├── LICENSE
├── README.md
└── openscap_stig_harden_ubuntu.sh

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 am

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
![GitHub stars](https://img.shields.io/github/stars/alokemajumder/Ubuntu-Security-Hardening-Script?style=social)
![GitHub forks](https://img.shields.io/github/forks/alokemajumder/Ubuntu-Security-Hardening-Script?style=social)
![GitHub issues](https://img.shields.io/github/issues/alokemajumder/Ubuntu-Security-Hardening-Script)
![GitHub pull requests](https://img.shields.io/github/issues-pr/alokemajumder/Ubuntu-Security-Hardening-Script)
![GitHub](https://img.shields.io/github/license/alokemajumder/Ubuntu-Security-Hardening-Script)
![GitHub release (latest by date)](https://img.shields.io/github/v/release/alokemajumder/Ubuntu-Security-Hardening-Script)
![GitHub contributors](https://img.shields.io/github/contributors/alokemajumder/Ubuntu-Security-Hardening-Script)
![GitHub last commit](https://img.shields.io/github/last-commit/alokemajumder/Ubuntu-Security-Hardening-Script)
![GitHub top language](https://img.shields.io/github/languages/top/alokemajumder/Ubuntu-Security-Hardening-Script)
![Dependencies](https://img.shields.io/librariesio/github/alokemajumder/Ubuntu-Security-Hardening-Script)
![Code size](https://img.shields.io/github/languages/code-size/alokemajumder/Ubuntu-Security-Hardening-Script)
![Open Source Love](https://badges.frapsoft.com/os/v1/open-source.png?v=103)

## Ubuntu Security Hardening Script

This script applies a baseline set of hardening steps to Ubuntu 20.04 LTS (and newer) servers as a step toward DISA-STIG compliance. It patches the system, installs and configures AIDE, auditd, AppArmor, ClamAV, unattended-upgrades and UFW, and schedules a recurring OpenSCAP evaluation against SCAP Security Guide content. Everything it does is visible in the single file `openscap_stig_harden_ubuntu.sh`; read it before running it.

## Features

- **System Updates**: Refreshes the package index and upgrades all installed packages, so the latest security patches are applied before anything else is configured.
- **Firewall Configuration**: Sets up UFW (Uncomplicated Firewall) to deny all incoming connections by default while allowing all outgoing connections, and allows SSH so the administrative session survives.
- **File Integrity Monitoring**: Installs AIDE and initialises its baseline database, so later changes to monitored files can be detected.
- **Auditd Configuration**: Installs auditd and writes the daemon configuration (enriched log format, log rotation, disk-space thresholds and the action to take when the audit partition fills up).
- **AppArmor**: Installs `apparmor-utils` and puts the shipped profiles into enforce mode.
- **Malware Scanning**: Installs ClamAV and schedules a recursive scan of the filesystem at the interval you choose (daily, weekly or monthly).
- **Package Verification**: Installs `debsums` so installed files can be checked against the distribution's package checksums.
- **Automatic Security Updates**: Enables unattended-upgrades.
- **OpenSCAP Integration**: Schedules `oscap xccdf eval` against the SCAP Security Guide datastream and writes an HTML report to `/var/log/oscap_report.html`.
- **Logs and Reports**: Writes a summary of what was configured to `/var/log/hardening_report.txt`.
- **Added UFW Firewall Logging**:
  - Introduced the command `ufw logging on` to enable firewall logging in UFW.
  - With logging on, blocked and allowed connections are written to syslog (`/var/log/ufw.log` on a default Ubuntu install), which gives you visibility of network traffic and security events for auditing.

## Prerequisites

Before running the script, ensure you have root access to your Ubuntu server and an interactive terminal: the script prompts for the ClamAV and OpenSCAP scan frequencies.

## Installation

1. **Download the Script**:

   You can download the script directly using wget or curl, or clone this repository: `git clone https://github.com/alokemajumder/Ubuntu-Security-Hardening-Script.git`

2. **Make the Script Executable**: Change the script's permissions to make it executable.

   `chmod +x openscap_stig_harden_ubuntu.sh`

3. **Run the Script**: Execute the script as the root user to apply the security configurations.

   `sudo ./openscap_stig_harden_ubuntu.sh`

## Usage

Run the script on a fresh installation of Ubuntu 20.04 LTS or newer to avoid conflicts with existing configurations. It can also be run on existing systems to apply the security enhancements, but review the changes and back up important data before running it in a production environment. Two things to check first: the firewall step allows SSH on the standard port only (`ufw allow ssh`), so adjust that line if you administer the host on another port; and the AppArmor step puts every shipped profile into enforce mode, which can block services whose profiles were deliberately left in complain mode.

## Contributions

Contributions are always welcome! If you have suggestions for improving the script or have identified issues, please open an issue or submit a pull request.

## License

This project is licensed under the MIT License.

## Disclaimer

This script is provided "as is", without warranty of any kind, express or implied. Always test in a staging environment before deploying into production.
--------------------------------------------------------------------------------

/openscap_stig_harden_ubuntu.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Ubuntu Security Hardening Script
# Author: Alok Majumder
# GitHub: https://github.com/alokemajumder
# License: MIT License

# DISCLAIMER:
# This script is provided "AS IS" without warranty of any kind, express or implied. The author expressly disclaims any and all warranties,
# express or implied, including any warranties as to the usability, suitability or effectiveness of any methods or measures this script
# attempts to apply. By using this script, you agree that the author shall not be held liable for any damages resulting from the use of this script.

# Ensure the script is run as root
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

echo "Beginning Ubuntu security hardening process..."

# Non-interactive apt: no debconf dialogs when the script runs from automation or a restricted shell.
# --force-confold keeps locally modified configuration files (e.g. sshd_config) instead of prompting.
export DEBIAN_FRONTEND=noninteractive

# Update and upgrade existing packages
echo "Updating and upgrading installed packages..."
apt-get update && apt-get -y -o Dpkg::Options::=--force-confold upgrade

# Install necessary packages
# debsums verifies installed files against package checksums; ssg-debderived provides the SCAP Security
# Guide datastreams for Ubuntu that the OpenSCAP scan scheduled below evaluates (openscap-scanner alone
# ships no content). clamav-freshclam, pulled in by clamav, fetches signatures in the background.
echo "Installing necessary tools and packages..."
apt-get install -y aide auditd debsums apparmor apparmor-utils clamav clamav-daemon \
    unattended-upgrades ufw openscap-scanner ssg-debderived

# Accept only the three run-parts directories that exist on Ubuntu. The answer is used inside a
# path under /etc, so anything else typed at the prompt is rejected instead of being trusted.
ask_frequency() {
    local answer
    while true; do
        read -r -p "$1 (daily, weekly, monthly): " answer
        case $answer in
            daily|weekly|monthly) echo "$answer"; return 0 ;;
            *) echo "Please answer daily, weekly or monthly." 1>&2 ;;
        esac
    done
}

# Initialize AIDE
echo "Initializing AIDE, the file integrity checker..."
aideinit -y -f      # -y answers the prompts, -f overwrites an existing database
# aideinit writes aide.db.new; install it as the reference database that later aide runs compare against
if [[ -f /var/lib/aide/aide.db.new ]]; then
    cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
fi

# Configure auditd
echo "Configuring auditd..."
cp /etc/audit/auditd.conf /etc/audit/auditd.conf.backup
cat > /etc/audit/auditd.conf <<'EOF'
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
priority_boost = 4
flush = INCREMENTAL_ASYNC
freq = 20
num_logs = 5
disp_qos = lossy
name_format = HOSTNAME
max_log_file = 8
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
EOF
# auditd 2.x (Ubuntu 20.04) dispatches events through audispd; auditd 3.x removed the separate binary,
# so the dispatcher line is only written where the binary exists.
if [[ -x /sbin/audispd ]]; then
    echo "dispatcher = /sbin/audispd" >> /etc/audit/auditd.conf
fi
service auditd restart

# Configure AppArmor
echo "Configuring AppArmor..."
systemctl enable --now apparmor
# aa-enforce takes profile files; /etc/apparmor.d also holds directories (abstractions, tunables, local)
for profile in /etc/apparmor.d/*; do
    [[ -f $profile ]] || continue
    aa-enforce "$profile" || echo "WARNING: could not enforce $profile" 1>&2
done

# Configure ClamAV
echo "Scheduling ClamAV scans..."
scan_frequency=$(ask_frequency "How often should ClamAV scans run")
# Files in /etc/cron.<frequency> are executed by run-parts at the times set in /etc/crontab, so the job
# must be an executable script, not a crontab line. Infected files are moved to a quarantine directory
# rather than deleted: a false positive on a system file would otherwise be gone for good.
mkdir -p /var/lib/clamav/quarantine && chmod 0700 /var/lib/clamav/quarantine
cat > "/etc/cron.$scan_frequency/clamav_scan" <<'EOF'
#!/bin/sh
clamscan --infected --recursive \
    --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' --exclude-dir='^/run' \
    --move=/var/lib/clamav/quarantine --log=/var/log/clamav/scan.log /
EOF
chmod 0755 "/etc/cron.$scan_frequency/clamav_scan"

# Configure Unattended-Upgrades
# This is the file the dpkg-reconfigure dialog writes; writing it directly keeps the step non-interactive.
echo "Configuring automatic security updates..."
cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

# Setup Firewall with UFW
# Policies and the SSH rule are set before enabling, so the session running this script is not cut off.
echo "Setting up UFW firewall..."
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw logging on          # log blocked and allowed connections for visibility and auditing
ufw --force enable      # --force skips the "may disrupt existing ssh connections" prompt

# Setup OpenSCAP
echo "Configuring OpenSCAP..."
oscap_frequency=$(ask_frequency "How often should OpenSCAP scans run")
# Use the datastream for the running release. Older ssg-debderived builds only ship datastreams for
# earlier releases, so fall back to the newest Ubuntu datastream present and say so.
release=$(. /etc/os-release && echo "${VERSION_ID//./}")
content_dir=/usr/share/xml/scap/ssg/content
ds="$content_dir/ssg-ubuntu${release}-ds.xml"
if [[ ! -f $ds ]]; then
    ds=$(ls "$content_dir"/ssg-ubuntu*-ds.xml 2>/dev/null | sort -V | tail -n 1)
    echo "WARNING: no datastream for Ubuntu $release, using ${ds:-none}" 1>&2
fi
# The profile id must exist in the chosen datastream (list them with: oscap info "$ds").
# Override it through the environment, e.g. OSCAP_PROFILE=xccdf_org.ssgproject.content_profile_stig
# where the datastream provides a STIG profile.
oscap_profile=${OSCAP_PROFILE:-xccdf_org.ssgproject.content_profile_standard}
if [[ -n $ds ]]; then
    cat > "/etc/cron.$oscap_frequency/oscap_scan" <<EOF
#!/bin/sh
# oscap exits 0 when every rule passes, 2 when at least one rule fails and 1 on error
oscap xccdf eval --profile $oscap_profile --results /var/log/oscap_results.xml \\
    --report /var/log/oscap_report.html $ds
EOF
    chmod 0755 "/etc/cron.$oscap_frequency/oscap_scan"
else
    echo "WARNING: OpenSCAP scan not scheduled: no SCAP Security Guide datastream found" 1>&2
fi

# Finalizing and generating report
echo "Generating final report..."
cat > /var/log/hardening_report.txt <<EOF
System hardening run completed on $(date -u +%Y-%m-%dT%H:%M:%SZ)
- Packages updated
- AIDE baseline initialised, auditd and AppArmor configured
- ClamAV scan scheduled: $scan_frequency (quarantine: /var/lib/clamav/quarantine)
- Unattended upgrades enabled
- UFW: deny incoming, allow outgoing, SSH allowed, logging enabled
- OpenSCAP scan scheduled: $oscap_frequency, profile $oscap_profile, datastream ${ds:-none}
  (results: /var/log/oscap_results.xml, HTML report: /var/log/oscap_report.html)
EOF

echo "Hardening report can be found at /var/log/hardening_report.txt"

# Notify user
echo "Ubuntu hardening process completed. Please check the report at /var/log/hardening_report.txt for details."
--------------------------------------------------------------------------------
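Both scheduling steps in the script (the ClamAV scan and the OpenSCAP scan) read a frequency from the terminal and use it inside a path under `/etc/cron.*`, and both drop their job into a run-parts directory. The example below, added here and not part of the repository's script, shows the two checks that make that safe: the frequency is validated against the three directories that exist, and the job is written as an executable `/bin/sh` script with a run-parts-compatible name. The cron root, the function names and the `demo` argument are this example's own, chosen so the functions can be exercised against a temporary directory instead of `/etc`.

```shell
#!/bin/sh
# Added example (not the project's code): install a recurring job the way run-parts expects it.

# Only these three directories exist on Ubuntu; anything else typed at a prompt is rejected
# rather than being used inside a path under /etc.
validate_frequency() {
    case $1 in
        daily|weekly|monthly) return 0 ;;
        *) echo "invalid frequency: '$1'" >&2; return 1 ;;
    esac
}

# install_periodic_job <cron_root> <frequency> <job_name> <command...>
# Writes <cron_root>/cron.<frequency>/<job_name> as an executable /bin/sh script and prints its path.
# run-parts only executes files whose names match ^[A-Za-z0-9_-]+$ (a name containing a dot is
# silently skipped), so the job name is restricted to that set; a bare crontab line placed in
# this directory would never run because it is not an executable script.
install_periodic_job() {
    [ $# -ge 4 ] || { echo "usage: install_periodic_job <cron_root> <frequency> <job_name> <command...>" >&2; return 1; }
    root=$1
    freq=$2
    name=$3
    shift 3
    validate_frequency "$freq" || return 1
    case $name in
        ""|*[!A-Za-z0-9_-]*) echo "invalid job name: '$name'" >&2; return 1 ;;
    esac
    dir="$root/cron.$freq"
    mkdir -p "$dir" || return 1
    path="$dir/$name"
    {
        printf '#!/bin/sh\n'
        printf '# generated by install_periodic_job; executed by run-parts from cron.%s\n' "$freq"
        printf '%s\n' "$*"
    } > "$path" || return 1
    chmod 0755 "$path" || return 1
    printf '%s\n' "$path"
}

# Demo: the ClamAV job, quarantining instead of deleting and skipping pseudo-filesystems.
# Runs only when this file is executed as "<file> demo"; CRON_ROOT (assumed name) defaults to /etc.
if [ "${1:-}" = demo ]; then
    install_periodic_job "${CRON_ROOT:-/etc}" weekly clamav_scan \
        "clamscan --infected --recursive --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' --exclude-dir='^/run' --move=/var/lib/clamav/quarantine --log=/var/log/clamav/scan.log /"
fi
```

The path-traversal case is the one to remember: an answer such as `../../tmp` to the original script's prompt would have been spliced straight into `/etc/cron.../clamav_scan`, which is why the value is matched against an allow-list rather than sanitised.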
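The scheduled `oscap xccdf eval` produces an HTML report, but the README's "Logs and Reports" feature is only useful if something acts on the result. The example below, added here and not part of the repository's script, parses the XCCDF results file that `oscap xccdf eval --results <file>` writes (the script does not pass `--results`; that flag and the `/var/log/oscap_results.xml` path are this example's assumption) and turns it into a count of pass/fail rules, a list of failed rule ids and a simple compliance gate. The sample results document is constructed to mirror the shape of a real results file; its rule ids, timestamps and score are illustrative, not the output of a scan.

```shell
#!/bin/sh
# Added example (not the project's code): summarise an XCCDF results file from oscap.

# xccdf_results <results.xml>: prints "<rule id> <result>" for every evaluated rule.
# The file is flattened to one line first because <result> sits on its own line in real output.
xccdf_results() {
    tr -d '\n' < "$1" \
        | grep -o '<rule-result idref="[^"]*"[^>]*>[[:space:]]*<result>[a-z]*</result>' \
        | sed -E 's/<rule-result idref="([^"]*)"[^>]*>[[:space:]]*<result>([a-z]*)<\/result>/\1 \2/'
}

# xccdf_count <results.xml> <result>: number of rules with that result (pass, fail, error, notapplicable, ...)
xccdf_count() {
    xccdf_results "$1" | awk -v want="$2" '$2 == want { n++ } END { print n + 0 }'
}

# xccdf_failed <results.xml>: ids of failed rules, one per line
xccdf_failed() {
    xccdf_results "$1" | awk '$2 == "fail" { print $1 }'
}

# xccdf_gate <results.xml>: succeeds only when nothing failed or errored. "error" counts as a
# finding because a rule that could not be checked is not evidence of compliance.
xccdf_gate() {
    [ "$(xccdf_count "$1" fail)" -eq 0 ] && [ "$(xccdf_count "$1" error)" -eq 0 ]
}

# Constructed sample (shape of a real <TestResult>; ids, times and score are illustrative)
SAMPLE_RESULTS=$(mktemp)
cat > "$SAMPLE_RESULTS" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_standard">
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" time="2024-01-01T02:30:00" severity="medium" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" time="2024-01-01T02:30:00" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" time="2024-01-01T02:30:00" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnetd_removed" time="2024-01-01T02:30:00" severity="high" weight="1.000000">
    <result>notapplicable</result>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">33.333333</score>
</TestResult>
EOF

# Usage from a cron job: run the scan, then gate on the results and mail or alert on the failed ids.
#   oscap xccdf eval --profile "$profile" --results /var/log/oscap_results.xml --report /var/log/oscap_report.html "$ds"
#   xccdf_gate /var/log/oscap_results.xml || xccdf_failed /var/log/oscap_results.xml
```

The parser deliberately keys on `<rule-result idref=...>` followed by `<result>`, which is the element order the XCCDF schema fixes, so it does not depend on an XML toolchain being installed on the scanned host.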