Raspberry Pi 4 Ubuntu support #550

Open
Martin11180 opened this issue Dec 27, 2024 · 7 comments
@Martin11180

Hello

Can you tell me what I have to remove so that the boot works again after running the script via USB hard drive?
It works via SD.
I have already removed USBGuard after running the script, unfortunately without success.

Raspberry Pi 4 Model B Rev 1.1
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

@konstruktoid
Owner

konstruktoid commented Dec 27, 2024

I updated the documentation in #551

@Martin11180
Author

Martin11180 commented Dec 27, 2024

I plan on restarting
Removed the following file for testing
Attached is a picture of where the Raspberry is hanging

sudo rm /etc/modprobe.d/disablefs.conf
sudo rm /etc/modprobe.d/disablemod.conf
sudo rm /etc/modprobe.d/disablenet.conf
sudo apt remove usbguard
sudo apt purge usbguard

20241228_002530

@Martin11180
Author

OK, I apparently forgot something when I went to test it
can you build the script so that this line

MOD="bluetooth bnep btusb cpia2 firewire-core floppy n_hdlc net-pf-31 pcspkr soundcore thunderbolt usb-midi uvcvideo v4l2_common"

and 

PACKAGE_INSTALL="acct aide-common cracklib-runtime debsums gnupg2 haveged libpam-pwquality libpam-tmpdir needrestart openssh-server postfix psad rkhunter sysstat systemd-coredump tcpd update-notifier-common vlock $APPARMOR $AUDITD $VM"

can be adjusted in the config file
For example, Postfix doesn't want to be on the system
and would also like to use nano for now

Now boot from the hard drive
Have two more questions, I can't get any further with some messages

 ✗ Verify that AppArmor is enabled on the kernel command line
   (in test file ./apparmor.bats, line 7)
     `[ "$status" -eq 0 ]' failed

I'm not sure what to do

✗ Verify that audit is enabled
   (in test file ./auditd.bats, line 7)
     `[ "$status" -eq 0 ]' failed

I'm not sure what to do

✗ Verify /usr/bin/make permission
   (in test file ./compilers.bats, line 5)
     `[ "$status" -eq 0 ]' failed

cat: /usr/bin/make: No such file or directory

 ✗ Verify FileCreateMode in /etc/rsyslog.conf
   (in test file ./journalctl.bats, line 27)
     `[ "$status" -eq 0 ]' failed


 
atrinbeckeroberstmartin@ubuntu:~/setup/hardening/tests$ cat /etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0600
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

I've tried everything possible, unfortunately without success

✗ Ensure sudo NOPASSWD is not used
   (in test file ./sudo.bats, line 35)
     `[ "$status" -eq 1 ]' failed

I'm not sure what to do

✗ Verify OpenSSH sftp
   (in test file ./sshd.bats, line 92)
     `[ "$status" -eq 0 ]' failed

I'm not sure what to do

✗ Verify password protected GRUB
   (in test file ./misc.bats, line 22)
     `[ "$status" -eq 0 ]' failed with status 2

I don't know if Raspberry already exists with Grub2

From ssh audit the standard looks like this

Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n
# hardening guide.
KexAlgorithms [email protected],curve25519-sha256,[email protected],gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr
MACs [email protected],[email protected],[email protected]\n\nHostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256
PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256" 


 ✗ Verify OpenSSH KexAlgorithms
   (in test file ./sshd.bats, line 117)
     `[ "$status" -eq 0 ]' failed
 ✗ Verify OpenSSH Ciphers
   (in test file ./sshd.bats, line 122)
     `[ "$status" -eq 0 ]' failed
 ✗ Verify OpenSSH Macs
   (in test file ./sshd.bats, line 127)
     `[ "$status" -eq 0 ]' failed
 ✗ Ensure OpenSSH MAC [email protected] is not used
   (in test file ./sshd.bats, line 272)
     `[ "$status" -eq 1 ]' failed

which ones are correct

 ✗ Ensure user games is removed
   (in test file ./users.bats, line 5)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user gnats is removed
   (in test file ./users.bats, line 10)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user irc is removed
   (in test file ./users.bats, line 15)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user list is removed
   (in test file ./users.bats, line 20)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user news is removed
   (in test file ./users.bats, line 25)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user sync is removed
   (in test file ./users.bats, line 30)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user uucp is removed
   (in test file ./users.bats, line 35)
     `[ "$status" -eq 1 ]' failed

are always there again after a restart

I haven't posted anything else, so I know what I have to do

Your answer may also help others with this problem

@konstruktoid
Owner

For now you'll need to manually update the functions.

And if you don't have any particular reason to pass all the tests, there's no need to pay any attention to them.
For example, if you don't need make on your system there's no point in installing it just to pass the test.

What does grep -E '^\$FileCreateMode 06(0|4)0$' /etc/rsyslog.conf return?

@Martin11180
Author

grep -E '^\$FileCreateMode 06(0|4)0$' /etc/rsyslog.conf
$FileCreateMode 0600

but OpenSSH sftp is not in your description either
and with the exchange, cipher, and MAC algorithm it would also be interesting, which is currently a problem because of security

@konstruktoid
Owner

> grep -E '^\$FileCreateMode 06(0|4)0$' /etc/rsyslog.conf
> $FileCreateMode 0600

so the test should have caught that.

> but OpenSSH sftp is not in your description either
> and with the exchange, cipher, and MAC algorithm it would also be interesting, which is currently a problem because of security

Which problem of security? Because the configuration doesn't match sshaudit.com? Adapt the configuration to suit your needs, don't just follow a recommendation. Neither complies with FIPS 140-2, for example.
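
One way to act on the advice to pick your own algorithm policy and then verify the daemon against it, as an added example that is not part of the thread or the hardening project's tests. The policy lists, the sample `sshd -T` output and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not the project's code): compare sshd's offered algorithms with your own policy.

# Constructed sample of `sshd -T` output: lowercase keyword, comma-separated list.
sample_sshd_T() {
cat <<'EOF'
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha1
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1
EOF
}

# Hypothetical site policy: the algorithms this host is allowed to offer.
policy_for() {
  case "$1" in
    kexalgorithms) echo "curve25519-sha256 diffie-hellman-group16-sha512" ;;
    ciphers) echo "chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes256-ctr" ;;
    macs) echo "hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com" ;;
  esac
}

# Read `sshd -T` text on stdin; print each algorithm for keyword $1 that is
# outside the policy, or MISSING:<keyword> if the keyword is absent.
unexpected_algorithms() {
  ua_allowed=" $(policy_for "$1") "
  ua_effective=$(awk -v k="$1" '$1 == k { print $2 }' | tr ',' ' ')
  if [ -z "$ua_effective" ]; then echo "MISSING:$1"; return 0; fi
  for ua_alg in $ua_effective; do
    case "$ua_allowed" in
      *" $ua_alg "*) ;;            # allowed by policy
      *) echo "$ua_alg" ;;         # offered but not allowed
    esac
  done
}

# Audit all three keywords; return 1 if anything falls outside the policy.
audit_sshd() {
  as_input=$(cat); as_rc=0
  for as_key in kexalgorithms ciphers macs; do
    as_extra=$(printf '%s\n' "$as_input" | unexpected_algorithms "$as_key" | tr '\n' ' ')
    if [ -n "$as_extra" ]; then
      printf '%s: %s\n' "$as_key" "$as_extra"; as_rc=1
    fi
  done
  return "$as_rc"
}

sample_sshd_T | audit_sshd || echo "effective sshd configuration differs from policy"
```

On a real host, replace the sample with the daemon's effective settings: `sshd -T | audit_sshd`, run as root.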
