
Perfect OpSEC - Become Invisible Online

This series is for educational purposes only.

Linux OS Hardening - Basics

This list covers the basic checklist to perform when you’re securing your OS. If you didn’t choose a Linux OS, then I can’t help you, I’m sorry. I’m sure Windows/Mac can be configured to be privacy-focused, but I’m not interested in learning how, and therefore won’t be teaching you.
- [ ] All sensitive data kept on external encrypted USB
- [ ] Setup a non-root account with a strong password
- [ ] Ensure disk is encrypted (FDE)
- [ ] Enable screensaver with idle timer
- [ ] Secure ssh settings (No root remote access, change port, no password auth at least)
- [ ] netstat -lt -> disable anything you don’t need
- [ ] Firewall is at least enabled. In another guide we’ll get hardcore here. (Default is block all incoming and forwarding, allow all outbound.)
- [ ] Check for rootkits -> chkrootkit
- [ ] Keep the machine up to date, always
- [ ] Disable Bluetooth
- [ ] Remove packages that phone home
- [ ] Disable bash history
- [ ] Install AV
- [ ] BIOS password and disable boot from USB
- [ ] Disable mic/webcam

Disable Bash history

# Bash: stop the running shell from recording history
unset HISTFILE
export HISTFILE=/dev/null
export HISTSIZE=0 HISTFILESIZE=0
# ... and make sure nothing can be written to the old file
rm -f ~/.bash_history
ln -s /dev/null ~/.bash_history
# Kali (zsh): same idea, different file and variable
rm -f ~/.zsh_history
ln -s /dev/null ~/.zsh_history
export SAVEHIST=0
# Put the export lines in ~/.bashrc (or ~/.zshrc) so they survive a new shell

Remove packages that phone home

sudo apt purge apport popularity-contest -y
sudo apt autoremove
# Stop, disable and mask the crash-reporting units so they cannot be started again
sudo systemctl stop apport.service
sudo systemctl disable apport.service
sudo systemctl mask apport.service

sudo systemctl stop whoopsie.service
sudo systemctl disable whoopsie.service
sudo systemctl mask whoopsie.service

Settings:
- Launch “Settings” from the Application Menu
- Click on “Privacy”
- Change Connectivity Checking -> OFF
- Change “Location Services” to OFF
- Click on “Usage & History” then turn OFF “Recently Used” and put “Retain History” on “1 day”
- Click on “Problem Reporting” and select OFF // Never

Patch some dir permissions

chmod o-w /var/crash
chmod o-w /var/metrics
chmod o-w /var/tmp

Randomize MAC for any Wifi connection

vim /etc/NetworkManager/conf.d/00-macrandomize.conf:

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
connection.stable-id=${CONNECTION}/${BOOT}

Restart NetworkManager

systemctl restart NetworkManager

AppArmor

Install:

apt install -y apparmor-profiles apparmor-utils

Put some basic profiles into enforce mode

aa-enforce /etc/apparmor.d/usr.bin.firefox
aa-enforce /etc/apparmor.d/usr.sbin.avahi-daemon
aa-enforce /etc/apparmor.d/usr.sbin.dnsmasq
aa-enforce /etc/apparmor.d/bin.ping
aa-enforce /etc/apparmor.d/usr.sbin.rsyslogd

Auditing

# Install the audit daemon if it isn't there yet
apt install -y auditd

echo "# Monitor changes and executions within /tmp
-w /tmp/ -p wa -k tmp_write
-w /tmp/ -p x -k tmp_exec" > /etc/audit/rules.d/tmp-monitor.rules

echo "# Monitor administrator access to /home directories
-a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin_home_user" > /etc/audit/rules.d/admin-home-watch.rules

# Merge rules.d/*.rules into /etc/audit/audit.rules (augenrules --load would also load them straight away)
augenrules

# Restart auditd so the merged rules are loaded
systemctl restart auditd.service
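An added example, not from the guide: a small POSIX shell lint that verifies the SSH settings, the MAC-randomisation drop-in and the /tmp audit watches from the sections above against their config files. It assumes the default paths used in this guide (arguments override them) and does not follow sshd Match or Include blocks.

```shell
#!/bin/sh
# Added check script (not from the guide): verifies three checklist items
# against config files. Paths are arguments so it can be run on copies or
# fixtures; the defaults are the locations the guide above writes to.
# First value of a keyword in sshd_config (sshd uses the first occurrence),
# lowercased, or the given default when absent. Match/Include not followed.
sshd_value() {            # sshd_value <config> <keyword> <default>
    [ -r "$1" ] || { printf '%s\n' "$3"; return; }
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-$3}"
}
# 0 when root login and password auth are off and the port is not 22;
# the defaults passed to sshd_value are sshd's own defaults.
sshd_check() {            # sshd_check [sshd_config]
    cfg="${1:-/etc/ssh/sshd_config}"; rc=0
    [ "$(sshd_value "$cfg" PermitRootLogin prohibit-password)" = no ] \
        || { echo "FAIL: PermitRootLogin should be no"; rc=1; }
    [ "$(sshd_value "$cfg" PasswordAuthentication yes)" = no ] \
        || { echo "FAIL: PasswordAuthentication should be no"; rc=1; }
    [ "$(sshd_value "$cfg" Port 22)" != 22 ] \
        || { echo "FAIL: Port is still 22"; rc=1; }
    return "$rc"
}
# 0 when the NetworkManager drop-in sets both keys the way the MAC step does.
nm_mac_check() {          # nm_mac_check [conf file]
    cfg="${1:-/etc/NetworkManager/conf.d/00-macrandomize.conf}"; rc=0
    grep -Eqs '^[[:space:]]*wifi\.scan-rand-mac-address[[:space:]]*=[[:space:]]*yes' "$cfg" \
        || { echo "FAIL: wifi.scan-rand-mac-address=yes missing"; rc=1; }
    grep -Eqs '^[[:space:]]*wifi\.cloned-mac-address[[:space:]]*=[[:space:]]*random' "$cfg" \
        || { echo "FAIL: wifi.cloned-mac-address=random missing"; rc=1; }
    return "$rc"
}
# 0 when some rules file watches /tmp for writes (w) and for execs (x).
audit_tmp_check() {       # audit_tmp_check [rules dir]
    dir="${1:-/etc/audit/rules.d}"
    grep -Eqs '^-w[[:space:]]+/tmp/?[[:space:]]+-p[[:space:]]+[rax]*w' "$dir"/*.rules \
        && grep -Eqs '^-w[[:space:]]+/tmp/?[[:space:]]+-p[[:space:]]+[rwa]*x' "$dir"/*.rules \
        || { echo "FAIL: /tmp write/exec watches missing"; return 1; }
}
# Pass --run to check the live system; exit status is the number of failures.
run_all() {
    fails=0
    sshd_check || fails=$((fails + 1))
    nm_mac_check || fails=$((fails + 1))
    audit_tmp_check || fails=$((fails + 1))
    return "$fails"
}
[ "${1:-}" = "--run" ] && run_all
```

Run it as root with `--run` after working through the checklist; each failing item is printed once, and a zero exit status means all three checks passed.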

chkrootkit

# Install
apt install chkrootkit
# Check if interfaces are in promiscuous mode (they shouldn't be!)
chkrootkit
