pve-security-scanner/vm/01-system-harden.sh

#!/bin/bash
# =============================================================================
# System Hardening for Security Scanner VM
# Run this inside the VM as root
# =============================================================================
set -euo pipefail

echo "============================================"
echo " System Hardening - Security Scanner VM"
echo "============================================"

# --- 1. Update system ---
echo "[+] Updating system packages..."
apt update && apt upgrade -y
apt install -y unattended-upgrades apt-listchanges

# Enable automatic security updates
cat > /etc/apt/apt.conf.d/50unattended-upgrades << 'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF

dpkg-reconfigure -f noninteractive unattended-upgrades

# --- 2. Kernel hardening (sysctl) ---
echo "[+] Applying kernel hardening..."
cat > /etc/sysctl.d/99-security-scanner.conf << 'EOF'
# --- Network hardening ---
# Disable IP forwarding (scanner should not route traffic)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Don't send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Enable reverse path filtering (anti-spoofing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

# Log suspicious packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# --- Memory protection ---
# Restrict dmesg access
kernel.dmesg_restrict = 1

# Restrict kernel pointer exposure
kernel.kptr_restrict = 2

# Enable ASLR
kernel.randomize_va_space = 2

# Restrict ptrace
kernel.yama.ptrace_scope = 2

# --- File system ---
# Restrict core dumps
fs.suid_dumpable = 0
EOF

sysctl -p /etc/sysctl.d/99-security-scanner.conf

# --- 3. Restrict core dumps ---
echo "[+] Disabling core dumps..."
cat > /etc/security/limits.d/99-no-core.conf << 'EOF'
*    hard    core    0
*    soft    core    0
EOF

# --- 4. Secure shared memory ---
echo "[+] Securing shared memory..."
if ! grep -q "tmpfs /dev/shm" /etc/fstab; then
    echo "tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0" >> /etc/fstab
fi

# --- 5. Set file permissions ---
echo "[+] Hardening file permissions..."
chmod 700 /root
chmod 600 /etc/crontab
chmod 700 /etc/cron.d
chmod 700 /etc/cron.daily
chmod 700 /etc/cron.hourly
chmod 700 /etc/cron.weekly
chmod 700 /etc/cron.monthly

# --- 6. Disable unnecessary services ---
echo "[+] Disabling unnecessary services..."
DISABLE_SERVICES=(
    "avahi-daemon"
    "cups"
    "rpcbind"
    "bluetooth"
)
for svc in "${DISABLE_SERVICES[@]}"; do
    if systemctl is-enabled "${svc}" 2>/dev/null; then
        systemctl disable --now "${svc}"
        echo "    Disabled: ${svc}"
    fi
done

# --- 7. Install security tools ---
echo "[+] Installing security audit tools..."
apt install -y \
    aide \
    rkhunter \
    lynis \
    auditd \
    audispd-plugins \
    fail2ban \
    logwatch

# --- 8. Initialize AIDE (file integrity monitoring) ---
echo "[!] Initializing AIDE database - this may take 10-20 minutes..."
aideinit
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# --- 9. Configure auditd ---
echo "[+] Configuring audit rules..."
cat > /etc/audit/rules.d/scanner-audit.rules << 'EOF'
# Delete all existing rules
-D

# Buffer size
-b 8192

# Failure mode (1=printk, 2=panic)
-f 1

# Monitor /etc changes
-w /etc/ -p wa -k etc_changes

# Monitor authentication
-w /var/log/auth.log -p wa -k auth_log
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity

# Monitor sudo usage
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

# Monitor network config changes
-w /etc/hosts -p wa -k network
-w /etc/network/ -p wa -k network
-w /etc/nftables.conf -p wa -k firewall

# Monitor cron changes
-w /etc/crontab -p wa -k cron
-w /etc/cron.d/ -p wa -k cron

# Monitor scanner tool configs
-w /opt/greenbone/ -p wa -k scanner_config

# Lock audit rules (requires reboot to change)
-e 2
EOF

systemctl restart auditd

# --- 10. Password policy ---
echo "[+] Setting password policy..."
apt install -y libpam-pwquality

sed -i 's/^#\s*minlen.*/minlen = 12/' /etc/security/pwquality.conf
sed -i 's/^#\s*minclass.*/minclass = 3/' /etc/security/pwquality.conf
sed -i 's/^#\s*maxrepeat.*/maxrepeat = 3/' /etc/security/pwquality.conf

# Verify settings were applied
for setting in minlen minclass maxrepeat; do
    if ! grep -q "^${setting}" /etc/security/pwquality.conf; then
        echo "[!] WARNING: ${setting} was not set - appending to config"
        case "${setting}" in
            minlen)    echo "minlen = 12" >> /etc/security/pwquality.conf ;;
            minclass)  echo "minclass = 3" >> /etc/security/pwquality.conf ;;
            maxrepeat) echo "maxrepeat = 3" >> /etc/security/pwquality.conf ;;
        esac
    fi
done

echo ""
echo "[+] System hardening complete."
echo "[!] Reboot recommended: shutdown -r now"