13 comments

[ 2.5 ms ] story [ 37.1 ms ] thread
> [top of readme] lockdown a newly installed linux os

> [bottom of readme] Supported OS: Debian

Not all Linux is Debian or a Debian derivative.

> Remounts /tmp /proc /dev /run to be more restrictive

Unfortunately it only appears to remount, which will not persist across reboots (unless I’m missing something).

> Restrict access to compilers

Is this actually meaningful from a security perspective? If one can get some source onto a machine and execute a compiler and then execute that binary, how is that substantially different than them just getting a binary onto the machine and executing that instead?

the whole script is a beautiful exercise in cargo-cult security

it's so far out there that I almost think it's intended as performance art, rather than something anyone is supposed to actually use

> Unfortunately it only appears to remount, which will not persist across reboots (unless I’m missing something).

Yeah and then it also reboots immediately. What's the point? Has this even been tested?

Wow nice! This will be useful both for expert users who can go through and learn about various security options and apply manually, but also useful for non-expert users who can just run the script.
> useful for non-expert users who can just run the script.

Running random scripts one doesn’t understand as root has its potential problems, though. Non-experts should still audit what this script (or any script requiring elevated privileges) is doing and strive to understand it.

True that. After looking through the script in more details, I wouldn't recommend running without checking. I thought it was doing just basic ssh + firewall, but it does a lot more things, so probably better to run piecemeal even for non-experts.

Maybe this could be turned into some interactive script that explains a little (in beginner-friendly language) what each step does? It would be also nice to have a log of which steps were performed, and instructions for the undo-step in case users want to go back... wishlist.append( ^ ).

    # Add legal banner
    echo "
    Unauthorized access to this server is prohibited.
    Legal action will be taken. Disconnect now.
    " > /etc/issue
Heh.
We already have sensible OS level and app level baselines in CIS workbenches. There's also code to apply the policies and check the policies. It's nice that this is an attempt to set some kind of sanity in a single shell script but unless the author is a known quantity expert in this area, it's not a good idea to use this, unless you are also capable of vetting this code, in which case you probably don't need it.
Can u reccomended somethings I can refer to?
Would love to see this as an interactive informing and asking leaving you with the parts you want.
Hey, thanks for the feedback. I've just updated it so each section prompts you with the commands its about to run and whether or not to run them.