solana-validator/audit at master · cryptolandtech/solana-validator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
General System Security
-----------
sudo apt update && sudo apt upgrade

https://www.cyberciti.biz/faq/how-to-set-up-automatic-updates-for-ubuntu-linux-18-04/
sudo apt install unattended-upgrades apt-listchanges bsd-mailx
sudo dpkg-reconfigure -plow unattended-upgrades
vi /etc/apt/apt.conf.d/50unattended-upgrades; Unattended-Upgrade::Automatic-Reboot "false";
sudo unattended-upgrades --dry-run


apt install -y libpam-cracklib
vim /etc/pam.d/common-password
password        requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=0 ucredit=1 ocredit=0 lcredit=0


vi /etc/ssh/sshd_config

AllowUsers celo
AllowGroups celo

chmod 750 /etc/sudoers
chmod 750 /home/celo


/etc/security/limits.conf
*               hard    core             0
echo 'fs.suid_dumpable = 0' >> /etc/sysctl.conf
sysctl -p

apt remove binutils-x86-64-linux-gnu gcc; apt autoremove

vi /etc/ssh/sshd_config
AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
LogLevel VERBOSE
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
X11Forwarding no
AllowAgentForwarding no

service ssh restart

apt install rkhunter -y

apt install usbguard debsums apt-show-versions sysstat
systemctl start sysstat
systemctl enable sysstat

Change ssh port +  allow ufw

/etc/issue si /etc/issue.net
WARNING: This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized use. All computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security.

/etc/login.defs
umask 027

sudo apt-get purge $(dpkg -l | grep '^rc' | awk '{print $2}')

vi /etc/modprobe.d/blacklist.conf
install cramfs /bin/true
install freevxfs /bin/true
install hfs /bin/true
install hfsplus /bin/true
install jffs2 /bin/true
install udf /bin/true
blacklist usb-storage

vi /etc/usbguard/usbguard-daemon.conf
PresentControllerPolicy=block
PresentDevicePolicy=block

systemctl restart usbguard

 echo 0 > /sys/bus/usb/devices/usb1/authorized
 echo 0 > /sys/bus/usb/devices/usb2/authorized
 echo 0 > /sys/bus/usb/devices/usb3/authorized
 echo 0 > /sys/bus/usb/devices/usb4/authorized


https://www.techrepublic.com/article/how-to-password-protect-the-grub-boot-loader-in-ubuntu/
sysctl.conf:
fs.suid_dumpable=0
kernel.core_uses_pid=1
kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.sysrq=0
### BE carefull. If you disable for validator docker won't work anymore
net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_redirects=0


chmod 750 /etc/sudoers.d/
apt install apparmor apt-show-versions

  sudo apt install clamav acct aide arpwatch  usbguard -y
sudo touch /var/lib/aide/aide.db
chmod 750 /etc/sudoers.d/
sudo aide --config=/usr/share/aide/config/aide/aide.conf --check


cd /etc; chmod o-rx,g-rx cron.monthly cron.hourly cron.weekly cron.daily cron.d at.deny crontab

Se ruleaza si se executa ce vrea
grpck
#Vei avea dastea: 'mabalaru' is a member of the 'docker' group in /etc/group but not in /etc/gshadow
#trebuie sa intri in /etc.shaddow si sa-l bagi in grup

echo "umask 077" >> /etc/profile
echo "* hard core 0" >> /etc/security/limits.conf


#Comanda asta arata userii care au shell. Trebuie sa iei fiecare user la mana si sa-i spui sa expire parola
getent passwd | grep -f /etc/shells | tr ',' ':' | awk -F: '{print $1, $5}' |     xargs -L1 bash -c 'echo ${@:2}:$(chage -l $1| awk -F": " "/Password expires/{print \$2}")' : |     column -ts:

chage -M 9999 USERI


echo 0 > /sys/bus/usb/devices/usb2/authorized
echo 0 > /sys/bus/usb/devices/usb1/authorized

https://www.cyberciti.biz/faq/linux-disable-modprobe-loading-of-usb-storage-driver/

apt remove binutils-x86-64-linux-gnu; apt autoremove
sudo apt-get purge $(dpkg -l | grep '^rc' | awk '{print $2}')