How to Harden Debian/Ubuntu/Rocky Desktop

Ed Roof Maker
5 min read · Jan 21, 2024

Linux desktops have more moving parts and require less hardening than a server. The tweaks listed here can be adapted for Debian, Ubuntu or Rocky Linux type distributions.

Tuning SystemD Journal

We should limit the size of the journal in memory and on disk. This prevents the disk from filling up: the logs simply roll over and keep the same total size.

Edit the file below; -

vim /etc/systemd/journald.conf
...
SystemMaxUse=256M
SystemKeepFree=512M
SystemMaxFileSize=32M
...

Tuning Console History

By default the history size is unlimited or too large. We should set a sane limit of around 25 lines.

Edit the below file and add the two lines for all unix users; -

vim ~/.bashrc
...
export HISTSIZE=100
export HISTFILESIZE=100

Tuning System Limits

You can set system limits according to your business context. Servers can be highly restrictive; desktops can be more loose.

Below is an example for a desktop machine; -

sudo vim /etc/security/limits.d/limits.conf
# <domain> <type> <item> <value>
# Base Defaults
* - nproc 350
* - maxlogins 1
* - nofile 60000
* - core 0
* - fsize 500000
ubuntu - maxlogins 2
ubuntu - nproc 2800
ubuntu - nofile 400000
ubuntu - fsize 9000000
ubuntu - priority -10

Tuning Sudo

We should tune sudo so that an escalation times out after 5 minutes; -

vim /etc/sudoers.d/timeout
...
Defaults timestamp_timeout=5

We should have a dedicated headless admin user for all administration. Desktop users should remain least privileged and not escalate.

Tuning firewall

Install and configure a simple firewall; -

sudo apt install ufw
sudo ufw status verbose
sudo ufw default deny incoming
# The policy only takes effect once the firewall is enabled
sudo ufw enable
sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

We allow outgoing traffic to any port, because SSH should be on a nonstandard port other than 22. This is a desktop, so we deny all incoming traffic.

Tuning Your Boot Loader

We should disable the boot loader menu so that SELinux, AppArmor, or any other kernel module cannot be disabled or changed at boot time.

In debian/ubuntu/linux mint we can do the below; -

vim /etc/default/grub
...
GRUB_TIMEOUT=0
sudo update-grub

Tuning Your Kernel

On a Rocky Linux 9.2 desktop the settings below should be applied to your system. A standard lynis audit system check will flag them.

sudo dnf install lynis
sudo lynis audit system
sudo vim /etc/sysctl.d/01-tuning.conf
dev.tty.ldisc_autoload=0
fs.protected_fifos=2
fs.protected_regular=2
# Disable core dumps
fs.suid_dumpable=0
# Restrict access to kernel logs
kernel.dmesg_restrict=1
# Hide kernel pointers
kernel.kptr_restrict=2
kernel.perf_event_paranoid=3
# Randomise memory space
kernel.randomize_va_space=2
# Disable System Request debugging functionality
kernel.sysrq=0
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
net.core.bpf_jit_harden=2
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.log_martians=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
# Load the new settings without a reboot
sudo sysctl --system
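As an added example (not part of the original post), the following POSIX shell script reads a file in the same format as 01-tuning.conf above and reports which keys have drifted from the running kernel. The file contents and the current_value function are constructed stand-ins; on a real host current_value would simply be `sysctl -n "$1"`.

```shell
#!/bin/sh
# Added example, not from the original post: report which keys in a hardening
# sysctl file (same format as /etc/sysctl.d/01-tuning.conf) differ from the
# live kernel values. On a real host replace current_value() with `sysctl -n "$1"`.

EXPECTED_CONF=$(mktemp)
trap 'rm -f "$EXPECTED_CONF"' EXIT

# Constructed sample file: a subset of the keys from the post, including one
# entry written with spaces around '=' (sysctl accepts both spellings).
cat > "$EXPECTED_CONF" <<'EOF'
# Disable core dumps
fs.suid_dumpable = 0
kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.randomize_va_space=2
kernel.sysrq=0
net.ipv4.conf.all.accept_redirects=0
EOF

# Constructed stand-in for `sysctl -n KEY`, imitating an un-hardened desktop.
current_value() {
  case "$1" in
    fs.suid_dumpable)                   echo 2 ;;
    kernel.dmesg_restrict)              echo 1 ;;
    kernel.kptr_restrict)               echo 1 ;;
    kernel.randomize_va_space)          echo 2 ;;
    kernel.sysrq)                       echo 16 ;;
    net.ipv4.conf.all.accept_redirects) echo 1 ;;
    *)                                  echo "" ;;   # unknown key: reported as unset
  esac
}

# sysctl_drift CONF: print "DRIFT key expected=X actual=Y" for every mismatch.
# Exit status 0 when every key matches, 1 when at least one key drifted.
sysctl_drift() {
  conf=$1
  drift=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|\#*) continue ;; esac          # skip blanks and comments
    key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]')
    want=$(printf '%s' "$line" | cut -d= -f2- | tr -d '[:space:]')
    have=$(current_value "$key")
    if [ "$have" != "$want" ]; then
      printf 'DRIFT %s expected=%s actual=%s\n' "$key" "$want" "${have:-<unset>}"
      drift=$((drift + 1))
    fi
  done < "$conf"
  [ "$drift" -eq 0 ]
}

sysctl_drift "$EXPECTED_CONF" || echo "hardening drift detected; apply with: sudo sysctl --system"
```

Run it before and after `sudo sysctl --system`: it should list drift on the first run and nothing on the second. Because the loop strips whitespace around the `=`, `fs.suid_dumpable = 0` and `fs.suid_dumpable=0` compare equal, which matches how sysctl itself parses the file.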

Suppress CTRL+ALT+DELETE

We do not need a keyboard reboot when we have the power button on desktops and the hypervisor on servers.

sudo vim /etc/systemd/system.conf
...
CtrlAltDelBurstAction=none
...
sudo systemctl daemon-reload
# The burst setting only covers repeated presses; mask the target so a single press does nothing either
sudo systemctl mask ctrl-alt-del.target

Tool Tuning

When performing sys admin, or even developing in a headless way, we should ideally use the screen command. This enables console locking both in an emulated desktop console and in a headless TTY.

The defaults are sane but are not installed for unix users. Install the sane defaults and add the timeout value below.

Install and configure screen;-

sudo dnf install screen
sudo vim /etc/screenrc
...
idle 60 lockscreen
sudo cp -f /etc/screenrc /etc/profiles.d/.screenrc
cp -f /etc/profiles.d/.screenrc ~/.screenrc

Although not security related, having sane defaults aids in system administration and development productivity.

Install and configure vim; -

sudo vim /etc/profiles.d/.vimrc
:set number
:setlocal cm=blowfish2
:set colorcolumn=100
:set winwidth=102
:set winminwidth=100
:set equalalways
:syntax on
:set tabstop=3
:set shiftwidth=3
:set expandtab
sudo cp /etc/profiles.d/.vimrc /root
sudo cp /etc/profiles.d/.vimrc /home/admin_sec
sudo cp /etc/profiles.d/.vimrc /home/research

Install lynis auditing tool; -

sudo apt install lynis
sudo lynis audit system

Locking Out Root

We should prevent root from logging into TTY via below; -

sudo sh -c 'echo > /etc/securetty'

We should disable root’s shell in passwd; -

sudo vim /etc/passwd
root:x:0:0:root:/root:/sbin/nologin

Root should have been locked out upon installation. If it was not, we should lock out the root user by setting a random password and then locking the account; -

uuidgen | sudo passwd root --stdin
sudo passwd root --lock

AIDE

AIDE (Advanced Intrusion Detection Environment) is the open source successor to Tripwire. It records file system attributes and a checksum hash for each file. Any modification found on a later check is reported as suspicious and can be recorded in the system logs.

A conservative snapshot of key system files should be used. The defaults are sane. Snapshots should be taken after RPM installations. Checking for changes should be initiated before RPM installations and system administration.

Automatic running is not recommended, as this can wear out your SSD.

First install; -

sudo dnf install aide

Taking a snapshot for the first time; -

sudo aide --init --config /etc/aide.conf
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Taking another snapshot; -

sudo aide --update --config /etc/aide.conf
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Checking for changes/system tampering; -

sudo aide --check --config /etc/aide.conf

The defaults for aide.conf are sane. This tool can be used to make sure the system was not changed since the last administration. After system administration, you run an --update.

Next time you want to administer, you can check whether there were any unauthorized system changes by running a --check. This identifies malware, hacking and any other system level surprises.
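To make the --init / --check cycle concrete, here is an added example that is not AIDE and not part of the original post: a minimal file-integrity baseline in POSIX shell. It records mode, owner, size and SHA-256 for every regular file under a directory, then classifies each difference in a later snapshot. The directory tree, its contents and the simulated tampering are all constructed for the demo; it assumes GNU coreutils (stat -c, sha256sum) and paths without spaces.

```shell
#!/bin/sh
# Added example, not AIDE itself: a minimal baseline/check in the spirit of
# `aide --init` followed by `aide --check`. Assumes GNU coreutils and paths
# without spaces; AIDE's real database tracks far more attributes than this.

# fim_snapshot DIR: print "relpath mode uid size sha256" per regular file,
# in a stable order so two snapshots can be compared line by line.
fim_snapshot() {
  dir=$1
  find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
    rel=${f#"$dir"/}
    meta=$(stat -c '%a %u %s' "$f")          # permissions, owner uid, size
    sum=$(sha256sum "$f" | cut -d' ' -f1)     # content hash
    printf '%s %s %s\n' "$rel" "$meta" "$sum"
  done
}

# fim_init DIR DB: write the baseline (like aide --init plus renaming aide.db.new)
fim_init() { fim_snapshot "$1" > "$2"; }

# fim_check DIR DB: print ADDED/CHANGED/REMOVED lines; exit 1 if anything differs
fim_check() {
  fim_snapshot "$1" | awk -v db="$2" '
    BEGIN { while ((getline l < db) > 0) { split(l, a, " "); old[a[1]] = l } }
    {
      p = $1; seen[p] = 1
      if (!(p in old))       { print "ADDED   " p; n++ }
      else if (old[p] != $0) { print "CHANGED " p; n++ }
    }
    END {
      for (p in old) if (!(p in seen)) { print "REMOVED " p; n++ }
      exit (n > 0)
    }'
}

# Constructed tree standing in for the system files AIDE would watch.
WORK=$(mktemp -d)
DB=$(mktemp)                      # baseline lives outside the watched tree
trap 'rm -rf "$WORK" "$DB"' EXIT
mkdir -p "$WORK/etc"
printf 'root:x:0:0:root:/root:/sbin/nologin\n' > "$WORK/etc/passwd"
printf 'Defaults timestamp_timeout=5\n' > "$WORK/etc/sudoers"

fim_init "$WORK" "$DB"

# Simulated tampering after the baseline: root's nologin shell reverted to a
# real shell, plus a file that was not there before.
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$WORK/etc/passwd"
printf '#!/bin/sh\n' > "$WORK/etc/rc.local"

fim_check "$WORK" "$DB" || echo "integrity differences found; review them before trusting this host"
```

The check prints `CHANGED etc/passwd` and `ADDED   etc/rc.local` and exits non-zero, which is the same signal AIDE gives you before you start administering. Re-running fim_init after deliberate changes is the equivalent of the --update step above.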

RKHunter

This is a simple tool to use. It gives assurance that you have no common rootkits installed.

Install and configure via below; -

sudo dnf install rkhunter
sudo sed -i 's|=http|=https|g' /var/lib/rkhunter/db/mirrors.dat
sudo rkhunter --update

If the above update fails that is ok. The repository’s defaults are sane. We just want to protect our system from known root kit signatures.

Check system; -

sudo rkhunter --check

Snapshot file properties of system; -

sudo rkhunter --propupd

You should get a few warnings. This is normal for a fresh install.

SELinux

Rocky linux is the most stable desktop distribution with selinux. Debian is not stable even though selinux is compiled into the kernel by default.

This is the main immutability tool. It groups system files and binaries by “context” type so that read/write/execute are enabled only within their context. SELinux can be configured to deny by default by removing unconfined_t usage and enabling sysadm_r for system configuration. Root can be confined as system_t context.

SELinux in Debian breaks Firefox at the time of this writing. Rocky Linux has mature SELinux modules that prevent applications from breaking. We should enable enforcing mode for Rocky Linux and other Red Hat type distributions.

We confine a least privileged user via below; -

sudo semanage login -l
sudo semanage login -a -s staff_u admin_sec
sudo semanage login -l

We confine root user via below; -

sudo semanage login -a -s system_u root

We set the default context to the existing selinux user; -

sudo semanage login -l
sudo semanage login -m -s system_u __default__
sudo semanage login -l

We prevent unconfined_r escalation via below; -

sudo semanage user --list
sudo semanage user -m -R 'staff_r sysadm_r system_r' staff_u
sudo semanage user -m -R 'staff_r sysadm_r system_r' root
sudo semanage user -m -R 'system_r' system_u

To deharden and administer a system and escalate as unconfined_r; -

sudo semanage user --list
sudo semanage user -m -R 'staff_r sysadm_r system_r unconfined_r' staff_u
sudo semanage user -m -R 'staff_r sysadm_r system_r unconfined_r' root
sudo semanage user -m -R 'system_r unconfined_r' system_u

To administer in most scenarios we escalate as sysadm_r; -

sudo -r sysadm_r vim /etc/security/limits.d/limits.conf

Conclusion

Linux has many moving parts. By default they may not be as secure as they could be. This blog lists hardening points that do not break a desktop. I hope someone found this blog useful.
