security hardening part 3

nextcloud · Dec 17, 2017 · 34fc851 · 34fc851
1 parent af54edb
commit 34fc851
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 15 deletions.
diff --git a/changelog.md b/changelog.md
@@ -1,5 +1,7 @@
 
-[v0.41.12](https://github.com/nextcloud/nextcloudpi/commit/392ac9c) (2017-12-17) security hardening part 2
+[v0.41.13](https://github.com/nextcloud/nextcloudpi/commit/4daac1b) (2017-12-17) security hardening part 3
+
+[v0.41.12](https://github.com/nextcloud/nextcloudpi/commit/672d233) (2017-12-17) security hardening part 2
 
 [v0.41.11](https://github.com/nextcloud/nextcloudpi/commit/b817b90) (2017-12-16) security hardening
 

diff --git a/nextcloudpi.sh b/nextcloudpi.sh
@@ -214,21 +214,26 @@ EOF
 
     ## kernel hardening
     cat >> /etc/sysctl.conf <<EOF
-sysctl fs.protected_hardlinks=1
-sysctl fs.protected_symlinks=1
-sysctl kernel.core_uses_pid=1
-sysctl kernel.dmesg_restrict=1
-sysctl kernel.kptr_restrict=2
-sysctl kernel.sysrq=0
-sysctl net.ipv4.conf.all.accept_redirects=0
-sysctl net.ipv4.conf.all.log_martians=1
-sysctl net.ipv4.conf.all.rp_filter=1
-sysctl net.ipv4.conf.all.send_redirects=0
-sysctl net.ipv4.conf.default.accept_redirects=0
-sysctl net.ipv4.conf.default.accept_source_route=0
-sysctl net.ipv4.conf.default.log_martians=1
-sysctl net.ipv4.tcp_timestamps=0
+fs.protected_hardlinks=1
+fs.protected_symlinks=1
+kernel.core_uses_pid=1
+kernel.dmesg_restrict=1
+kernel.kptr_restrict=2
+kernel.sysrq=0
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.all.log_martians=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv4.conf.default.log_martians=1
+net.ipv4.tcp_timestamps=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
 EOF
+
+    ## other tweaks
+    sed -i "s|^UMASK.*|UMASK           027|" /etc/login.defs
   fi
 }
 

diff --git a/update.sh b/update.sh
@@ -172,10 +172,15 @@ net.ipv4.conf.default.accept_redirects=0
 net.ipv4.conf.default.accept_source_route=0
 net.ipv4.conf.default.log_martians=1
 net.ipv4.tcp_timestamps=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
 EOF
+  sysctl -p /etc/sysctl.conf
 
   # small tweaks
   cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+  chmod go-x /usr/bin/arm-linux-gnueabihf-* &>/dev/null
+  sed -i "s|^UMASK.*|UMASK           027|" /etc/login.defs
 
   # secure mysql
   DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )