debian-cis/debian/cis-hardening.8

.\" Automatically generated by Pandoc 2.6
.\"
.TH "CIS-HARDENING" "8" "2016" "" ""
.hy
.SH NAME
.PP
cis-hardening - CIS Debian 9/10 Hardening
.SH SYNOPSIS
.PP
\f[B]hardening.sh\f[R] RUN_MODE OPTIONS
.SH DESCRIPTION
.PP
Modular Debian 9/10 security hardening scripts based on the CIS
(https://www.cisecurity.org) recommendations.
.PP
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS
infrastructure.
.SH SCRIPTS CONFIGURATION
.PP
Hardening scripts are in \f[C]bin/hardening\f[R].
Each script has a corresponding configuration file in
\f[C]etc/conf.d/[script_name].cfg\f[R].
.PP
Each hardening script can be individually enabled from its configuration
file.
For example, this is the default configuration file for
\f[C]disable_system_accounts\f[R]:
.IP
.nf
\f[C]
# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=\[dq]\[dq]
\f[R]
.fi
.PP
\f[B]status\f[R] parameter may take 3 values:
.IP \[bu] 2
\f[C]disabled\f[R] (do nothing): The script will not run.
.IP \[bu] 2
\f[C]audit\f[R] (RO): The script will check if any change should be
applied.
.IP \[bu] 2
\f[C]enabled\f[R] (RW): The script will check if any change should be
done and automatically apply what it can.
.PP
Global configuration is in \f[C]etc/hardening.cfg\f[R].
This file controls the log level as well as the backup directory.
Whenever a script is instructed to edit a file, it will create a
timestamped backup in this directory.
.SH RUN MODE
.TP
.B \f[C]-h\f[R], \f[C]--help\f[R]
Display a friendly help message.
.TP
.B \f[C]--apply\f[R]
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you\[cq]re
warmly advised to use \f[C]--audit\f[R] before, which can be regarded as
a dry-run mode.
.TP
.B \f[C]--audit\f[R]
Audit configuration for enabled scripts.
No modification will be made on the system, we\[cq]ll only report on
your system compliance for each script.
.TP
.B \f[C]--audit-all\f[R]
Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled
ones.
This is a good way to peek at your compliance level if all scripts were
enabled, and might be a good starting point.
.TP
.B \f[C]--audit-all-enable-passed\f[R]
Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R]
the individual scripts configurations to enable those which passed for
your system.
This is an easy way to enable scripts for which you\[cq]re already
compliant.
However, please always review each activated script afterwards, this
option should only be regarded as a way to kickstart a configuration
from scratch.
Don\[cq]t run this if you have already customized the scripts
enable/disable configurations, obviously.
.TP
.B \f[C]--create-config-files-only\f[R]
Create the config files in etc/conf.d Must be run as root, before
running the audit with user secaudit
.TP
.B \f[C]-set-hardening-level=level\f[R]
Modifies the configuration to enable/disable tests given an hardening
level, between 1 to 5.
Don\[cq]t run this if you have already customized the scripts
enable/disable configurations.
1: very basic policy, failure to pass tests at this level indicates
severe misconfiguration of the machine that can have a huge security
impact 2: basic policy, some good practice rules that, once applied,
shouldn\[cq]t break anything on most systems 3: best practices policy,
passing all tests might need some configuration modifications (such as
specific partitioning, etc.) 4: high security policy, passing all tests
might be time-consuming and require high adaptation of your workflow 5:
placebo, policy rules that might be very difficult to apply and
maintain, with questionable security benefits
.TP
.B \f[C]--allow-service=service\f[R]
Use with \f[C]--set-hardening-level\f[R].
Modifies the policy to allow a certain kind of services on the machine,
such as http, mail, etc.
Can be specified multiple times to allow multiple services.
Use \[en]allow-service-list to get a list of supported services.
.SH OPTIONS
.TP
.B \f[C]--allow-service-list\f[R]
Get a list of supported service.
.TP
.B \f[C]--only test-number\f[R]
Modifies the RUN_MODE to only work on the test_number script.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script, i.e.\ the test
number of 1.2_script_name.sh is 1.2.
.TP
.B \f[C]--sudo\f[R]
This option lets you audit your system as a normal user, but allows sudo
escalation to gain read-only access to root files.
Note that you need to provide a sudoers file with NOPASSWD option in
/etc/sudoers.d/ because the -n option instructs sudo not to prompt for a
password.
Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
.TP
.B \f[C]--batch\f[R]
While performing system audit, this option sets LOGLEVEL to `ok' and
captures all output to print only one line once the check is done,
formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
.SH AUTHORS
.IP \[bu] 2
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
.IP \[bu] 2
St\['e]phane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
.IP \[bu] 2
Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
.IP \[bu] 2
Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
.SH COPYRIGHT
.PP
MIT License
.PP
Copyright (c) 2016, OVHcloud
.PP
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
\[lq]Software\[rq]), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and
to permit persons to whom the Software is furnished to do so, subject to
the following conditions:
.PP
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
.PP
THE SOFTWARE IS PROVIDED \[lq]AS IS\[rq], WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
.SH SEE ALSO
.IP \[bu] 2
\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/
.IP \[bu] 2
\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks
.IP \[bu] 2
\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis
Regenerate man pages (Github action) 2021-01-18 10:11:47 +01:00			`.\" Automatically generated by Pandoc 2.6`
			`.\"`
			`.TH "CIS-HARDENING" "8" "2016" "" ""`
			`.hy`
Debian package revision bump 1.0-4 2016-04-21 12:00:20 +02:00			`.SH NAME`
			`.PP`
Regenerate man pages (Github action) 2021-01-18 10:11:47 +01:00			`cis-hardening - CIS Debian 9/10 Hardening`
			`.SH SYNOPSIS`
			`.PP`
			`\f[B]hardening.sh\f[R] RUN_MODE OPTIONS`
Debian package revision bump 1.0-4 2016-04-21 12:00:20 +02:00			`.SH DESCRIPTION`
			`.PP`
Regenerate man pages (Github action) 2021-01-18 10:11:47 +01:00			`Modular Debian 9/10 security hardening scripts based on the CIS`
			`(https://www.cisecurity.org) recommendations.`
Debian package revision bump 1.0-4 2016-04-21 12:00:20 +02:00			`.PP`
Regenerate man pages (Github action) 2021-01-18 10:11:47 +01:00			`We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS`
			`infrastructure.`
			`.SH SCRIPTS CONFIGURATION`
Debian package revision bump 1.0-4 2016-04-21 12:00:20 +02:00			`.PP`
Regenerate man pages (Github action) 2021-01-18 10:11:47 +01:00			`Hardening scripts are in \f[C]bin/hardening\f[R].`
			`Each script has a corresponding configuration file in`
			`\f[C]etc/conf.d/[script_name].cfg\f[R].`
Debian package revision bump 1.0-4 2016-04-21 12:00:20 +02:00			`.PP`
Regenerate man pages (Github action) 2021-01-18 10:11:47 +01:00			`Each hardening script can be individually enabled from its configuration`
			`file.`
			`For example, this is the default configuration file for`
			`\f[C]disable_system_accounts\f[R]:`
			`.IP`
Debian package revision bump 1.0-4 2016-04-21 12:00:20 +02:00			`.nf`
Regenerate man pages (Github action) 2021-01-18 10:11:47 +01:00			`\f[C]`
Debian package revision bump 1.0-4 2016-04-21 12:00:20 +02:00			`# Configuration for script of same name`
			`status=disabled`
			`# Put here your exceptions concerning admin accounts shells separated by spaces`
Regenerate man pages (Github action) 2021-01-18 10:11:47 +01:00			`EXCEPTIONS=\[dq]\[dq]`
			`\f[R]`
Debian package revision bump 1.0-4 2016-04-21 12:00:20 +02:00			`.fi`
			`.PP`
Regenerate man pages (Github action) 2021-01-18 10:11:47 +01:00			`\f[B]status\f[R] parameter may take 3 values:`
			`.IP \[bu] 2`
			`\f[C]disabled\f[R] (do nothing): The script will not run.`
			`.IP \[bu] 2`
			`\f[C]audit\f[R] (RO): The script will check if any change should be`
			`applied.`
			`.IP \[bu] 2`
			`\f[C]enabled\f[R] (RW): The script will check if any change should be`
			`done and automatically apply what it can.`
			`.PP`
			`Global configuration is in \f[C]etc/hardening.cfg\f[R].`
			`This file controls the log level as well as the backup directory.`
			`Whenever a script is instructed to edit a file, it will create a`
			`timestamped backup in this directory.`
			`.SH RUN MODE`
			`.TP`
			`.B \f[C]-h\f[R], \f[C]--help\f[R]`
			`Display a friendly help message.`
			`.TP`
			`.B \f[C]--apply\f[R]`
			`Apply hardening for enabled scripts.`
			`Beware that NO confirmation is asked whatsoever, which is why you\[cq]re`
			`warmly advised to use \f[C]--audit\f[R] before, which can be regarded as`
			`a dry-run mode.`
			`.TP`
			`.B \f[C]--audit\f[R]`
			`Audit configuration for enabled scripts.`
			`No modification will be made on the system, we\[cq]ll only report on`
			`your system compliance for each script.`
			`.TP`
			`.B \f[C]--audit-all\f[R]`
			`Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled`
			`ones.`
			`This is a good way to peek at your compliance level if all scripts were`
			`enabled, and might be a good starting point.`
			`.TP`
			`.B \f[C]--audit-all-enable-passed\f[R]`
			`Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R]`
			`the individual scripts configurations to enable those which passed for`
			`your system.`
			`This is an easy way to enable scripts for which you\[cq]re already`
			`compliant.`
			`However, please always review each activated script afterwards, this`
			`option should only be regarded as a way to kickstart a configuration`
			`from scratch.`
			`Don\[cq]t run this if you have already customized the scripts`
			`enable/disable configurations, obviously.`
			`.TP`
			`.B \f[C]--create-config-files-only\f[R]`
			`Create the config files in etc/conf.d Must be run as root, before`
			`running the audit with user secaudit`
			`.TP`
			`.B \f[C]-set-hardening-level=level\f[R]`
			`Modifies the configuration to enable/disable tests given an hardening`
			`level, between 1 to 5.`
			`Don\[cq]t run this if you have already customized the scripts`
			`enable/disable configurations.`
			`1: very basic policy, failure to pass tests at this level indicates`
			`severe misconfiguration of the machine that can have a huge security`
			`impact 2: basic policy, some good practice rules that, once applied,`
			`shouldn\[cq]t break anything on most systems 3: best practices policy,`
			`passing all tests might need some configuration modifications (such as`
			`specific partitioning, etc.) 4: high security policy, passing all tests`
			`might be time-consuming and require high adaptation of your workflow 5:`
			`placebo, policy rules that might be very difficult to apply and`
			`maintain, with questionable security benefits`
			`.TP`
			`.B \f[C]--allow-service=service\f[R]`
			`Use with \f[C]--set-hardening-level\f[R].`
			`Modifies the policy to allow a certain kind of services on the machine,`
			`such as http, mail, etc.`
			`Can be specified multiple times to allow multiple services.`
			`Use \[en]allow-service-list to get a list of supported services.`
			`.SH OPTIONS`
			`.TP`
			`.B \f[C]--allow-service-list\f[R]`
			`Get a list of supported service.`
			`.TP`
			`.B \f[C]--only test-number\f[R]`
			`Modifies the RUN_MODE to only work on the test_number script.`
			`Can be specified multiple times to work only on several scripts.`
			`The test number is the numbered prefix of the script, i.e.\ the test`
			`number of 1.2_script_name.sh is 1.2.`
			`.TP`
			`.B \f[C]--sudo\f[R]`
			`This option lets you audit your system as a normal user, but allows sudo`
			`escalation to gain read-only access to root files.`
			`Note that you need to provide a sudoers file with NOPASSWD option in`
			`/etc/sudoers.d/ because the -n option instructs sudo not to prompt for a`
			`password.`
			`Finally note that \f[C]--sudo\f[R] mode only works for audit mode.`
			`.TP`
			`.B \f[C]--batch\f[R]`
			While performing system audit, this option sets LOGLEVEL to `ok' and
			`captures all output to print only one line once the check is done,`
			`formatted like : OK\|KO OK\|KO\|WARN{subcheck results} [OK\|KO\|WARN{\&...}]`
			`.SH AUTHORS`
			`.IP \[bu] 2`
			`Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>`
			`.IP \[bu] 2`
			`St\['e]phane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>`
			`.IP \[bu] 2`
			`Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>`
			`.IP \[bu] 2`
			`Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>`
			`.SH COPYRIGHT`
			`.PP`
			`MIT License`
			`.PP`
			`Copyright (c) 2016, OVHcloud`
			`.PP`
			`Permission is hereby granted, free of charge, to any person obtaining a`
			`copy of this software and associated documentation files (the`
			`\[lq]Software\[rq]), to deal in the Software without restriction,`
			`including without limitation the rights to use, copy, modify, merge,`
			`publish, distribute, sublicense, and/or sell copies of the Software, and`
			`to permit persons to whom the Software is furnished to do so, subject to`
			`the following conditions:`
			`.PP`
			`The above copyright notice and this permission notice shall be included`
			`in all copies or substantial portions of the Software.`
			`.PP`
			`THE SOFTWARE IS PROVIDED \[lq]AS IS\[rq], WITHOUT WARRANTY OF ANY KIND,`
			`EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF`
			`MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.`
			`IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY`
			`CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,`
			`TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE`
			`SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.`
			`.SH SEE ALSO`
			`.IP \[bu] 2`
			`\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/`
			`.IP \[bu] 2`
			`\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks`
			`.IP \[bu] 2`
			`\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis`