From 75445254723c358dfccc66118a288659c0daa972 Mon Sep 17 00:00:00 2001 From: ItsDrike Date: Sat, 23 Jan 2021 20:31:00 +0100 Subject: [PATCH] Add security packages/config --- home/.config/sh/aliases | 48 +++++++++++-------- packages.yaml | 29 ++++++++--- .../NetworkManager/conf.d/wifi_rand_mac.conf | 9 ++++ root/etc/resolv.conf | 11 +++++ 4 files changed, 71 insertions(+), 26 deletions(-) create mode 100644 root/etc/NetworkManager/conf.d/wifi_rand_mac.conf create mode 100644 root/etc/resolv.conf diff --git a/home/.config/sh/aliases b/home/.config/sh/aliases index 40c32bc..cf28ccf 100755 --- a/home/.config/sh/aliases +++ b/home/.config/sh/aliases @@ -6,24 +6,6 @@ alias mdkir='mkdir' alias soruce='source' alias souce='source' -# Exa aliases (replacement for ls, if you are using ls, comment or change this -alias ls='exa' -alias l='exa -glah' -alias ll='exa -glah --classify -s=size --group-directories-first -r' -alias ld='exa -glahD' -alias tree='exa -Tlagh' -alias dotfiles='exa -hula -d .[a-z]* | grep -v ^d' # Show all dotfiles -alias dotdirs='exa -hulaD -d .[a-z]*' # Show all dotdirs -alias dotall='exa -hula -d .[a-z]*' # Show both dotdirs and dotfiles - -# Shortcuts -alias rr='rm -r' -alias sv='systemctl' - -# Aliases for piping directly (f.e.: history G ssh) -alias -g G='| grep' -alias -g H='| head' - # Changing directories alias ..='cd ..' alias ...='cd ../../' @@ -34,6 +16,14 @@ alias .3='cd ../../../' alias .4='cd ../../../../' alias .5='cd ../../../../../' +# Shortcuts +alias rr='rm -r' +alias sv='systemctl' + +# Aliases for piping directly (f.e.: history G ssh) +alias -g G='| grep' +alias -g H='| head' + # Python alias py3='python3' alias py2='python2' 
@@ -41,6 +31,16 @@ alias py='ipython' alias ipy='ipython' alias bpy='bpython' +# Exa aliases (replacement for ls, if you are using ls, comment or change this +alias ls='exa' +alias l='exa -glah' +alias ll='exa -glah --classify -s=size --group-directories-first -r' +alias ld='exa -glahD' +alias tree='exa -Tlagh' +alias dotfiles='exa -hula -d .[a-z]* | grep -v ^d' # Show all dotfiles +alias dotdirs='exa -hulaD -d .[a-z]*' # Show all dotdirs +alias dotall='exa -hula -d .[a-z]*' # Show both dotdirs and dotfiles + # Config access shortcuts alias cfzshrc='vim ~/.zshrc' alias cfvim='vim ~/.config/vim/vimrc' 
@@ -62,8 +62,14 @@ command -v hd > /dev/null || alias hd="hexdump -C" # Cannonical hex dump; some s command -v md5sum > /dev/null || alias md5sum="md5" # Fallback from `md5sum` to `md5` command -v sha1sum > /dev/null || alias sha1sum="shasum" # Fallback from `sha1sum` to `shasum` +# X11 clipboard (either using xclip or xsel, xsel takes precedence if both) +command -v xclip > /dev/null && alias pbcopy='xclip -selection clipboard' +command -v xclip > /dev/null && alias pbpaste='xclip -selection clipboard -o' +command -v xsel > /dev/null && alias pbcopy='xsel --clipboard --input' +command -v xsel > /dev/null && alias pbpaste='xsel --clipboard --output' + # Regular expressions -alias reg_email='echo "[^[:space:]]+@[^[:space:]]+"' +alias reg_email='echo "[a-Z0-9._%-]+@[a-Z0-9.-]+\.[a-Z]{2,10}"' alias reg_mac='echo "([[:xdigit:]]{2}:){5}[[:xdigit:]]{2}"' alias reg_ipv4='echo "([0-9]{1,3}\.){3}[0-9]{1,3}"' alias reg_ipv6='echo "\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:
)))(%.+)?\s*"' # Also catches loopbacks (::1), (for valid matching, it needs to be this long...) @@ -110,7 +116,7 @@ alias psg='ps aux | grep -v grep | grep -i -e VSZ -e' # Get searchable process w # Time info alias now='date +"%T"' -alias nowtime=now +alias nowtime='now' alias nowdate='date +"%d-%m-%Y"' alias week='date +%V' @@ -134,6 +140,8 @@ alias undopush="git push -f origin HEAD^:master" # Other headless aliases alias reload="exec \$SHELL" # Reload the shell (i.e. invoke as a login shell +alias vuln='arch-audit' # Show vulnerable packages that can be upgraded (Arch Linux) +alias update-vuln="pacman -Sy \"\$(arch-audit --upgradable --quiet | awk '{sub(/>=.+/, \"\"); print}' | paste -s -d ' ')\"" # Upgrade all vulnerable packages, with released fixes alias path='echo -e ${PATH//:/\\n}' # Print each PATH entry on a separate line alias fhere='find . -name' # Find file/dir from currrent dir alias swapout='sudo swapoff -a; sudo swapon -a' # Reset swap (move everything to RAM) diff --git a/packages.yaml b/packages.yaml index a1e36ce..f32c81c 100644 --- a/packages.yaml +++ b/packages.yaml 
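Review bot: The new `reg_email` pattern uses the bracket range `a-Z`, which is not a valid ascending range in the C/POSIX locale (`a` sorts after `Z`), so grep rejects it there and its meaning in other locales depends on collation. Writing the classes out avoids that: `alias reg_email='echo "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,10}"'`. The added `+` in the local part keeps plus-addressed mailboxes from being matched only from the tag onwards when the pattern is used to pull addresses out of logs or dumps.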
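Review bot: `update-vuln` wraps the whole command substitution in double quotes, so when arch-audit reports more than one package pacman receives the space-joined list as a single target name, and with no output it receives an empty target. It also runs `pacman -Sy` with explicit targets, which refreshes the sync database and upgrades only those packages; that is a partial upgrade, which Arch does not support and which can leave the fixed packages running against older libraries. Since `arch-audit --upgradable` lists only packages whose fix is already in the repositories, a full `sudo pacman -Syu` picks up the same fixes. If the selective form is kept, leave the substitution unquoted and drop `-y`. The alias also does not call sudo, unlike the `swapout` alias below it, so its comment should say it must be run as root.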
@@ -1,18 +1,28 @@ pacman: # Common - - base-devel + - base-devel # Necessary for building AUR and yay install - git - vim - sudo - networkmanager # CLI + - exa # Modern ls replacement - cron # Scheduling program + - pkgfile # Pacman metadata explorer + - xsel # CLI tool for get/set contents of X11 clipboard (alternatively there's xclip) + # ZSH + Plugins - zsh # shell - zsh-syntax-highlighting # colored zsh - zsh-autosuggestions # Suggestions from previous commands - - exa # Modern ls replacement - - pkgfile # Pacman metadata explorer + # Security + - macchanger # Tool for changing MAC address + - dnsutils # Tools for managing DNS + - arch-audit # Similar to pkg-audit (AUR), based on Arch CVE Monitoring Team data + - apparmor # Mandantoy Access Control using Linux Security Module + - lynis # Security and System auditing tool + - firejail # Sandboxing isolation tool + - clamav # Anti-virus toolkit # GUI - gedit # Graphical text editor @@ -36,13 +46,20 @@ pacman: git: - - https://aur.archlinux.org/yay-git.git + - https://aur.archlinux.org/yay-git.git # Yay tool, for AUR installation aur: - - autojump # Faster way to navigate in CLI + # CLI + # ZSH Extensions + - autojump # Faster way to navigate in CLI (j command) + # Security + - ngrok # Forward your localhost without ip recovery + - pkg-audit # AUdit installed packages against known vulnerabilities, not necessary with arch-audit, but it does provide more detailed info + - opensnitch # onitor all network traffic (Installation can be quite slow ~15min) + + # GUI - spotify # Online music player - timeshift # Backup utility - onlyoffice-bin # Full office suite (MS Office alternative) - - ngrok # Forward your localhost - visual-studio-code-bin # Official vVsual Studio Code text editor for programmers - exodus # Software cryptocurrency wallet diff --git a/root/etc/NetworkManager/conf.d/wifi_rand_mac.conf b/root/etc/NetworkManager/conf.d/wifi_rand_mac.conf new file mode 100644 index 0000000..e2a2dec --- /dev/null 
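Review bot: The entries added under `# Security` in the first packages.yaml hunk only install the packages, and several of them do nothing until configured. apparmor has no effect until the LSM is enabled at boot and its service is started, and clamav needs its signature database fetched with freshclam before it can scan. The comments should say so, e.g. `- apparmor # Mandatory Access Control (LSM); requires boot parameter and apparmor.service`, which also fixes the "Mandantoy" typo. If the installer has a post-install step for these, it is not visible in this hunk.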
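Review bot: In the second packages.yaml hunk `ngrok` is moved under the `# Security` heading, but it publishes a local port through a third-party tunnel, which widens the host's exposure rather than hardening it. It would be better placed under a networking heading with a comment such as `- ngrok # Exposes a local port through a public tunnel; stop it when not in use`, replacing the unclear "without ip recovery". Two comments in the same block have typos: "AUdit" and "onitor" (for "Monitor").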
+++ b/root/etc/NetworkManager/conf.d/wifi_rand_mac.conf @@ -0,0 +1,9 @@ +[device-mac-randomization] +# "yes" is already the default for scanning +wifi.scan-rand-mac-address=yes + +[connection-mac-randomization] +# Randomize MAC for every ethernet connection +ethernet.cloned-mac-address=random +# Generate a random MAC for each WiFi and associate the two permanently. +wifi.cloned-mac-address=stable diff --git a/root/etc/resolv.conf b/root/etc/resolv.conf new file mode 100644 index 0000000..443a1eb --- /dev/null +++ b/root/etc/resolv.conf @@ -0,0 +1,11 @@ +# DNS configuration, NetworkManager tends to override this +# but setting immutable flag to this file fixes that. +# This can be done by running chattr +i /etc/resolv.conf + +# You should add this manually, with the immutable flag, +# Using it from the script will let NetworkManager override +# these back to the local DNS resolv, rendering this irrelevant +nameserver 1.1.1.1 +nameserver 1.0.0.1 +nameserver 192.168.0.1 +
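Review bot: `ethernet.cloned-mac-address=random` in wifi_rand_mac.conf is set as a global connection default, so every wired activation presents a new MAC, and the comment does not mention the operational cost. A warning would help, e.g. `# New MAC on each activation: breaks DHCP reservations and MAC allow-lists; override per connection where needed`. The Wi-Fi comment could also state that `stable` yields the same address for a given connection profile each time, so the device stays recognisable to a network it has joined before while differing between networks.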
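Review bot: The third entry in resolv.conf, `nameserver 192.168.0.1`, hard-codes a private address, so on any network other than the author's LAN a timeout on the first two resolvers sends queries to whichever host holds that address there. It should be removed or commented as site-specific. Pinning the file with `chattr +i` works against NetworkManager rather than configuring it; a conf.d file with `[main]` and `dns=none` makes NetworkManager leave /etc/resolv.conf alone and could ship next to wifi_rand_mac.conf. Since the commit is framed as a security change, the header comment should also state that these queries travel unencrypted to 1.1.1.1 and 1.0.0.1.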