Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

2026-01-17T08:52:34Z

Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

← Older revision		Revision as of 08:52, 17 January 2026
Line 1:		Line 1:
	[[Category:Wiki]]		[[Category:Wiki]]

			'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''


	== Scope and Threat Model ==		== Scope and Threat Model ==

Admin: Created page with "Category:Wiki == Scope and Threat Model == This hardening post-install script is designed to reduce the attack surface of a freshly installed Ubuntu system (server or workstation) by enforcing secure defaults, disabling unnecessary components, and applying defense-in-depth controls. The threat model assumes: * Remote network-based attacks * Local privilege escalation attempts * Misconfiguration exploitation * Persistence via services, cron jobs, or kernel paramete..."

2025-12-20T16:47:57Z

Created page with "Category:Wiki == Scope and Threat Model == This hardening post-install script is designed to reduce the attack surface of a freshly installed Ubuntu system (server or workstation) by enforcing secure defaults, disabling unnecessary components, and applying defense-in-depth controls. The threat model assumes: * Remote network-based attacks * Local privilege escalation attempts * Misconfiguration exploitation * Persistence via services, cron jobs, or kernel paramete..."

New page

[[Category:Wiki]]

== Scope and Threat Model ==

This hardening post-install script is designed to reduce the attack surface of a freshly installed Ubuntu system (server or workstation) by enforcing secure defaults, disabling unnecessary components, and applying defense-in-depth controls.

The threat model assumes:
* Remote network-based attacks
* Local privilege escalation attempts
* Misconfiguration exploitation
* Persistence via services, cron jobs, or kernel parameters
* Credential brute-force and reuse attacks

== Security Principles Applied ==

=== Least Privilege ===
Users, services, and applications are granted only the minimal permissions required.

=== Defense in Depth ===
Multiple layers of security controls are applied (firewall, kernel hardening, MAC, auditing).

=== Secure by Default ===
Insecure defaults are replaced with hardened configurations immediately after installation.

=== Auditable and Reversible ===
All changes are logged and configuration backups are created before modification.

== Script Architecture ==

The hardening script is modular and idempotent.

Recommended structure:
* 00-preflight.sh
* 10-system-updates.sh
* 20-user-and-auth.sh
* 30-ssh-hardening.sh
* 40-firewall.sh
* 50-kernel-hardening.sh
* 60-filesystem.sh
* 70-auditing.sh
* 80-mandatory-access-control.sh
* 90-services-cleanup.sh

Each module:
* Verifies prerequisites
* Applies configuration
* Validates results
* Logs changes

Example dispatcher:
<nowiki>
for module in modules/*.sh; do
bash "$module"
done</nowiki>

== System Update and Package Hardening ==

=== Automatic Security Updates ===

Enable unattended upgrades for security patches:
<nowiki>
apt install -y unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades</nowiki>

Security concept: *Vulnerability window reduction*

=== Package Minimization ===

Remove unnecessary packages:
<nowiki>
apt purge -y telnet ftp rsh-server xinetd</nowiki>

Disable unused package managers:
<nowiki>
chmod -x /usr/bin/snap</nowiki>

== User Accounts and Authentication ==

=== Password Policy ===

Configure PAM password quality:
<nowiki>
apt install -y libpam-pwquality</nowiki>

Example `/etc/security/pwquality.conf` settings:
* minlen = 14
* retry = 3
* enforce_for_root

=== Account Lockout ===

Mitigate brute-force attacks:
<nowiki>
pam_tally2 --user testuser</nowiki>

Security concept: *Credential attack mitigation*

=== Disable Root Login ===

<nowiki>
passwd -l root</nowiki>

== SSH Hardening ==

=== Secure SSH Configuration ===

Example hardened settings in `/etc/ssh/sshd_config`:
<nowiki>
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 0</nowiki>

Restart service:
<nowiki>
systemctl restart ssh</nowiki>

Security concepts:
* Attack surface reduction
* Strong authentication enforcement

== Firewall and Network Hardening ==

=== UFW Configuration ===

Default deny policy:
<nowiki>
ufw default deny incoming
ufw default allow outgoing</nowiki>

Allow required services only:
<nowiki>
ufw allow 22/tcp
ufw enable</nowiki>

=== Kernel Network Parameters ===

Example sysctl hardening:
<nowiki>
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1</nowiki>

Apply:
<nowiki>
sysctl -p</nowiki>

Security concept: *Network-level attack mitigation*

== Kernel and Memory Hardening ==

=== Address Space Layout Randomization ===

Verify ASLR:
<nowiki>
cat /proc/sys/kernel/randomize_va_space</nowiki>

Expected value: `2`

=== Restrict Kernel Information ===

<nowiki>
kernel.kptr_restrict=2
kernel.dmesg_restrict=1</nowiki>

Security concept: *Information leakage prevention*

== Filesystem and Mount Options ==

=== Secure Mount Flags ===

Example `/etc/fstab` entries:
* noexec
* nodev
* nosuid

<nowiki>
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0</nowiki>

=== File Permission Auditing ===

<nowiki>
find / -xdev -type f -perm -4000</nowiki>

Security concept: *Privilege escalation prevention*

== Auditing and Logging ==

=== Auditd Configuration ===

Install and enable:
<nowiki>
apt install -y auditd audispd-plugins
systemctl enable auditd</nowiki>

Example rule:
<nowiki>
-w /etc/passwd -p wa -k identity</nowiki>

=== Log Retention and Protection ===

<nowiki>
chmod 600 /var/log/auth.log</nowiki>

Security concept: *Forensic readiness*

== Mandatory Access Control (AppArmor) ==

=== Enforcing Mode ===

<nowiki>
aa-status</nowiki>

Enable profiles:
<nowiki>
aa-enforce /etc/apparmor.d/*</nowiki>

Security concept: *Application-level isolation*

== Service Hardening and Cleanup ==

=== Disable Unused Services ===

<nowiki>
systemctl disable avahi-daemon
systemctl disable cups</nowiki>

List listening services:
<nowiki>
ss -tulpen</nowiki>

Security concept: *Service exposure reduction*

== Example Execution Output ==

<nowiki>
[OK] Firewall enabled
[OK] SSH hardened
[WARN] AppArmor profile missing for custom app
[OK] Audit rules loaded</nowiki>

== Troubleshooting ==

=== SSH Lockout ===

**Symptom:** Cannot connect via SSH
**Resolution:**
* Use console access
* Re-enable password authentication temporarily:
<nowiki>
PasswordAuthentication yes</nowiki>

=== Firewall Blocking Services ===

**Symptom:** Service unreachable
**Resolution:**
<nowiki>
ufw status verbose
ufw allow <port>/<protocol></nowiki>

=== System Boot Issues After Sysctl Changes ===

**Symptom:** Boot hangs or networking fails
**Resolution:**
* Boot into recovery mode
* Comment problematic entries in `/etc/sysctl.conf`

=== Auditd Performance Impact ===

**Symptom:** High I/O usage
**Resolution:**
* Reduce audit rule verbosity
* Exclude high-frequency paths

== Useful Links ==

* https://ubuntu.com/security
* https://wiki.ubuntu.com/Security
* https://www.cisecurity.org/cis-benchmarks
* https://manpages.ubuntu.com
* https://owasp.org
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening
* https://linux-audit.com

UBUNTU - Hardening - Revision history

Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "