This series is for educational purposes only.
This list covers the basic checklist to perform when you’re securing your OS. If you didn’t choose a Linux OS, then I can’t help you, I’m sorry. I’m sure Windows/Mac can be configured to be privacy-focused, but I’m not interested in learning how, and therefore won’t be teaching you.
- [ ] All sensitive data kept on external encrypted USB
- [ ] Setup a non-root account with a strong password
- [ ] Ensure disk is encrypted (FDE)
- [ ] Enable screensaver with idle timer
- [ ] Secure ssh settings (No root remote access, change port, no password auth at least)
- [ ] netstat -lt -> disable anything you don’t need
- [ ] Firewall is at least enabled. In another guide we’ll get hardcore here. (Default is block all incoming and forwarding, allow all outbound.)
- [ ] Check for rootkits -> chkrootkit
- [ ] Keep the machine up to date, always
- [ ] Disable Bluetooth
- [ ] Remove packages that phone home
- [ ] Disable bash history
- [ ] Install AV
- [ ] BIOS password and disable boot from USB
- [ ] Disable mic/webcam
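
```sh
# Stop recording history in the current session
unset HISTFILE; unset SAVEFILE
# Replace the bash history file with a link to /dev/null
rm -f ~/.bash_history
ln -s /dev/null ~/.bash_history
export HISTFILE=/dev/null
export SAVEFILE=/dev/null
# On Kali (zsh): do the same for the zsh history file
rm -f ~/.zsh_history
ln -s /dev/null ~/.zsh_history
```

```sh
# Remove the crash-reporting and usage-statistics packages
sudo apt purge apport popularity-contest -y
sudo apt autoremove
# Stop the reporting services and mask them so they cannot be started again
systemctl stop apport.service
systemctl disable apport.service
systemctl mask apport.service
systemctl stop whoopsie.service
systemctl disable whoopsie.service
systemctl mask whoopsie.service
```
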
Settings:
- Launch “Settings” from the Application Menu
- Click on “Privacy”
- Change Connectivity Checking -> OFF
- Change “Location Services” to OFF
- Click on “Usage & History” then turn OFF “Recently Used” and put “Retain History” on “1 day”
- Click on “Problem Reporting” and select OFF // Never
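
```sh
# Remove world-write permission from the crash, metrics and temp directories.
# /var/tmp is normally mode 1777, so unprivileged programs that write there
# will fail after this change.
chmod o-w /var/crash
chmod o-w /var/metrics
chmod o-w /var/tmp
```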

```sh
vim /etc/NetworkManager/conf.d/00-macrandomize.conf
```

```ini
# /etc/NetworkManager/conf.d/00-macrandomize.conf
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
connection.stable-id=${CONNECTION}/${BOOT}
```

Restart NetworkManager:

```sh
systemctl restart NetworkManager
```

Install:

```sh
apt install -y apparmor-profiles apparmor-utils
```

Add some basic profiles:

```sh
aa-enforce /etc/apparmor.d/usr.bin.firefox
aa-enforce /etc/apparmor.d/usr.sbin.avahi-daemon
aa-enforce /etc/apparmor.d/usr.sbin.dnsmasq
aa-enforce /etc/apparmor.d/bin.ping
aa-enforce /etc/apparmor.d/usr.sbin.rsyslogd
```

```sh
echo "# Monitor changes and executions within /tmp
-w /tmp/ -p wa -k tmp_write
-w /tmp/ -p x -k tmp_exec" > /etc/audit/rules.d/tmp-monitor.rules

echo "# Monitor administrator access to /home directories
-a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin_home_user" > /etc/audit/rules.d/admin-home-watch.rules

# Rebuild /etc/audit/audit.rules from rules.d, then restart auditd to load it
augenrules
systemctl restart auditd.service
```

```sh
# Install
apt install chkrootkit
# Check if interfaces are in promiscuous mode (they shouldn't be!)
chkrootkit
```
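
The checklist asks for secure ssh settings (no root remote access, a changed port, no password auth) but lists no commands for it. The script below is an added example, not part of the original page, that audits an sshd_config file against those three items. The function names and sample configs are constructed for illustration, the defaults assumed are OpenSSH's documented ones, and `Include` files are not followed.

```sh
#!/bin/sh
# Added example, not from the original page: audit an sshd_config file
# against the checklist's three ssh items.

# Global value sshd uses for a keyword: names are case-insensitive, the first
# occurrence wins, and anything after a Match line applies only conditionally.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Port may repeat: sshd listens on every port listed, or on 22 if none is set.
sshd_ports() {  # usage: sshd_ports FILE
    awk '/^[ \t]*#/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "port" { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# Print PASS/FAIL per item; the return status is the number of failed items.
audit_sshd() {  # usage: audit_sshd FILE
    fails=0
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    if [ "$root" = no ]; then r=PASS; else r=FAIL; fails=$((fails + 1)); fi
    echo "$r PermitRootLogin $root (want: no)"
    if [ "$pw" = no ]; then r=PASS; else r=FAIL; fails=$((fails + 1)); fi
    echo "$r PasswordAuthentication $pw (want: no)"
    if sshd_ports "$1" | grep -qx 22; then r=FAIL; fails=$((fails + 1)); else r=PASS; fi
    echo "$r Port $(sshd_ports "$1" | tr '\n' ' ')(want: not 22)"
    return "$fails"
}

# Constructed sample configs (not taken from any real host).
weak_config() { printf '%s\n' '# stock settings' 'PermitRootLogin yes' 'Port 2222' 'Port 22'; }
hard_config() {
    printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'passwordauthentication no' \
        'Match User backup' '    PasswordAuthentication yes'
}

tmp=$(mktemp)
weak_config > "$tmp"
audit_sshd "$tmp" || echo "$? checklist item(s) failed"
rm -f "$tmp"
```

On a live host, `sshd -T` prints the effective configuration with Include files resolved, so treat its output as authoritative over a parse of the file alone.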