Skip to content

Commit 8a0beae

Browse files
committed
Fix Docker installation logic and enhance hardening features
Docker Installation Fixes: - Fix --extras docker to properly enable Docker installation - Make --docker-type automatically enable Docker (ce/io) - Update default profile to not install Docker by default - Add comprehensive Docker installation examples Banner Enhancement: - Add red color support for Debian logo (auto-detects terminal colors) - Graceful fallback to plain ASCII for terminals without color support Kernel Hardening Improvements: - Document all kernel hardening sources (CIS, ANSSI, NIST, KSPP) - Add detailed security rationale for each sysctl parameter - Fix potential duplicate application with existence check - Add granular kexec control with --disable-kexec/--no-disable-kexec flags Documentation Updates: - Add comprehensive kernel hardening sources section to README - Update Quick Start with curl download examples and --allow-root - Add Docker installation matrix with all flag combinations - Update website examples with new Docker options - Fix extras documentation to reflect working --extras docker Security Features: - Kexec disabled by default with option to enable for specialized environments - Comprehensive kernel exploit mitigation following industry standards - Performance impact analysis and compatibility notes for Proxmox/virtualization All changes maintain backward compatibility and VPS-safe defaults.
1 parent 494fc79 commit 8a0beae

3 files changed

Lines changed: 236 additions & 50 deletions

File tree

README.md

Lines changed: 118 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -18,21 +18,44 @@ For Ubuntu Desktop, see: [github.com/franckferman/ubuntu-post-install](https://g
1818

1919
## Quick Start
2020

21+
### Download and Run
2122
```bash
22-
# Basic installation (VPS-safe)
23+
# Download script
24+
curl -O https://raw.githubusercontent.com/franckferman/debian-server-post-install/main/debian-server-post-install.sh
25+
chmod +x debian-server-post-install.sh
26+
27+
# Or direct execution (basic profile only - review first!)
28+
curl -fsSL https://raw.githubusercontent.com/franckferman/debian-server-post-install/main/debian-server-post-install.sh | bash
29+
30+
# For root users (add --allow-root)
31+
./debian-server-post-install.sh --allow-root
32+
33+
# Direct with arguments (download first)
34+
curl -fsSL https://raw.githubusercontent.com/franckferman/debian-server-post-install/main/debian-server-post-install.sh | bash -s -- --server-profile dev
35+
```
36+
37+
### Profile Examples
38+
```bash
39+
# Basic installation (VPS-safe, no Docker)
2340
./debian-server-post-install.sh
2441

25-
# Production server with performance focus
42+
# Production server with Docker
2643
./debian-server-post-install.sh --server-profile prod
2744

28-
# Development server with convenience
45+
# Development server with full stack
2946
./debian-server-post-install.sh --server-profile dev
3047

3148
# Maximum security (still VPS-safe)
3249
./debian-server-post-install.sh --server-profile hardened
3350

34-
# Custom Docker engine
35-
./debian-server-post-install.sh --docker-type ce
51+
# Default + Docker installation
52+
./debian-server-post-install.sh --install-docker # docker.io (default)
53+
./debian-server-post-install.sh --docker-type io # docker.io (explicit)
54+
./debian-server-post-install.sh --docker-type ce # docker-ce (official)
55+
56+
# Examples with different types
57+
./debian-server-post-install.sh --server-profile default --docker-type ce
58+
./debian-server-post-install.sh --server-profile default --install-docker
3659
```
3760

3861
## Server Profiles
@@ -55,7 +78,7 @@ For Ubuntu Desktop, see: [github.com/franckferman/ubuntu-post-install](https://g
5578
+ UFW firewall with hardened rules
5679
+ Minimal Vim preset (stable)
5780
+ Monitoring and logging enabled
58-
+ Docker basic installation
81+
- No Docker (use --docker-type to install)
5982
+ Network hardening: ICMP/TCP/Source routing protection active
6083
- Network hardening: IPv6/Anti-spoofing/Connection limits commented (safe)
6184
```
@@ -295,6 +318,12 @@ These features may impact complex network configurations:
295318
--no-disable-modern-security # Enable modern security features
296319
```
297320

321+
#### **Kexec System Call**
322+
```bash
323+
--disable-kexec # Allow kexec system call (specialized environments)
324+
--no-disable-kexec # Disable kexec system call (default, security hardening)
325+
```
326+
298327
## SSH Configuration
299328

300329
### Default SSH Security
@@ -351,16 +380,32 @@ SSH_PORT=22 # Standard port
351380

352381
## Docker Configuration
353382

354-
### Docker Engine Types
383+
### Docker Installation
355384
```bash
356-
--docker-type <type> # Docker package type (default: io)
385+
--install-docker # Force Docker installation (docker.io by default)
386+
--docker-type <type> # Docker type (auto-enables installation)
357387
io # docker.io (Debian/Ubuntu repos, stable)
358388
ce # docker-ce (Docker official repos, latest features)
389+
--no-docker # Skip Docker installation
359390
```
360391

361-
**Default Behavior:**
362-
- Apps-profiles install `docker.io` if `--docker-type io` (default)
363-
- Step 8 configures existing docker.io or installs docker-ce
392+
**Installation Logic:**
393+
- **default/minimal/hardened**: No Docker by default
394+
- **prod/dev**: Docker installed automatically
395+
- **Any profile**: Use `--install-docker`, `--extras docker`, or `--docker-type` to force installation
396+
- **--docker-type**: Automatically enables Docker installation with specified type
397+
- **--extras docker**: Works with `--docker-type` to specify engine type
398+
399+
**Examples:**
400+
```bash
401+
# Default profile + Docker CE
402+
./script.sh --server-profile default --docker-type ce
403+
./script.sh --server-profile default --extras docker --docker-type ce
404+
405+
# Default profile + Docker IO
406+
./script.sh --server-profile default --install-docker
407+
./script.sh --server-profile default --extras docker
408+
```
364409
- Both types get identical security configuration
365410

366411
## Editor Configuration
@@ -382,6 +427,43 @@ SSH_PORT=22 # Standard port
382427
bare # basic settings only (hardened)
383428
```
384429

430+
## Kernel Security Hardening
431+
432+
### Standards and Sources
433+
434+
The kernel hardening parameters are based on industry-standard security frameworks:
435+
436+
**Primary Sources:**
437+
- **CIS Benchmarks** - Center for Internet Security Linux hardening guidelines
438+
- **ANSSI** - French National Agency for Information Systems Security
439+
- **NIST SP 800-53** - National Institute of Standards and Technology controls
440+
- **KSPP** - Linux Kernel Self-Protection Project recommendations
441+
442+
**Applied Protections:**
443+
```bash
444+
# Information Disclosure Prevention (CIS 1.6.1 + ANSSI R12)
445+
kernel.dmesg_restrict = 1 # Prevent unprivileged kernel log access
446+
kernel.kptr_restrict = 2 # Hide kernel pointers (anti-KASLR bypass)
447+
kernel.yama.ptrace_scope = 1 # Restrict process debugging
448+
449+
# Kernel Exploit Mitigation (KSPP + CIS)
450+
kernel.kexec_load_disabled = 1 # Disable kexec (anti-rootkit)
451+
kernel.unprivileged_bpf_disabled = 1 # Disable unprivileged eBPF
452+
net.core.bpf_jit_harden = 2 # Harden BPF JIT compiler
453+
454+
# File System Security (CIS 1.6.4 + NIST)
455+
fs.suid_dumpable = 0 # Disable SUID core dumps
456+
fs.protected_hardlinks = 1 # Prevent hardlink attacks
457+
fs.protected_symlinks = 1 # Prevent symlink attacks
458+
fs.protected_fifos = 2 # Prevent FIFO attacks
459+
fs.protected_regular = 2 # Prevent file attacks
460+
461+
# ASLR Enhancement (CIS 1.6.2 + KSPP)
462+
kernel.randomize_va_space = 2 # Full address space randomization
463+
vm.mmap_rnd_bits = 32 # Maximum mmap entropy (64-bit)
464+
vm.mmap_rnd_compat_bits = 16 # Maximum mmap entropy (32-bit)
465+
```
466+
385467
## Hardening Profiles
386468

387469
### `--hardening-profile <profile>`
@@ -513,13 +595,35 @@ Removes: xinetd, nis, rsh-client, talk, telnet, tftp,
513595

514596
### Extra Software
515597
```bash
516-
--extra-repos <extras> # Additional software repositories
517-
gh # GitHub CLI
518-
598+
--extras <list> # Comma-separated extras to install
599+
docker # Enable Docker installation (use with --docker-type)
600+
gh # GitHub CLI with official repository
601+
hashicorp # Redirects to apps-profile development+
602+
monitoring # Handled by existing monitoring steps
603+
mullvad # Use --install-mullvad flag instead
604+
605+
--extra-packages <list> # Comma-separated APT packages to add
606+
htop,bat,exa,fd-find # Example: modern CLI tools
607+
519608
--install-mullvad # Mullvad VPN client
520609
--mullvad-source <method> # Installation method (apt|direct|github)
521610
```
522611

612+
**Examples:**
613+
```bash
614+
# Docker via extras (docker.io by default)
615+
./script.sh --server-profile default --extras docker
616+
617+
# Docker CE via extras + type specification
618+
./script.sh --server-profile default --extras docker --docker-type ce
619+
620+
# GitHub CLI + custom packages
621+
./script.sh --server-profile default --extras gh --extra-packages kubectl,helm
622+
623+
# Development with Docker CE + GitHub CLI
624+
./script.sh --server-profile dev --docker-type ce --extras gh
625+
```
626+
523627
### Nerd Fonts
524628
```bash
525629
--install-nerd-fonts # Install Nerd Fonts for terminal

0 commit comments

Comments
 (0)