Perfect OpSEC - Become Invisible Online

This series is for educational purposes only. To get back to top-level table click here.

Linux OS Hardening - Basics

This list will cover the basic checklist to preform when you’re securing your OS. If you didn’t choose a Linux OS, then I can’t help you I’m sorry. I’m sure Windows/Mac can be configured to be privacy-focused but I’m not interesting in learning how, and therefore won’t be teaching you.
- [ ] All sensitive data kept on external encrypted USB
- [ ] Setup a non-root account with a strong password
- [ ] Ensure disk is encrypted (FDE)
- [ ] Enable screensaver with idle timer
- [ ] Secure ssh settings (No root remote access, change port, no password auth at least)
- [ ] netstat -lt -> disable anything you don’t need
- [ ] Firewall is at least enabled. In another guide we’ll get hardcore here. (Default is block all incoming and forwarding, allow all outbound.)
- [ ] Check for rootkits -> chrootkit
- [ ] Keep the machine up to date, always
- [ ] Disable Bluetooth
- [ ] Remove packages that phone home
- [ ] Disable bash history
- [ ] Install AV
- [ ] Bios Password and disable boot from USB
- [ ] Disable mic/webcam

Disable Bash history

unset HISTFILE; unset SAVEFILE
rm ~/.bash_history
ln -s /dev/null ~/.bash_history
export HISTFILE=/dev/null
export SAVEFILE=/dev/null
rm ~/.zsh_history - Kali
ln -s /dev/null ~/.zsh_history - Kali

Remove packages that phone home

sudo apt purge apport popularity-contest -y
sudo apt autoremove

systemctl stop apport.service
systemctl disable apport.service
systemctl mask apport.service

systemctl stop whoopsie.service
systemctl disable whoopsie.service
systemctl mask whoopsie.service

Settings:
- Launch “Settings” from the Application Menu
- Click on “Privacy”
- Change Connectivity Checking -> OFF
- Change “Location Services” to OFF
- Click on “Usage & History” then turn OFF “Recently Used” and put “Retain History” on “1 day”
- Click on “Problem Reporting” and select OFF // Never

Patch some dir permissions

chmod o-w /var/crash
chmod o-w /var/metrics
chmod o-w /var/tmp

Randomize MAC for any Wifi connection

vim /etc/NetworkManager/conf.d/00-macrandomize.conf:

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
connection.stable-id=${CONNECTION}/${BOOT}

Restart NetworkManager

systemctl restart NetworkManager

AppArmor

Install:

apt install -y apparmor-profiles apparmor-utils

Add some basic profiles

aa-enforce /etc/apparmor.d/usr.bin.firefox
aa-enforce /etc/apparmor.d/usr.sbin.avahi-daemon
aa-enforce /etc/apparmor.d/usr.sbin.dnsmasq
aa-enforce /etc/apparmor.d/bin.ping
aa-enforce /etc/apparmor.d/usr.sbin.rsyslogd

Auditing

echo "# Monitor changes and executions within /tmp
-w /tmp/ -p wa -k tmp_write
-w /tmp/ -p x -k tmp_exec" > /etc/audit/rules.d/tmp-monitor.rules

echo "# Monitor administrator access to /home directories
-a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin_home_user" > /etc/audit/rules.d/admin-home-watch.rules

augenrules

systemctl restart auditd.service

chkrootkit

# Install
apt install chkrootkit
# Check if interfaces are in promiscuous mode (they shouldn't be!)
chkrootkit

References

Directory

$ cd content && tree

|____2022

| |____November

| | |____home_lab_6

| | |____proxmox_route_single_interface_through_vpn

| | |____proxmox_route_single_interface_through_vpn

| | |____proxmox_update_networking

| | |____blue_team_2

| | |____blue_team_1

| | |____hackthebox_redpanda

| | |____tryhackme_neighbour

| | |____post_exploitation_journey_2

| | |____post_exploitation_journey_1

| | |____try_hack_me_vulnnetendgame

| | |____try_hack_me_corridor

| | |____try_hack_me_surfer

| | |____try_hack_me_epoch

| | |____try_hack_me_template

| | |____modern_image_format_conversion

| |____October

| | |____unity_interactable_tmp_text

| | |____blog_refactor_1

| |____September

| | |____offline_wiki_sync

| |____February

| | |____perfect_opsec_anon_accounts

| | |____perfect_opsec_pgp

| | |____perfect_opsec_anon_payment

| | |____perfect_opsec_disk_encryption

| | |____perfect_opsec_hardware_spoofing

| | |____perfect_opsec_vpn_vps_and_tor

| | |____perfect_opsec_tor_browser

| | |____perfect_opsec_source_network

| | |____perfect_opsec_os_install

| | |____perfect_opsec_mitigate_author_profiling

| | |____perfect_opsec_hardware

| | |____perfect_opsec_clearnet_browser

| | |____perfect_opsec_basic_os_config

|____2021

| |____December

| | |____thm_revil_corp

| | |____thm_cybercrafted

| | |____thm_road

| | |____thm_squidgame

| | |____thm_carnage

| |____August

| | |____xxe_base64

| | |____vulnhub_chronos_1

| | |____tryhackme_picklerick

| | |____tryhackme_superspamr

| | |____tryhackme_overpass

| |____July

| | |____home_lab_5

| | |____home_lab_4

| | |____home_lab_3

| |____June

| | |____home_lab_2

| | |____proxmox_lvm_disk_resize

| |____May

| | |____home_lab_1

| |____April

| | |____home_lab_0

| |____March

| | |____tryhackme_the_great_escape

| | |____tryhackme_enterprize

| | |____tryhackme_attacktive_directory

| | |____tryhackme_blue

| | |____pinkys_palace_2

| | |____temple_of_doom_1

| |____February

| | |____lin_security_1

| | |____chill_hack

| | |____y0usef_1

| |____January

| | |____pwnlab_1

| | |____cve_2021_3156

| | |____build_log_7

| | |____skytower_1

| | |____mr_roboot_1

| | |____vulnix_1

| | |____brainpan_1

| | |____sick_os_1_2

| | |____vuln_os_2

| | |____stapler_1

|____2020

| |____December

| | |____build_log_6

| |____November

| | |____game_dev_log_4

| | |____game_dev_log_3

| | |____game_dev_log_2

| | |____build_log_5

| |____January

| | |____game_dev_log_1

| |____September

| | |____saas_app_2

| | |____saas_app_1

| | |____build_log_4

| | |____build_log_3

| |____August

| | |____build_log_2

| | |____build_log_1

| |____July

| | |____playbook

| | |____kioptrix_level_5

| | |____kioptrix_level_4

| | |____kioptrix_level_3

| | |____kioptrix_level_2

| | |____kioptrix_level_1

| | |____ringzer0team_sysadmin_linux_8

| | |____ringzer0team_sysadmin_linux_7

| | |____ringzer0team_sysadmin_linux_6

| | |____ringzer0team_sysadmin_linux_5

| | |____ringzer0team_sysadmin_linux_4

| | |____ringzer0team_sysadmin_linux_3

| | |____ringzer0team_sysadmin_linux_2

| | |____ringzer0team_sysadmin_linux_1

| | |____planning_phase_0

| | |____blog_creation

Contents