Puppet Debian Hardening

Masterless Puppet Environment For Debian Hardening

This repo contains a masterless Puppet environment which may be used to lock down a minimal Debian server even further than stock. These controls utilize only open-source components, and can be deployed to any stock Debian 9 machine.

Works on Debian 9 and Puppet 4.8.2

Only intended for a non-GUI Debian install, starting with only the "Standard system utilities" and "SSH Server"

Hardening Features

  • Disables IPv6 + unnecessary network services
  • Disables desktop GUI (Gnome, KDE, etc.)
  • Hardens SSH server + brute force protection
  • Enforces Stanford password policy and Google TOTP 2FA
  • Enables memory corruption exploit mitigations
  • Applies security patches daily
  • Locks down firewall rules to the minimum necessary
  • Disables uncommon kernel modules (floppy, usb storage, etc)

Prerequisites

apt install sudo git wget

Bootstrap Command

Automatically downloads and installs the hardening controls on a stock Debian machine.
Ensure you have console access to the box if recovery is needed.

(cd /opt/ && sudo git clone https://github.com/0x9090/Linux-Hardening.git && cd Linux-Hardening && sudo sh setup.sh -a)

Uses Open-Source Puppet Modules

Environment Layout

setup.sh = Main installer script. Run this once, and the controls will be implemented and enforced
run.sh = Performs a Puppet run to manually apply the security controls
site.pp = Top-level node definitions

There are several different hardening domains, and each domain is a collection of related security controls.

Most of the code is in the /modules/ folder. Every module whose name ends in "_config" is a hardening domain configuration module. Each of those modules contains an init.pp file, which configures the hardening domain. Those init.pp files are what you'll work in to customize the hardening to your needs.

Security Considerations

  • Thoroughly test this in your own environment before using in production. Use at your own risk
  • These controls are only to be used on a fresh, minimal Debian 9 install
  • You need to configure Google 2FA in the os_hardening_config module
  • Firewall is only configured for SSH inbound
  • Create a low-privileged user, as these controls will disallow root to SSH in
  • It's a good practice to update all the bundled modules before deployment to ensure any known vulnerabilities are removed
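
Because root SSH login is disallowed once the controls are applied, it is worth confirming before the bootstrap that a non-root account can log in and escalate. The script below is an added example, not part of this repo; it assumes sudo rights come from Debian's default `sudo` group, and the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight check (added example, not from the repo): list accounts that can
# still administer the box after root SSH login is disallowed.
# Inputs are files in the standard passwd(5) and group(5) formats.
# Assumption: sudo rights are granted through Debian's default "sudo" group.

# login_users PASSWD_FILE: print non-root accounts that have a login shell.
login_users() {
    awk -F: '$3 != 0 && $7 != "" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# in_sudo_group USER PASSWD_FILE GROUP_FILE: succeed if USER belongs to the
# "sudo" group, either as a listed member or through the primary GID.
in_sudo_group() {
    awk -F: -v u="$1" '
        FNR == NR { if ($1 == u) gid = $4; next }      # first file: passwd
        $1 == "sudo" {                                  # second file: group
            if (gid != "" && $3 == gid) found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit !found }
    ' "$2" "$3"
}

# preflight PASSWD_FILE GROUP_FILE: print usable admin accounts, one per line.
# Returns non-zero when none exist, meaning the bootstrap would leave no
# remote administrative login.
preflight() {
    rc=1
    for u in $(login_users "$1"); do
        if in_sudo_group "$u" "$1" "$2"; then
            echo "$u"
            rc=0
        fi
    done
    return $rc
}
```

On the target machine, run `preflight /etc/passwd /etc/group` and proceed only if it prints at least one account. It does not check SSH keys or the 2FA enrollment of that account.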