CKS Exam Book - System Hardening - Chapter 4
######################################
######### DISABLING SERVICES #########
######################################
# Goal: shrink the attack surface by stopping, disabling and finally removing
# a service the node does not need (snapd is the example used here).
# view running services
systemctl | grep running
# view state of snapd service
systemctl status snapd
# stop the snapd service (affects the running instance only)
sudo systemctl stop snapd
# disable the service so it is not started at boot
# NOTE(review): if a socket unit such as snapd.socket is active, the service
# can still be started on demand - check the status output and confirm
sudo systemctl disable snapd
# view the status - should be disabled now
systemctl status snapd
# purge the package if it is no longer needed
sudo apt purge --auto-remove snapd
# check that the package was purged - the unit is expected to be gone
systemctl status snapd
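########################################
########### USER MANAGEMENT ############
########################################
# Walk-through: create a user, switch to it, manage its primary group, then
# clean up. The user is removed last so every step that refers to ben works.
# list users on system
cat /etc/passwd
# processes per user (the USER column shows the owner of each bash process)
ps aux | grep bash
# add user
sudo adduser ben
# list user entry ben
grep '^ben:' /etc/passwd
# switch to user ben (interactive shell; `exit` returns to your own user)
su ben
# switch to ben with a fresh login environment
su - ben
# run a single command as ben (not as root) without opening a shell
sudo -u ben pwd
# list groups
cat /etc/group
# add groups - both groups used below must exist before usermod refers to them
sudo groupadd kube-developers
sudo groupadd kube-admins
# see new groups added
cat /etc/group
# set ben's primary group (-g replaces the primary group; `usermod -aG` would
# add a supplementary group and keep the existing memberships)
sudo usermod -g kube-developers ben
# view group identifier (4th field of the passwd entry)
grep '^ben:' /etc/passwd
# reassign ben to another primary group
sudo usermod -g kube-admins ben
# delete group - only possible once it is no user's primary group
sudo groupdel kube-developers
# delete user ben together with the home directory
sudo userdel -r ben
# kube-admins is no longer anyone's primary group; remove it as well
sudo groupdel kube-admins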
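########################################
########### FILE MANAGEMENT ############
########################################
# These steps assume the user ben exists; create it with `sudo adduser ben`
# first if it has been removed.
# create a file
touch my-file
# view the file permissions
ls -l my-file
# change ownership of file (handing a file to another user requires root)
sudo chown ben my-file
# change file permissions: remove write access from the same file.
# sudo is needed because the file now belongs to ben. Without a who-letter the
# umask limits which write bits are cleared; `a-w` clears them for everyone.
sudo chmod -w my-file
# confirm the new owner and mode
ls -l my-file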
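#####################################
######## NETWORK MANAGEMENT #########
#####################################
# Goal: remove a listening service that is not needed, then restrict the
# remaining traffic with a default-deny host firewall.
# install package
sudo apt update && sudo apt install apache2
# list open ports (listening TCP sockets with the owning process)
sudo ss -ltpn
# apache status
sudo systemctl status apache2
# stop the apache service
sudo systemctl stop apache2
# disable the apache service
sudo systemctl disable apache2
# uninstall the service
sudo apt purge --auto-remove apache2
# check port 80 not in use - the filter matches port 80 exactly, whereas
# `grep :80` would also hit 8080 or 8000; only the header line should remain
sudo ss -ltpn 'sport = :80'
# enable firewall
# allow ssh BEFORE enabling, otherwise a remote session locks itself out
sudo ufw allow ssh
# default-deny both directions; with outgoing denied, DNS, package updates and
# image pulls stop working until matching `ufw allow out ...` rules are added
sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw enable
# allow 6443 for K8s API - TCP only; a bare port number opens UDP as well.
# To limit who can reach the API server, restrict the source instead:
#   sudo ufw allow from <ADMIN_CIDR> to any port 6443 proto tcp
sudo ufw allow 6443/tcp
# review the resulting rule set
sudo ufw status verbose
# repeat the same process to open up other ports on control plane and worker nodes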
##################################
####### KERNEL HARDENING #########
##################################
# AppArmor confines programs according to profiles loaded into the kernel.
# install apparmor
sudo apt-get update && sudo apt-get install apparmor-utils
# summary of apparmor profiles (what is loaded and in which mode)
sudo aa-status
# load a profile on the worker node
# NOTE(review): the profile file must already exist at this path on the node;
# presumably it has to be loaded on every node that may run a pod using it - confirm
sudo apparmor_parser /etc/apparmor.d/k8s-deny-write
# check that profile was loaded
# NOTE(review): aa-status lists the profile name declared inside the file,
# which may differ from the file name - verify against the profile
sudo aa-status