
Overview

Raspberry Pi Base Setup and Security Hardening

This repository serves to create a repeatable, uniform process for standardizing a Raspbian deployment on one or more Raspberry Pis. It is also my work in progress for adopting Ansible to perform these tasks and for continued learning.

See the Features section below and give it a go.

Why?

I wanted to learn Ansible, and I enjoy running Pi-hole on two Pi Zero Ws; I also test on a Raspberry Pi 3B+. I also wanted to harden and tweak the Raspbian OS to achieve a greater level of security. Lynis is the benchmark tool used to evaluate the test systems; this Ansible playbook achieves a Lynis hardening index just above 80, which is pretty good. That is a healthy level that leaves room for continued expansion and varied use cases without sacrificing too much security.

Features

Here are the main features of this repository and its Ansible setup, or, put differently, "What does this playbook do for me?".

OS (Base)

  • Set up the system timezone (default: Europe/Stockholm)
  • Set up system localization and language (default: en_US.UTF-8)
  • Set up the keyboard layout (default: US)
  • Configure the system package manager (apt)
    • Don't acquire extra languages
    • Use IPv4 for downloads (consistent with IPv6 being disabled in the kernel tweaks below)
    • Don't install "Recommends"
    • Don't install "Suggests"
    • Don't autoremove "RecommendsImportant"
    • Don't autoremove "SuggestsImportant"
    • Allow apt to run non-interactively
      • Use --force-confdef
      • Use --force-confold
    • Set up the apt cache directory (/tmp/apt)
    • Set up the apt cache archive (/var/cache/apt/archive)
  • Set up the system fstab file
    • Ensure security settings on mountpoints and a commit (write-back) interval of 30 minutes on the root partition. commit=1800 reduces SD card writes, but on a sudden power loss up to 30 minutes of un-synced data can be lost
    • Uses 'findmnt' to automatically find the PARTUUID for /boot and /
    • Mounts the following mountpoints with their own settings
      • /boot - defaults,noatime
      • / - defaults,noatime,commit=1800
      • /tmp - rw,bind,noatime,nodev,nosuid,noexec
      • /opt - rw,bind,noatime,nodev,nosuid
      • /home - rw,bind,noatime,nodev
      • /var - rw,bind,noatime,nodev,nosuid
      • /var/log - rw,bind,noatime,nodev,nosuid,noexec
      • /var/tmp - rw,bind,noatime,nodev,nosuid,noexec
      • /dev/shm - noatime,noexec,nodev,nosuid
    • noexec and nosuid are what stop a binary dropped into a world-writable directory from being run (or run setuid); nodev stops device nodes from being created there. Expect noexec on /tmp and /var/tmp to break installers or scripts that try to execute a file from there
  • Set up the system swap size (256 MB)
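The mount options above only protect anything if they are in effect after a reboot, so it is worth checking the live mounts rather than grepping fstab (a bind entry whose extra flags never got applied looks fine in fstab and wrong in findmnt). The following audit script is an added example, not code from the rpi_pub playbook. It checks the security flags (nodev, nosuid, noexec) per mountpoint from the table above against `findmnt -rn -o TARGET,OPTIONS` output; the findmnt output embedded in it is constructed, with /var/log deliberately missing noexec, so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of rpi_pub): audit effective mount options against
# the mountpoint table above. Run on a live Pi with:
#   audit_mounts "$(findmnt -rn -o TARGET,OPTIONS)"
# Only the security flags are checked; noatime/commit are wear/perf settings.
EXPECTED="
/tmp nodev,nosuid,noexec
/opt nodev,nosuid
/home nodev
/var nodev,nosuid
/var/log nodev,nosuid,noexec
/var/tmp nodev,nosuid,noexec
/dev/shm nodev,nosuid,noexec
"

# has_opt OPTS OPT: succeed if OPT is one of the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts FINDMNT_OUTPUT: FINDMNT_OUTPUT holds "TARGET OPTIONS" lines as
# printed by `findmnt -rn -o TARGET,OPTIONS`. Prints one OK/FAIL line per
# expected mountpoint. Reading the effective options (not fstab) catches a
# bind entry whose flags were never applied, and a directory that is not a
# separate mount at all.
audit_mounts() {
    findmnt_out=$1
    while read -r target wanted; do
        [ -n "$target" ] || continue
        actual=$(printf '%s\n' "$findmnt_out" | awk -v t="$target" '$1 == t { print $2; exit }')
        if [ -z "$actual" ]; then
            echo "FAIL $target: not a separate mount, inherits parent options"
            continue
        fi
        missing=""
        oldifs=$IFS; IFS=,
        for opt in $wanted; do
            has_opt "$actual" "$opt" || missing="$missing $opt"
        done
        IFS=$oldifs
        if [ -n "$missing" ]; then
            echo "FAIL $target: missing$missing"
        else
            echo "OK   $target"
        fi
    done <<EOF
$EXPECTED
EOF
}

# Constructed sample of `findmnt -rn -o TARGET,OPTIONS` on a Pi after the
# playbook ran, except that /var/log has lost noexec.
SAMPLE='/ rw,noatime,commit=1800
/boot rw,noatime
/tmp rw,noatime,nodev,nosuid,noexec
/opt rw,noatime,nodev,nosuid
/home rw,noatime,nodev
/var rw,noatime,nodev,nosuid
/var/log rw,noatime,nodev,nosuid
/var/tmp rw,noatime,nodev,nosuid,noexec
/dev/shm rw,nosuid,nodev,noexec,relatime'

audit_mounts "$SAMPLE"
```

Run it after the fstab tasks and again after a reboot; a `FAIL ... not a separate mount` line means the bind entry did not mount at all, and a `missing` line means the entry mounted without the flag, which is the case a grep of fstab would miss.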

OS Base Packages

  • Install OS Base Packages that enhance the functionality of the system while keeping the package count low
    • aptitude
    • python-apt (on Bullseye and later the package is python3-apt)
    • apt-transport-https
    • raspberrypi-kernel-headers
    • dkms
    • debian-archive-keyring
    • console-data
    • xkbset
    • locales-all
    • dnsutils
    • screen
    • rsync
    • wget
    • curl
    • vim
    • git
    • ttf-mscorefonts-installer
    • iotop

OS Kernel Tweaks

  • Disable unused filesystems (security)
    • cramfs
    • dccp
    • freevxfs
    • hfs
    • hfsplus
    • jffs2
    • rds
    • sctp
    • squashfs
    • tipc
    • udf
  • Disable kernel IPv6 support (security)
  • Disable kernel Bluetooth support (security)
  • Disable kernel FireWire support (security)
  • Disable kernel USB storage support (security)
  • Disable Wi-Fi power saving (Pi Zero (W) and non-Pi-Zero models)
  • Enable kernel hardening via sysctl settings (security)
    • Kernel randomize VA space
    • IPv4 networking items
    • IPv6 networking items
  • Ensure Wi-Fi power saving stays disabled at startup (persistence)
  • Change the block I/O scheduler from deadline to kyber, persistently
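Module and sysctl hardening both fail quietly when done half-way: a bare `blacklist` line in modprobe.d only stops alias-based autoloading, so root can still `modprobe` the module by name, and a sysctl key that the Pi's kernel does not have is skipped with a warning by `sysctl -p`. The script below is an added example, not the playbook's own code. It generates a modprobe.d fragment in the `install <module> /bin/false` form that the CIS benchmarks recommend, and audits modprobe.d content and `sysctl -a` output against an expected set. The sysctl keys and values are my assumptions of what "IPv4/IPv6 networking items" covers, since the page does not list them; usb-storage is an assumed module name added to the filesystem list; both samples are constructed, each with one deliberate miss.

```shell
#!/bin/sh
# Added example (not part of rpi_pub): generate and audit the module and
# sysctl hardening from the list above.
# Module names: the filesystems listed above plus usb-storage (assumed name for
# the "USB storage" item). IPv6, Bluetooth and FireWire are left to the
# playbook, since their module names vary by kernel build.
MODULES="cramfs dccp freevxfs hfs hfsplus jffs2 rds sctp squashfs tipc udf usb-storage"

# gen_modprobe_conf: modprobe.d content. "install <mod> /bin/false" makes an
# explicit `modprobe <mod>` fail; "blacklist" alone only stops alias
# autoloading and root can still load the module by name.
gen_modprobe_conf() {
    for m in $MODULES; do
        printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
    done
}

# check_modprobe_conf CONF_TEXT: FAIL for each module lacking an install line.
check_modprobe_conf() {
    for m in $MODULES; do
        if printf '%s\n' "$1" | grep -Eq "^install[[:space:]]+$m[[:space:]]+/bin/(false|true)"; then
            echo "OK   $m"
        else
            echo "FAIL $m: no 'install $m /bin/false' line (blacklist alone is not enough)"
        fi
    done
}

# Assumed sysctl set for "randomize VA space" and the IPv4/IPv6 items; the
# page does not list them, so adjust to what the playbook actually sets.
SYSCTL_EXPECTED="
kernel.randomize_va_space=2
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
"

# check_sysctl SYSCTL_A_OUTPUT: compare against `sysctl -a` ("key = value"
# lines). A key the running kernel lacks shows as <unset>; `sysctl -p` only
# warns about such a key and carries on.
check_sysctl() {
    while read -r kv; do
        [ -n "$kv" ] || continue
        key=${kv%%=*}; want=${kv#*=}
        got=$(printf '%s\n' "$1" | awk -v k="$key" '$1 == k { print $3; exit }')
        if [ "$got" = "$want" ]; then
            echo "OK   $key=$got"
        else
            echo "FAIL $key: want $want, got ${got:-<unset>}"
        fi
    done <<EOF
$SYSCTL_EXPECTED
EOF
}

# Constructed samples: a modprobe.d file where udf only has a blacklist line,
# and sysctl -a output where IPv6 redirects are still accepted.
SAMPLE_MODPROBE=$(gen_modprobe_conf | grep -v '^install udf ')
SAMPLE_SYSCTL='kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_source_route = 0'

check_modprobe_conf "$SAMPLE_MODPROBE"
check_sysctl "$SAMPLE_SYSCTL"
```

On a live Pi, write the fragment with `gen_modprobe_conf | sudo tee /etc/modprobe.d/hardening.conf`, then audit with `check_modprobe_conf "$(cat /etc/modprobe.d/*.conf)"` and `check_sysctl "$(sudo sysctl -a 2>/dev/null)"`. Note that with IPv6 disabled in the kernel the net.ipv6 keys are still present and should still be set, so the hardening holds if IPv6 is ever re-enabled.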

OS Services Setups

  • Auto update
    • Unattended automatic updates. Warning! Updates may break the system.
  • SSH
    • SSH security hardening
  • Firewall
    • Local host firewall
  • nginx
    • Lightweight web server, including Let's Encrypt certificates
  • fail2ban
    • Network security tool that scans log files and bans IP addresses with repeated failed logins
  • rsyslog
    • Enable high-precision timestamping
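The page says only "SSH security hardening" without listing the settings, so here is an added example (not the playbook's own code) that audits the configuration sshd actually enforces, as reported by `sudo sshd -T`; that output resolves Match blocks and Include files and prints lowercase keys, which is why checking it beats grepping sshd_config. The expected values are my assumptions of a typical hardening set, consistent with the key-only login this page requires and the disabled pi account; the `sshd -T` sample is constructed with two deliberate weaknesses.

```shell
#!/bin/sh
# Added example (not part of rpi_pub): audit the effective sshd configuration.
# Feed it the output of `sudo sshd -T`, which resolves Match/Include and prints
# lowercase keys, so what is checked is what sshd actually enforces.
# Run live with:  check_sshd "$(sudo sshd -T)"
#
# Assumed hardening set (the page lists none). On OpenSSH older than 8.7,
# e.g. Buster's 7.9, the keyboard-interactive key is reported as
# challengeresponseauthentication instead.
SSHD_EXPECTED="
passwordauthentication no
permitrootlogin no
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no
x11forwarding no
"
SSHD_MAXAUTHTRIES=4

# sshd_value SSHD_T_OUTPUT KEY: first word of KEY's value, empty if absent
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_sshd SSHD_T_OUTPUT: OK/FAIL per expected key, plus an upper bound on
# maxauthtries (fewer tries per connection means less online guessing before
# fail2ban sees enough failures to ban the source).
check_sshd() {
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(sshd_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key: want $want, got ${got:-<unset>}"
        fi
    done <<EOF
$SSHD_EXPECTED
EOF
    tries=$(sshd_value "$1" maxauthtries)
    if [ -n "$tries" ] && [ "$tries" -le "$SSHD_MAXAUTHTRIES" ]; then
        echo "OK   maxauthtries $tries"
    else
        echo "FAIL maxauthtries: want <= $SSHD_MAXAUTHTRIES, got ${tries:-<unset>}"
    fi
}

# Constructed `sshd -T` excerpt: password login still on and the default
# maxauthtries of 6, everything else hardened.
SAMPLE_SSHD='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no
x11forwarding no
maxauthtries 6
usepam yes'

check_sshd "$SAMPLE_SSHD"
```

Two practical notes: on Bookworm, /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own directives and the first value of a key wins, so a hardening drop-in there takes precedence over the main file; and always run `sudo sshd -t` before restarting sshd, because a syntax error leaves the old daemon running only until the restart, at which point a headless Pi becomes unreachable.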

Pre-requirements and Assumptions

  • You have written the latest Raspbian / Raspberry Pi OS image (Buster or Bookworm, preferably 64-bit) to an SD card
  • You have created an empty file named ssh in the boot partition ('touch /boot/ssh'; on Bookworm the boot partition is mounted at /boot/firmware) to enable headless SSH login
  • You have set up Wi-Fi with wpa_supplicant.conf, or on Bookworm via Raspberry Pi Imager, or by adding a connection for a network that is currently out of range:
sudo nmcli connection add type wifi con-name TheConnectionName ssid TheSsId 802-11-wireless-security.key-mgmt wpa-psk 802-11-wireless-security.psk TheSecret
  • You have created an alternative user with sudo permissions. Do not run the playbook as user pi; that account will be disabled
  • You have run 'ssh-copy-id -i ~/.ssh/id_rsa.pub <user>@<your pi's IP address>' (an ed25519 key, ~/.ssh/id_ed25519.pub, works the same way)
  • You can successfully log in to <user>@<your pi's IP address> with passwordless (key-based) authentication and no errors
  • You can successfully run sudo without a password. Verify with 'sudo -n true', which fails instead of prompting if a password is still required
  • OPTIONAL: you have run apt update to catch issues such as repositories having become oldstable
  • OPTIONAL: install nmap on the host you run Ansible from. This lets the discoverPi.sh script help you find your Pi on the network

The first steps can be achieved by configuring those details while writing the OS image (Raspberry Pi Imager's OS customisation covers the ssh file, Wi-Fi and the alternative user).
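A preflight script that checks the assumptions above non-interactively before the playbook is run, added here as example code rather than part of rpi_pub. `BatchMode=yes` makes ssh fail instead of prompting when the key is not accepted or the host key is unknown, and `sudo -n` fails instead of prompting when NOPASSWD is missing, so a broken prerequisite is reported up front rather than hanging a playbook run later. The SSH command can be overridden with a stand-in (the `SSH` variable) so the logic can be exercised without a Pi; the host and user names are placeholders.

```shell
#!/bin/sh
# Added example (not part of rpi_pub): non-interactive preflight for the
# assumptions listed above.  Usage:  preflight <user> <pi-ip>
# BatchMode=yes makes ssh fail instead of prompting (bad key, unknown host
# key), and sudo -n fails instead of prompting when NOPASSWD is missing, so
# each broken prerequisite is reported rather than left to hang the playbook.
# SSH may be overridden (SSH=cmd) to exercise the logic without a Pi.
SSH=${SSH:-ssh}
SSH_OPTS="-o BatchMode=yes -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no -o ConnectTimeout=5"

# preflight USER HOST: prints one OK/FAIL line, returns 0 only when ready
preflight() {
    user=$1; host=$2
    if [ "$user" = "pi" ]; then
        echo "FAIL: use the alternative account, the playbook disables 'pi'"
        return 1
    fi
    # SSH_OPTS is unquoted on purpose so it word-splits into separate options.
    if ! $SSH $SSH_OPTS "$user@$host" true 2>/dev/null; then
        echo "FAIL: key-based login as $user@$host failed (ssh-copy-id and a known host key are required)"
        return 1
    fi
    if ! $SSH $SSH_OPTS "$user@$host" 'sudo -n true' 2>/dev/null; then
        echo "FAIL: sudo on $host still prompts $user for a password (see Passwordless sudoer)"
        return 1
    fi
    echo "OK: $user@$host is ready for ansible-playbook"
}

if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Because BatchMode refuses unknown host keys, connect to the Pi once interactively (or add its key with ssh-keyscan) before running the preflight; that is also the moment to compare the fingerprint against the one the Pi prints on its console, since a headless first connection is where a man-in-the-middle would go unnoticed.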

Passwordless sudoer

The alternative user needs passwordless sudo permissions, because the playbook escalates with sudo and must not block on a password prompt. This can be set up like this (or while writing the image):

USER=paj                                  # the alternative (non-pi) account
SUDOERSDFILE=/etc/sudoers.d/099_altuser-nopasswd
# Write as root; sudoers.d files must be root-owned and mode 0440
echo "$USER ALL=(ALL) NOPASSWD: ALL" | sudo tee "$SUDOERSDFILE" >/dev/null
sudo chmod 0440 "$SUDOERSDFILE"
sudo chown root:root "$SUDOERSDFILE"
# Syntax-check the fragment before relying on it; a broken file can lock you out of sudo
sudo visudo -cf "$SUDOERSDFILE"

Note that NOPASSWD: ALL makes the SSH key for this account equivalent to root on the Pi, so keep that private key passphrase-protected and off shared machines.

How To Get This Repository

git clone git@github.com:cbarreholm/rpi_pub.git

Setup

Discover your Pi's IP address on your network

  • cd rpi_pub
  • Run ./discoverPi 192.168.1.0/24 (or whatever your network's CIDR is)
  • View the output file called "inventory.txt" in the rpi_pub folder

Use the IP that was discovered for your Pi as inventory

  • Edit the rpi_pub/ansible/inventory.yaml file to include the discovered IP in the [rpi_server] group. Alternatively, add a hostname for it in /etc/hosts

Editing rpi_pub/ansible/prepPi.yml to play with roles and tags is optional and advanced

Usage

cd rpi_pub/ansible

ansible-playbook -i inventory prepPi.yml

  • Add -vv at the end to see more output
  • Add --tags "ssh", for example, to run only the SSH configuration tasks

References and Sources

Acknowledgement

This repo is a fork of https://github.com/raajivrekha/rpi_pub created by Raajiv Rekha
