissions
* '''Defense in Depth''' – multiple independent layers (kernel, filesystem, network, services)
* '''Secure by Default''' – deny-all baseline, explicit allow rules
* '''Attack Surface Reduction''' – disable unused services, protocols, and kernel features
* '''Auditability''' – security-relevant events are logged and traceable
* '''Fail-Safe Defaults''' – misconfiguration leads to denial rather than silent allowance

Threats addressed:
* Remote service exploitation
* Credential brute-force and lateral movement
* Local privilege escalation
* Persistence via scheduled tasks or startup units
* Data exfiltration and log tampering

== Script Architecture and Execution Model ==
The hardening script should be modular and idempotent.

Recommended structure:
* 00-env-check.sh
* 10-packages.sh
* 20-kernel.sh
* 30-auth.sh
* 40-network.sh
* 50-services.sh
* 60-filesystem.sh
* 70-audit.sh
* 80-maintenance.sh

Example execution guard:
<nowiki>
if [ "$(id -u)" -ne 0 ]; then
echo "Must be run as root"
exit 1
fi</nowiki>

Idempotency is achieved by:
* Using declarative configuration files
* Avoiding destructive inline edits
* Checking state before applying changes

== Package Management Hardening ==
Remove unnecessary packages and enforce secure package handling.

Example:
<nowiki>
apt purge telnet rsh-client rsh-server talk talkd xinetd -y
apt install --no-install-recommends \
sudo ufw fail2ban auditd apparmor apparmor-utils -y</nowiki>

Disable automatic installation of suggested packages:
<nowiki>
echo 'APT::Install-Suggests "false";' > /etc/apt/apt.conf.d/99nosuggests</nowiki>

== User Accounts and Authentication ==
Ensure proper password policies and account controls.

Password aging and complexity:
<nowiki>
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 7/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 14/' /etc/login.defs</nowiki>

Lock system accounts:
<nowiki>
for u in sync shutdown halt games; do
usermod -L "$u"
done</nowiki>

Restrict su access:
<nowiki>
dpkg-statoverride --update --add root sudo 4750 /bin/su</nowiki>

== SSH Daemon Hardening ==
Harden remote access while preventing lockout.

Configuration changes in /etc/ssh/sshd_config:
<nowiki>
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 20
AllowGroups sshusers</nowiki>

Validate before restart:
<nowiki>
sshd -t && systemctl reload ssh</nowiki>

== Network Stack and Firewall ==
Apply a default-deny firewall policy.

UFW example:
<nowiki>
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw enable</nowiki>

Kernel network hardening:
<nowiki>
cat <<EOF > /etc/sysctl.d/99-hardening.conf
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
EOF
sysctl --system</nowiki>

== Kernel and Memory Protections ==
Enable exploit mitigation features.

Example:
<nowiki>
echo "kernel.kptr_restrict=2" >> /etc/sysctl.d/99-hardening.conf
echo "kernel.dmesg_restrict=1" >> /etc/sysctl.d/99-hardening.conf
echo "fs.protected_symlinks=1" >> /etc/sysctl.d/99-hardening.conf
echo "fs.protected_hardlinks=1" >> /etc/sysctl.d/99-hardening.conf</nowiki>

== Filesystem and Mount Options ==
Harden mount points against code execution and abuse.

Example /etc/fstab entries:
<nowiki>
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs defaults,noexec,nosuid,nodev 0 0</nowiki>

Apply immediately:
<nowiki>
mount -o remount /tmp</nowiki>

== Mandatory Access Control (AppArmor) ==
Enforce confinement for critical services.

Enable and enforce:
<nowiki>
systemctl enable apparmor
systemctl start apparmor
aa-enforce /etc/apparmor.d/*</nowiki>

Check status:
<nowiki>
aa-status</nowiki>

== Auditing and Logging ==
Ensure security-relevant events are recorded.

Audit rules example:
<nowiki>
cat <<EOF > /etc/audit/rules.d/hardening.rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /var/log/auth.log -p wa -k authlog
EOF
augenrules --load</nowiki>

Prevent log tampering:
<nowiki>
chattr +a /var/log/auth.log</nowiki>

== Scheduled Tasks and Persistence Controls ==
Review and restrict scheduled execution.

Example:
<nowiki>
chmod 700 /etc/cron.*
ls -l /etc/cron.d</nowiki>

Disable atd if unused:
<nowiki>
systemctl disable --now atd</nowiki>

== Automatic Security Updates ==
Ensure timely patching.

Enable unattended-upgrades:
<nowiki>
apt install unattended-upgrades -y
dpkg-reconfigure unattended-upgrades</nowiki>

Verification:
<nowiki>
unattended-upgrade --dry-run</nowiki>

== Troubleshooting ==
Common issues and recovery guidance.

* '''Lost SSH access'''
** Verify sshd configuration syntax with <nowiki>sshd -t</nowiki>
** Use local console or recovery mode
** Temporarily allow password authentication

* '''Firewall blocking services'''
** Check active rules: <nowiki>ufw status verbose</nowiki>
** Disable temporarily: <nowiki>ufw disable</nowiki>

* '''AppArmor breaking services'''
** Identify denied actions in <nowiki>/var/log/syslog</nowiki>
** Switch profile to complain mode:
<nowiki>
aa-complain /etc/apparmor.d/profile-name</nowiki>

* '''System boot issues after sysctl changes'''
** Boot with single-user mode
** Remove problematic file from <nowiki>/etc/sysctl.d/</nowiki>

== Useful Links ==
* Debian Security Documentation
https://www.debian.org/security/

* Debian Hardening Guide
https://www.debian.org/doc/manuals/securing-debian-manual/

* CIS Debian Linux Benchmark
https://www.cisecurity.org/

* AppArmor Documentation
https://gitlab.com/apparmor/apparmor/-/wikis/home

* Linux Audit Framework
https://linux-audit.com/

* NIST Security Guidelines
https://csrc.nist.gov/

DEBIAN - Hardening - Revision history

Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "