Blue team hardening scripts

Hardening scripts for blue team competitions.

Requires some environment variables to be set to operate correctly. Make sure to read the script before running it!

This script will produce excessive noise in the logs, so this is not recommended for real-world use without changes.

Depends on the firewall script from https://mivirl.dev/git/?p=firewall-scripts.git

Actions taken:

Drop all traffic except dns (optionally also ssh, ldap)
Require encryption and/or signatures for repositories
Create minimal /etc/hosts
- Add github
- Add repositories (and several mirrors for fedora-based)
Allow outgoing traffic to github and repositories
Configure sudo to log output and only allow admin users
Enable haveged for entropy
Configure password policies
Check for nonexistent groups
Check for duplicate UIDs, GIDs, user names, and group names
Create a logging group for accessing /var/log
Reset all user passwords to random passwords
Reset admin and root passwords
Disable root logins
Set permissions for users' home directories
Set permissions for root directories
Set default umask
Configure ssh
- Regenerate host keys
- Use strong cryptography
- Set login banners
Update packages for services listening on ports first
Install rsyslog and forward journald to it
Install auditd and set rules
Allow incoming traffic to listening services
Update all packages
Set up kernel and userspace protections using sysctl
Disable uncommon kernel modules
Hide hardware info
Disable unneeded inetd services
Disable common unneeded services
Configure apache
- Set permissions for configuration directories
- Disable trace requests
- List directories that might be writable
- List all .ht files that may change configs
- Install mod-security
- Sandbox apache using systemd service sandboxing
Configure nginx
- Set permissions for configuration directories
- Install mod-security if the package exists for nginx
- Sandbox apache using systemd service sandboxing
Configure usbguard
Configure aide
Verify that packages aren't corrupted/modified
List world-writable files and directories
List suid and sgid binaries, highlight risky ones

description	Blue team scripts for hardening machines
last change	Tue, 25 Jun 2024 02:03:18 +0000 (21:03 -0500)
URL	http://mivirldevekbr6wvubebfbxbzhxnqdv2z6ehnojgv63qsgnukfiix4yd.onion/git/hardening-scripts.git
	https://mivirl.dev/git/hardening-scripts.git

2024-06-25	mivirl	backup,media: add backup and find media modules master	commit \| commitdiff \| tree \| snapshot
2024-06-25	mivirl	all: separate script into modules	commit \| commitdiff \| tree \| snapshot
2024-06-25	mivirl	hide-hardware: remove hide-hardware.sh	commit \| commitdiff \| tree \| snapshot
2024-05-26	mivirl	sandbox: Improve systemd template overrides	commit \| commitdiff \| tree \| snapshot
2024-05-22	mivirl	Initial commit	commit \| commitdiff \| tree \| snapshot