├── LICENSE
├── README.md
└── openscap_stig_harden_ubuntu.sh


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2024 am
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | ![GitHub stars](https://img.shields.io/github/stars/alokemajumder/Ubuntu-Security-Hardening-Script?style=social)
 4 | ![GitHub forks](https://img.shields.io/github/forks/alokemajumder/Ubuntu-Security-Hardening-Script?style=social)
 5 | ![GitHub issues](https://img.shields.io/github/issues/alokemajumder/Ubuntu-Security-Hardening-Script)
 6 | ![GitHub pull requests](https://img.shields.io/github/issues-pr/alokemajumder/Ubuntu-Security-Hardening-Script)
 7 | ![GitHub](https://img.shields.io/github/license/alokemajumder/Ubuntu-Security-Hardening-Script)
 8 | ![GitHub release (latest by date)](https://img.shields.io/github/v/release/alokemajumder/Ubuntu-Security-Hardening-Script)
 9 | ![GitHub contributors](https://img.shields.io/github/contributors/alokemajumder/Ubuntu-Security-Hardening-Script)
10 | ![GitHub last commit](https://img.shields.io/github/last-commit/alokemajumder/Ubuntu-Security-Hardening-Script)
11 | ![GitHub top language](https://img.shields.io/github/languages/top/alokemajumder/Ubuntu-Security-Hardening-Script)
12 | ![Dependencies](https://img.shields.io/librariesio/github/alokemajumder/Ubuntu-Security-Hardening-Script)
13 | ![Code size](https://img.shields.io/github/languages/code-size/alokemajumder/Ubuntu-Security-Hardening-Script)
14 | ![Open Source Love](https://badges.frapsoft.com/os/v1/open-source.png?v=103)
15 | 
16 | ## Ubuntu Security Hardening Script
17 | 
18 | This script provides a comprehensive approach to hardening Ubuntu systems, aligning with DISA-STIG compliance for Ubuntu 20.04 LTS minimum. It includes a range of security enhancements and configurations designed to strengthen the security posture of Ubuntu servers.
19 | 
20 | ## Features
21 | 
22 | - **System Updates**: Applies the latest security patches to the system.
23 | - **Firewall Configuration**: Sets up and configures UFW (Uncomplicated Firewall) to deny all incoming connections by default, while allowing all outgoing connections.
24 | - **Fail2Ban Setup**: Configures Fail2Ban to protect against brute-force attacks, particularly against SSH.
25 | - **Auditd Configuration**: Sets up Auditd with rules recommended by DISA-STIG to monitor changes to critical system files.
26 | - **Account Security**: Ensures only the root user has UID 0 and disables root SSH login.
27 | - **Password Policies**: Enforces policies to disable empty passwords and ensure all accounts have strong authentication.
28 | - **Network Hardening**: Applies measures to harden the TCP/IP stack.
29 | - **Vulnerability Scanning**: Integrates ClamAV for malware scanning and Debsecan for vulnerability scanning.
30 | - **Cron Job Security**: Secures cron jobs by restricting permissions.
31 | - **Core Dump Restrictions**: Limits the system's ability to create core dumps.
32 | - **OpenSCAP Integration**: Automates the scanning process using the SCAP Security Guide to assess system compliance with security standards.
33 | - **Comprehensive Logs and Reports**: Generates detailed reports on system compliance and vulnerabilities.
34 | - **Added UFW Firewall Logging**: 
35 |   - Introduced the command `ufw logging on` to enable firewall logging in UFW.
36 |   - This addition ensures that firewall activities are logged for better visibility and auditing of network traffic and security events.
37 | 
38 | 
39 | ## Prerequisites
40 | 
41 | Before running the script, ensure you have root access to your Ubuntu  server.
42 | 
43 | ## Installation
44 | 
45 | 1. **Download the Script**:
46 | 
47 | 
48 |    You can download the script directly using wget or curl, or you can clone this repository.
49 | 
50 |   
51 | 
52 | 2.  **Make the Script Executable**: Change the script's permissions to make it executable.
53 |     
54 |   
55 |     
56 |     `chmod +x openscap_stig_harden_ubuntu.sh` 
57 |     
58 | 3.  **Run the Script**: Execute the script as the root user to apply the security configurations.
59 |     
60 |    
61 |     
62 |     `sudo ./openscap_stig_harden_ubuntu.sh` 
63 |     
64 | 
65 | ## Usage
66 | 
67 | Run the script on a fresh installation of minimum Ubuntu 20.04 LTS to ensure that there are no conflicts with existing configurations. It can also be run on existing systems to apply security enhancements but review the changes and backup important data before running the script in production environments.
68 | 
69 | ## Contributions
70 | 
71 | Contributions are always welcome! If you have suggestions for improving the script or have identified issues, please open an issue or submit a pull request.
72 | 
73 | ## License
74 | 
75 | This project is licensed under the MIT License 
76 | 
77 | ## Disclaimer
78 | 
79 | This script is provided "as is", without warranty of any kind, express or implied. Always test in a staging environment before deploying into production.
80 | 


--------------------------------------------------------------------------------
/openscap_stig_harden_ubuntu.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | # Ubuntu Security Hardening Script
  4 | # Author: Alok Majumder
  5 | # GitHub: https://github.com/alokemajumder
  6 | # License: MIT License
  7 | 
  8 | # DISCLAIMER:
  9 | # This script is provided "AS IS" without warranty of any kind, express or implied. The author expressly disclaims any and all warranties, 
 10 | # express or implied, including any warranties as to the usability, suitability or effectiveness of any methods or measures this script 
 11 | # attempts to apply. By using this script, you agree that the author shall not be held liable for any damages resulting from the use of this script.
 12 | 
 13 | # Ensure the script is run as root
 14 | if [[ $EUID -ne 0 ]]; then
 15 |    echo "This script must be run as root" 1>&2
 16 |    exit 1
 17 | fi
 18 | 
 19 | echo "Beginning Ubuntu security hardening process..."
 20 | 
 21 | # Update and upgrade existing packages
 22 | echo "Updating and upgrading installed packages..."
 23 | apt update && apt upgrade -y  
 24 | 
 25 | # Install necessary packages
 26 | echo "Installing necessary tools and packages..."
 27 | apt install -y aide auditd debsums apparmor apparmor-utils clamav clamav-daemon unattended-upgrades ufw openscap-scanner  # Installed new packages: debsums for checksum verification
 28 | 
 29 | # Initialize AIDE
 30 | echo "Initializing AIDE, the file integrity checker..."
 31 | aideinit
 32 | mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db 
 33 | 
 34 | # Configure Auditd
 35 | echo "Configuring auditd..."
 36 | cp /etc/audit/auditd.conf /etc/audit/auditd.conf.backup
 37 | echo "
 38 | log_file = /var/log/audit/audit.log
 39 | log_group = root
 40 | log_format = ENRICHED
 41 | priority_boost = 4
 42 | flush = INCREMENTAL_ASYNC
 43 | freq = 20
 44 | num_logs = 5
 45 | disp_qos = lossy
 46 | dispatcher = /sbin/audispd
 47 | name_format = HOSTNAME
 48 | max_log_file = 8
 49 | max_log_file_action = ROTATE
 50 | space_left = 75
 51 | space_left_action = SYSLOG
 52 | action_mail_acct = root
 53 | admin_space_left = 50
 54 | admin_space_left_action = SUSPEND
 55 | disk_full_action = SUSPEND
 56 | disk_error_action = SUSPEND
 57 | " > /etc/audit/auditd.conf
 58 | service auditd restart
 59 | 
 60 | # Configure AppArmor
 61 | echo "Configuring AppArmor..."
 62 | aa-enforce /etc/apparmor.d/*  
 63 | 
 64 | # Configure ClamAV
 65 | echo "Scheduling ClamAV scans..."
 66 | echo "Please enter how often you want ClamAV scans to run (daily, weekly, monthly):"
 67 | read scan_frequency
 68 | echo "0 1 * * * root clamscan --infected --remove --recursive /" > /etc/cron.$scan_frequency/clamav_scan  # Updated cron syntax to avoid errors
 69 | 
 70 | # Configure Unattended-Upgrades
 71 | echo "Configuring automatic security updates..."
 72 | dpkg-reconfigure --priority=low unattended-upgrades  # Ensures unattended upgrades are enabled
 73 | 
 74 | # Setup Firewall with UFW
 75 | echo "Setting up UFW firewall..."
 76 | ufw enable
 77 | ufw default deny incoming
 78 | ufw default allow outgoing
 79 | ufw allow ssh
 80 | # **NEW CHANGE**: Enable logging for UFW firewall for better visibility and monitoring.
 81 | ufw logging on  # **NEW CHANGE**: Enable logging for UFW firewall for better visibility and monitoring.
 82 | 
 83 | # Setup OpenSCAP
 84 | echo "Configuring OpenSCAP..."
 85 | echo "Please enter how often you want OpenSCAP scans to run (daily, weekly, monthly):"
 86 | read oscap_frequency
 87 | echo "30 2 * * * root oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --report /var/log/oscap_report.html /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml" > /etc/cron.$oscap_frequency/oscap_scan
 88 | 
 89 | # Finalizing and generating report
 90 | echo "Generating final report..."
 91 | echo "
 92 | System Hardening Completed Successfully
 93 | - All packages updated
 94 | - AIDE, Auditd, AppArmor, ClamAV, and OpenSCAP configured
 95 | - Unattended upgrades and firewall configured
 96 | - Security scans scheduled
 97 | - Firewall logging enabled  # **NEW CHANGE**: Added log about firewall logging being enabled
 98 | " > /var/log/hardening_report.txt  # **NEW CHANGE**: Added log about firewall logging being enabled
 99 | 
100 | echo "Hardening report can be found at /var/log/hardening_report.txt"
101 | 
102 | # Notify user
103 | echo "Ubuntu hardening process completed. Please check the report at /var/log/hardening_report.txt for details."
104 | 


--------------------------------------------------------------------------------