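#!/bin/bash
#
# Miasma OS system hardening.
#
# Writes a sysctl hardening drop-in, installs and enables nftables, sets a
# restrictive default umask, disables core dumps via limits.conf and
# blacklists a set of kernel modules.
#
# Must run as root: every step writes under /etc or calls pacman.
# The sysctl and modprobe files are written but NOT loaded here (no
# `sysctl --system`, no `modprobe -r`); presumably they take effect on the
# next boot — confirm if this is ever run on a live system rather than in
# an installer chroot.
#
# Re-running is safe: the generated config files are overwritten and the
# lines appended to /etc/profile and /etc/security/limits.conf are added
# only once.

set -euo pipefail

#######################################
# Print an error message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Append a line to a file unless an identical line is already present.
# Prevents duplicate entries when the script is run more than once.
# Arguments: $1 - file, $2 - exact line to ensure
#######################################
append_once() {
  local file=$1
  local line=$2
  # grep fails both when the line is absent and when the file does not
  # exist yet; in either case appending is the desired outcome, so its
  # stderr is deliberately discarded.
  if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
    printf '%s\n' "$line" >> "$file"
  fi
}

#######################################
# Write the kernel parameter drop-in. The heredoc delimiter is quoted, so
# the contents are written verbatim with no expansion.
# Note: icmp_echo_ignore_all=1 makes the host stop answering ping.
#######################################
write_sysctl_config() {
  cat > /etc/sysctl.d/99-miasma-hardening.conf << 'EOF'
# Miasma OS Security Hardening
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.yama.ptrace_scope = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1
EOF
}

#######################################
# Install nftables (replacing ufw) and enable its unit. The ruleset itself
# is not written here; it is expected to be configured on first boot.
#######################################
setup_nftables() {
  pacman -S --noconfirm --needed nftables
  systemctl enable nftables
}

#######################################
# Blacklist kernel modules (list based on Secureblue). Written verbatim.
#######################################
write_module_blacklist() {
  cat > /etc/modprobe.d/blacklist-miasma.conf << 'EOF'
# Miasma OS module blacklisting
blacklist dccp
blacklist sctp
blacklist rds
blacklist tipc
blacklist n_hdlc
blacklist bluetooth
blacklist net-pf-31
blacklist uvcvideo
EOF
}

main() {
  (( EUID == 0 )) || die "this script must be run as root"

  printf '%s\n' "Applying Miasma OS system hardening..."

  write_sysctl_config
  setup_nftables

  # Restrictive default umask for shells that source /etc/profile.
  append_once /etc/profile "umask 077"

  # Disable core dumps for all users.
  append_once /etc/security/limits.conf "* hard core 0"

  write_module_blacklist

  printf '%s\n' "System hardening complete!"
}

main "$@"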