[GH-ISSUE #550] Raspberry Pi 4 Ubuntu support #88

Open
opened 2026-03-03 13:59:04 +03:00 by kerem · 15 comments

Originally created by @Martin11180 on GitHub (Dec 27, 2024).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/550

Originally assigned to: @konstruktoid on GitHub.

Hello

Can you tell me what I have to remove so that the boot works again after running the script, when booting from a USB hard drive?
It works from SD.
I have already removed USBGuard after running the script, unfortunately without success.

Raspberry Pi 4 Model B Rev 1.1
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

@konstruktoid commented on GitHub (Dec 27, 2024):

Have you modified https://github.com/konstruktoid/hardening/blob/master/scripts/disablemod as well? See https://github.com/konstruktoid/hardening?tab=readme-ov-file#disablemod.

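Added example, not code from the hardening project: the question above is whether the modprobe blacklist written by `disablemod` names a module the USB-booted system still needs. The snippet below cross-checks a modprobe.d file against a saved `lsmod` listing and prints the modules that are both disabled and currently loaded. The `install <mod> /bin/true` form is assumed to be how the script writes its entries; the sample config and lsmod output are constructed, not taken from the reporter's Pi.

```shell
#!/bin/sh
# Added example, not code from konstruktoid/hardening: before applying a
# modprobe.d blacklist, list the entries that name a module the running
# kernel currently has loaded. Any hit on the storage path (for a USB root
# disk typically usb_storage/uas) is a likely boot breaker.

# Print the module names a modprobe.d file disables. Handles
# "blacklist <mod>" and "install <mod> /bin/true" (or /bin/false); the
# install form is assumed to be what the hardening script writes.
# Hyphens are normalised to underscores because lsmod prints underscores
# (usb-storage and usb_storage are the same module).
disabled_modules() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "blacklist" { m = $2 }
        $1 == "install" && ($3 == "/bin/true" || $3 == "/bin/false") { m = $2 }
        m != "" { gsub("-", "_", m); print m; m = "" }
    ' "$1"
}

# Print the module names from a saved "lsmod" output (header line skipped).
loaded_modules() {
    awk 'NR > 1 { print $1 }' "$1"
}

# Print, sorted and one per line, the modules found in both lists.
conflicting_modules() {
    d=$(mktemp); l=$(mktemp)
    disabled_modules "$1" | sort -u > "$d"
    loaded_modules "$2" | sort -u > "$l"
    comm -12 "$d" "$l"
    rm -f "$d" "$l"
}

# Constructed sample input; not taken from the reporter's system.
sample_conf=$(mktemp); sample_lsmod=$(mktemp)
trap 'rm -f "$sample_conf" "$sample_lsmod"' EXIT
cat > "$sample_conf" <<'EOF'
# disablemod.conf style entries
install bluetooth /bin/true
install usb-storage /bin/true
install thunderbolt /bin/true
blacklist floppy
EOF
cat > "$sample_lsmod" <<'EOF'
Module                  Size  Used by
usb_storage            73728  2 uas
uas                    28672  1
btusb                  61440  0
bluetooth             806912  6 btusb,bnep
EOF

conflicting_modules "$sample_conf" "$sample_lsmod"
# Live use: lsmod > /tmp/lsmod.txt
#           conflicting_modules /etc/modprobe.d/disablemod.conf /tmp/lsmod.txt
```

Two caveats when you run this on the real box: `lsmod` only lists loadable modules, so a driver compiled into the kernel never appears (compare `/lib/modules/$(uname -r)/modules.builtin`), and an `install ... /bin/true` line does not unload anything that is already running; it takes effect at the next boot, including inside the initramfs once `update-initramfs -u` has copied `/etc/modprobe.d` into it. Take the `lsmod` snapshot on the USB-booted system, not on the SD card install.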
@konstruktoid commented on GitHub (Dec 27, 2024):

I updated the documentation in #551

@Martin11180 commented on GitHub (Dec 27, 2024):

I plan on restarting.
I removed the following files for testing.
Attached is a picture of where the Raspberry is hanging.

sudo rm /etc/modprobe.d/disablefs.conf
sudo rm /etc/modprobe.d/disablemod.conf
sudo rm /etc/modprobe.d/disablenet.conf
sudo apt remove usbguard
sudo apt purge usbguard

![20241228_002530](https://github.com/user-attachments/assets/2b289896-ecbd-4357-8409-45eae4c4a348)

@Martin11180 commented on GitHub (Dec 28, 2024):

OK, I apparently forgot something when I went to test it.
Can you build the script so that this line

MOD="bluetooth bnep btusb cpia2 firewire-core floppy n_hdlc net-pf-31 pcspkr soundcore thunderbolt usb-midi uvcvideo v4l2_common"

and

PACKAGE_INSTALL="acct aide-common cracklib-runtime debsums gnupg2 haveged libpam-pwquality libpam-tmpdir needrestart openssh-server postfix psad rkhunter sysstat systemd-coredump tcpd update-notifier-common vlock $APPARMOR $AUDITD $VM"

can be adjusted in the config file?
For example, Postfix is not wanted on the system,
and I would also like to use nano for now.

Now it boots from the hard drive.
I have two more questions; I can't get any further with some messages.

 ✗ Verify that AppArmor is enabled on the kernel command line
   (in test file ./apparmor.bats, line 7)
     `[ "$status" -eq 0 ]' failed

I'm not sure what to do

✗ Verify that audit is enabled
   (in test file ./auditd.bats, line 7)
     `[ "$status" -eq 0 ]' failed

I'm not sure what to do

✗ Verify /usr/bin/make permission
   (in test file ./compilers.bats, line 5)
     `[ "$status" -eq 0 ]' failed

cat: /usr/bin/make: No such file or directory

 ✗ Verify FileCreateMode in /etc/rsyslog.conf
   (in test file ./journalctl.bats, line 27)
     `[ "$status" -eq 0 ]' failed


 
atrinbeckeroberstmartin@ubuntu:~/setup/hardening/tests$ cat /etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0600
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

I've tried everything possible, unfortunately without success

✗ Ensure sudo NOPASSWD is not used
   (in test file ./sudo.bats, line 35)
     `[ "$status" -eq 1 ]' failed

I'm not sure what to do

✗ Verify OpenSSH sftp
   (in test file ./sshd.bats, line 92)
     `[ "$status" -eq 0 ]' failed

I'm not sure what to do

✗ Verify password protected GRUB
   (in test file ./misc.bats, line 22)
     `[ "$status" -eq 0 ]' failed with status 2

I don't know if the Raspberry already comes with GRUB 2.

From ssh-audit the standard looks like this:

# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-

HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256


 ✗ Verify OpenSSH KexAlgorithms
   (in test file ./sshd.bats, line 117)
     `[ "$status" -eq 0 ]' failed
 ✗ Verify OpenSSH Ciphers
   (in test file ./sshd.bats, line 122)
     `[ "$status" -eq 0 ]' failed
 ✗ Verify OpenSSH Macs
   (in test file ./sshd.bats, line 127)
     `[ "$status" -eq 0 ]' failed
 ✗ Ensure OpenSSH MAC umac-128-etm@openssh.com is not used
   (in test file ./sshd.bats, line 272)
     `[ "$status" -eq 1 ]' failed

Which ones are correct?

 ✗ Ensure user games is removed
   (in test file ./users.bats, line 5)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user gnats is removed
   (in test file ./users.bats, line 10)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user irc is removed
   (in test file ./users.bats, line 15)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user list is removed
   (in test file ./users.bats, line 20)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user news is removed
   (in test file ./users.bats, line 25)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user sync is removed
   (in test file ./users.bats, line 30)
     `[ "$status" -eq 1 ]' failed
 ✗ Ensure user uucp is removed
   (in test file ./users.bats, line 35)
     `[ "$status" -eq 1 ]' failed

They are always there again after a restart.

I haven't posted anything else, so I know what I have to do.

Your answer may also help others with this problem.

@konstruktoid commented on GitHub (Dec 28, 2024):

For now you'll need to manually update the functions.

And if you don't have any particular reason to pass all the tests, there's no need to pay any attention to them.
For example, if you don't need `make` on your system there's no point in installing it just to pass the test.

What does `grep -E '^\$FileCreateMode 06(0|4)0$' /etc/rsyslog.conf` return?

@Martin11180 commented on GitHub (Dec 28, 2024):

grep -E '^\$FileCreateMode 06(0|4)0$' /etc/rsyslog.conf
$FileCreateMode 0600

But OpenSSH sftp is not in your description either,
and the key exchange, cipher, and MAC algorithms would also be interesting, which is currently a problem because of security.

@konstruktoid commented on GitHub (Dec 28, 2024):

> grep -E '^\$FileCreateMode 06(0|4)0$' /etc/rsyslog.conf
> $FileCreateMode 0600

so the test should have caught that.

> but OpenSSH sftp is not in your description either and with the exchange, cipher, and MAC algorithm it would also be interesting, which is currently a problem because of security

Which problem of security? Because the configuration doesn't match `sshaudit.com`? Adapt the configuration to suit your needs, don't just follow a recommendation. Neither complies with FIPS 140-2, for example.

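The owner's point is that the "correct" algorithm lists are a policy decision; the bats failures quoted earlier only show that the running sshd differs from the script's lists (the sshaudit.com set includes umac-128-etm@openssh.com, which the test `Ensure OpenSSH MAC umac-128-etm@openssh.com is not used` rejects). As an added example, not from the hardening project or sshaudit.com, the snippet below reads an `sshd -T` dump, i.e. the effective configuration after all included files are applied, and prints every key exchange, cipher or MAC algorithm that is active but absent from an allowlist of your own. The policy file format and both sample inputs are constructed.

```shell
#!/bin/sh
# Added example; not from konstruktoid/hardening or sshaudit.com. Compares the
# algorithms sshd is really using (an "sshd -T" dump, which is also what the
# bats tests read) with an allowlist you have decided on, and prints every
# algorithm that is active but not allowed.

# From an "sshd -T" dump print "keyword value" for the three algorithm lists.
# sshd -T prints keywords lowercased with comma-separated values.
effective_algos() {
    awk '$1 == "kexalgorithms" || $1 == "ciphers" || $1 == "macs" { print $1, $2 }' "$1"
}

# $1: sshd -T output, $2: policy file in the same "keyword a,b,c" format.
# Prints "keyword algorithm" for each active algorithm missing from the policy.
# A keyword absent from the policy allows nothing, so all its algorithms are reported.
check_algos() {
    effective_algos "$1" | while read -r kw list; do
        allowed=$(awk -v k="$kw" '$1 == k { print $2 }' "$2")
        printf '%s\n' "$list" | tr ',' '\n' | while read -r algo; do
            case ",$allowed," in
                *",$algo,"*) ;;                       # allowed by policy
                *) printf '%s %s\n' "$kw" "$algo" ;;  # active but not in policy
            esac
        done
    done
}

# Constructed sample: the effective lists follow the sshaudit.com style from
# the thread (including umac-128-etm@openssh.com); the policy is a tighter
# local choice. Neither is a recommendation.
eff=$(mktemp); pol=$(mktemp)
trap 'rm -f "$eff" "$pol"' EXIT
cat > "$eff" <<'EOF'
port 22
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
EOF
cat > "$pol" <<'EOF'
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
EOF

check_algos "$eff" "$pol"
# Live use (sshd -T needs root): sudo sshd -T > /tmp/sshd-T.txt
#                                check_algos /tmp/sshd-T.txt my-policy.conf
```

Because `sshd -T` resolves `Include /etc/ssh/sshd_config.d/*.conf`, this also catches the case where a drop-in file (Ubuntu ships one for cloud-init) overrides what you wrote in `sshd_config`; an empty result means the daemon matches your policy, whatever that policy is (FIPS-driven or otherwise).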
@Martin11180 commented on GitHub (Feb 4, 2025):

Hello
I'm building a server for the first time and it's a bit confusing which cipher and MAC algorithms are correct, yours or those from sshaudit.com.
Have you changed anything in the code? When I run through your script, I can no longer get in via SSH,
and also, without root, when I type cd I get
-bash: cd: /home/username: Permission denied
After additionally executing this command, the cd command and the SSH login work:
sudo chown -R $USER:$USER $HOME

Greetings
Martin

@konstruktoid commented on GitHub (Feb 5, 2025):

No, the last update was https://github.com/konstruktoid/hardening/pull/551.

The correct ssh configuration is the one that suits your needs and complies with any regulation you need to follow, Mozilla got more configuration examples https://infosec.mozilla.org/guidelines/openssh.

Note that the code is not idempotent, so running it multiple times will create all sort of problems.

@Martin11180 commented on GitHub (Feb 5, 2025):

Hello
I don't know what to do anymore.
It ran with your code the whole time,
but not for a few days now.
I have now reset my cloud-init file to minimal.
Shortly after the setup everything still works.
Then I execute these commands:

sudo apt-get -y install git net-tools procps --no-install-recommends
git clone https://github.com/konstruktoid/hardening.git
cd hardening
sudo nano ubuntu.cfg
SSH_GRPS='sshadmin'
AUTOFILL='Y'
SSH_PORT='22'
TIMEDATECTL='Europe/Berlin'
and start:
sudo bash ubuntu.sh

After that SSH works, but the home folder for example cannot be opened;
Permission denied comes up.
Do you see an error somewhere?


#cloud-config
autoinstall:
  package_update: false
  #updates: security
  refresh-installer:
  #  update: yes
  network-config/verbose: true
  version: 1
  storage:
    grub:
      reorder_uefi: false
    config:
        - { ptable: gpt, path: /dev/sda, wipe: superblock, preserve: false, name: '', grub_device: false, type: disk, id: disk-sda }
        - { type: partition, device: disk-sda, size: 536870912, wipe: superblock, flag: boot, number: 1, preserve: false, grub_device: true, id: sda-grub }
        - { type: partition, device: disk-sda, size: 1073741824, wipe: superblock, flag: '', number: 2, preserve: false, grub_device: false, id: sda-boot }
        - { type: partition, device: disk-sda, size: -1, wipe: superblock, flag: '', number: 3, preserve: false, grub_device: false, id: sda-lvm}
        - { type: dm_crypt,  volume: sda-lvm, key: test, preserve: false, id: dm_crypt-1 }
        - { type: lvm_volgroup, name: ubuntu-vg, devices: [ dm_crypt-1 ], preserve: false, id: vg-1 }
        - { type: lvm_partition, name: lv-root,   volgroup: vg-1, size: 20G,  wipe: superblock, preserve: false, id: lv-root }
        - { type: lvm_partition, name: lv-tmp,    volgroup: vg-1, size: 5G,   wipe: superblock, preserve: false, id: lv-tmp }
        - { type: lvm_partition, name: lv-home,   volgroup: vg-1, size: 10G,  wipe: superblock, preserve: false, id: lv-home }
        - { type: lvm_partition, name: lv-vartmp, volgroup: vg-1, size: 5G,  wipe: superblock, preserve: false, id: lv-vartmp  }
        - { type: lvm_partition, name: lv-varlog, volgroup: vg-1, size: 5G,  wipe: superblock, preserve: false, id: lv-varlog }
        - { type: lvm_partition, name: lv-audit,  volgroup: vg-1, size: 5G,  wipe: superblock, preserve: false, id: lv-audit }
        - { type: lvm_partition, name: lv-var,    volgroup: vg-1, size: 10G,  wipe: superblock, preserve: false, id: lv-var  }
        - { type: lvm_partition, name: lv-nscout, volgroup: vg-1, size: 20G,  wipe: superblock, preserve: false, id: lv-nscout  }
        - { fstype: fat32, volume: sda-grub, preserve: false, type: format, id: sda-grub-fs }
        - { fstype: ext4,  volume: sda-boot, preserve: false, type: format, id: sda-boot-fs }
        - { fstype: xfs,   volume: lv-root,  preserve: false, type: format, id: lv-root-fs  }
        - { fstype: xfs,   volume: lv-tmp,   preserve: false, type: format, id: lv-tmp-fs   }
        - { fstype: xfs,   volume: lv-home,  preserve: false, type: format, id: lv-home-fs  }
        - { fstype: xfs,   volume: lv-vartmp,preserve: false, type: format, id: lv-vartmp-fs   }
        - { fstype: xfs,   volume: lv-varlog,preserve: false, type: format, id: lv-varlog-fs }
        - { fstype: xfs,   volume: lv-audit, preserve: false, type: format, id: lv-audit-fs }
        - { fstype: xfs,   volume: lv-var,   preserve: false, type: format, id: lv-var-fs   }
        - { fstype: xfs,   volume: lv-nscout,   preserve: false, type: format, id: lv-nc-fs   }
        - {type: mount, path: /,             id: m-root,   device: lv-root-fs  }
        - {type: mount, path: /boot/efi,     id: m-grub,   device: sda-grub-fs }
        - {type: mount, path: /boot,         id: m-boot,   device: sda-boot-fs ,  options: 'nosuid,nodev,noexec'}
        - {type: mount, path: /tmp,          id: m-tmp,    device: lv-tmp-fs,     options: 'nosuid,nodev,noexec'  }
        - {type: mount, path: /home,         id: m-home,   device: lv-home-fs,    options: 'nosuid,nodev' }
        - {type: mount, path: /var/tmp,      id: m-vartmp, device: lv-vartmp-fs,  options: 'nosuid,nodev,noexec' }
        - {type: mount, path: /var/log,      id: m-varlog, device: lv-varlog-fs,  options: 'nosuid,nodev,noexec'}
        - {type: mount, path: /var/log/audit,id: m-audit,  device: lv-audit-fs,   options: 'nosuid,nodev,noexec'}
        - {type: mount, path: /var,          id: m-usr,    device: lv-var-fs,     options: 'nosuid,nodev' }
        - {type: mount, path: /home/user/nightscout,  id: m-nscout,   device: lv-nc-fs,    options: 'nosuid,nodev' }
  locale: de_DE.UTF-8
  timezone: Europe/Berlin
  keyboard:
    layout: de
  identity:
    hostname: meinewelt
    password: $6$.....
    username: ....
  ssh:
    allow-pw: false
    install-server: true
  apt:
    geoip: true
    preserve_sources_list: false
    primary:
      - arches: [amd64, i386]
        uri: http://de.archive.ubuntu.com/ubuntu
      - arches: [default]
        uri: http://ports.ubuntu.com/ubuntu-ports
  packages:
    - cryptsetup-initramfs
    - initramfs-tools
    - apt-transport-https
    - ca-certificates
    - curl
    - git
    - openssl
  user-data: 
    disable_root: false
    users:
      - name: charlie
        groups: admin
        sudo: ALL=(ALL) NOPASSWD:ALL
        ssh_authorized_keys:
           - ssh-ed25519 .....
        shell: /bin/bash
    ssh_deletekeys: false
    runcmd:
      - sudo su
      - groupadd -r sshadmin
      - usermod -a -G sshadmin .....
      - chmod 600 /etc/ssh/sshd_config
    write_files:
      - path: /etc/ssh/sshd_config
        content: |
           Include /etc/ssh/sshd_config.d/*.conf
           HostbasedAuthentication no
           Port 22
           RekeyLimit 512M 1h
           IgnoreUserKnownHosts yes
           HostKey /etc/ssh/ssh_host_ed25519_key
           PermitTunnel no
           SyslogFacility AUTH
           LogLevel VERBOSE
           LoginGraceTime 30
           PermitRootLogin no
           StrictModes yes
           PubkeyAuthentication yes
           AuthorizedKeysFile .ssh/authorized_keys
           IgnoreRhosts yes
           PermitEmptyPasswords no
           #ChallengeResponseAuthentication yes
           ChallengeResponseAuthentication no 
           PasswordAuthentication no
           KerberosAuthentication no
           KerberosOrLocalPasswd no
           KerberosTicketCleanup yes
           GSSAPIAuthentication no
           GSSAPICleanupCredentials yes
           X11Forwarding no
           X11DisplayOffset 10
           PrintMotd no
           PrintLastLog yes
           TCPKeepAlive no
           MaxStartups 10:30:60
           Banner /etc/issue.net
           AcceptEnv LANG LC_*
           UsePAM yes
           AllowUsers charlie
           DenyUsers root daemon bin sys sync games man lp mail news proxy www-data backup list irc gnats nobody libuuid ntp Debian-exim mysql popuser mhandlers-user psaftp drweb bind postfix munin
           #AuthenticationMethods publickey,keyboard-interactive
           AuthenticationMethods publickey
           MaxAuthTries 3
           MaxSessions  2
           UseDNS no
           AllowTcpForwarding no
           AllowStreamLocalForwarding no
           GatewayPorts no
           AllowAgentForwarding no
           ClientAliveInterval 300
           ClientAliveCountMax 2
           Compression no
           AllowGroups sshadmin
           Subsystem sftp internal-sftp
           PermitUserEnvironment no

I'm trying to narrow down the error.
Here are three messages; I don't know if they were there before:
ln: failed to create symbolic link '/etc/systemd/system/default.target.wants/tmp.mount': No such file or directory
Can't exec "/tmp/libpam0g.config.em44zQ": Permission denied at /usr/lib/aarch64-linux-gnu/perl-base/IPC/Open3.pm line 178.
open2: exec of /tmp/libpam0g.config.em44zQ configure 1.4.0-11ubuntu2.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

<!-- gh-comment-id:2637993304 --> @Martin11180 commented on GitHub (Feb 5, 2025): Hello I don't know what to do anymore It ran with your code the whole time Not for a few days I have now reset my cloud init file to minimal Close to the setup everything still works Then I execute these commands ``` sudo apt-get -y install git net-tools procps --no-install-recommends git clone https://github.com/konstruktoid/hardening.git cd hardening sudo nano ubuntu.cfg SSH_GRPS='sshadmin' AUTOFILL='Y' SSH_PORT='22' TIMEDATECTL='Europe/Berlin' and start sudo bash ubuntu.sh ``` After that ssh goes and home order for example cannot be called Permission denied comes up Do you see an error somewhere? ``` #cloud-config autoinstall: package_update: false #updates: security refresh-installer: # update: yes network-config/verbose: true version: 1 storage: grub: reorder_uefi: false config: - { ptable: gpt, path: /dev/sda, wipe: superblock, preserve: false, name: '', grub_device: false, type: disk, id: disk-sda } - { type: partition, device: disk-sda, size: 536870912, wipe: superblock, flag: boot, number: 1, preserve: false, grub_device: true, id: sda-grub } - { type: partition, device: disk-sda, size: 1073741824, wipe: superblock, flag: '', number: 2, preserve: false, grub_device: false, id: sda-boot } - { type: partition, device: disk-sda, size: -1, wipe: superblock, flag: '', number: 3, preserve: false, grub_device: false, id: sda-lvm} - { type: dm_crypt, volume: sda-lvm, key: test, preserve: false, id: dm_crypt-1 } - { type: lvm_volgroup, name: ubuntu-vg, devices: [ dm_crypt-1 ], preserve: false, id: vg-1 } - { type: lvm_partition, name: lv-root, volgroup: vg-1, size: 20G, wipe: superblock, preserve: false, id: lv-root } - { type: lvm_partition, name: lv-tmp, volgroup: vg-1, size: 5G, wipe: superblock, preserve: false, id: lv-tmp } - { type: lvm_partition, name: lv-home, volgroup: vg-1, size: 10G, wipe: superblock, preserve: false, id: lv-home } - { type: lvm_partition, name: lv-vartmp, 
volgroup: vg-1, size: 5G, wipe: superblock, preserve: false, id: lv-vartmp } - { type: lvm_partition, name: lv-varlog, volgroup: vg-1, size: 5G, wipe: superblock, preserve: false, id: lv-varlog } - { type: lvm_partition, name: lv-audit, volgroup: vg-1, size: 5G, wipe: superblock, preserve: false, id: lv-audit } - { type: lvm_partition, name: lv-var, volgroup: vg-1, size: 10G, wipe: superblock, preserve: false, id: lv-var } - { type: lvm_partition, name: lv-nscout, volgroup: vg-1, size: 20G, wipe: superblock, preserve: false, id: lv-nscout } - { fstype: fat32, volume: sda-grub, preserve: false, type: format, id: sda-grub-fs } - { fstype: ext4, volume: sda-boot, preserve: false, type: format, id: sda-boot-fs } - { fstype: xfs, volume: lv-root, preserve: false, type: format, id: lv-root-fs } - { fstype: xfs, volume: lv-tmp, preserve: false, type: format, id: lv-tmp-fs } - { fstype: xfs, volume: lv-home, preserve: false, type: format, id: lv-home-fs } - { fstype: xfs, volume: lv-vartmp,preserve: false, type: format, id: lv-vartmp-fs } - { fstype: xfs, volume: lv-varlog,preserve: false, type: format, id: lv-varlog-fs } - { fstype: xfs, volume: lv-audit, preserve: false, type: format, id: lv-audit-fs } - { fstype: xfs, volume: lv-var, preserve: false, type: format, id: lv-var-fs } - { fstype: xfs, volume: lv-nscout, preserve: false, type: format, id: lv-nc-fs } - {type: mount, path: /, id: m-root, device: lv-root-fs } - {type: mount, path: /boot/efi, id: m-grub, device: sda-grub-fs } - {type: mount, path: /boot, id: m-boot, device: sda-boot-fs , options: 'nosuid,nodev,noexec'} - {type: mount, path: /tmp, id: m-tmp, device: lv-tmp-fs, options: 'nosuid,nodev,noexec' } - {type: mount, path: /home, id: m-home, device: lv-home-fs, options: 'nosuid,nodev' } - {type: mount, path: /var/tmp, id: m-vartmp, device: lv-vartmp-fs, options: 'nosuid,nodev,noexec' } - {type: mount, path: /var/log, id: m-varlog, device: lv-varlog-fs, options: 'nosuid,nodev,noexec'} - {type: mount, path: 
/var/log/audit,id: m-audit, device: lv-audit-fs, options: 'nosuid,nodev,noexec'} - {type: mount, path: /var, id: m-usr, device: lv-var-fs, options: 'nosuid,nodev' } - {type: mount, path: /home/user/nightscout, id: m-nscout, device: lv-nc-fs, options: 'nosuid,nodev' } locale: de_DE.UTF-8 timezone: Europe/Berlin keyboard: layout: de identity: hostname: meinewelt password: $6$..... username: .... ssh: allow-pw: false install-server: true apt: geoip: true preserve_sources_list: false primary: - arches: [amd64, i386] uri: http://de.archive.ubuntu.com/ubuntu - arches: [default] uri: http://ports.ubuntu.com/ubuntu-ports packages: - cryptsetup-initramfs - initramfs-tools - apt-transport-https - ca-certificates - curl - git - openssl user-data: disable_root: false users: - name: charlie groups: admin sudo: ALL=(ALL) NOPASSWD:ALL ssh_authorized_keys: - ssh-ed25519 ..... shell: /bin/bash ssh_deletekeys: false runcmd: - sudo su - groupadd -r sshadmin - usermod -a -G sshadmin ..... - chmod 600 /etc/ssh/sshd_config write_files: - path: /etc/ssh/sshd_config content: | Include /etc/ssh/sshd_config.d/*.conf HostbasedAuthentication no Port 22 RekeyLimit 512M 1h IgnoreUserKnownHosts yes HostKey /etc/ssh/ssh_host_ed25519_key PermitTunnel no SyslogFacility AUTH LogLevel VERBOSE LoginGraceTime 30 PermitRootLogin no StrictModes yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys IgnoreRhosts yes PermitEmptyPasswords no #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no PasswordAuthentication no KerberosAuthentication no KerberosOrLocalPasswd no KerberosTicketCleanup yes GSSAPIAuthentication no GSSAPICleanupCredentials yes X11Forwarding no X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive no MaxStartups 10:30:60 Banner /etc/issue.net AcceptEnv LANG LC_* UsePAM yes AllowUsers charlie DenyUsers root daemon bin sys sync games man lp mail news proxy www-data backup list irc gnats nobody libuuid ntp Debian-exim mysql popuser mhandlers-user 
psaftp drweb bind postfix munin #AuthenticationMethods publickey,keyboard-interactive AuthenticationMethods publickey MaxAuthTries 3 MaxSessions 2 UseDNS no AllowTcpForwarding no AllowStreamLocalForwarding no GatewayPorts no AllowAgentForwarding no ClientAliveInterval 300 ClientAliveCountMax 2 Compression no AllowGroups sshadmin Subsystem sftp internal-sftp PermitUserEnvironment no ``` I'm trying to limit the error Here are three messages, I don't know if they were there before ln: failed to create symbolic link '/etc/systemd/system/default.target.wants/tmp.mount': No such file or directory Can't exec "/tmp/libpam0g.config.em44zQ": Permission denied at /usr/lib/aarch64-linux-gnu/perl-base/IPC/Open3.pm line 178. open2: exec of /tmp/libpam0g.config.em44zQ configure 1.4.0-11ubuntu2.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
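The `Can't exec /tmp/libpam0g.config...: Permission denied` lines are what dpkg's debconf pre-configuration reports when `/tmp` is mounted `noexec`: `dpkg-preconfigure` extracts each package's `.config` script into `APT::ExtractTemplates::TempDir` (`/tmp` by default) and runs it from there, and the autoinstall config above mounts `/tmp` with `nosuid,nodev,noexec`. As an added example, not code from the konstruktoid/hardening project, here is a POSIX shell check that reads a `/proc/mounts`-style table and flags tmp directories carrying `noexec`, plus the `apt.conf` line that moves the extraction directory elsewhere. The directory `/var/cache/apt/tmp` and the mounts table used in the usage are constructed examples.

```shell
#!/bin/sh
# Added example (not code from the konstruktoid/hardening project).
# Detect tmp directories mounted with noexec: dpkg-preconfigure runs the
# debconf .config scripts from APT::ExtractTemplates::TempDir, /tmp by
# default, so a noexec /tmp yields "Can't exec /tmp/...: Permission denied".

# noexec_mounts MOUNTS_FILE [PATH...]
# Reads a /proc/mounts-style table (source target fstype options dump pass)
# and prints "target:options" for every PATH (default /tmp and /var/tmp)
# that carries the noexec option. Returns 0 when at least one was found,
# 1 otherwise, so it can drive an if or || in a larger audit script.
noexec_mounts() {
    mounts_file=$1
    shift
    [ $# -gt 0 ] || set -- /tmp /var/tmp
    found=1
    while read -r _source target _fstype options _rest; do
        for wanted in "$@"; do
            [ "$target" = "$wanted" ] || continue
            case ",$options," in
                *,noexec,*)
                    printf '%s:%s\n' "$target" "$options"
                    found=0
                    ;;
            esac
        done
    done < "$mounts_file"
    return $found
}

# apt_tempdir_snippet [DIR]
# Emits the apt.conf line that points apt-extracttemplates at DIR, which
# must live on an exec-capable filesystem. /var/cache/apt/tmp is a
# constructed example path, not a default of apt.
apt_tempdir_snippet() {
    printf 'APT::ExtractTemplates::TempDir "%s";\n' "${1:-/var/cache/apt/tmp}"
}

# Check the running system only when asked: noexec-check.sh --live
if [ "${1:-}" = "--live" ]; then
    if noexec_mounts /proc/mounts; then
        echo "noexec tmp mount found; candidate /etc/apt/apt.conf.d entry:"
        apt_tempdir_snippet
    else
        echo "no noexec tmp mounts"
    fi
fi
```

Keeping `noexec` on `/tmp` and redirecting apt's template directory is the usual way to keep the mount hardening while letting package configuration run; the directory named in the snippet has to exist and be root-owned before the next `apt` run.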
@Martin11180 commented on GitHub (Feb 6, 2025):

Hello
I have now run every function disabled and enabled, and with f_pre enabled, and this error occurs with the function f_adduser.

@konstruktoid commented on GitHub (Feb 6, 2025):

Could you run the code with `bash -x`?

@Martin11180 commented on GitHub (Feb 7, 2025):

Hello
I don't understand it.

With a setup without cloud-init, the rights on /home look like this:

```
drwxr-x--- 4 charlie charlie 83 Feb 7 01:18 charlie
```

and your script runs through and everything works afterwards.

With a cloud-init setup it looks like this:

```
drwxr-xr-x 4 root root 36 Feb 7 03:02 charlie
```

After running the script, like this:

```
drwxr-x--- 5 root root 53 Feb 7 15:23 charlie
-bash: cd: charlie: Permission denied cd /home
```

I reduced the cloud-init again, without success:

```yaml
#cloud-config
autoinstall:
  package_update: false
  #updates: security
  refresh-installer:
  #  update: yes
  network-config/verbose: true
  version: 1
  storage:
    grub:
      reorder_uefi: false
    config:
        - { ptable: gpt, path: /dev/sda, wipe: superblock, preserve: false, name: '', grub_device: false, type: disk, id: disk-sda }
        - { type: partition, device: disk-sda, size: 536870912, wipe: superblock, flag: boot, number: 1, preserve: false, grub_device: true, id: sda-grub }
        - { type: partition, device: disk-sda, size: 1073741824, wipe: superblock, flag: '', number: 2, preserve: false, grub_device: false, id: sda-boot }
        - { type: partition, device: disk-sda, size: -1, wipe: superblock, flag: '', number: 3, preserve: false, grub_device: false, id: sda-lvm}
        - { type: dm_crypt,  volume: sda-lvm, key: test, preserve: false, id: dm_crypt-1 }
        - { type: lvm_volgroup, name: ubuntu-vg, devices: [ dm_crypt-1 ], preserve: false, id: vg-1 }
        - { type: lvm_partition, name: lv-root,   volgroup: vg-1, size: 20G,  wipe: superblock, preserve: false, id: lv-root }
        - { type: lvm_partition, name: lv-tmp,    volgroup: vg-1, size: 5G,   wipe: superblock, preserve: false, id: lv-tmp }
        - { type: lvm_partition, name: lv-home,   volgroup: vg-1, size: 10G,  wipe: superblock, preserve: false, id: lv-home }
        - { type: lvm_partition, name: lv-vartmp, volgroup: vg-1, size: 5G,  wipe: superblock, preserve: false, id: lv-vartmp  }
        - { type: lvm_partition, name: lv-varlog, volgroup: vg-1, size: 5G,  wipe: superblock, preserve: false, id: lv-varlog }
        - { type: lvm_partition, name: lv-audit,  volgroup: vg-1, size: 5G,  wipe: superblock, preserve: false, id: lv-audit }
        - { type: lvm_partition, name: lv-var,    volgroup: vg-1, size: 10G,  wipe: superblock, preserve: false, id: lv-var  }
        - { type: lvm_partition, name: lv-nscout, volgroup: vg-1, size: 20G,  wipe: superblock, preserve: false, id: lv-nscout  }
        - { fstype: fat32, volume: sda-grub, preserve: false, type: format, id: sda-grub-fs }
        - { fstype: ext4,  volume: sda-boot, preserve: false, type: format, id: sda-boot-fs }
        - { fstype: xfs,   volume: lv-root,  preserve: false, type: format, id: lv-root-fs  }
        - { fstype: xfs,   volume: lv-tmp,   preserve: false, type: format, id: lv-tmp-fs   }
        - { fstype: xfs,   volume: lv-home,  preserve: false, type: format, id: lv-home-fs  }
        - { fstype: xfs,   volume: lv-vartmp, preserve: false, type: format, id: lv-vartmp-fs   }
        - { fstype: xfs,   volume: lv-varlog, preserve: false, type: format, id: lv-varlog-fs }
        - { fstype: xfs,   volume: lv-audit, preserve: false, type: format, id: lv-audit-fs }
        - { fstype: xfs,   volume: lv-var,   preserve: false, type: format, id: lv-var-fs   }
        - { fstype: xfs,   volume: lv-nscout,   preserve: false, type: format, id: lv-nc-fs   }
        - {type: mount, path: /,             id: m-root,   device: lv-root-fs  }
        - {type: mount, path: /boot/efi,     id: m-grub,   device: sda-grub-fs }
        - {type: mount, path: /boot,         id: m-boot,   device: sda-boot-fs ,  options: 'nosuid,nodev,noexec'}
        - {type: mount, path: /tmp,          id: m-tmp,    device: lv-tmp-fs,     options: 'nosuid,nodev,noexec'  }
        - {type: mount, path: /home,         id: m-home,   device: lv-home-fs,    options: 'nosuid,nodev' }
        - {type: mount, path: /var/tmp,      id: m-vartmp, device: lv-vartmp-fs,  options: 'nosuid,nodev,noexec' }
        - {type: mount, path: /var/log,      id: m-varlog, device: lv-varlog-fs,  options: 'nosuid,nodev,noexec'}
        - {type: mount, path: /var/log/audit, id: m-audit,  device: lv-audit-fs,   options: 'nosuid,nodev,noexec'}
        - {type: mount, path: /var,          id: m-usr,    device: lv-var-fs,     options: 'nosuid,nodev' }
        - {type: mount, path: /home/user/nightscout,  id: m-nscout,   device: lv-nc-fs,    options: 'nosuid,nodev' }
  locale: de_DE.UTF-8
  timezone: Europe/Berlin
  keyboard:
    layout: de
  identity:
    hostname: meinewelt
    password: $6$.....
    username: ....
  ssh:
    allow-pw: false
    install-server: true
  # packages: belongs under autoinstall; at the top level of the file it is
  # a plain cloud-init key for the live installer session instead
  packages:
    - cryptsetup-initramfs
    - initramfs-tools
    - apt-transport-https
    - ca-certificates
    - curl
    - git
    - openssl
  user-data:
    disable_root: false
    users:
      - name: charlie
        groups: users, admin, sudo
        sudo: ALL=(ALL) NOPASSWD:ALL
        ssh_authorized_keys:
           - ssh-ed25519 .....
        shell: /bin/bash
    ssh_deletekeys: false
```

Why did it work all the time before? I can't find out which owner it should be now.

@konstruktoid commented on GitHub (Feb 10, 2025):

I can't reproduce this.

```sh
vagrant@jammy:~/hardening$ stat /home/vagrant
  File: /home/vagrant
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd00h/64768d    Inode: 786434      Links: 6
Access: (0750/drwxr-x---)  Uid: ( 1000/ vagrant)   Gid: ( 1000/ vagrant)
Access: 2025-02-10 11:33:19.346629381 +0000
Modify: 2025-02-10 11:32:52.329127744 +0000
Change: 2025-02-10 11:32:52.329127744 +0000
 Birth: 2024-07-23 18:02:42.283999602 +0000
vagrant@jammy:~/hardening$ sudo chmod 0755 /home/vagrant
vagrant@jammy:~/hardening$ stat /home/vagrant
  File: /home/vagrant
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd00h/64768d    Inode: 786434      Links: 6
Access: (0755/drwxr-xr-x)  Uid: ( 1000/ vagrant)   Gid: ( 1000/ vagrant)
Access: 2025-02-10 11:33:19.346629381 +0000
Modify: 2025-02-10 11:32:52.329127744 +0000
Change: 2025-02-10 11:33:51.722808939 +0000
 Birth: 2024-07-23 18:02:42.283999602 +0000
vagrant@jammy:~/hardening$ git diff
```
```diff
diff --git a/ubuntu.cfg b/ubuntu.cfg
index 73310d5..4cd5a2c 100644
--- a/ubuntu.cfg
+++ b/ubuntu.cfg
@@ -8,10 +8,10 @@ LOGROTATE_CONF='./misc/logrotate.conf'
 NTPSERVERPOOL='0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org pool.ntp.org'
 TIMEDATECTL=''
 VERBOSE='N'
-AUTOFILL='N'
+AUTOFILL='Y'
 ADMINEMAIL='root@localhost'
 KEEP_SNAPD='Y'
-CHANGEME='' # Add something just to verify that you actually glanced the code
+CHANGEME='asdas' # Add something just to verify that you actually glanced the code
 
 # Configuration files
 ADDUSER='/etc/adduser.conf'
```
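Review bot: the reproduction in this hunk changes only two values, `AUTOFILL='N'` to `'Y'` and the `CHANGEME=''` sentinel to `'asdas'`, and leaves `ADMINEMAIL`, `KEEP_SNAPD` and the `ADDUSER='/etc/adduser.conf'` context line at their defaults, so it only shows that a default ubuntu.cfg keeps the vagrant home at 0750 under its own uid; the reporter's failing run is on a cloud-init-installed system whose `/home/charlie` is already root-owned before the script runs, which this diff cannot exercise. Asking the reporter for the same `git diff ubuntu.cfg` would make the two runs comparable on the cfg side, and the ownership difference stays the thing to explain.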
```sh
vagrant@jammy:~/hardening$ sudo bash ubuntu.sh
[...]
vagrant@jammy:~/hardening$ stat /home/vagrant
  File: /home/vagrant
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd00h/64768d    Inode: 786434      Links: 6
Access: (0750/drwxr-x---)  Uid: ( 1000/ vagrant)   Gid: ( 1000/ vagrant)
Access: 2025-02-10 11:40:14.709915663 +0000
Modify: 2025-02-10 11:46:13.867473396 +0000
Change: 2025-02-10 11:46:13.867473396 +0000
 Birth: 2024-07-23 18:02:42.283999602 +0000
vagrant@jammy:~/hardening$ lsb_release -d
Description:    Ubuntu 22.04.5 LTS
```
@Martin11180 commented on GitHub (Feb 12, 2025):

Hello
With a setup via cloud-init, there must be something wrong with the cloud-init config.
For me, root is the owner instead of charlie:

```
charlie@meinewelt:~$ stat /home/charlie
  File: /home/charlie
  Size: 36              Blocks: 0          IO Block: 4096   directory
Device: fc03h/64515d    Inode: 131         Links: 4
Access: (0750/drwxr-x---)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-02-12 11:19:52.798173657 +0100
Modify: 2025-01-17 22:48:27.801999956 +0100
Change: 2025-02-12 18:29:05.783848858 +0100
 Birth: 2025-02-12 11:19:52.798173657 +0100
```
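The stat output above shows the failure precisely: `/home/charlie` is owned by uid 0 while the login account is charlie, so once the hardening run drops the mode from 0755 to 0750 the remaining owner and group bits belong to root and charlie can no longer enter the directory. As an added example, not the hardening project's own code, here is a POSIX shell audit that walks a passwd file and reports home directories whose owner does not match the account's uid, or whose mode still grants "other" some access; it only reports and never changes anything. The accounts used in the usage below are constructed.

```shell
#!/bin/sh
# Added example (not code from the konstruktoid/hardening project).
# Audit login accounts' home directories against their passwd entries:
# a home owned by another uid (root in the report above) locks the account
# out as soon as a hardening step tightens the mode to 0750.

# home_audit PASSWD_FILE [MIN_UID]
# Checks every account with uid >= MIN_UID (default 1000, regular users on
# Ubuntu). Prints one line per finding and returns 1 if anything was found,
# 0 if every home is owned by its account and not accessible to "other".
# Uses GNU stat (-c), as shipped on Ubuntu.
home_audit() {
    passwd_file=$1
    min_uid=${2:-1000}
    rc=0
    while IFS=: read -r user _pw uid _gid _gecos home _shell; do
        # skip system accounts and malformed lines
        [ "$uid" -ge "$min_uid" ] 2>/dev/null || continue
        if [ ! -d "$home" ]; then
            printf '%s %s missing\n' "$user" "$home"
            rc=1
            continue
        fi
        owner=$(stat -c '%u' "$home")
        mode=$(stat -c '%a' "$home")
        if [ "$owner" != "$uid" ]; then
            printf '%s %s owner-uid=%s expected=%s mode=%s\n' \
                "$user" "$home" "$owner" "$uid" "$mode"
            rc=1
        fi
        case $mode in
            *[1-7])   # last octal digit non-zero: "other" still has access
                printf '%s %s world-accessible mode=%s\n' "$user" "$home" "$mode"
                rc=1
                ;;
        esac
    done < "$passwd_file"
    return $rc
}

# Report on the running system only when asked: home-audit.sh --live
if [ "${1:-}" = "--live" ]; then
    home_audit /etc/passwd || echo "owner mismatch: chown the directory to the account's uid:gid"
fi
```

Run `home_audit /etc/passwd` on the installed system; on Ubuntu the `nobody` account (home `/nonexistent`) shows up as `missing`, which is expected. A reported owner mismatch on a cloud-init-created account is repaired by chowning the directory tree to that account's uid and gid before the hardening script is run again, since the script's 0750 is correct once the owner is.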
Reference
starred/hardening#88