
Vanguard Elite – Comprehensive Hardening and Monitoring Tutorial

1. Overview of Vanguard Elite

Vanguard Elite is a set of scripts and tools (linked from the original post) designed to harden Debian-based servers by:

  • Installing and configuring essential security packages.
  • Setting up a secure firewall with UFW.
  • Enabling Fail2Ban and AppArmor for basic protection.
  • Configuring AIDE (Advanced Intrusion Detection Environment) with modern options (SHA512 checksums, updated logging).
  • Applying advanced sysctl kernel hardening parameters.
  • Writing legal banners to warn unauthorized users.
  • Optionally, setting up compiler restrictions.
  • Providing interactive tools (both graphical via Tkinter and CLI) to manage and reapply these hardening settings or perform system audits.

This tutorial covers installing all dependencies, running the main setup script (setup.sh), and using the interactive tools (elite.py for GUI and elite_cli.py for command line).

2. Prerequisites of Vanguard Elite

Before starting, ensure that:

  • You have a Debian‑based server (such as Debian, Ubuntu, or a derivative).
  • You have root (sudo) privileges.
  • You have internet connectivity for downloading necessary packages and repositories.
  • (Optional) For the GUI tool, you have X11 support (or use SSH with X forwarding or a virtual framebuffer like xvfb-run). For headless servers, use the CLI tool.

3. Project Components

a. setup.sh

This is the main installation and configuration script. It does the following:

  • Pre-installation:
    • Installs gnupg and gnupg2, which are needed to import the CISOfy signing key when the Lynis repository is added.
    • Adds the Lynis repository and updates the package lists. Adding a third-party repository is a supply-chain trust decision: compare the fingerprint of the imported key with the one CISOfy publishes before relying on packages from it.
  • Essential Packages Installation:
    • Installs various security and monitoring packages such as UFW, Fail2Ban, AppArmor, sysstat, AIDE, auditd, and more.
  • Security Enhancements:
    • Enables sysstat (for accounting) and disables auditd if its ruleset is empty. auditd is the kernel audit log source; if you rely on it for detection or forensics, load a ruleset before running the script so it is left enabled.
    • Configures UFW firewall defaults.
    • Enables Fail2Ban and AppArmor.
    • Sets up root-owned cron jobs to run regular system audits and updates.
  • AIDE Configuration:
    • Creates a default AIDE configuration file under /etc/aide/aide.conf using the current option names (database_in, which replaced the older database keyword in AIDE 0.17, plus log_level=error and report_level=summary).
    • Uses updated file attribute rules that append +sha512 to enforce SHA512 checksums.
    • Initializes the AIDE database.
  • Additional Hardening:
    • Writes legal banners in /etc/issue and /etc/issue.net.
    • Applies advanced sysctl hardening settings to enforce various kernel security options.
  • Cleanup:
    • Finally, it removes gnupg and gnupg2, since their only role was importing the repository key. This does not weaken apt's signature checking, which uses gpgv and stays installed.
  • Uninstall Mode:
    • If you run setup.sh -uninstall, the script removes configuration files (such as the advanced sysctl settings and network-protocol blacklisting).
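
As an added illustration, not code from the Vanguard Elite project, the bash functions below generate the kinds of files setup.sh is described as writing (the sysctl drop-in, the network-protocol blacklist, aide.conf with +sha512 rules, and the legal banner), but under a prefix directory so the result can be inspected on a workstation without root. The specific sysctl keys, blacklisted modules, AIDE rules and banner wording are an assumed, illustrative set, not the project's own; run write_all "" as root only after reviewing them.

```bash
#!/usr/bin/env bash
# Added example, not the Vanguard Elite project's own code. Generates the
# hardening files that setup.sh is described as writing, under a prefix
# directory so they can be inspected without root and without touching the
# live system. The sysctl keys, blacklisted modules, AIDE rules and banner
# text are an assumed, illustrative set.
set -eu

# Kernel parameters to enforce (assumed set), one key=value per line.
SYSCTL_HARDENING='
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.yama.ptrace_scope=1
dev.tty.ldisc_autoload=0
fs.protected_symlinks=1
fs.protected_hardlinks=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.tcp_syncookies=1
'

# Rarely needed network protocols to keep out of the kernel (assumed set).
BLACKLIST_MODULES='dccp sctp rds tipc'

write_sysctl_conf() {        # $1 = destination file
  mkdir -p "$(dirname "$1")"
  {
    echo '# Kernel hardening; apply with: sysctl --system'
    printf '%s\n' "$SYSCTL_HARDENING" | sed '/^[[:space:]]*$/d'
  } > "$1"
}

write_modprobe_blacklist() { # $1 = destination file
  mkdir -p "$(dirname "$1")"
  {
    for m in $BLACKLIST_MODULES; do
      # "install <mod> /bin/false" defeats autoloading on demand; a bare
      # "blacklist" line only stops loading by alias, so both are written.
      echo "install $m /bin/false"
      echo "blacklist $m"
    done
  } > "$1"
}

write_aide_conf() {          # $1 = destination file
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
# Option names as of AIDE 0.17: database_in / database_out
database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
log_level=error
report_level=summary
# Every content rule carries +sha512 so each file gets a SHA-512 digest.
Binlib = p+i+n+u+g+s+b+m+c+sha512
ConfFiles = p+i+n+u+g+s+b+m+c+sha512
# Log files legitimately change; only check that they grow (S), no digest.
Logs = p+u+g+n+S
/usr/bin Binlib
/usr/sbin Binlib
/usr/lib Binlib
/etc ConfFiles
/var/log Logs
!/var/log/journal
EOF
}

write_legal_banner() {       # $1 = destination file
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
Authorized access only. All activity on this system may be monitored and
recorded. Disconnect now if you are not an authorized user.
EOF
}

# Number of key=value settings in a generated sysctl file.
sysctl_entry_count() { grep -c '^[a-z][^#]*=' "$1"; }

write_all() {                # $1 = prefix ("" writes the real /etc; needs root)
  local p=$1
  write_sysctl_conf        "$p/etc/sysctl.d/99-hardening.conf"
  write_modprobe_blacklist "$p/etc/modprobe.d/disable-net-protocols.conf"
  write_aide_conf          "$p/etc/aide/aide.conf"
  write_legal_banner       "$p/etc/issue"
  write_legal_banner       "$p/etc/issue.net"
}

# Stand-alone demonstration: write everything under a scratch prefix.
demo_prefix=$(mktemp -d)
write_all "$demo_prefix"
find "$demo_prefix" -type f | sort
```

The file names mirror the ones this tutorial later lists for uninstallation, so a diff between the generated tree and the live /etc shows exactly what setup.sh changed on a host.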

b. elite.py

A Tkinter-based GUI tool that provides interactive buttons to:

  • Reload UFW.
  • Restart Fail2Ban.
  • Reload AppArmor profiles.
  • Run a Lynis system audit.
  • Configure GRUB secure settings.
  • Apply advanced hardening settings (via sysctl).
  • Apply SSH hardening settings.

c. elite_cli.py

A similar tool as above but entirely command-line based. It presents a text menu to choose from various security tasks.

4. Installation and Configuration of Vanguard Elite

Step 1. Prepare Your System

  1. Log into your Debian‑based server as root or a sudoer.
  2. Update your system package lists:

bash

sudo apt update
sudo apt upgrade -y

Step 2. Download the Project Files

Place the following scripts on your server:

  • setup.sh
  • elite.py
  • elite_cli.py

You may clone them from the project's repository or copy them manually.

Step 3. Make Scripts Executable

Ensure all scripts are executable:

bash

chmod +x setup.sh elite.py elite_cli.py

Step 4. Run the Setup Script

Execute the setup script:

bash

sudo ./setup.sh

The script will:

  • Install gnupg and gnupg2.
  • Add the Lynis repository:
    • It writes the repository line to /etc/apt/sources.list.d/cisofy-lynis.list.
  • Update the repository list via apt update.
  • Install all essential packages.
  • Enable sysstat and disable auditd.
  • Configure UFW, Fail2Ban, AppArmor, secure cron jobs.
  • Write and initialize the default AIDE configuration:
    • AIDE configuration is written to /etc/aide/aide.conf with the latest options.
    • The AIDE database is initialized; the nonzero exit status AIDE returns when it finds differences is ignored so that the script does not abort.
  • Write legal banners to /etc/issue and /etc/issue.net.
  • Apply advanced sysctl hardening settings.
  • Finally, remove gnupg and gnupg2.

AIDE initialization returns a nonzero exit status when it detects file differences, which set -e would otherwise treat as a fatal error, so the script appends || true to the AIDE commands and continues. The cost is that a genuine failure (for example, a syntax error in aide.conf) is masked as well, so confirm that a database file was actually created under /var/lib/aide/ once the script finishes.

Step 5. Verify Installation

After the script completes, verify that:

  • The Lynis repository is in place:

bash

cat /etc/apt/sources.list.d/cisofy-lynis.list

  • AIDE is configured:

bash

cat /etc/aide/aide.conf

  • The sysctl settings are active (query the live values directly instead of grepping the whole of sysctl -a):

bash

sysctl dev.tty.ldisc_autoload kernel.kptr_restrict

  • Legal banners were written:

bash

cat /etc/issue
cat /etc/issue.net
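
Printing the files proves they were written, not that they took effect. As an added example (not part of the project), the bash script below makes two stronger checks: it compares every key in the sysctl drop-in with the value the running kernel reports, so a setting that was written but never applied (or later reverted) is flagged, and it reports any AIDE selection line whose rule lacks a sha512 attribute. The sample configuration files and the fake_sysctl stub are constructed here so the script runs offline; on a real host pass the real paths and omit the getter argument.

```bash
#!/usr/bin/env bash
# Added example, not part of Vanguard Elite. Two post-install checks:
#   1. sysctl drift: each key=value in the hardening drop-in is compared with
#      the value the running kernel reports, so a setting that was written but
#      never applied (or reverted later) is reported.
#   2. AIDE rule audit: every selection line's rule must carry sha512, so a
#      rule that was never given a strong digest is reported.
# The sample files and the fake_sysctl stub below are constructed for the demo.
set -eu

# $1 = sysctl conf file; $2 = command printing the live value of a key
# (default "sysctl -n"). Prints one DRIFT line per mismatch; returns 1 if any.
check_sysctl_drift() {
  local conf=$1 getter=${2:-sysctl -n} key want have rc=0
  while IFS='=' read -r key want; do
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    want=$(printf '%s' "$want" | tr -d '[:space:]')
    case $key in ''|\#*) continue ;; esac          # blank or comment line
    have=$($getter "$key" 2>/dev/null | tr -d '[:space:]')
    [ -n "$have" ] || have='<unreadable>'          # key absent on this kernel
    if [ "$have" != "$want" ]; then
      printf 'DRIFT %s: want=%s have=%s\n' "$key" "$want" "$have"
      rc=1
    fi
  done < "$conf"
  return $rc
}

# $1 = aide.conf. Rule definitions look like "Name = attr+attr+..."; selection
# lines look like "/path Name" or "/path attr+attr" ("!/path" excludes).
# Prints one WEAK line per selection whose attributes lack sha512; returns 1 if any.
check_aide_sha512() {
  local conf=$1 rc=0 line path rule attrs
  while read -r line; do
    case $line in ''|\#*|@@*|!*|*=*) continue ;; esac  # keep selection lines only
    set -- $line                                      # $1=path $2=rule (paths without spaces)
    path=$1 rule=${2:-}
    case $rule in
      *+*) attrs=$rule ;;                             # inline attribute list
      '')  attrs='' ;;
      *)   attrs=$(sed -n "s/^[[:space:]]*$rule[[:space:]]*=[[:space:]]*//p" "$conf") ;;
    esac
    case "+$attrs+" in
      *+sha512+*) ;;
      *) printf 'WEAK %s rule=%s attrs=%s\n' "$path" "${rule:-<none>}" "${attrs:-<undefined>}"
         rc=1 ;;
    esac
  done < "$conf"
  return $rc
}

write_sample_sysctl_conf() {   # $1 = destination (constructed sample)
  cat > "$1" <<'EOF'
# constructed stand-in for /etc/sysctl.d/99-hardening.conf
kernel.kptr_restrict = 2
dev.tty.ldisc_autoload = 0
net.ipv4.tcp_syncookies = 1
EOF
}

write_sample_aide_conf() {     # $1 = destination (constructed sample)
  cat > "$1" <<'EOF'
database_in=file:/var/lib/aide/aide.db
log_level=error
report_level=summary
Strong = p+i+n+u+g+s+b+m+c+sha512
Legacy = p+i+n+u+g+s+b+m+c+md5
/usr/bin Strong
/usr/sbin Legacy
/etc p+i+n+u+g+sha512
!/var/log/journal
EOF
}

# Stand-in for "sysctl -n": here kernel.kptr_restrict was never applied.
fake_sysctl() {
  case $1 in
    kernel.kptr_restrict)    echo 1 ;;
    dev.tty.ldisc_autoload)  echo 0 ;;
    net.ipv4.tcp_syncookies) echo 1 ;;
    *) return 1 ;;
  esac
}

# Offline demonstration. On a real host run instead:
#   check_sysctl_drift /etc/sysctl.d/99-hardening.conf
#   check_aide_sha512  /etc/aide/aide.conf
tmp=$(mktemp -d)
write_sample_sysctl_conf "$tmp/99-hardening.conf"
write_sample_aide_conf   "$tmp/aide.conf"
check_sysctl_drift "$tmp/99-hardening.conf" fake_sysctl || echo 'sysctl drift detected'
check_aide_sha512  "$tmp/aide.conf"                     || echo 'weak AIDE rule detected'
rm -rf "$tmp"
```

Both functions return nonzero when they find a problem, so they can be dropped straight into the audit cron job the setup script installs and will fail loudly instead of printing a report nobody reads.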

5. Using the Interactive Hardening Tools

Option A: Graphical User Interface (elite.py)

  • Ensure that your environment can display graphical applications (e.g., SSH with X11 forwarding or a local desktop).
  • Run:

bash

sudo python3 elite.py
  • The GUI window will open with buttons for:
    • Reload Firewall.
    • Restart Fail2Ban.
    • Reload AppArmor profiles.
    • Run Lynis audit.
    • Configure GRUB secure settings.
    • Apply Advanced Hardening (sysctl).
    • Apply SSH Hardening.
  • Click the desired button to perform each task.

Option B: Command Line Interface (elite_cli.py)

  • For headless servers without a GUI, run:

bash

sudo python3 elite_cli.py
  • The CLI menu will display options:
    1. Reload Firewall
    2. Restart Fail2Ban
    3. Reload AppArmor profiles
    4. Run Lynis Audit
    5. Configure GRUB Secure Settings
    6. Apply Advanced Hardening Settings
    7. Apply SSH Hardening Settings
    8. Exit
  • Enter the corresponding number to execute the desired task.

6. Uninstallation of Vanguard Elite

To remove some of the configuration modifications introduced by this project (specifically, advanced sysctl settings and network protocol blacklisting), run:

bash

sudo ./setup.sh -uninstall

This will remove:

  • /etc/sysctl.d/99-hardening.conf
  • /etc/modprobe.d/disable-net-protocols.conf

Note: It does not remove installed packages, and deleting the sysctl file does not reset the running kernel: the hardened values stay in effect until the next reboot or until you set them back explicitly. Additional manual cleanup is needed if you wish to revert all changes.

7. Troubleshooting and Considerations

  • AIDE Differences: AIDE might report differences between its database and the filesystem. This is normal on a running system. The script ignores nonzero exit statuses from AIDE so that they do not interrupt the installation. You can later run sudo aide --config=/etc/aide/aide.conf --check to perform an integrity scan against the configuration the script wrote.
  • Exit on Error: The script uses set -euo pipefail. If any command (other than AIDE commands with || true) fails, the script will exit immediately. Review error messages carefully.
  • X11/GUI Dependencies: If you plan to use the GUI (elite.py), ensure that your server has an X server available or use X forwarding with ssh -X. Prefer -X over -Y: -Y enables trusted forwarding, which lets the remote application bypass the X11 SECURITY extension restrictions on your client display.
  • Post-Installation Review: After the setup script completes, verify that hardening settings (sysctl, legal banners, cron jobs, etc.) are effective. You may also run security audits using Lynis or other tools.
  • Compiler Hardening: A reminder is printed regarding compiler hardening. On production servers, consider restricting access to compilers if not required.

8. Conclusion on Vanguard Elite

This comprehensive project sets up Vanguard Elite to automate the installation of security hardening measures. It simplifies tasks like firewall configuration, package security enforcement, AIDE configuration, and kernel parameter tuning—helping push your Lynis hardening score closer to 100.

By following this tutorial and testing the scripts in your environment, you’ll achieve a more secure Debian‑based server with reduced attack surface and improved monitoring. Feel free to customize individual sections to better suit your needs. Enjoy the enhanced security!