SecurityScript & unbloatscript & batch install userapp scripts

baz77

Guest
I "made" a security script for CM/AOSP and wanted to share. OK, so I copied a lot from what I could find off the net, and thought I would share :) Seems as if this closes some of the security holes in Android in general, but also CM/AOKP.

If any of these are ridiculous, please help contribute to making it better. I just added what I thought could be true.

Warning: doesn't work on TouchWiz ROMs, only CM/AOSP
Warning: at your own risk, I take no responsibility
Warning: this could render other scripts useless.
Warning: I am no code monkey. I find that after boot I need to manually apply ro access with Root Explorer for some of the directories used here. Haven't been able to solve that with Tasker/init.d scripts.

How to use:
Run in a terminal with su privileges.
Or set it as a script/task/init.d to run on boot. For some stuff to stick you need to do this. I recommend Tasker, that's what I ran this with on boot.

Sources are too various to mention. One of them is SecDroid. A lot of what that app has I could verify from a lot of sources. But it is missing a lot of other stuff.

Tested improvements are welcome! Donations/beer also.

#!/system/bin/sh
### Open rootfs (where /sbin lives) and /system for writing. /system/bin, /system/xbin
### and /etc are directories under /system, not separate mount points, so these two
### remounts cover everything below. The option is "remount,rw" with no space after
### the comma; "remount, -rw" is split into two arguments and the remount does nothing.
mount -o remount,rw -t rootfs rootfs /
mount -o remount,rw /system
####enable the adbd daemon and busybox (busybox is used for the sysctl/chmod calls below)
chmod 777 /sbin/adbd
chmod 777 /system/xbin/busybox
###Disable NFC (device-specific tty nodes)
chmod 000 /dev/ttyO3
chmod 000 /dev/tty3
###hardening TCP/IP stack for IPv4
###Avoid a smurf attack: ignore ICMP echo sent to broadcast addresses
busybox sysctl -e -w net.ipv4.icmp_echo_ignore_broadcasts=1
###ICMP redirects ipv4
busybox sysctl -e -w net.ipv4.conf.all.accept_redirects=0
###ICMP redirects ipv6
busybox sysctl -e -w net.ipv6.conf.all.accept_redirects=0
###don't send ICMP redirects
busybox sysctl -e -w net.ipv4.conf.all.send_redirects=0
###source routing disable
busybox sysctl -e -w net.ipv4.conf.all.accept_source_route=0
###Forwarding traffic
busybox sysctl -e -w net.ipv4.conf.all.forwarding=0
###reverse-path filter, and log martians (packets with impossible source addresses)
busybox sysctl -e -w net.ipv4.conf.all.rp_filter=1
busybox sysctl -e -w net.ipv4.conf.all.log_martians=1
busybox sysctl -e -w net.ipv4.ip_forward=0
###Block Redirects
busybox sysctl -e -w net.ipv4.conf.default.accept_redirects=0
busybox sysctl -e -w net.ipv4.conf.all.secure_redirects=0
busybox sysctl -e -w net.ipv4.conf.default.secure_redirects=0
###Block Source-Routing
busybox sysctl -e -w net.ipv4.conf.default.accept_source_route=0
### IPv4 Tweaks
busybox sysctl -e -w net.ipv4.tcp_timestamps=0
busybox sysctl -e -w net.ipv4.tcp_sack=1
busybox sysctl -e -w net.ipv4.tcp_fack=1
busybox sysctl -e -w net.ipv4.tcp_congestion_control=cubic
busybox sysctl -e -w net.ipv4.tcp_window_scaling=1
###Protection against SYN Attacks (syncookies, short retries, bounded half-open queue)
busybox sysctl -e -w net.ipv4.tcp_syncookies=1
busybox sysctl -e -w net.ipv4.conf.default.rp_filter=1
busybox sysctl -e -w net.ipv4.tcp_synack_retries=2
busybox sysctl -e -w net.ipv4.tcp_syn_retries=2
busybox sysctl -e -w net.ipv4.tcp_max_syn_backlog=1024
busybox sysctl -e -w net.ipv4.tcp_max_tw_buckets=16384
busybox sysctl -e -w net.ipv4.icmp_echo_ignore_all=1
###Turn on protection for bad icmp error messages
busybox sysctl -e -w net.ipv4.icmp_ignore_bogus_error_responses=1
busybox sysctl -e -w net.ipv4.tcp_no_metrics_save=1
busybox sysctl -e -w net.ipv4.tcp_fin_timeout=15
busybox sysctl -e -w net.ipv4.tcp_keepalive_intvl=30
busybox sysctl -e -w net.ipv4.tcp_keepalive_probes=5
busybox sysctl -e -w net.ipv4.tcp_keepalive_time=1800
###Tune IPv6 and disable lol
busybox sysctl -e -w net.ipv6.conf.default.router_solicitations=0
busybox sysctl -e -w net.ipv6.conf.default.accept_ra_rtr_pref=0
busybox sysctl -e -w net.ipv6.conf.default.accept_ra_pinfo=0
busybox sysctl -e -w net.ipv6.conf.default.accept_ra_defrtr=0
busybox sysctl -e -w net.ipv6.conf.default.autoconf=0
busybox sysctl -e -w net.ipv6.conf.default.dad_transmits=0
busybox sysctl -e -w net.ipv6.conf.default.max_addresses=1
busybox sysctl -e -w net.ipv6.conf.all.disable_ipv6=1
busybox sysctl -e -w net.ipv6.conf.default.disable_ipv6=1
busybox sysctl -e -w net.ipv6.conf.lo.disable_ipv6=1
### Don't act as a router
busybox sysctl -e -w net.ipv4.conf.default.send_redirects=0
### Removing/disabling unnecessary binaries. Some of them have access to the Internet
rm -f /system/xbin/irsii
rm -f /system/xbin/nano
rm -f /system/xbin/nc
rm -f /system/xbin/telnet
rm -f /system/xbin/telnetd
rm -f /system/xbin/opcontrol
chmod 000 /system/xbin/netserver
chmod 000 /system/xbin/netperf
chmod 000 /system/xbin/scp
chmod 740 /system/xbin/rsync
chmod 740 /system/xbin/sdptest
chmod 000 /system/xbin/ssh
chmod 000 /system/xbin/sshd
chmod 000 /system/xbin/ssh-keygen
chmod 740 /system/xbin/strace
chmod 000 /system/xbin/tcpdump
chmod 740 /system/xbin/vim
###Let's make sure they aren't in bin either
rm -f /system/bin/irsii
rm -f /system/bin/nano
rm -f /system/bin/nc
rm -f /system/bin/telnet
rm -f /system/bin/telnetd
rm -f /system/bin/opcontrol
chmod 000 /system/bin/netserver
chmod 000 /system/bin/netperf
chmod 000 /system/bin/scp
chmod 740 /system/bin/rsync
chmod 740 /system/bin/sdptest
chmod 000 /system/bin/ssh
chmod 000 /system/bin/sshd
chmod 000 /system/bin/ssh-keygen
chmod 740 /system/bin/strace
chmod 000 /system/bin/tcpdump
chmod 740 /system/bin/vim
### This disables Bluetooth (Most users want it on)
###chmod 000 /system/bin/bluetoothd
### ONLY root should need these:
chmod 750 /system/bin/iptables
chmod 750 /system/bin/ping
### Let's remove suid from ping (prevent a privilege escalation attack)
busybox chmod -s /system/bin/ping
### busybox is not needed after this point, lock it again
chmod 000 /system/xbin/busybox
###disable the package manager binary (pm) - prevents installing apps via ADB or remotely
###disable ssh
###remove uiautomator permissions, haven't found a use for it anyway
chmod 000 /system/bin/pm
chmod 000 /system/bin/ssh
chmod 000 /system/bin/sshd
chmod 000 /system/bin/start-ssh
chmod 000 /system/bin/uiautomator
###Disable the adbd daemon again
###Prevents adb from running. This protects against attacks like P2P-ADB by Kos
chmod 000 /sbin/adbd
###disable config ssh. No server for me...
###remove files with dictionary for terminals lol wtf
rm -rf /etc/terminfo/*
mv /etc/ssh/ssh_config /etc/ssh/ssh_config.donthinkso
###close: back to read-only, /system first, then rootfs
mount -o remount,ro /system
mount -o remount,ro -t rootfs rootfs /
###Cause I can't code lol no errors reported. Test without exit 0 to see in the terminal if it works for your ROM. It's here so Tasker won't error out if it can't find something.
exit 0

Edit: put a /* after terminfo to delete everything in there.
Edit: small fix in code, not yet able to properly mount system and root as ro.
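A check script to go with the post above, added here as an example and not part of the original post or of SecDroid. The author notes that some settings do not stick after boot and that remounting read-only did not work; the two functions below verify both things from a root shell: check_sysctls compares a list of expected key=value pairs against a /proc/sys tree, and mount_is_ro parses a /proc/mounts-style file to report whether a path is read-only, read-write, or not a mount point at all (the last case is what happens with /system/xbin or /system/bin, which are directories under /system, not mount points). Both take the tree or file to inspect as a parameter so they can be pointed at a constructed copy for testing; the expected list under the live check is a subset of the sysctls from the script, chosen by me.

```shell
#!/system/bin/sh
# Added example (not from the original post): verify that the hardening took
# effect. Pure POSIX sh, so it runs under busybox ash on the device as well as
# on a desktop. Functions take the tree/file to inspect as a parameter so they
# can be pointed at /proc/sys and /proc/mounts or at a constructed copy.

# check_sysctls ROOT
# Reads expected "key=value" lines from stdin (blank lines and # comments are
# skipped) and compares each with the file under ROOT (normally /proc/sys).
# Prints one line per knob that is missing or has drifted; returns 0 only when
# every value matches. Interface names containing dots (eth0.100) are not
# handled by the simple dot-to-slash mapping.
check_sysctls() {
    root=$1
    bad=0
    while IFS='=' read -r key want; do
        case $key in ''|'#'*) continue ;; esac
        # net.ipv4.ip_forward -> ROOT/net/ipv4/ip_forward
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING $key (no such knob in this kernel)"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$path")
        if [ "$have" != "$want" ]; then
            echo "DRIFT   $key = $have (wanted $want)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# mount_is_ro MOUNTS_FILE MOUNTPOINT
# Parses a /proc/mounts-style file. Returns 0 if MOUNTPOINT is mounted
# read-only, 1 if read-write, 2 if it is not a mount point at all. The third
# case is why "mount -o remount,ro /system/xbin" fails on Android: /system/xbin,
# /system/bin and /etc are directories under /system, not mount points.
mount_is_ro() {
    mounts=$1
    target=$2
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "$target" ] || continue
        case ",$opts," in
            *,ro,*) return 0 ;;
            *)      return 1 ;;
        esac
    done < "$mounts"
    return 2
}

# Live check when /proc is available. The expected list is a subset of what the
# hardening script sets; extend it with the remaining sysctl lines as needed.
if [ -d /proc/sys ] && [ -r /proc/mounts ]; then
    if check_sysctls /proc/sys <<'EOF'
net.ipv4.ip_forward=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.disable_ipv6=1
EOF
    then echo "sysctl: all expected values present"
    else echo "sysctl: drift found, the hardening script did not stick"
    fi
    for mp in / /system; do
        rc=0
        mount_is_ro /proc/mounts "$mp" || rc=$?
        case $rc in
            0) echo "$mp: read-only" ;;
            1) echo "$mp: still read-write" ;;
            *) echo "$mp: not a mount point on this system" ;;
        esac
    done
fi
```

Run it from a root shell after boot; a DRIFT line names a sysctl that an init.d or Tasker task needs to re-apply, and "still read-write" on / or /system means the closing remounts did not run (or used the broken "remount, -ro" spelling).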
baz77

Guest
Unbloatscript

Just removing some of the stuff I don't use. You can add/remove what you like.

Edit: some apps might force close if they are running, that's no issue.

After running, wipe cache and dalvik and reboot to clean up further.

Warning: I added reboot at the end so the device will reboot!

#!/system/bin/sh
### "remount,rw" with no space after the comma; /sbin is on rootfs and /system/xbin
### is a directory under /system, so these two remounts are the ones that matter
mount -o remount,rw -t rootfs rootfs /
mount -o remount,rw /system
# enable the adbd daemon and busybox
chmod 777 /sbin/adbd
chmod 777 /system/xbin/busybox
# system apps I don't use; deletion is permanent until the next flash
rm -f /system/app/QuickSearchBox.apk
rm -f /system/app/VoiceSearchStub.apk
rm -f /system/app/Talkback.apk
rm -f /system/app/Talk.apk
rm -f /system/app/Email2.apk
rm -f /system/app/Exchange2.apk
rm -f /system/app/HoloSpiralWallpaper.apk
rm -f /system/app/MagicSmokeWallpapers.apk
rm -f /system/app/VoiceDialer.apk
rm -f /system/app/VpnDialogs.apk
rm -f /system/app/Apollo.apk
rm -f /system/app/BasicDreams.apk
rm -f /system/app/CMFileManager.apk
rm -f /system/app/CMWallpapers.apk
rm -f /system/app/Development.apk
rm -f /system/app/DSPManager.apk
rm -f /system/app/LiveWallpapers.apk
rm -f /system/app/LiveWallpaperPicker.apk
rm -f /system/app/LockClock.apk
rm -f /system/app/MediaUploader.apk
rm -f /system/app/NoiseField.apk
rm -f /system/app/Phasebeam.apk
rm -f /system/app/SoundRecorder.apk
rm -f /system/app/Term.apk
rm -f /system/app/Trebuchet.apk
rm -f /system/app/WAPPushManager.apk
###remove dalvik and cache
rm -f /data/dalvik-cache/*
rm -f /cache/dalvik-cache/*
rm -f /cache/lost+found/*
chmod 000 /sbin/adbd
chmod 000 /system/xbin/busybox
mount -o remount,ro /system
mount -o remount,ro -t rootfs rootfs /
### reboot must come before exit, otherwise it never runs; sync first so the deletions are on flash
sync
reboot
exit 0

Edit: added removing dalvik cache and cache, and a reboot after running this to prevent FCs. You will get some apps running but that should be no issue :)
Edit: closing, foolish me didn't mount as ro, and removed a bit of other code.

Edit: some more cleaning.
baz77

Guest
Batch install script

As I run a lot of scripts to automate my post-flash activities, I set my phone to airplane mode and run the following script to batch install from a certain folder.

It's nowhere near as sophisticated as Chasmodos' ROM scripts, but it does the job for my user apps :)

Here I have a folder (batchlove) where I store my backed-up apps (no data) from the Play Store on my external sdcard. So far Play recognizes the apps and lets me update them. However, you would then need to update the apks in this folder in order to always have up-to-date versions. You can put apks backed up with a lot of apps here.

Of course I don't keep my Tasker app here because it installs everything in that folder, and installing Tasker while running this script is not a good idea.

You can run this script from a terminal as well.

#!/system/bin/sh
# stop before touching anything if the folder is missing, so the loop never runs
# in the wrong directory
cd /storage/sdcard1/batchlove || exit 1
### "remount,rw" with no space after the comma; /sbin is on rootfs and /system/bin,
### /system/xbin are directories under /system
mount -o remount,rw -t rootfs rootfs /
mount -o remount,rw /system
# enable the adbd daemon, busybox and pm (the security script locks them down)
chmod 777 /sbin/adbd
chmod 777 /system/xbin/busybox
chmod 777 /system/bin/pm
for app in *.apk; do
    # with no matches the glob stays literal '*.apk'; skip that case
    [ -e "$app" ] || continue
    pm install -r "$app"
done
chmod 000 /sbin/adbd
chmod 000 /system/xbin/busybox
chmod 000 /system/bin/pm
### back to read-only
mount -o remount,ro /system
mount -o remount,ro -t rootfs rootfs /
exit 0
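A stricter version of the batch-install loop above, added here as an example; it is not the original post's script. The APKs in the folder are restored backups on a removable card rather than fresh Play Store downloads, so before each file is handed to pm it is checked against a SHA-256 manifest (sha256sum -c format, created once on a trusted machine); a swapped or corrupted file is skipped instead of installed. Filenames are quoted throughout so spaces are safe, and an empty folder is reported instead of passing the literal '*.apk' to pm. The installer command is a parameter so the logic can be exercised off-device; the folder path and the manifest name SHA256SUMS are my assumptions.

```shell
#!/system/bin/sh
# Added example (not from the original post): verify each APK against a
# SHA-256 manifest before installing it. POSIX sh; needs sha256sum and awk,
# both present in busybox and coreutils.

# verify_apk MANIFEST FILE
# MANIFEST holds sha256sum output lines: "<hex>  <name>" (two spaces, or
# " *" for binary mode). Returns 0 if FILE's hash matches its entry, 1 on
# mismatch or when FILE is not listed at all. Names with spaces are fine
# because everything after the hash is compared as a whole.
verify_apk() {
    manifest=$1
    file=$2
    name=$(basename "$file")
    want=$(awk -v n="$name" '{ h = $1; sub(/^[^ ]+ [ *]/, ""); if ($0 == n) { print h; exit } }' "$manifest")
    [ -n "$want" ] || return 1
    have=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# install_dir DIR MANIFEST [INSTALLER]
# Installs every verified *.apk in DIR using INSTALLER (default: pm install -r).
# Prints one line per file; returns 0 only if every APK verified and installed.
install_dir() {
    dir=$1
    manifest=$2
    installer=${3:-"pm install -r"}
    failed=0
    found=0
    for apk in "$dir"/*.apk; do
        # with no matches the glob stays literal; skip that case
        [ -e "$apk" ] || continue
        found=$((found + 1))
        if ! verify_apk "$manifest" "$apk"; then
            echo "SKIP    $apk (not in manifest or hash mismatch)"
            failed=$((failed + 1))
            continue
        fi
        if $installer "$apk"; then
            echo "OK      $apk"
        else
            echo "FAILED  $apk"
            failed=$((failed + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no .apk files in $dir"
        return 1
    fi
    [ "$failed" -eq 0 ]
}

# Device run (root shell). Path and manifest name are assumptions. The manifest
# is only as trustworthy as where it is read from: generate it on a trusted
# machine with  (cd batchlove && sha256sum *.apk > SHA256SUMS)  and prefer
# keeping a copy on internal storage rather than on the removable card.
BATCH=/storage/sdcard1/batchlove
if [ -d "$BATCH" ]; then
    # "remount,rw" with no space; /system is the mount point, /system/bin is not
    mount -o remount,rw /system
    chmod 755 /system/bin/pm
    install_dir "$BATCH" "$BATCH/SHA256SUMS"
    chmod 000 /system/bin/pm
    mount -o remount,ro /system
fi
```

If a backup tool rewrites APKs on restore, the manifest must be regenerated from those files, otherwise every install is skipped as a mismatch; a run that prints only SKIP lines is the signal to check that first.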
baz77

Guest
You copied SecDroid and added some stuff, now you call it your own project. Why not continue SecDroid?
I copied a bunch of other stuff also, as even SecDroid is not the source of most of those lines. It is an awesome initiative though. An app for the masses. For those interested: http://forum.xda-developers.com/showthread.php?t=2086276.

With the script, not really my project, I wanted to set the values immediately as I flash every other day. I got a script for that, as I would still need it for reopening the closed stuff every once in a while.


Edit: submitted most to the SecDroid git for the security script.
baz77

Guest
Added some extra scripts, handy for unbloat/batch install.

Tip: get Tasker, save these scripts as tasks, back up Tasker data (from within Tasker) and add a task to move the backup to the external card. Then you only need to install Tasker, copy the backup to the sdcard, restore and run. It's another way :)

If enough people are interested I can export these scripts as apps from Tasker; just install and it will do what the script does.

Remember to check folder permissions as these don't always stick lol