From 4e108abbbdb8fadffd8ac5268007a27e5425f5db Mon Sep 17 00:00:00 2001
From: FollieHiyuki
Date: Sun, 13 Jun 2021 07:37:06 +0300
Subject: [PATCH] system: add configurations

---
 README.md | 8 +-
 home/.bashrc | 3 +
 home/.bashrc-bloated | 3 +
 home/.config/amfora/config.toml | 4 +-
 home/.config/fish/conf.d/umask.fish | 1 +
 home/.config/zsh/.zshrc | 1 +
 home/.local/bin/currency | 3 -
 system/etc/cron.weekly/btrfs-scrub | 12 ++
 system/etc/cron.weekly/fstrim | 3 +
 system/etc/default/grub | 28 +++
 system/etc/dracut.conf.d/flags.conf | 3 +
 system/etc/modprobe.d/blacklist.conf | 4 +
 system/etc/nftables.conf | 81 +++++++
 system/etc/sysctl.d/50-coredump.conf | 1 +
 system/etc/sysctl.d/harden.conf | 264 +++++++++++++++++++++++
 system/etc/udev/rules.d/51-android.rules | 1 +
 16 files changed, 408 insertions(+), 12 deletions(-)
 create mode 100644 home/.config/fish/conf.d/umask.fish
 delete mode 100755 home/.local/bin/currency
 create mode 100755 system/etc/cron.weekly/btrfs-scrub
 create mode 100755 system/etc/cron.weekly/fstrim
 create mode 100644 system/etc/default/grub
 create mode 100644 system/etc/dracut.conf.d/flags.conf
 create mode 100644 system/etc/modprobe.d/blacklist.conf
 create mode 100644 system/etc/nftables.conf
 create mode 100644 system/etc/sysctl.d/50-coredump.conf
 create mode 100644 system/etc/sysctl.d/harden.conf
 create mode 100644 system/etc/udev/rules.d/51-android.rules

diff --git a/README.md b/README.md
index 96d9b25..7028d8a 100644
--- a/README.md
+++ b/README.md
@@ -37,19 +37,13 @@ ### :star2: Credits - [@ChristianChiarulli](https://github.com/ChristianChiarulli)'s Neovim config - - [@hlissner](https://github.com/hlissner)'s zsh config - - [@daviwil](https://github.com/daviwil)'s Emacs streams - - [@tecosaur](https://tecosaur.github.io/emacs-config/config.html)'s Emacs configuration - - [@begs](https://git.sr.ht/~begs/dotfiles)'s Waybar config - - [@nathanielevan](https://github.com/nathanielevan/dotfiles)'s weechat config - - [some fzf scripts](https://github.com/DanielFGray/fzf-scripts) - +- [sysctl.conf template](https://github.com/k4yt3x/sysctl). And also check out [this article](https://madaidans-insecurities.github.io/guides/linux-hardening.html) - Artists for **kawaii** wallpapers: [@rimuu](https://rimuu.com/), [@hiten](https://www.pixiv.net/users/490219/artworks), [@Tiv](https://www.pixiv.net/en/users/35081), [@mery](https://www.pixiv.net/en/users/2750098), [@Mashima_saki](https://www.pixiv.net/en/users/18403608), [@Yuuki_Tatsuya](https://www.pixiv.net/en/users/27691), [@Bison倉鼠](https://www.pixiv.net/en/users/333556/artworks), [@Dana](https://twitter.com/hapong07), [@gomzi](https://twitter.com/gcmzi), [@Rella](https://twitter.com/Rellakinoko), [@dnwls3010](https://twitter.com/dnwls3010), [@Shigure_Ui](https://www.pixiv.net/en/users/431873), [@QuAn_](https://www.pixiv.net/en/users/6657532/artworks), [@杉87](https://twitter.com/k_su_keke1121), [@fuzichoco](https://twitter.com/fuzichoco), [@Astero](https://twitter.com/asteroid_ill), [@shin556](https://www.pixiv.net/en/users/642762), [@kaynimatic](https://twitter.com/kaynimatic) ### :label: License diff --git a/home/.bashrc b/home/.bashrc index cd90906..1d2246c 100644 --- a/home/.bashrc +++ b/home/.bashrc @@ -14,6 +14,9 @@ export HISTFILE="$BASH_COMPLETION_USER_DIR/bash_history" # vi mode set -o vi +# Better default modes +umask 0027 + # ignore upper and lowercase when TAB completion bind "set completion-ignore-case on" 
diff --git a/home/.bashrc-bloated b/home/.bashrc-bloated index 08446e7..1f7d28e 100644 --- a/home/.bashrc-bloated +++ b/home/.bashrc-bloated @@ -649,6 +649,9 @@ bind 'set vi-ins-mode-string "\e[01;32mI "' # ignore upper and lowercase when TAB completion bind "set completion-ignore-case on" +# Better default modes +umask 0027 + # Shell options shopt -s autocd shopt -s cdspell diff --git a/home/.config/amfora/config.toml b/home/.config/amfora/config.toml index 008bd90..7f1c0b5 100644 --- a/home/.config/amfora/config.toml +++ b/home/.config/amfora/config.toml @@ -314,7 +314,7 @@ bottombar_bg = "#3b4252" hdg_1 = "#5e81ac" hdg_2 = "#81a1c1" -hdg_3 = "#8fbcbb" +hdg_3 = "#ebcb8b" amfora_link = "#88c0d0" foreign_link = "#b48ead" link_number = "#a3be8c" @@ -367,7 +367,7 @@ bkmk_modal_field_text = "#eceff4" # bottombar_label = "#282c34" # hdg_1 = "#e06c75" -# hdg_2 = "#c678dd" +# hdg_2 = "#d19a66" # hdg_3 = "#c678dd" # amfora_link = "#61afef" # foreign_link = "#56b6c2" diff --git a/home/.config/fish/conf.d/umask.fish b/home/.config/fish/conf.d/umask.fish new file mode 100644 index 0000000..7124adf --- /dev/null +++ b/home/.config/fish/conf.d/umask.fish @@ -0,0 +1 @@ +umask 0027 diff --git a/home/.config/zsh/.zshrc b/home/.config/zsh/.zshrc index 6cfb043..ec99af6 100644 --- a/home/.config/zsh/.zshrc +++ b/home/.config/zsh/.zshrc @@ -158,3 +158,4 @@ zinit light olets/zsh-abbr source $ZDOTDIR/plugins.zsh $HOME/.local/bin/bunny +umask 0027 diff --git a/home/.local/bin/currency b/home/.local/bin/currency deleted file mode 100755 index eb379d1..0000000 --- a/home/.local/bin/currency +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -curl -s "https://api.exchangeratesapi.io/latest?base=$1" | jq . diff --git a/system/etc/cron.weekly/btrfs-scrub b/system/etc/cron.weekly/btrfs-scrub new file mode 100755 index 0000000..d9fadd1 --- /dev/null +++ b/system/etc/cron.weekly/btrfs-scrub 
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Repeate with btrfs-balance if using RAID
+
+btrfs scrub start /
+
+# Scrub 1 disk at a time
+while btrfs scrub status / | grep running; do
+    sleep 20
+done
+
+btrfs scrub start /media
diff --git a/system/etc/cron.weekly/fstrim b/system/etc/cron.weekly/fstrim
new file mode 100755
index 0000000..cef8892
--- /dev/null
+++ b/system/etc/cron.weekly/fstrim
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+fstrim /
diff --git a/system/etc/default/grub b/system/etc/default/grub
new file mode 100644
index 0000000..0c15550
--- /dev/null
+++ b/system/etc/default/grub
@@ -0,0 +1,28 @@
+#
+# Configuration file for GRUB.
+#
+GRUB_DEFAULT=0
+#GRUB_HIDDEN_TIMEOUT=0
+#GRUB_HIDDEN_TIMEOUT_QUIET=false
+GRUB_TIMEOUT=10
+GRUB_DISTRIBUTOR="Void"
+GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 init_on_free=1 page_alloc.shuffle=1 apparmor=1 security=apparmor"
+# Uncomment to use basic console
+#GRUB_TERMINAL_INPUT="console"
+# Uncomment to disable graphical terminal
+#GRUB_TERMINAL_OUTPUT=console
+GRUB_BACKGROUND=/usr/share/grub/background.png
+GRUB_GFXMODE=1920x1080x32,1280x720x32,auto
+GRUB_GFXPAYLOAD_LINUX=keep
+GRUB_FONT=/boot/grub/fonts/hack.pf2
+#GRUB_DISABLE_LINUX_UUID=true
+#GRUB_DISABLE_RECOVERY=true
+# Uncomment and set to the desired menu colors. Used by normal and wallpaper
+# modes only. Entries specified as foreground/background.
+GRUB_COLOR_NORMAL="white/black"
+GRUB_COLOR_HIGHLIGHT="black/white"
+#GRUB_DISABLE_OS_PROBER=true
+GRUB_ENABLE_CRYPTODISK=y
+
+# To generate new font:
+# grub-mkfont -s 24 -o /boot/grub/fonts/hack.pf2 ~/Hack-Regular.ttf
diff --git a/system/etc/dracut.conf.d/flags.conf b/system/etc/dracut.conf.d/flags.conf
new file mode 100644
index 0000000..745eeb0
--- /dev/null
+++ b/system/etc/dracut.conf.d/flags.conf
@@ -0,0 +1,3 @@
+hostonly=yes
+compress=zstd
+install_items+=" /etc/cryptsetup-keys.d/root-crypt.key /etc/crypttab "
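Review bot: The wait loop `while btrfs scrub status / | grep running; do` calls grep without `-q`, so every 20 seconds the matching status line is written to stdout and lands in the cron mail, and both `btrfs scrub start` calls are unchecked, so a scrub that fails to start (for example because one is already running or `/media` is not mounted) is silently skipped. Since `btrfs scrub start` backgrounds by default, the polling loop can be removed by making the command block: `btrfs scrub start -B / || exit 1` followed by `btrfs scrub start -B /media`. The header comment also misspells its first word (`# Repeate with btrfs-balance if using RAID`).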
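Review bot: `fstrim /` is a silent no-op when the root filesystem sits on a dm-crypt device that does not pass discards through, which appears to be the layout here given `GRUB_ENABLE_CRYPTODISK=y` and the `root-crypt.key` entry in the dracut hunk; in that case fstrim reports that the discard operation is not supported and the weekly job trims nothing. If trimming through LUKS is wanted, the mapping needs the discard option in `/etc/crypttab` (or the equivalent initramfs option), and the script should say so in a comment, e.g. `# requires discards to be allowed on the LUKS mapping, see crypttab`. Consider `fstrim -a` if the `/media` volume from the btrfs-scrub script should be trimmed as well.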
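Review bot: The hardening parameters are placed in `GRUB_CMDLINE_LINUX_DEFAULT`, which grub-mkconfig applies only to the normal menu entries; with `#GRUB_DISABLE_RECOVERY=true` left commented, the generated recovery entries boot without `init_on_free=1 page_alloc.shuffle=1 apparmor=1 security=apparmor`. Move them to `GRUB_CMDLINE_LINUX="init_on_free=1 page_alloc.shuffle=1 apparmor=1 security=apparmor"` and keep only `loglevel=4` in `_DEFAULT`, or uncomment `GRUB_DISABLE_RECOVERY=true`. `init_on_alloc=1` is the usual companion of `init_on_free=1` (it zeroes memory at allocation rather than at free) and is worth adding to the same line.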
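Review bot: `install_items+=" /etc/cryptsetup-keys.d/root-crypt.key /etc/crypttab "` copies the LUKS key file into every generated initramfs, so the key is only as well protected as the image: confirm that the image is written 0600 root-owned (recent dracut releases do this, but verify after each rebuild) and that /boot lives inside the encrypted volume, which `GRUB_ENABLE_CRYPTODISK=y` in the grub hunk suggests; on an unencrypted boot partition anyone with read access to that partition can extract the key from the image. A one-line comment in flags.conf would keep this constraint visible: `# root-crypt.key is embedded in the initramfs: keep /boot on the LUKS volume and the image mode 0600`.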
diff --git a/system/etc/modprobe.d/blacklist.conf b/system/etc/modprobe.d/blacklist.conf
new file mode 100644
index 0000000..f7f47a8
--- /dev/null
+++ b/system/etc/modprobe.d/blacklist.conf
@@ -0,0 +1,4 @@
+# Blacklist modules you don't want
+blacklist vivid
+blacklist bluetooth
+blacklist btusb
diff --git a/system/etc/nftables.conf b/system/etc/nftables.conf
new file mode 100644
index 0000000..bbc98a6
--- /dev/null
+++ b/system/etc/nftables.conf
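Review bot: `blacklist bluetooth` and `blacklist btusb` only suppress the alias-based autoload; the modules still load when requested by name or pulled in as a dependency of another module, so for a hardening intent they should be refused with `install bluetooth /bin/false` and `install btusb /bin/false` (and likewise for `vivid`). The `blacklist` lines can stay alongside, but the `install` lines are what stops modprobe from loading the module, for root as well, until the line is removed. The header comment `# Blacklist modules you don't want` could state that difference so the next reader does not assume the current file prevents loading.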
@@ -0,0 +1,81 @@
+#!/sbin/nft -f
+
+# References
+# https://wiki.gentoo.org/wiki/Nftables/Examples
+# https://wiki.archlinux.org/title/Nftables
+# https://github.com/krabelize/nftables-firewall-config/blob/master/nftables.conf
+# https://github.com/atweiden/archvault/blob/master/resources/etc/nftables.conf
+
+flush ruleset
+
+# TCP ports to accept (both IPv4 and IPv6)
+#define ACCEPT_TCP_PORTS = {}
+
+# UDP ports to accept (both IPv4 and IPv6)
+#define ACCEPT_UDP_PORTS = {}
+
+table inet filter {
+    # Default to drop all inbound traffic, unless they meet our criteria
+    chain input {
+        type filter hook input priority 0; policy drop;
+
+        ct state invalid counter drop
+        ct state {established,related} counter accept
+
+        iif lo accept
+        iif != lo ip daddr 127.0.0.1/8 counter drop
+        iif != lo ip6 daddr ::1/128 counter drop
+
+        # Accept user-defined ports
+        #tcp dport $ACCEPT_TCP_PORTS counter accept
+        #udp dport $ACCEPT_UDP_PORTS counter accept
+
+        # Rate limit on SSH port
+        #tcp dport ssh ct state new limit rate 6/minute accept
+
+        # Mitigate ping floods
+        ip protocol icmp icmp type {echo-reply, echo-request} limit rate over 6/second burst 4 packets drop
+        ip6 nexthdr icmpv6 icmpv6 type {echo-reply, echo-request} limit rate over 6/second burst 4 packets drop
+
+        ip protocol icmp icmp type {
+            echo-reply,
+            echo-request,
+            destination-unreachable,
+            time-exceeded,
+            parameter-problem,
+            router-advertisement,
+            router-solicitation
+        } counter accept
+
+        ip6 nexthdr icmpv6 icmpv6 type {
+            echo-reply,
+            echo-request,
+            destination-unreachable,
+            mld-listener-query,
+            mld-listener-reduction,
+            mld-listener-report,
+            mld2-listener-report,
+            packet-too-big,
+            time-exceeded,
+            parameter-problem
+        } counter accept
+
+        counter comment "Count dropped packets"
+        #log prefix "[nftables] Inbound Denied: " flags all counter drop
+    }
+
+    # Route your own packets! I'm not your router.
+    # Can be enabled while using VPN (for tunneling)
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+        counter comment "Count dropped packets"
+        #log prefix "[nftables] Forward Denied: " flags all counter drop
+    }
+
+    # Accept all outbound traffic
+    chain output {
+        type filter hook output priority 0; policy accept;
+        counter comment "Count accepted packets"
+        #log prefix "[nftables] Outbound Accepted: " flags all counter accpet
+    }
+}
diff --git a/system/etc/sysctl.d/50-coredump.conf b/system/etc/sysctl.d/50-coredump.conf
new file mode 100644
index 0000000..33ce3bc
--- /dev/null
+++ b/system/etc/sysctl.d/50-coredump.conf
@@ -0,0 +1 @@
+kernel.core_pattern=|/bin/false
diff --git a/system/etc/sysctl.d/harden.conf b/system/etc/sysctl.d/harden.conf
new file mode 100644
index 0000000..c7443ba
--- /dev/null
+++ b/system/etc/sysctl.d/harden.conf
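Review bot: The ICMPv6 accept set in `chain input` lists the MLD types but none of the neighbour-discovery types, and conntrack treats ND packets as untracked, so they match neither `ct state {established,related}` nor `ct state invalid` and fall through to `policy drop`; inbound neighbour solicitations and advertisements are therefore dropped and IPv6 on the link stops working even with static addressing (the `router-advertisement, router-solicitation` entries in the IPv4 set are ICMPv4 types and do not cover this). Add `nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert` to the `icmpv6 type` set. Separately, the commented-out rule in `chain output` ends in `counter accpet`; the typo will make the whole ruleset fail to load the moment the line is uncommented, so correct it to `counter accept` now.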
@@ -0,0 +1,264 @@
+# NOTE: THIS IS ONLY A TEMPLATE. CHANGE IT BEFORE APPLYING IT
+
+########## Kernel ##########
+
+# enable ExecShield protection
+# 2 enables ExecShield by default unless applications bits are set to disabled
+# uncomment on systems without NX/XD protections
+# check with: dmesg | grep --color '[NX|DX]*protection'
+#kernel.exec-shield = 2
+
+# enable ASLR
+# turn on protection and randomize stack, vdso page and mmap + randomize brk base address
+kernel.randomize_va_space = 2
+
+# controls the System Request debugging functionality of the kernel
+kernel.sysrq = 0
+
+# controls whether core dumps will append the PID to the core filename
+# useful for debugging multi-threaded applications
+kernel.core_uses_pid = 1
+
+# restrict access to kernel address
+# kernel pointers printed using %pK will be replaced with 0’s regardless of privileges
+kernel.kptr_restrict = 2
+
+# Ptrace protection using Yama
+# - 1: only a parent process can be debugged
+# - 2: only admins canuse ptrace (CAP_SYS_PTRACE capability required)
+# - 3: disables ptrace completely, reboot is required to re-enable ptrace
+kernel.yama.ptrace_scope = 3
+
+# restrict kernel logs to root only
+kernel.dmesg_restrict = 1
+
+# restrict BPF JIT compiler to root only
+kernel.unprivileged_bpf_disabled = 1
+
+# disables kexec as it can be used to livepatch the running kernel
+kernel.kexec_load_disabled = 1
+
+# disable unprivileged user namespaces to decrease attack surface
+kernel.unprivileged_userns_clone = 0
+
+# allow for more PIDs
+# this value can be up to:
+# - 32768 (2^15) on a 32-bit system
+# - 4194304 (2^22) on a 64-bit system
+kernel.pid_max = 4194304
+
+# reboot machine after kernel panic
+#kernel.panic = 10
+
+# restrict perf subsystem usage
+kernel.perf_event_paranoid = 3
+kernel.perf_cpu_time_max_percent = 1
+kernel.perf_event_max_sample_rate = 1
+
+########## File System ##########
+
+# disallow core dumping by SUID/SGID programs
+fs.suid_dumpable = 0
+
+# protect the creation of hard links
+# one of the following conditions must be fulfilled
+# - the user can only link to files that he or she owns
+# - the user must first have read and write access to a file, that he/she wants to link to
+fs.protected_hardlinks = 1
+
+# protect the creation of symbolic links
+# one of the following conditions must be fulfilled
+# - the process following the symbolic link is the owner of the symbolic link
+# - the owner of the directory is also the owner of the symbolic link
+fs.protected_symlinks = 1
+
+# enable extended FIFO protection
+fs.protected_fifos = 2
+
+# similar to protected_fifos, but it avoids writes to an attacker-controlled regular file
+fs.protected_regular = 2
+
+# increase system file descriptor limit
+# this value can be up to:
+# - 2147483647 (0x7fffffff) on a 32-bit system
+# - 9223372036854775807 (0x7fffffffffffffff) on a 64-bit system
+# be aware that the Linux kernel documentation suggests that inode-max should be 3-4 times
+# larger than this value
+fs.file-max = 9223372036854775807
+
+# increase the amount of files that can be watched
+# each file watch handle takes 1080 bytes
+# up to 540 MiB of memory will be consumed if all 524288 handles are used
+fs.inotify.max_user_watches = 524288
+
+########## Virtualization ##########
+
+# do not allow mmap in lower addresses
+vm.mmap_min_addr = 65536
+
+# improve mmap ASLR effectness
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+
+########## Networking ##########
+
+# increase the maximum length of processor input queues
+net.core.netdev_max_backlog = 250000
+
+# enable BPF JIT hardening for all users
+# this trades off performance, but can mitigate JIT spraying
+net.core.bpf_jit_harden = 2
+
+# increase TCP max buffer size setable using setsockopt()
+#net.core.rmem_max = 8388608
+#net.core.wmem_max = 8388608
+#net.core.rmem_default = 8388608
+#net.core.wmem_default = 8388608
+#net.core.optmem_max = 8388608
+
+########## IPv4 Networking ##########
+
+# enable BBR congestion control
+net.ipv4.tcp_congestion_control = bbr
+
+# disallow IPv4 packet forwarding
+net.ipv4.ip_forward = 0
+
+# enable SYN cookies for SYN flooding protection
+net.ipv4.tcp_syncookies = 1
+
+# number of times SYNACKs for a passive TCP connection attempt will be retransmitted
+net.ipv4.tcp_synack_retries = 5
+
+# do not send redirects
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+
+# do not accept packets with SRR option
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.accept_source_route = 0
+
+# enable reverse path source validation (BCP38)
+# refer to RFC1812, RFC2827, and BCP38 (http://www.bcp38.info)
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# log packets with impossible addresses to kernel log
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.all.log_martians = 1
+
+# do not accept ICMP redirect messages
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+
+# disable sending and receiving of shared media redirects
+# this setting overwrites net.ipv4.conf.all.secure_redirects
+# refer to RFC1620
+net.ipv4.conf.default.shared_media = 0
+net.ipv4.conf.all.shared_media = 0
+
+# always use the best local address for announcing local IP via ARP
+net.ipv4.conf.default.arp_announce = 2
+net.ipv4.conf.all.arp_announce = 2
+
+# reply only if the target IP address is local address configured on the incoming interface
+net.ipv4.conf.default.arp_ignore = 1
+net.ipv4.conf.all.arp_ignore = 1
+
+# drop Gratuitous ARP frames to prevent ARP poisoning
+# this can cause issues when ARP proxies are used in the network
+net.ipv4.conf.default.drop_gratuitous_arp = 1
+net.ipv4.conf.all.drop_gratuitous_arp = 1
+
+# ignore all ICMP echo requests
+#net.ipv4.icmp_echo_ignore_all = 1
+
+# ignore all ICMP echo and timestamp requests sent to broadcast/multicast
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# ignore bad ICMP errors
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# mitigate TIME-WAIT Assassination hazards in TCP
+# refer to RFC1337
+net.ipv4.tcp_rfc1337 = 1
+
+# disable TCP window scaling
+# this makes the host less susceptible to TCP RST DoS attacks
+net.ipv4.tcp_window_scaling = 0
+
+# increase system IP port limits
+net.ipv4.ip_local_port_range = 1024 65535
+
+# TCP timestamps could provide protection against wrapped sequence numbers,
+# but the host's uptime can be calculated precisely from its timestamps
+# it is also possible to differentiate operating systems based on their use of timestamps
+# - 0: disable TCP timestamps
+# - 1: enable timestamps as defined in RFC1323 and use random offset for
+# each connection rather than only using the current time
+# - 2: enable timestamps without random offsets
+net.ipv4.tcp_timestamps = 0
+
+# enabling SACK can increase the throughput
+# but SACK is commonly exploited and rarely used
+net.ipv4.tcp_sack = 0
+
+# divide socket buffer evenly between TCP window size and application
+net.ipv4.tcp_adv_win_scale = 1
+
+# increase memory thresholds to prevent packet dropping
+#net.ipv4.tcp_rmem = 4096 87380 8388608
+#net.ipv4.tcp_wmem = 4096 87380 8388608
+
+########## IPv6 Networking ##########
+
+# disallow IPv6 packet forwarding
+net.ipv6.conf.default.forwarding = 0
+net.ipv6.conf.all.forwarding = 0
+
+# number of Router Solicitations to send until assuming no routers are present
+net.ipv6.conf.default.router_solicitations = 0
+net.ipv6.conf.all.router_solicitations = 0
+
+# do not accept Router Preference from RA
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+net.ipv6.conf.all.accept_ra_rtr_pref = 0
+
+# learn prefix information in router advertisement
+net.ipv6.conf.default.accept_ra_pinfo = 0
+net.ipv6.conf.all.accept_ra_pinfo = 0
+
+# setting controls whether the system will accept Hop Limit settings from a router advertisement
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.all.accept_ra_defrtr = 0
+
+# router advertisements can cause the system to assign a global unicast address to an interface
+net.ipv6.conf.default.autoconf = 0
+net.ipv6.conf.all.autoconf = 0
+
+# number of neighbor solicitations to send out per address
+net.ipv6.conf.default.dad_transmits = 0
+net.ipv6.conf.all.dad_transmits = 0
+
+# number of global unicast IPv6 addresses can be assigned to each interface
+net.ipv6.conf.default.max_addresses = 1
+net.ipv6.conf.all.max_addresses = 1
+
+# enable IPv6 Privacy Extensions (RFC3041) and prefer the temporary address
+net.ipv6.conf.default.use_tempaddr = 2
+net.ipv6.conf.all.use_tempaddr = 2
+
+# ignore IPv6 ICMP redirect messages
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+
+# do not accept packets with SRR option
+net.ipv6.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+
+# ignore all ICMPv6 echo requests
+#net.ipv6.icmp.echo_ignore_all = 1
+#net.ipv6.icmp.echo_ignore_anycast = 1
+#net.ipv6.icmp.echo_ignore_multicast = 1
diff --git a/system/etc/udev/rules.d/51-android.rules b/system/etc/udev/rules.d/51-android.rules
new file mode 100644
index 0000000..a085037
--- /dev/null
+++ b/system/etc/udev/rules.d/51-android.rules
@@ -0,0 +1 @@
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", ATTR{idProduct}=="6860", MODE="0666", OWNER="users", ENV{ID_MTP_DEVICE}="1", SYMLINK+="libmtp"
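Review bot: `kernel.unprivileged_userns_clone = 0` is a key that exists only in patched kernels (Debian/Ubuntu and linux-hardened carry it); on a mainline kernel, which the `GRUB_DISTRIBUTOR="Void"` line suggests this targets, there is no such /proc/sys entry, so `sysctl --system` logs an error for this file and the intended restriction is never applied. The mainline equivalent is `user.max_user_namespaces = 0`, with the caveat that it also affects root and anything that depends on user namespaces (sandboxing wrappers, rootless containers), which the comment above the line should mention. Two smaller points: `vm.mmap_rnd_bits=32` and `vm.mmap_rnd_compat_bits=16` are the only keys written without the `key = value` spacing the rest of the file uses, and `net.ipv4.tcp_window_scaling = 0` caps every TCP receive window at 64 KiB, a large throughput cost that deserves a sentence next to the RST-hardening rationale. Comment typos: `canuse`, `effectness`, `setable`.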
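Review bot: `OWNER="users"` names a user, but `users` is normally a group, so udev will most likely log an unknown-user error and leave the node owned by root; combined with `MODE="0666"` the MTP device ends up readable and writable by every local account, which looks broader than the rule intends. Replacing the two fields with `MODE="0660", GROUP="users"` restricts access to members of that group (or a dedicated `plugdev` group) while keeping the `libmtp` symlink and `ID_MTP_DEVICE` tag. A leading comment naming the device the `04e8`/`6860` pair identifies would also help the next reader.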