Initial commit: saikyo-server-security

This commit is contained in:
vboxuser 2026-01-22 20:37:34 +03:00
commit 0ea0d34c2c
26 changed files with 1442 additions and 0 deletions

287
bin/saikyo-harden Normal file

@ -0,0 +1,287 @@
#!/bin/bash
# Saikyo OS Server Hardening Script
# Copyright (c) 2025-2026 OOO "SAIKO"
# License: GPL-3.0
set -e
VERSION="1.0.0"
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log_info() { echo -e "[${BLUE}INFO${NC}] $1"; }
log_ok() { echo -e "[${GREEN}OK${NC}] $1"; }
log_warn() { echo -e "[${YELLOW}WARN${NC}] $1"; }
log_error() { echo -e "[${RED}ERROR${NC}] $1"; }
check_root() {
if [ "$(id -u)" -ne 0 ]; then
log_error "Требуются права root. Используйте sudo."
exit 1
fi
}
harden_ssh() {
log_info "Настройка SSH..."
SSH_CONFIG="/etc/ssh/sshd_config"
SSH_BACKUP="/etc/ssh/sshd_config.bak.$(date +%Y%m%d)"
cp "$SSH_CONFIG" "$SSH_BACKUP"
# Disable root login
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' "$SSH_CONFIG"
# Disable password auth
sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' "$SSH_CONFIG"
# Enable pubkey auth
sed -i 's/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/' "$SSH_CONFIG"
# Disable empty passwords
sed -i 's/^#*PermitEmptyPasswords.*/PermitEmptyPasswords no/' "$SSH_CONFIG"
# Set max auth tries
sed -i 's/^#*MaxAuthTries.*/MaxAuthTries 3/' "$SSH_CONFIG"
# Set login grace time
sed -i 's/^#*LoginGraceTime.*/LoginGraceTime 60/' "$SSH_CONFIG"
systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || true
log_ok "SSH настроен"
}
harden_passwords() {
log_info "Настройка политики паролей..."
PWQUALITY="/etc/security/pwquality.conf"
cat > "$PWQUALITY" << 'EOF'
# Saikyo OS Server Password Policy
# Соответствует требованиям ПП РФ №1236
minlen = 12
minclass = 3
maxrepeat = 3
maxclassrepeat = 4
lcredit = -1
ucredit = -1
dcredit = -1
ocredit = -1
dictcheck = 1
usercheck = 1
enforcing = 1
EOF
log_ok "Политика паролей настроена"
}
harden_kernel() {
log_info "Настройка параметров ядра..."
SYSCTL_CONF="/etc/sysctl.d/99-saikyo-security.conf"
cat > "$SYSCTL_CONF" << 'EOF'
# Saikyo OS Server Kernel Security Settings
# Соответствует требованиям ПП РФ №1236
# Disable IP forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Enable TCP SYN cookies
net.ipv4.tcp_syncookies = 1
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Restrict core dumps
fs.suid_dumpable = 0
# Randomize virtual address space
kernel.randomize_va_space = 2
# Restrict dmesg access
kernel.dmesg_restrict = 1
# Restrict kernel pointers
kernel.kptr_restrict = 2
EOF
sysctl -p "$SYSCTL_CONF" > /dev/null 2>&1
log_ok "Параметры ядра настроены"
}
enable_firewall() {
log_info "Настройка firewall..."
if command -v firewall-cmd &>/dev/null; then
systemctl enable --now firewalld 2>/dev/null || true
firewall-cmd --set-default-zone=drop 2>/dev/null || true
firewall-cmd --permanent --add-service=ssh 2>/dev/null || true
firewall-cmd --reload 2>/dev/null || true
log_ok "Firewalld настроен"
elif command -v ufw &>/dev/null; then
ufw default deny incoming 2>/dev/null || true
ufw default allow outgoing 2>/dev/null || true
ufw allow ssh 2>/dev/null || true
ufw --force enable 2>/dev/null || true
log_ok "UFW настроен"
else
log_warn "Firewall не найден"
fi
}
enable_fail2ban() {
log_info "Настройка Fail2ban..."
if command -v fail2ban-client &>/dev/null; then
JAIL_LOCAL="/etc/fail2ban/jail.local"
cat > "$JAIL_LOCAL" << 'EOF'
# Saikyo OS Server Fail2ban Configuration
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
backend = systemd
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
EOF
systemctl enable --now fail2ban 2>/dev/null || true
log_ok "Fail2ban настроен"
else
log_warn "Fail2ban не установлен"
fi
}
enable_auditd() {
log_info "Настройка Auditd..."
if command -v auditctl &>/dev/null; then
AUDIT_RULES="/etc/audit/rules.d/saikyo-security.rules"
cat > "$AUDIT_RULES" << 'EOF'
# Saikyo OS Server Audit Rules
# Соответствует требованиям ПП РФ №1236
# Delete all existing rules
-D
# Set buffer size
-b 8192
# Monitor authentication
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
# Monitor sudo
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
# Monitor SSH
-w /etc/ssh/sshd_config -p wa -k sshd
# Monitor system calls
-a always,exit -F arch=b64 -S execve -k exec
# Monitor kernel modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
EOF
systemctl enable --now auditd 2>/dev/null || true
augenrules --load 2>/dev/null || true
log_ok "Auditd настроен"
else
log_warn "Auditd не установлен"
fi
}
enable_apparmor() {
log_info "Настройка AppArmor..."
if command -v apparmor_status &>/dev/null; then
systemctl enable --now apparmor 2>/dev/null || true
log_ok "AppArmor включён"
else
log_warn "AppArmor не установлен"
fi
}
main() {
echo -e "${BLUE}================================================${NC}"
echo -e "${BLUE} Saikyo OS Server Hardening Script v${VERSION}${NC}"
echo -e "${BLUE} Разработка: ООО «САЙКО»${NC}"
echo -e "${BLUE}================================================${NC}"
echo ""
check_root
log_info "Начало усиления безопасности..."
harden_ssh
harden_passwords
harden_kernel
enable_firewall
enable_fail2ban
enable_auditd
enable_apparmor
echo ""
log_ok "Усиление безопасности завершено!"
log_info "Рекомендуется перезагрузить систему."
}
case "$1" in
--version|-v)
echo "saikyo-harden version $VERSION"
;;
--help|-h)
echo "Usage: saikyo-harden [OPTIONS]"
echo ""
echo "Saikyo OS Server Hardening Script"
echo ""
echo "Options:"
echo " -h, --help Show this help"
echo " -v, --version Show version"
;;
*)
main
;;
esac
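Review bot: `sysctl -p "$SYSCTL_CONF" > /dev/null 2>&1` in harden_kernel has no `|| true` and runs under `set -e`, so a single unknown key (for example any net.ipv6.* entry on a host with IPv6 disabled) aborts the whole run after sshd_config has already been rewritten but before the firewall, fail2ban and auditd steps; use `sysctl -e -p "$SYSCTL_CONF" >/dev/null 2>&1 || log_warn "sysctl: some keys were not applied"` so the remaining steps still run and the failure stays visible. harden_kernel also writes to /etc/sysctl.d/99-saikyo-security.conf, the same path this package installs as a conffile, and its smaller key set drops the send_redirects, fs.protected_* and kernel.perf_event_paranoid settings the packaged file carries — write a differently named file or leave the packaged one alone. harden_ssh reloads sshd without running `sshd -t` first, so a config that sshd rejects is silently left in place (the reload is `|| true`), and on Debian-style configs where the Include of sshd_config.d sits at the top of sshd_config its `PermitRootLogin no` is shadowed by the packaged drop-in's `PermitRootLogin prohibit-password`, because sshd keeps the first value it reads. Turning off PasswordAuthentication without confirming that at least one non-root account has an authorized_keys file is the classic self-lockout; a check before the sed with a log_warn is cheap. The build-tree copy of this script later in the commit has the same lines.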

230
bin/saikyo-security-audit Normal file

@ -0,0 +1,230 @@
#!/bin/bash
# Saikyo OS Server Security Audit Tool
# Copyright (c) 2025-2026 OOO "SAIKO"
# License: GPL-3.0
set -e
VERSION="1.0.0"
SCRIPT_NAME=$(basename "$0")
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
print_header() {
echo -e "${BLUE}================================================${NC}"
echo -e "${BLUE} Saikyo OS Server - Security Audit Tool v${VERSION}${NC}"
echo -e "${BLUE} Разработка: ООО «САЙКО»${NC}"
echo -e "${BLUE} https://saikyo-server.ru${NC}"
echo -e "${BLUE}================================================${NC}"
echo ""
}
check_passed() {
echo -e "[${GREEN}PASS${NC}] $1"
}
check_failed() {
echo -e "[${RED}FAIL${NC}] $1"
}
check_warning() {
echo -e "[${YELLOW}WARN${NC}] $1"
}
check_info() {
echo -e "[${BLUE}INFO${NC}] $1"
}
audit_ssh() {
echo -e "\n${BLUE}=== Проверка SSH ===${NC}"
if grep -q "^PermitRootLogin no" /etc/ssh/sshd_config 2>/dev/null; then
check_passed "Root-логин через SSH отключён"
else
check_failed "Root-логин через SSH разрешён"
fi
if grep -q "^PasswordAuthentication no" /etc/ssh/sshd_config 2>/dev/null; then
check_passed "Аутентификация по паролю отключена"
else
check_warning "Аутентификация по паролю включена"
fi
if grep -q "^PubkeyAuthentication yes" /etc/ssh/sshd_config 2>/dev/null; then
check_passed "Аутентификация по ключам включена"
else
check_failed "Аутентификация по ключам отключена"
fi
}
audit_firewall() {
echo -e "\n${BLUE}=== Проверка Firewall ===${NC}"
if systemctl is-active --quiet firewalld; then
check_passed "Firewalld активен"
elif systemctl is-active --quiet ufw; then
check_passed "UFW активен"
elif systemctl is-active --quiet nftables; then
check_passed "nftables активен"
else
check_failed "Firewall не активен"
fi
}
audit_apparmor() {
echo -e "\n${BLUE}=== Проверка AppArmor ===${NC}"
if systemctl is-active --quiet apparmor; then
check_passed "AppArmor активен"
if command -v aa-status &>/dev/null; then
PROFILES=$(aa-status --profiled 2>/dev/null || echo "0")
check_info "Загружено профилей: ${PROFILES}"
fi
else
check_failed "AppArmor не активен"
fi
}
audit_fail2ban() {
echo -e "\n${BLUE}=== Проверка Fail2ban ===${NC}"
if systemctl is-active --quiet fail2ban; then
check_passed "Fail2ban активен"
if command -v fail2ban-client &>/dev/null; then
JAILS=$(fail2ban-client status 2>/dev/null | grep "Jail list" | cut -d: -f2 | tr -d ' ')
check_info "Активные jail: ${JAILS:-нет}"
fi
else
check_warning "Fail2ban не активен"
fi
}
audit_auditd() {
echo -e "\n${BLUE}=== Проверка Auditd ===${NC}"
if systemctl is-active --quiet auditd; then
check_passed "Auditd активен"
RULES=$(auditctl -l 2>/dev/null | wc -l)
check_info "Загружено правил аудита: ${RULES}"
else
check_warning "Auditd не активен"
fi
}
audit_updates() {
echo -e "\n${BLUE}=== Проверка обновлений ===${NC}"
if dpkg -l | grep -q unattended-upgrades; then
check_passed "unattended-upgrades установлен"
else
check_warning "unattended-upgrades не установлен"
fi
if systemctl is-active --quiet unattended-upgrades; then
check_passed "Автообновления активны"
else
check_warning "Автообновления не активны"
fi
}
audit_passwords() {
echo -e "\n${BLUE}=== Проверка политики паролей ===${NC}"
if [ -f /etc/security/pwquality.conf ]; then
check_passed "pwquality.conf настроен"
if grep -q "minlen" /etc/security/pwquality.conf; then
MINLEN=$(grep "minlen" /etc/security/pwquality.conf | grep -v "^#" | cut -d= -f2 | tr -d ' ')
check_info "Минимальная длина пароля: ${MINLEN:-не задана}"
fi
else
check_warning "pwquality.conf не найден"
fi
}
audit_integrity() {
echo -e "\n${BLUE}=== Проверка контроля целостности ===${NC}"
if command -v aide &>/dev/null; then
check_passed "AIDE установлен"
else
check_warning "AIDE не установлен"
fi
if command -v rkhunter &>/dev/null; then
check_passed "rkhunter установлен"
else
check_warning "rkhunter не установлен"
fi
}
generate_report() {
echo -e "\n${BLUE}=== Генерация отчёта ===${NC}"
REPORT_FILE="/var/log/saikyo-security-audit-$(date +%Y%m%d-%H%M%S).log"
{
echo "Saikyo OS Server Security Audit Report"
echo "Date: $(date)"
echo "Hostname: $(hostname)"
echo "OS: $(cat /etc/os-release | grep PRETTY_NAME | cut -d= -f2 | tr -d '"')"
echo ""
echo "=== Summary ==="
} > "$REPORT_FILE" 2>/dev/null || {
REPORT_FILE="/tmp/saikyo-security-audit-$(date +%Y%m%d-%H%M%S).log"
echo "Saikyo OS Server Security Audit Report" > "$REPORT_FILE"
}
check_info "Отчёт сохранён: ${REPORT_FILE}"
}
main() {
print_header
check_info "Начало аудита безопасности..."
check_info "Хост: $(hostname)"
check_info "Дата: $(date)"
audit_ssh
audit_firewall
audit_apparmor
audit_fail2ban
audit_auditd
audit_updates
audit_passwords
audit_integrity
generate_report
echo -e "\n${GREEN}Аудит завершён.${NC}"
}
case "$1" in
--version|-v)
echo "$SCRIPT_NAME version $VERSION"
echo "Copyright (c) 2025-2026 OOO SAIKO"
;;
--help|-h)
echo "Usage: $SCRIPT_NAME [OPTIONS]"
echo ""
echo "Saikyo OS Server Security Audit Tool"
echo ""
echo "Options:"
echo " -h, --help Show this help"
echo " -v, --version Show version"
echo ""
echo "Website: https://saikyo-server.ru"
echo "Support: support@saikyo-os.ru"
;;
*)
main
;;
esac
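Review bot: audit_ssh greps the static /etc/ssh/sshd_config for `^PermitRootLogin no`, which ignores the Include'd drop-ins — including this package's own 99-saikyo-hardening.conf, which sets `prohibit-password` — so a host installed from this package is reported FAIL while a host whose drop-in re-enables root passwords is reported PASS; test the effective configuration instead, e.g. `sshd -T 2>/dev/null | grep -qiE '^permitrootlogin (no|prohibit-password)$'` and the analogous `-T` lines for passwordauthentication and pubkeyauthentication (note `sshd -T` needs root, which the audit does not currently require). generate_report writes only the header into the report file; the PASS/FAIL lines go to stdout and never reach it, so the "=== Summary ===" section is always empty — either `tee -a "$REPORT_FILE"` the check_* output or collect the results in a variable and print them into the file. The /tmp fallback uses a predictable, timestamp-derived name; use `REPORT_FILE=$(mktemp /tmp/saikyo-security-audit-XXXXXX.log)` so the path cannot be pre-created by another local user. The build-tree copy of this script later in the commit has the same lines.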


@ -0,0 +1,6 @@
saikyo-server-security (1.0.0) stable; urgency=medium
* Initial release
* Security hardening for Saikyo OS Server
-- Saikyo OS Team <support@saikyo-os.ru> Tue, 21 Jan 2026 23:30:00 +0300


@ -0,0 +1,3 @@
./etc/ssh/sshd_config.d/99-saikyo-hardening.conf
./etc/sysctl.d/99-saikyo-security.conf
./etc/audit/rules.d/99-saikyo-audit.rules

6
debian/changelog vendored Normal file

@ -0,0 +1,6 @@
saikyo-server-security (1.0.0) stable; urgency=medium
* Initial release
* Security hardening for Saikyo OS Server
-- Saikyo OS Team <support@saikyo-os.ru> Tue, 21 Jan 2026 23:30:00 +0300

19
debian/control vendored Normal file

@ -0,0 +1,19 @@
Source: saikyo-server-security
Section: admin
Priority: optional
Maintainer: Saikyo OS Team <support@saikyo-os.ru>
Build-Depends: debhelper-compat (= 13)
Standards-Version: 4.6.2
Package: saikyo-server-security
Architecture: all
Depends: ${misc:Depends}
Description: Saikyo OS Server - профиль безопасности
Настройки безопасности для Saikyo OS Server:
- Усиленные политики паролей
- Настройки SSH (только ключи, без root)
- Политики AppArmor
- Правила Firewall
- Настройки аудита
.
Соответствует требованиям ПП РФ №1236 и №325.
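Review bot: `Depends: ${misc:Depends}` is the only dependency, yet the package ships an sshd drop-in, audit rules and a postinst that calls sysctl, systemctl and sshd; without `openssh-server`, `auditd` and `procps` in Depends (or at least Recommends) the drop-in and the rules are dead files on a minimal install. The Description also promises AppArmor policies and firewall rules, but debian/install lists only the ssh, sysctl and audit files, so the text overstates what the package delivers. debian/files, debian/debhelper-build-stamp and the whole debian/saikyo-server-security/ tree are build outputs and belong in .gitignore rather than in the commit, otherwise a stale pre-built package travels with the source.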

1
debian/debhelper-build-stamp vendored Normal file

@ -0,0 +1 @@
saikyo-server-security

2
debian/files vendored Normal file

@ -0,0 +1,2 @@
saikyo-server-security_1.0.0_all.deb admin optional
saikyo-server-security_1.0.0_amd64.buildinfo admin optional

3
debian/install vendored Normal file

@ -0,0 +1,3 @@
etc/ssh/sshd_config.d/99-saikyo-hardening.conf
etc/sysctl.d/99-saikyo-security.conf
etc/audit/rules.d/99-saikyo-audit.rules

17
debian/postinst vendored Executable file

@ -0,0 +1,17 @@
#!/bin/bash
set -e
# Применить sysctl настройки
sysctl --system > /dev/null 2>&1 || true
# Перезагрузить auditd
systemctl restart auditd > /dev/null 2>&1 || true
# Перезагрузить sshd
systemctl reload sshd > /dev/null 2>&1 || true
echo "Saikyo Server Security profile applied"
#DEBHELPER#
exit 0
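Review bot: `systemctl restart auditd > /dev/null 2>&1 || true` is the wrong way to load the new rules: on distributions whose auditd.service sets RefuseManualStop=yes (upstream's unit does) the restart is refused, and with the error hidden by `|| true` the shipped 99-saikyo-audit.rules are never loaded until reboot; use `augenrules --load > /dev/null 2>&1 || true`, which is also what bin/saikyo-harden calls. `systemctl reload sshd` relies on the sshd.service alias that Debian creates only when ssh.service is enabled — bin/saikyo-harden already falls back to `systemctl reload ssh`; do the same here, and run `sshd -t` first so a drop-in that sshd rejects is reported instead of silently skipped. The built copy at debian/saikyo-server-security/DEBIAN/postinst has the same lines.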

10
debian/rules vendored Executable file

@ -0,0 +1,10 @@
#!/usr/bin/make -f
%:
dh $@
override_dh_auto_install:
install -d $(CURDIR)/debian/saikyo-server-security/usr/bin
install -d $(CURDIR)/debian/saikyo-server-security/usr/share/saikyo-server-security
install -m 755 bin/saikyo-security-audit $(CURDIR)/debian/saikyo-server-security/usr/bin/
install -m 755 bin/saikyo-harden $(CURDIR)/debian/saikyo-server-security/usr/bin/


@ -0,0 +1,2 @@
misc:Depends=
misc:Pre-Depends=


@ -0,0 +1,3 @@
/etc/audit/rules.d/99-saikyo-audit.rules
/etc/ssh/sshd_config.d/99-saikyo-hardening.conf
/etc/sysctl.d/99-saikyo-security.conf


@ -0,0 +1,16 @@
Package: saikyo-server-security
Version: 1.0.0
Architecture: all
Maintainer: Saikyo OS Team <support@saikyo-os.ru>
Installed-Size: 38
Section: admin
Priority: optional
Description: Saikyo OS Server - профиль безопасности
Настройки безопасности для Saikyo OS Server:
- Усиленные политики паролей
- Настройки SSH (только ключи, без root)
- Политики AppArmor
- Правила Firewall
- Настройки аудита
.
Соответствует требованиям ПП РФ №1236 и №325.


@ -0,0 +1,3 @@
15a0d62376d7f57aff78e2c8c74f197f usr/bin/saikyo-harden
46ed56d9851855129c370f177a38489f usr/bin/saikyo-security-audit
76bf834098cb2eb26e09daa040959a9c usr/share/doc/saikyo-server-security/changelog.gz

17
debian/saikyo-server-security/DEBIAN/postinst vendored Executable file

@ -0,0 +1,17 @@
#!/bin/bash
set -e
# Применить sysctl настройки
sysctl --system > /dev/null 2>&1 || true
# Перезагрузить auditd
systemctl restart auditd > /dev/null 2>&1 || true
# Перезагрузить sshd
systemctl reload sshd > /dev/null 2>&1 || true
echo "Saikyo Server Security profile applied"
exit 0


@ -0,0 +1,58 @@
# Saikyo OS Server - Audit Rules
# Соответствует требованиям безопасности Минцифры
# Удаление всех правил
-D
# Буфер
-b 8192
# Аудит изменений времени
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
# Аудит пользователей и групп
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# Аудит сети
-w /etc/hosts -p wa -k system-network
-w /etc/network/ -p wa -k system-network
-w /etc/sysconfig/network -p wa -k system-network
# Аудит SELinux/AppArmor
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
# Аудит входа
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
# Аудит сессий
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
# Аудит sudo
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
# Аудит монтирования
-a always,exit -F arch=b64 -S mount -S umount2 -F auid>=1000 -F auid!=4294967295 -k mounts
# Аудит удаления файлов
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
# Аудит загрузки модулей
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
# Сделать конфигурацию неизменяемой
-e 2
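Review bot: `-e 2` makes the rule set immutable for the rest of the boot, so once this file has been loaded any later `augenrules --load` — including the one in bin/saikyo-harden's enable_auditd, which writes a second file into the same rules.d directory — fails until reboot, and the script hides that behind `|| true`; either drop `-e 2` here or state in the header comment that rule changes take effect only after a reboot. Every syscall rule carries `-F arch=b64` only, so 32-bit syscalls on an amd64 host are not audited (the CIS benchmark pairs each rule with a b32 line); add the matching line for each `-a always,exit` rule, e.g. `-a always,exit -F arch=b32 -S init_module -S delete_module -k modules`. The file does not watch the package's own sshd drop-in directory or /etc/sysctl.d, while bin/saikyo-harden's rules watch /etc/ssh/sshd_config; `-w /etc/ssh/sshd_config -p wa -k sshd` and `-w /etc/ssh/sshd_config.d/ -p wa -k sshd` keep the two rule sets consistent. The copy later in the commit under debian/saikyo-server-security has the same lines.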


@ -0,0 +1,41 @@
# Saikyo OS Server SSH Hardening
# Соответствует требованиям безопасности Минцифры
# Отключить root login
PermitRootLogin prohibit-password
# Только ключи
PubkeyAuthentication yes
PasswordAuthentication no
# Отключить пустые пароли
PermitEmptyPasswords no
# Протокол 2 только
Protocol 2
# Алгоритмы шифрования (ГОСТ-совместимые + современные)
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
# Таймауты
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 60
# Логирование
LogLevel VERBOSE
# Ограничения
MaxAuthTries 3
MaxSessions 10
MaxStartups 10:30:60
# Отключить forwarding по умолчанию
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
# Banner
Banner /etc/issue.net
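Review bot: `PermitRootLogin prohibit-password` contradicts the `PermitRootLogin no` that bin/saikyo-harden writes and that bin/saikyo-security-audit greps for; because this drop-in is read through the Include at the top of Debian's sshd_config and sshd keeps the first value it sees, this line wins and the audit reports FAIL on a correctly installed host — pick one value (`PermitRootLogin no` matches the rest of the package) and use it in all three places. `Protocol 2` is a deprecated keyword in current OpenSSH, accepted only with a warning in the sshd log, and can be removed. The comment above the Ciphers line claims GOST compatibility, but the list holds only AES-GCM/CTR suites, so the comment should describe them as modern AES suites or drop the GOST claim. `Banner /etc/issue.net` assumes that file exists; the package does not ship it. The copy later in the commit under debian/saikyo-server-security has the same lines.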


@ -0,0 +1,51 @@
# Saikyo OS Server - Kernel Security Hardening
# Соответствует требованиям безопасности Минцифры
# Защита от IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Отключить ICMP redirect
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Отключить source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Защита от SYN flood
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
# Игнорировать ICMP broadcast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Логировать martian пакеты
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Защита памяти
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
# Ограничение core dumps
fs.suid_dumpable = 0
# Защита от symlink/hardlink атак
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2
# IPv6 (отключить если не используется)
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1
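Review bot: this file omits `net.ipv4.ip_forward = 0` and `net.ipv6.conf.all.forwarding = 0`, which bin/saikyo-harden's harden_kernel sets when it overwrites this very path (/etc/sysctl.d/99-saikyo-security.conf), so the effective kernel policy depends on whether the script has been run; add the two forwarding keys here, with a comment that hosts running containers or acting as routers must override them, so the packaged file is the superset and the script has nothing to clobber. `kernel.yama.ptrace_scope = 1` is the usual companion to kernel.kptr_restrict and kernel.dmesg_restrict for limiting process inspection and is not set here. The copy later in the commit under debian/saikyo-server-security has the same lines.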


@ -0,0 +1,287 @@
#!/bin/bash
# Saikyo OS Server Hardening Script
# Copyright (c) 2025-2026 OOO "SAIKO"
# License: GPL-3.0
set -e
VERSION="1.0.0"
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log_info() { echo -e "[${BLUE}INFO${NC}] $1"; }
log_ok() { echo -e "[${GREEN}OK${NC}] $1"; }
log_warn() { echo -e "[${YELLOW}WARN${NC}] $1"; }
log_error() { echo -e "[${RED}ERROR${NC}] $1"; }
check_root() {
if [ "$(id -u)" -ne 0 ]; then
log_error "Требуются права root. Используйте sudo."
exit 1
fi
}
harden_ssh() {
log_info "Настройка SSH..."
SSH_CONFIG="/etc/ssh/sshd_config"
SSH_BACKUP="/etc/ssh/sshd_config.bak.$(date +%Y%m%d)"
cp "$SSH_CONFIG" "$SSH_BACKUP"
# Disable root login
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' "$SSH_CONFIG"
# Disable password auth
sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' "$SSH_CONFIG"
# Enable pubkey auth
sed -i 's/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/' "$SSH_CONFIG"
# Disable empty passwords
sed -i 's/^#*PermitEmptyPasswords.*/PermitEmptyPasswords no/' "$SSH_CONFIG"
# Set max auth tries
sed -i 's/^#*MaxAuthTries.*/MaxAuthTries 3/' "$SSH_CONFIG"
# Set login grace time
sed -i 's/^#*LoginGraceTime.*/LoginGraceTime 60/' "$SSH_CONFIG"
systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || true
log_ok "SSH настроен"
}
harden_passwords() {
log_info "Настройка политики паролей..."
PWQUALITY="/etc/security/pwquality.conf"
cat > "$PWQUALITY" << 'EOF'
# Saikyo OS Server Password Policy
# Соответствует требованиям ПП РФ №1236
minlen = 12
minclass = 3
maxrepeat = 3
maxclassrepeat = 4
lcredit = -1
ucredit = -1
dcredit = -1
ocredit = -1
dictcheck = 1
usercheck = 1
enforcing = 1
EOF
log_ok "Политика паролей настроена"
}
harden_kernel() {
log_info "Настройка параметров ядра..."
SYSCTL_CONF="/etc/sysctl.d/99-saikyo-security.conf"
cat > "$SYSCTL_CONF" << 'EOF'
# Saikyo OS Server Kernel Security Settings
# Соответствует требованиям ПП РФ №1236
# Disable IP forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Enable TCP SYN cookies
net.ipv4.tcp_syncookies = 1
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Restrict core dumps
fs.suid_dumpable = 0
# Randomize virtual address space
kernel.randomize_va_space = 2
# Restrict dmesg access
kernel.dmesg_restrict = 1
# Restrict kernel pointers
kernel.kptr_restrict = 2
EOF
sysctl -p "$SYSCTL_CONF" > /dev/null 2>&1
log_ok "Параметры ядра настроены"
}
enable_firewall() {
log_info "Настройка firewall..."
if command -v firewall-cmd &>/dev/null; then
systemctl enable --now firewalld 2>/dev/null || true
firewall-cmd --set-default-zone=drop 2>/dev/null || true
firewall-cmd --permanent --add-service=ssh 2>/dev/null || true
firewall-cmd --reload 2>/dev/null || true
log_ok "Firewalld настроен"
elif command -v ufw &>/dev/null; then
ufw default deny incoming 2>/dev/null || true
ufw default allow outgoing 2>/dev/null || true
ufw allow ssh 2>/dev/null || true
ufw --force enable 2>/dev/null || true
log_ok "UFW настроен"
else
log_warn "Firewall не найден"
fi
}
enable_fail2ban() {
log_info "Настройка Fail2ban..."
if command -v fail2ban-client &>/dev/null; then
JAIL_LOCAL="/etc/fail2ban/jail.local"
cat > "$JAIL_LOCAL" << 'EOF'
# Saikyo OS Server Fail2ban Configuration
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
backend = systemd
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
EOF
systemctl enable --now fail2ban 2>/dev/null || true
log_ok "Fail2ban настроен"
else
log_warn "Fail2ban не установлен"
fi
}
enable_auditd() {
log_info "Настройка Auditd..."
if command -v auditctl &>/dev/null; then
AUDIT_RULES="/etc/audit/rules.d/saikyo-security.rules"
cat > "$AUDIT_RULES" << 'EOF'
# Saikyo OS Server Audit Rules
# Соответствует требованиям ПП РФ №1236
# Delete all existing rules
-D
# Set buffer size
-b 8192
# Monitor authentication
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
# Monitor sudo
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
# Monitor SSH
-w /etc/ssh/sshd_config -p wa -k sshd
# Monitor system calls
-a always,exit -F arch=b64 -S execve -k exec
# Monitor kernel modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
EOF
systemctl enable --now auditd 2>/dev/null || true
augenrules --load 2>/dev/null || true
log_ok "Auditd настроен"
else
log_warn "Auditd не установлен"
fi
}
enable_apparmor() {
log_info "Настройка AppArmor..."
if command -v apparmor_status &>/dev/null; then
systemctl enable --now apparmor 2>/dev/null || true
log_ok "AppArmor включён"
else
log_warn "AppArmor не установлен"
fi
}
main() {
echo -e "${BLUE}================================================${NC}"
echo -e "${BLUE} Saikyo OS Server Hardening Script v${VERSION}${NC}"
echo -e "${BLUE} Разработка: ООО «САЙКО»${NC}"
echo -e "${BLUE}================================================${NC}"
echo ""
check_root
log_info "Начало усиления безопасности..."
harden_ssh
harden_passwords
harden_kernel
enable_firewall
enable_fail2ban
enable_auditd
enable_apparmor
echo ""
log_ok "Усиление безопасности завершено!"
log_info "Рекомендуется перезагрузить систему."
}
case "$1" in
--version|-v)
echo "saikyo-harden version $VERSION"
;;
--help|-h)
echo "Usage: saikyo-harden [OPTIONS]"
echo ""
echo "Saikyo OS Server Hardening Script"
echo ""
echo "Options:"
echo " -h, --help Show this help"
echo " -v, --version Show version"
;;
*)
main
;;
esac


@ -0,0 +1,230 @@
#!/bin/bash
# Saikyo OS Server Security Audit Tool
# Copyright (c) 2025-2026 OOO "SAIKO"
# License: GPL-3.0
set -e
VERSION="1.0.0"
SCRIPT_NAME=$(basename "$0")
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
print_header() {
echo -e "${BLUE}================================================${NC}"
echo -e "${BLUE} Saikyo OS Server - Security Audit Tool v${VERSION}${NC}"
echo -e "${BLUE} Разработка: ООО «САЙКО»${NC}"
echo -e "${BLUE} https://saikyo-server.ru${NC}"
echo -e "${BLUE}================================================${NC}"
echo ""
}
check_passed() {
echo -e "[${GREEN}PASS${NC}] $1"
}
check_failed() {
echo -e "[${RED}FAIL${NC}] $1"
}
check_warning() {
echo -e "[${YELLOW}WARN${NC}] $1"
}
check_info() {
echo -e "[${BLUE}INFO${NC}] $1"
}
audit_ssh() {
echo -e "\n${BLUE}=== Проверка SSH ===${NC}"
if grep -q "^PermitRootLogin no" /etc/ssh/sshd_config 2>/dev/null; then
check_passed "Root-логин через SSH отключён"
else
check_failed "Root-логин через SSH разрешён"
fi
if grep -q "^PasswordAuthentication no" /etc/ssh/sshd_config 2>/dev/null; then
check_passed "Аутентификация по паролю отключена"
else
check_warning "Аутентификация по паролю включена"
fi
if grep -q "^PubkeyAuthentication yes" /etc/ssh/sshd_config 2>/dev/null; then
check_passed "Аутентификация по ключам включена"
else
check_failed "Аутентификация по ключам отключена"
fi
}
audit_firewall() {
echo -e "\n${BLUE}=== Проверка Firewall ===${NC}"
if systemctl is-active --quiet firewalld; then
check_passed "Firewalld активен"
elif systemctl is-active --quiet ufw; then
check_passed "UFW активен"
elif systemctl is-active --quiet nftables; then
check_passed "nftables активен"
else
check_failed "Firewall не активен"
fi
}
audit_apparmor() {
echo -e "\n${BLUE}=== Проверка AppArmor ===${NC}"
if systemctl is-active --quiet apparmor; then
check_passed "AppArmor активен"
if command -v aa-status &>/dev/null; then
PROFILES=$(aa-status --profiled 2>/dev/null || echo "0")
check_info "Загружено профилей: ${PROFILES}"
fi
else
check_failed "AppArmor не активен"
fi
}
audit_fail2ban() {
echo -e "\n${BLUE}=== Проверка Fail2ban ===${NC}"
if systemctl is-active --quiet fail2ban; then
check_passed "Fail2ban активен"
if command -v fail2ban-client &>/dev/null; then
JAILS=$(fail2ban-client status 2>/dev/null | grep "Jail list" | cut -d: -f2 | tr -d ' ')
check_info "Активные jail: ${JAILS:-нет}"
fi
else
check_warning "Fail2ban не активен"
fi
}
audit_auditd() {
echo -e "\n${BLUE}=== Проверка Auditd ===${NC}"
if systemctl is-active --quiet auditd; then
check_passed "Auditd активен"
RULES=$(auditctl -l 2>/dev/null | wc -l)
check_info "Загружено правил аудита: ${RULES}"
else
check_warning "Auditd не активен"
fi
}
audit_updates() {
echo -e "\n${BLUE}=== Проверка обновлений ===${NC}"
if dpkg -l | grep -q unattended-upgrades; then
check_passed "unattended-upgrades установлен"
else
check_warning "unattended-upgrades не установлен"
fi
if systemctl is-active --quiet unattended-upgrades; then
check_passed "Автообновления активны"
else
check_warning "Автообновления не активны"
fi
}
audit_passwords() {
echo -e "\n${BLUE}=== Проверка политики паролей ===${NC}"
if [ -f /etc/security/pwquality.conf ]; then
check_passed "pwquality.conf настроен"
if grep -q "minlen" /etc/security/pwquality.conf; then
MINLEN=$(grep "minlen" /etc/security/pwquality.conf | grep -v "^#" | cut -d= -f2 | tr -d ' ')
check_info "Минимальная длина пароля: ${MINLEN:-не задана}"
fi
else
check_warning "pwquality.conf не найден"
fi
}
audit_integrity() {
echo -e "\n${BLUE}=== Проверка контроля целостности ===${NC}"
if command -v aide &>/dev/null; then
check_passed "AIDE установлен"
else
check_warning "AIDE не установлен"
fi
if command -v rkhunter &>/dev/null; then
check_passed "rkhunter установлен"
else
check_warning "rkhunter не установлен"
fi
}
generate_report() {
echo -e "\n${BLUE}=== Генерация отчёта ===${NC}"
REPORT_FILE="/var/log/saikyo-security-audit-$(date +%Y%m%d-%H%M%S).log"
{
echo "Saikyo OS Server Security Audit Report"
echo "Date: $(date)"
echo "Hostname: $(hostname)"
echo "OS: $(cat /etc/os-release | grep PRETTY_NAME | cut -d= -f2 | tr -d '"')"
echo ""
echo "=== Summary ==="
} > "$REPORT_FILE" 2>/dev/null || {
REPORT_FILE="/tmp/saikyo-security-audit-$(date +%Y%m%d-%H%M%S).log"
echo "Saikyo OS Server Security Audit Report" > "$REPORT_FILE"
}
check_info "Отчёт сохранён: ${REPORT_FILE}"
}
main() {
print_header
check_info "Начало аудита безопасности..."
check_info "Хост: $(hostname)"
check_info "Дата: $(date)"
audit_ssh
audit_firewall
audit_apparmor
audit_fail2ban
audit_auditd
audit_updates
audit_passwords
audit_integrity
generate_report
echo -e "\n${GREEN}Аудит завершён.${NC}"
}
case "$1" in
--version|-v)
echo "$SCRIPT_NAME version $VERSION"
echo "Copyright (c) 2025-2026 OOO SAIKO"
;;
--help|-h)
echo "Usage: $SCRIPT_NAME [OPTIONS]"
echo ""
echo "Saikyo OS Server Security Audit Tool"
echo ""
echo "Options:"
echo " -h, --help Show this help"
echo " -v, --version Show version"
echo ""
echo "Website: https://saikyo-server.ru"
echo "Support: support@saikyo-os.ru"
;;
*)
main
;;
esac


@ -0,0 +1,58 @@
# Saikyo OS Server - Audit Rules
# Соответствует требованиям безопасности Минцифры
# Удаление всех правил
-D
# Буфер
-b 8192
# Аудит изменений времени
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
# Аудит пользователей и групп
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# Аудит сети
-w /etc/hosts -p wa -k system-network
-w /etc/network/ -p wa -k system-network
-w /etc/sysconfig/network -p wa -k system-network
# Аудит SELinux/AppArmor
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
# Аудит входа
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
# Аудит сессий
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
# Аудит sudo
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
# Аудит монтирования
-a always,exit -F arch=b64 -S mount -S umount2 -F auid>=1000 -F auid!=4294967295 -k mounts
# Аудит удаления файлов
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
# Аудит загрузки модулей
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
# Сделать конфигурацию неизменяемой
-e 2


@ -0,0 +1,41 @@
# Saikyo OS Server SSH Hardening
# Соответствует требованиям безопасности Минцифры
# Отключить root login
PermitRootLogin prohibit-password
# Только ключи
PubkeyAuthentication yes
PasswordAuthentication no
# Отключить пустые пароли
PermitEmptyPasswords no
# Протокол 2 только
Protocol 2
# Алгоритмы шифрования (ГОСТ-совместимые + современные)
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
# Таймауты
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 60
# Логирование
LogLevel VERBOSE
# Ограничения
MaxAuthTries 3
MaxSessions 10
MaxStartups 10:30:60
# Отключить forwarding по умолчанию
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
# Banner
Banner /etc/issue.net


@ -0,0 +1,51 @@
# Saikyo OS Server - Kernel Security Hardening
# Соответствует требованиям безопасности Минцифры
# Защита от IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Отключить ICMP redirect
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Отключить source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Защита от SYN flood
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
# Игнорировать ICMP broadcast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Логировать martian пакеты
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Защита памяти
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
# Ограничение core dumps
fs.suid_dumpable = 0
# Защита от symlink/hardlink атак
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2
# IPv6 (отключить если не используется)
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1