mirror of
https://github.com/optim-enterprises-bv/secureblue.git
synced 2025-11-26 23:15:05 +00:00
73 lines
2.9 KiB
Plaintext
73 lines
2.9 KiB
Plaintext
# Add additional boot parameters for hardening (requires reboot)
|
|
set-kargs-hardening:
|
|
#!/usr/bin/pkexec /usr/bin/bash
|
|
rpm-ostree kargs \
|
|
--append-if-missing="init_on_alloc=1" \
|
|
--append-if-missing="init_on_free=1" \
|
|
--append-if-missing="slab_nomerge" \
|
|
--append-if-missing="page_alloc.shuffle=1" \
|
|
--append-if-missing="randomize_kstack_offset=on" \
|
|
--append-if-missing="vsyscall=none" \
|
|
--append-if-missing="lockdown=confidentiality" \
|
|
--append-if-missing="random.trust_cpu=off" \
|
|
--append-if-missing="random.trust_bootloader=off" \
|
|
--append-if-missing="iommu=force" \
|
|
--append-if-missing="intel_iommu=on" \
|
|
--append-if-missing="amd_iommu=force_isolation" \
|
|
--append-if-missing="iommu.passthrough=0" \
|
|
--append-if-missing="iommu.strict=1" \
|
|
--append-if-missing="pti=on" \
|
|
--append-if-missing="module.sig_enforce=1" \
|
|
--append-if-missing="mitigations=auto,nosmt"
|
|
echo "Hardening kargs set."
|
|
|
|
# Add additional (unstable) boot parameters for hardening (requires reboot)
|
|
set-kargs-hardening-unstable:
|
|
#!/usr/bin/pkexec /usr/bin/bash
|
|
echo "Warning: setting these kargs may lead to boot issues on some hardware."
|
|
rpm-ostree kargs \
|
|
--append-if-missing="efi=disable_early_pci_dma" \
|
|
--append-if-missing="debugfs=off"
|
|
echo "Unstable hardening kargs set."
|
|
|
|
# Harden flatpaks by preloading hardened_malloc
|
|
harden-flatpak:
|
|
#!/usr/bin/bash
|
|
flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
|
|
|
|
# Toggle the cups service on/off
|
|
toggle-cups:
|
|
#!/usr/bin/pkexec /usr/bin/bash
|
|
if systemctl is-enabled --quiet cups; then
|
|
firewall-cmd --permanent --remove-port=631/tcp
|
|
firewall-cmd --permanent --remove-port=631/udp
|
|
firewall-cmd --reload
|
|
systemctl mask cups
|
|
systemctl disable cups
|
|
systemctl stop cups
|
|
systemctl daemon-reload
|
|
echo "Cups disabled."
|
|
else
|
|
firewall-cmd --permanent --add-port=631/tcp
|
|
firewall-cmd --permanent --add-port=631/udp
|
|
firewall-cmd --reload
|
|
systemctl unmask cups
|
|
systemctl enable cups
|
|
systemctl start cups
|
|
systemctl daemon-reload
|
|
echo "Cups enabled."
|
|
fi
|
|
|
|
# Toggle bluetooth kernel modules on/off (requires reboot)
|
|
toggle-bluetooth-modules:
|
|
#!/usr/bin/pkexec /usr/bin/bash
|
|
BLUE_MOD_FILE="/etc/modprobe.d/99-bluetooth.conf"
|
|
if test -e $BLUE_MOD_FILE; then
|
|
sudo rm -f $BLUE_MOD_FILE
|
|
echo "Bluetooth kernel modules disabled. Reboot to take effect."
|
|
else
|
|
sudo sh -c 'echo "install bluetooth /sbin/modprobe --ignore-install bluetooth" >> "$1"' _ "$BLUE_MOD_FILE"
|
|
sudo sh -c 'echo "install btusb /sbin/modprobe --ignore-install btusb" >> "$1"' _ "$BLUE_MOD_FILE"
|
|
sudo chmod 644 $BLUE_MOD_FILE
|
|
echo "Bluetooth kernel modules enabled. Reboot to take effect."
|
|
fi |