@@ -18,21 +18,44 @@ For Ubuntu Desktop, see: [github.com/franckferman/ubuntu-post-install](https://g
1818
1919## Quick Start
2020
21+ ### Download and Run
2122``` bash
22- # Basic installation (VPS-safe)
23+ # Download script
24+ curl -O https://raw.githubusercontent.com/franckferman/debian-server-post-install/main/debian-server-post-install.sh
25+ chmod +x debian-server-post-install.sh
26+
27+ # Or direct execution (basic profile only - review first!)
28+ curl -fsSL https://raw.githubusercontent.com/franckferman/debian-server-post-install/main/debian-server-post-install.sh | bash
29+
30+ # For root users (add --allow-root)
31+ ./debian-server-post-install.sh --allow-root
32+
33+ # Direct with arguments (download first)
34+ curl -fsSL https://raw.githubusercontent.com/franckferman/debian-server-post-install/main/debian-server-post-install.sh | bash -s -- --server-profile dev
35+ ```
36+
37+ ### Profile Examples
38+ ``` bash
39+ # Basic installation (VPS-safe, no Docker)
2340./debian-server-post-install.sh
2441
25- # Production server with performance focus
42+ # Production server with Docker
2643./debian-server-post-install.sh --server-profile prod
2744
28- # Development server with convenience
45+ # Development server with full stack
2946./debian-server-post-install.sh --server-profile dev
3047
3148# Maximum security (still VPS-safe)
3249./debian-server-post-install.sh --server-profile hardened
3350
34- # Custom Docker engine
35- ./debian-server-post-install.sh --docker-type ce
51+ # Default + Docker installation
52+ ./debian-server-post-install.sh --install-docker # docker.io (default)
53+ ./debian-server-post-install.sh --docker-type io # docker.io (explicit)
54+ ./debian-server-post-install.sh --docker-type ce # docker-ce (official)
55+
56+ # Examples with different types
57+ ./debian-server-post-install.sh --server-profile default --docker-type ce
58+ ./debian-server-post-install.sh --server-profile default --install-docker
3659```
3760
3861## Server Profiles
@@ -55,7 +78,7 @@ For Ubuntu Desktop, see: [github.com/franckferman/ubuntu-post-install](https://g
5578+ UFW firewall with hardened rules
5679+ Minimal Vim preset (stable)
5780+ Monitoring and logging enabled
58- + Docker basic installation
81+ - No Docker (use --docker-type to install)
5982+ Network hardening: ICMP/TCP/Source routing protection active
6083- Network hardening: IPv6/Anti-spoofing/Connection limits commented (safe)
6184```
@@ -295,6 +318,12 @@ These features may impact complex network configurations:
295318--no-disable-modern-security # Enable modern security features
296319```
297320
321+ #### ** Kexec System Call**
322+ ``` bash
323+ --disable-kexec # Allow kexec system call (specialized environments)
324+ --no-disable-kexec # Disable kexec system call (default, security hardening)
325+ ```
326+
298327## SSH Configuration
299328
300329### Default SSH Security
@@ -351,16 +380,32 @@ SSH_PORT=22 # Standard port
351380
352381## Docker Configuration
353382
354- ### Docker Engine Types
383+ ### Docker Installation
355384``` bash
356- --docker-type < type> # Docker package type (default: io)
385+ --install-docker # Force Docker installation (docker.io by default)
386+ --docker-type < type> # Docker type (auto-enables installation)
357387 io # docker.io (Debian/Ubuntu repos, stable)
358388 ce # docker-ce (Docker official repos, latest features)
389+ --no-docker # Skip Docker installation
359390```
360391
361- ** Default Behavior:**
362- - Apps-profiles install ` docker.io ` if ` --docker-type io ` (default)
363- - Step 8 configures existing docker.io or installs docker-ce
392+ ** Installation Logic:**
393+ - ** default/minimal/hardened** : No Docker by default
394+ - ** prod/dev** : Docker installed automatically
395+ - ** Any profile** : Use ` --install-docker ` , ` --extras docker ` , or ` --docker-type ` to force installation
396+ - ** --docker-type** : Automatically enables Docker installation with specified type
397+ - ** --extras docker** : Works with ` --docker-type ` to specify engine type
398+
399+ ** Examples:**
400+ ``` bash
401+ # Default profile + Docker CE
402+ ./script.sh --server-profile default --docker-type ce
403+ ./script.sh --server-profile default --extras docker --docker-type ce
404+
405+ # Default profile + Docker IO
406+ ./script.sh --server-profile default --install-docker
407+ ./script.sh --server-profile default --extras docker
408+ ```
364409- Both types get identical security configuration
365410
366411## Editor Configuration
@@ -382,6 +427,43 @@ SSH_PORT=22 # Standard port
382427 bare # basic settings only (hardened)
383428```
384429
430+ ## Kernel Security Hardening
431+
432+ ### Standards and Sources
433+
434+ The kernel hardening parameters are based on industry-standard security frameworks:
435+
436+ ** Primary Sources:**
437+ - ** CIS Benchmarks** - Center for Internet Security Linux hardening guidelines
438+ - ** ANSSI** - French National Agency for Information Systems Security
439+ - ** NIST SP 800-53** - National Institute of Standards and Technology controls
440+ - ** KSPP** - Linux Kernel Self-Protection Project recommendations
441+
442+ ** Applied Protections:**
443+ ``` bash
444+ # Information Disclosure Prevention (CIS 1.6.1 + ANSSI R12)
445+ kernel.dmesg_restrict = 1 # Prevent unprivileged kernel log access
446+ kernel.kptr_restrict = 2 # Hide kernel pointers (anti-KASLR bypass)
447+ kernel.yama.ptrace_scope = 1 # Restrict process debugging
448+
449+ # Kernel Exploit Mitigation (KSPP + CIS)
450+ kernel.kexec_load_disabled = 1 # Disable kexec (anti-rootkit)
451+ kernel.unprivileged_bpf_disabled = 1 # Disable unprivileged eBPF
452+ net.core.bpf_jit_harden = 2 # Harden BPF JIT compiler
453+
454+ # File System Security (CIS 1.6.4 + NIST)
455+ fs.suid_dumpable = 0 # Disable SUID core dumps
456+ fs.protected_hardlinks = 1 # Prevent hardlink attacks
457+ fs.protected_symlinks = 1 # Prevent symlink attacks
458+ fs.protected_fifos = 2 # Prevent FIFO attacks
459+ fs.protected_regular = 2 # Prevent file attacks
460+
461+ # ASLR Enhancement (CIS 1.6.2 + KSPP)
462+ kernel.randomize_va_space = 2 # Full address space randomization
463+ vm.mmap_rnd_bits = 32 # Maximum mmap entropy (64-bit)
464+ vm.mmap_rnd_compat_bits = 16 # Maximum mmap entropy (32-bit)
465+ ```
466+
385467## Hardening Profiles
386468
387469### ` --hardening-profile <profile> `
@@ -513,13 +595,35 @@ Removes: xinetd, nis, rsh-client, talk, telnet, tftp,
513595
514596### Extra Software
515597``` bash
516- --extra-repos < extras> # Additional software repositories
517- gh # GitHub CLI
518-
598+ --extras < list> # Comma-separated extras to install
599+ docker # Enable Docker installation (use with --docker-type)
600+ gh # GitHub CLI with official repository
601+ hashicorp # Redirects to apps-profile development+
602+ monitoring # Handled by existing monitoring steps
603+ mullvad # Use --install-mullvad flag instead
604+
605+ --extra-packages < list> # Comma-separated APT packages to add
606+ htop,bat,exa,fd-find # Example: modern CLI tools
607+
519608--install-mullvad # Mullvad VPN client
520609--mullvad-source < method> # Installation method (apt|direct|github)
521610```
522611
612+ ** Examples:**
613+ ``` bash
614+ # Docker via extras (docker.io by default)
615+ ./script.sh --server-profile default --extras docker
616+
617+ # Docker CE via extras + type specification
618+ ./script.sh --server-profile default --extras docker --docker-type ce
619+
620+ # GitHub CLI + custom packages
621+ ./script.sh --server-profile default --extras gh --extra-packages kubectl,helm
622+
623+ # Development with Docker CE + GitHub CLI
624+ ./script.sh --server-profile dev --docker-type ce --extras gh
625+ ```
626+
523627### Nerd Fonts
524628``` bash
525629--install-nerd-fonts # Install Nerd Fonts for terminal
0 commit comments