
atl.sh is a multi-user system where untrusted users have shell access. Security is enforced through multiple overlapping layers — no single mechanism is relied upon alone.

Defense-in-depth model

┌─────────────────────────────────────────────┐
│  Network: UFW firewall + Fail2ban           │
├─────────────────────────────────────────────┤
│  Authentication: SSH key-only, no passwords │
├─────────────────────────────────────────────┤
│  Authorization: AllowGroups, sudo disabled  │
├─────────────────────────────────────────────┤
│  Isolation: cgroups, quotas, private /tmp   │
├─────────────────────────────────────────────┤
│  Monitoring: auditd, AIDE, process acct     │
├─────────────────────────────────────────────┤
│  Hardening: CIS sysctl, module blacklist    │
└─────────────────────────────────────────────┘

Kernel hardening (sysctl)

CIS-aligned kernel parameters set via security/tasks/sysctl-hardening.yml:
| Parameter | Value | Purpose |
| --- | --- | --- |
| kernel.randomize_va_space | 2 | Full ASLR |
| kernel.yama.ptrace_scope | 2 | Only root can ptrace |
| kernel.dmesg_restrict | 1 | Users can't read kernel ring buffer |
| kernel.kptr_restrict | 2 | Hide kernel pointers |
| kernel.sysrq | 0 | Disable magic SysRq key |
| net.ipv4.conf.all.rp_filter | 1 | Strict reverse path filtering |
| net.ipv4.conf.all.accept_redirects | 0 | Reject ICMP redirects |
| net.ipv4.conf.all.send_redirects | 0 | Don't send ICMP redirects |
| net.ipv4.icmp_echo_ignore_broadcasts | 1 | Ignore broadcast pings |
| net.ipv4.tcp_syncookies | 1 | SYN flood protection |
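A baseline like this is only useful if someone checks that the running kernel still matches it (a later package, a container runtime or a manual `sysctl -w` can silently change a value). The script below is an added example, not part of the atl.sh playbook: it carries the table above as a baseline, compares `key = value` lines in `sysctl -a` format against it, and can read the live values straight from `/proc/sys`. The report format and the `--live` flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not the atl.sh playbook's own code): compare sysctl values
# against the CIS-aligned baseline from the table above.

# Baseline: one "parameter expected-value" pair per line, copied from the table.
SYSCTL_BASELINE='
kernel.randomize_va_space 2
kernel.yama.ptrace_scope 2
kernel.dmesg_restrict 1
kernel.kptr_restrict 2
kernel.sysrq 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.tcp_syncookies 1
'

# expected_value <param>: print the baseline value for a parameter, or nothing
# if the parameter is not part of the baseline.
expected_value() {
    printf '%s\n' "$SYSCTL_BASELINE" | awk -v p="$1" '$1 == p { print $2 }'
}

# check_pair <param> <actual>: print one report line; return 1 on drift.
check_pair() {
    cp_param=$1
    cp_actual=$2
    cp_want=$(expected_value "$cp_param")
    if [ -z "$cp_want" ]; then
        printf 'SKIP  %s (not in baseline)\n' "$cp_param"
        return 0
    fi
    if [ "$cp_actual" = "$cp_want" ]; then
        printf 'OK    %s = %s\n' "$cp_param" "$cp_actual"
        return 0
    fi
    printf 'DRIFT %s = %s (expected %s)\n' "$cp_param" "$cp_actual" "$cp_want"
    return 1
}

# audit_sysctl_text: read "key = value" lines (the format of `sysctl -a`) on
# stdin, check each against the baseline and return the number of drifts.
audit_sysctl_text() {
    drifts=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;      # blank lines and comments
            *=*) ;;                   # a key = value line
            *) continue ;;            # anything else is ignored
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*=}" | tr -d ' \t')
        check_pair "$key" "$val" || drifts=$((drifts + 1))
    done
    return "$drifts"
}

# audit_live: read the live value of every baseline parameter from /proc/sys
# (kernel.sysrq -> /proc/sys/kernel/sysrq) and feed it to audit_sysctl_text.
audit_live() {
    printf '%s\n' "$SYSCTL_BASELINE" | while read -r param _; do
        [ -n "$param" ] || continue
        path=/proc/sys/$(printf '%s' "$param" | tr . /)
        if [ -r "$path" ]; then
            printf '%s = %s\n' "$param" "$(cat "$path")"
        else
            printf '# missing: %s\n' "$param"
        fi
    done | audit_sysctl_text
}

# Usage: sh sysctl-audit.sh --live   (exit status = number of drifting keys)
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

The exit status is the drift count, so the check drops into a cron job or a CI step as-is; a parameter that is absent from `/proc/sys` (for example when the `yama` LSM is not built in) is reported as a comment line rather than treated as compliant.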

Module blacklist

Uncommon kernel modules are blacklisted to reduce attack surface (security/tasks/module-blacklist.yml):
  • Uncommon filesystems: cramfs, freevxfs, hfs, hfsplus, jffs2, squashfs, udf
  • Uncommon network protocols: dccp, sctp, rds, tipc
  • USB storage: usb-storage (server has no need for USB mass storage)

SSH hardening

| Setting | Value |
| --- | --- |
| Ports | 22, 2222 |
| Authentication | Key-only (passwords disabled) |
| Root login | prohibit-password (key-only) |
| Max auth tries | 3 |
| Login grace time | 30 seconds |
| Allowed groups | pubnix, root, sudo |
| Client alive interval | 300s (5 min) |
| Client alive count max | 2 |

Users outside the allowed groups cannot SSH in at all.

Firewall (UFW)

Default policy: deny incoming, allow outgoing. Only explicitly listed TCP ports are open: 22, 2222, 70, 79, 80, 443, 1965, 21, 40000–40100. SSH (port 22) is additionally rate-limited by UFW.

Fail2ban

Monitors SSH auth failures:
| Setting | Value |
| --- | --- |
| Ban time | 1 hour (3600s) |
| Detection window | 10 minutes (600s) |
| Max failures | 5 |

```
fail2ban-client status sshd      # view current bans
fail2ban-client set sshd unbanip 1.2.3.4  # unban an IP
```

User isolation

Cgroup v2 slices

Each user session runs in a systemd user slice with hard limits:
| Resource | Limit |
| --- | --- |
| CPU | 200% (2 cores) |
| Memory | 1.5 GB |
| Tasks | 200 (processes + threads) |

Exceeding memory triggers the OOM killer. Exceeding tasks prevents new process creation.

Disk quotas

XFS/ext4 quotas per user:
| Limit | Value |
| --- | --- |
| Soft | 5 GB (grace period warning) |
| Hard | 6 GB (writes fail) |

Private /tmp

pam_namespace polyinstantiation gives each login session an isolated /tmp, /var/tmp, and /run/lock. Users cannot see each other’s temporary files.

PAM limits

Additional limits via /etc/security/limits.conf:
| Limit | Value |
| --- | --- |
| nproc | 100 |
| nofile | 1024 |
| core | 0 (no core dumps) |
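The cgroup limits and the PAM limits above are two different enforcement points (systemd resource control on the user slice, and `pam_limits` at login), and both have to be in place for a runaway process to be stopped. The script below is an added example, not one of the atl.sh playbook's tasks: it renders the systemd directives and `limits.conf` entries that correspond to the two tables, and checks the properties of a running user slice as printed by `systemctl show`. The drop-in path `/etc/systemd/system/user-.slice.d/` (the template that applies to every `user-<uid>.slice`), the `@pubnix` group name in `limits.conf`, and reading 1.5 GB as 1536 MiB are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the atl.sh playbook's own tasks): per-user limits as
# systemd resource control plus PAM limits, and a check of a live user slice.
# Assumed: drop-in path under user-.slice.d/, PAM group "pubnix", 1.5 GB = 1536 MiB.

CPU_QUOTA='200%'   # 2 cores
MEM_MAX='1536M'    # 1.5 GB, interpreted as 1536 MiB
TASKS_MAX=200      # processes + threads

# slice_dropin: resource-control directives applied to every user-<uid>.slice.
slice_dropin() {
    printf '[Slice]\nCPUQuota=%s\nMemoryMax=%s\nTasksMax=%s\n' \
        "$CPU_QUOTA" "$MEM_MAX" "$TASKS_MAX"
}

# pam_limits: /etc/security/limits.conf entries for the pubnix group.
pam_limits() {
    printf '@pubnix hard nproc 100\n'
    printf '@pubnix hard nofile 1024\n'
    printf '@pubnix hard core 0\n'
}

# verify_slice: read "Property=Value" lines on stdin, as printed by
#   systemctl show -p CPUQuotaPerSecUSec,MemoryMax,TasksMax user-<uid>.slice
# and return the number of properties that do not match the limits above.
verify_slice() {
    bad=0
    while IFS='=' read -r prop val; do
        case $prop in
            CPUQuotaPerSecUSec) want=2s ;;         # 200% = 2 CPU-seconds per second
            MemoryMax)          want=1610612736 ;; # 1536 MiB in bytes
            TasksMax)           want=200 ;;
            *) continue ;;                          # other properties are not checked
        esac
        if [ "$val" = "$want" ]; then
            printf 'OK    %s=%s\n' "$prop" "$val"
        else
            printf 'WRONG %s=%s (expected %s)\n' "$prop" "$val" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# install_limits: write both files and reload systemd (needs root).
install_limits() {
    mkdir -p /etc/systemd/system/user-.slice.d
    slice_dropin > /etc/systemd/system/user-.slice.d/50-limits.conf
    pam_limits >> /etc/security/limits.conf
    systemctl daemon-reload
}

# Usage:
#   sh user-limits.sh --install
#   systemctl show -p CPUQuotaPerSecUSec,MemoryMax,TasksMax user-1000.slice | sh user-limits.sh --verify
case "${1:-}" in
    --install) install_limits ;;
    --verify)  verify_slice ;;
esac
```

`verify_slice` deliberately compares against the values systemd reports after parsing (`2s`, bytes, a plain count) rather than against the strings in the drop-in, so it also catches a drop-in that was written but never applied with `daemon-reload`.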

Privilege restrictions

  • sudo and su are blocked for pubnix users
  • /etc/shadow is not readable by users
  • /root is not accessible
  • /etc is read-only for users
  • dmesg is restricted (kernel.dmesg_restrict=1)

Audit logging (auditd)

40+ audit rules organized by category:

Self-auditing

Monitors changes to audit infrastructure itself: /var/log/audit/, /etc/audit/, audit tools.

Identity and authentication

Watches: /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow, /etc/sudoers, /etc/sudoers.d/

Network configuration

Watches: /etc/hosts, /etc/network/

SSH configuration

Watches: /etc/ssh/sshd_config

Suspicious activity (LOLBins)

Execution monitoring for: wget, curl, nc, socat, sudo, su

Scripting interpreters

Syscall monitoring (execve) for user-invoked: python3, perl, ruby, vim. Tagged with MITRE ATT&CK technique IDs (e.g., T1059_Command_Execution).

Privilege and permission changes

Syscall monitoring for: chmod, chown, fchmod, fchown — filtered to real users (auid >= 1000).

System integrity

Watches: /etc/sysctl.conf, /etc/sysctl.d/, /etc/modprobe.d/

Login integrity

Watches: /var/log/lastlog, /var/log/faillock, /var/log/tallylog

Time manipulation

Syscall monitoring: adjtimex, settimeofday, clock_settime

Process tracing

Syscall monitoring: ptrace, memfd_create
```
# Query audit log
ausearch -ts recent              # recent events
ausearch -k priv_esc             # privilege escalation
ausearch -k T1059_Command_Execution  # scripting interpreter use
ausearch -k perm_mod             # permission changes
aureport --summary               # summary report
```
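The categories above map onto two kinds of auditd rule: file watches (`-w path -p wa -k key`) for the configuration directories, and syscall rules (`-a always,exit -F arch=... -S ...`) for the interpreter, permission, tracing and time categories. The script below is an added example, not the playbook's own rule set: it renders rules for those four syscall categories and one watch, emitting each syscall rule for both the b64 and b32 ABIs so a 32-bit binary cannot bypass a b64-only rule, and restricting to real users with `auid>=1000` as the page describes. The keys `priv_esc`, `perm_mod` and `T1059_Command_Execution` come from the page; the interpreter paths under `/usr/bin`, the keys `ptrace`, `time_change` and `sshd_config`, and the file name under `/etc/audit/rules.d/` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the atl.sh playbook's own rules): render auditd rules for
# several of the categories above, and optionally install them with augenrules.
# Assumed: interpreter paths under /usr/bin; keys ptrace, time_change, sshd_config.

# Restrict to real logged-in users: auid >= 1000 and auid set (4294967295 = unset).
AUID_USER='-F auid>=1000 -F auid!=4294967295'

# syscall_rule <key> <syscalls> [extra -F filters...]: one rule per ABI.
syscall_rule() {
    sr_key=$1
    sr_calls=$2
    shift 2
    for arch in b64 b32; do
        line="-a always,exit -F arch=$arch -S $sr_calls"
        for extra in "$@"; do
            line="$line $extra"
        done
        printf '%s\n' "$line $AUID_USER -k $sr_key"
    done
}

# watch_rule <path> <key>: log writes and attribute changes to a file or directory.
watch_rule() {
    printf '%s\n' "-w $1 -p wa -k $2"
}

# Scripting interpreters: execve of each interpreter binary, tagged with the
# MITRE ATT&CK technique ID used on the page.
interpreter_rules() {
    for bin in python3 perl ruby vim; do
        syscall_rule T1059_Command_Execution execve "-F exe=/usr/bin/$bin"
    done
}

# Privilege and permission changes.
perm_mod_rules() {
    syscall_rule perm_mod chmod,fchmod,chown,fchown
}

# Process tracing and anonymous in-memory files.
ptrace_rules() {
    syscall_rule ptrace ptrace,memfd_create
}

# Time manipulation.
time_rules() {
    syscall_rule time_change adjtimex,settimeofday,clock_settime
}

# render_rules: the complete rule file, one rule per line.
render_rules() {
    watch_rule /etc/ssh/sshd_config sshd_config
    interpreter_rules
    perm_mod_rules
    ptrace_rules
    time_rules
}

# install_rules: write the file and load it (needs root; assumed file name).
install_rules() {
    render_rules > /etc/audit/rules.d/50-atl-example.rules
    augenrules --load
}

# Usage: sh audit-rules.sh            (print rules)
#        sh audit-rules.sh --install  (write and load them)
if [ "${1:-}" = "--install" ]; then
    install_rules
else
    render_rules
fi
```

After loading, `ausearch -k T1059_Command_Execution` returns only interpreter launches by real users, because the `auid` filters drop system services and daemons whose login UID was never set.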

File integrity (AIDE)

AIDE runs daily at 05:00 UTC via systemd timer. It checksums system binaries, config files, and kernel settings, reporting any unexpected changes.
```
aide --check                     # manual check
aide --update                    # update database after intentional changes
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```

Malware scanning

Three scanners are installed and configured:
| Tool | Purpose |
| --- | --- |
| rkhunter | Rootkit detection |
| chkrootkit | Rootkit detection (second opinion) |
| lynis | Security auditing and compliance |

Automatic updates

unattended-upgrades applies security patches automatically. Check history:
```
cat /var/log/unattended-upgrades/unattended-upgrades.log
```