
Debian Hardener - 6123
https://github.com/CrystalX127/Shield
======
6123
Would anybody mind just checking out this Debian Hardener I've created.

~~~
duskwuff
I see a lot of problems here. Consider scaling back what you are attempting to
do.

\- The auditd rules you're using look highly application-specific. Installing
them blindly is probably not appropriate.

\- Some of the changes made by this script are not persistent. In particular,
changes made using "mount" will not persist beyond a restart, and changes to
permissions on files installed by packages will be overridden when the package
is updated.

\- Your script attempts to disable USB storage, FireWire, and some filesystems
(like HFS+). These steps may be unexpected and undesirable for desktop
systems.

\- Your script attempts to write to paths which will not exist on a Debian
system, like "/etc/sysconfig/init".

\- Many of the snippets used by this script make assumptions about the base
system configuration, like the names and purposes of its network interfaces.
These assumptions need to be checked.

\- The iptables rules installed by this script are extremely questionable.
They include a number of sample rules (like one that allows IP forwarding on
weekdays between 9:30 and 10:30 PM, one that blocks packets containing the
strings ".com" or ".exe", or one that blocks certain traffic from 1.2.3.4),
some rules which will limit the functionality of the system (like the
rate-limit rules for port 80, or the rule to "force fragments packets check",
which actually _rejects_ fragmented packets), and some rules which do nothing
at all (like the unreferenced "port-scanning" chain, or a rule that attempts to
"block new packets that aren't SYN packets"). Additionally, the rules will
block all traffic from/to RFC1918 networks, which will block all network
connectivity on any system that's on a private network (like a home network or
a VPC).

\- The three (!) firewalls which this script will attempt to install
(iptables-persistent, shorewall, and ufw) are incompatible with each other.

\- The "core file permissions" snippet does nothing, because it attempts to
change permissions on files in the current working directory.

\- Some of the features that this script prompts for (like
"revert_/root_permissions") are simply unimplemented, and will throw an error
if selected.

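The persistence and pre-flight checks that the points above call for (fstab instead of "mount", refusing to write under directories Debian does not have, checking an interface name before using it in a rule, and noticing when a "block RFC1918" rule would cut the host off), as an added example. This is not code from the Shield repository or from anyone in this thread; the function names are my own, and the fstab contents and paths it is run against are constructed so it can be exercised on a copy rather than on the live system. It needs only POSIX sh, awk and grep.

```shell
#!/bin/sh
# Added example, not part of the Shield project: hardening helpers that take
# a file path, so they can be tested on a constructed copy of /etc/fstab or
# a scratch directory instead of the real host.

# harden_fstab_entry FSTAB MOUNTPOINT OPTS
# Make a mount-option change persistent by editing the fstab line for
# MOUNTPOINT instead of running "mount -o remount", which is gone after a
# reboot. OPTS is comma-separated; options already present are not added
# twice, so repeated runs are idempotent. Returns 1 when MOUNTPOINT has no
# entry (the caller should add a complete entry deliberately, not guess one).
# MOUNTPOINT is interpolated into a regex, so pass a plain path.
harden_fstab_entry() {
    fstab=$1; mp=$2; want=$3
    grep -qE "^[^#[:space:]]+[[:space:]]+$mp[[:space:]]" "$fstab" || return 1
    out=$(mktemp)
    awk -v mp="$mp" -v want="$want" '
        BEGIN { OFS = "\t" }
        $1 !~ /^#/ && $2 == mp {
            n = split(want, add, ",")
            opts = $4
            for (i = 1; i <= n; i++)
                if (index("," opts ",", "," add[i] ",") == 0)
                    opts = opts "," add[i]
            $4 = opts            # reassigning a field rebuilds the record with OFS
        }
        { print }
    ' "$fstab" > "$out" && cat "$out" > "$fstab"   # cat keeps fstab's inode and mode
    rm -f "$out"
}

# write_conf PATH CONTENT
# Refuse to create a file whose parent directory does not exist on this host
# (e.g. /etc/sysconfig/init on Debian): a file nothing will ever read is not
# hardening, it is clutter that looks like hardening.
write_conf() {
    dir=$(dirname "$1")
    [ -d "$dir" ] || { echo "skip $1: $dir does not exist on this host" >&2; return 1; }
    printf '%s\n' "$2" > "$1"
}

# iface_exists NAME: check an interface name before baking it into a rule.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# is_rfc1918 ADDR: true for 10/8, 172.16/12 and 192.168/16 (dotted-quad
# input). Run it on the default gateway before installing any rule that
# drops RFC1918 traffic; if it is true, that rule takes the host offline.
is_rfc1918() {
    case "$1" in
        10.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        192.168.*) return 0 ;;
    esac
    return 1
}
```

After harden_fstab_entry has changed the real /etc/fstab, a one-off `mount -o remount /tmp` applies the new options immediately; the fstab line is what makes them survive the next boot. The intended input for is_rfc1918 is the gateway from `ip route show default` (the third field of the "default via ... dev ..." line); a private gateway means the "block RFC1918" rules must be dropped or scoped to specific interfaces.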
~~~
ReallyOldLurker
also to add some items (of course this is all my opinion, so ignore it if you
want):

\- break up the script into modules and work on one at a time until it's solid

\- don't assume that items like unattended-upgrades are desirable. In general,
where you want to install more software than the user already has installed,
it should be an optional module or prompted. Without that I wouldn't use this
script for that reason alone.

\- some people have a purpose in using FireWire and USB. Make it an option (my
example: high-end studio cameras)

\- consider reviewing
[https://wiki.mozilla.org/Security/Guidelines/OpenSSH](https://wiki.mozilla.org/Security/Guidelines/OpenSSH)
and the release notes for the version of OpenSSH you are configuring. I
wouldn't use your configuration.

\- why ask how many users to enforce disk quotas on and then ask for which user
to enforce a disk quota on? Simpler would be to read /etc/passwd (or count
/home/<users>), provide a list to mark and then do it.

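The "read /etc/passwd and provide a list" approach from the last point, as an added example (not code from the Shield repository or from anyone in this thread). It takes the passwd file as a parameter so it can run against a constructed copy; the function names, the 1000 UID cut-off (Debian's default UID_MIN in /etc/login.defs) and the sample accounts are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Shield project: derive the list of users a
# disk quota could apply to instead of asking the operator how many there are.

# list_quota_candidates PASSWD [UID_MIN]
# Print, one per line, the login names of regular users: UID >= UID_MIN
# (assumed 1000, Debian's default UID_MIN), not the "nobody" UID 65534, and
# a shell that actually permits login. System accounts and nologin/false
# shells are skipped, since a quota on them is noise.
list_quota_candidates() {
    awk -F: -v min="${2:-1000}" '
        $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$1"
}

# keep_known PASSWD NAME...
# Echo only the NAMEs that are quota candidates and warn about the rest, so
# a typo in interactive input cannot reach setquota as a nonexistent or
# system user.
keep_known() {
    pwfile=$1; shift
    known=$(list_quota_candidates "$pwfile")
    for name in "$@"; do
        if printf '%s\n' "$known" | grep -qx -- "$name"; then
            printf '%s\n' "$name"
        else
            echo "ignoring '$name': not a regular login user" >&2
        fi
    done
}

# Interactive use would look like this (commented out so the file runs
# unattended):
#   list_quota_candidates /etc/passwd
#   printf 'users to quota (space separated): '; read -r chosen
#   for u in $(keep_known /etc/passwd $chosen); do
#       setquota -u "$u" 0 "$soft_blocks" 0 0 /home   # assumed quota values
#   done
```

Counting /home/* instead, as the comment also suggests, works on a machine where every human user has a home directory there, but passwd is the authoritative list and also covers users whose home lives elsewhere.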
