debian-cis/debian/cis-hardening.8

157 lines
5.5 KiB
Groff
Raw Permalink Normal View History

.TH "CIS Debian 7/8/9 Hardening" 8 "OVH Group"
2016-04-21 12:00:20 +02:00
.SH NAME
cis-hardening - CIS Debian 7/8/9 Hardening
2016-04-21 12:00:20 +02:00
.PP
.SH DESCRIPTION
.PP
Modular Debian 7/8/9 security hardening scripts based on cisecurity.org \[la]https://www.cisecurity.org\[ra]
2016-04-22 14:29:33 +02:00
recommendations. We use it at OVH \[la]https://www.ovh.com\[ra] to harden our PCI\-DSS infrastructure.
2016-04-21 12:00:20 +02:00
.PP
.RS
.nf
$ bin/hardening.sh \-\-audit\-all
[...]
hardening [INFO] Treating /opt/cis\-hardening/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
13.15_check_duplicate_gid [INFO] Checking Configuration
13.15_check_duplicate_gid [INFO] Performing audit
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
13.15_check_duplicate_gid [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 191
Total Runned Checks : 191
Total Passed Checks : [ 170/191 ]
Total Failed Checks : [ 21/191 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 89.01 %
.fi
.RE
.SH Quickstart
.PP
.RS
.nf
$ git clone https://github.com/ovh/debian\-cis.git && cd debian\-cis
2016-04-22 10:18:31 +02:00
$ cp debian/default /etc/default/cis\-hardening
$ sed \-i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis\-hardening
2016-04-21 12:00:20 +02:00
$ bin/hardening/1.1_install_updates.sh \-\-audit\-all
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [ OK ] Check Passed
.fi
.RE
.SH Usage
.SS Configuration
.PP
Hardening scripts are in \fB\fCbin/hardening\fR\&. Each script has a corresponding
configuration file in \fB\fCetc/conf.d/[script_name].cfg\fR\&.
.PP
Each hardening script can be individually enabled from its configuration file.
For example, this is the default configuration file for \fB\fCdisable_system_accounts\fR:
.PP
.RS
.nf
# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""
.fi
.RE
.PP
\fB\fCstatus\fR parameter may take 3 values:
\fB\fCdisabled\fR (do nothing): The script will not run.
\fB\fCaudit\fR (RO): The script will check if any change \fIshould\fP be applied.
\fB\fCenabled\fR (RW): The script will check if any change should be done and automatically apply what it can.
.PP
Global configuration is in \fB\fCetc/hardening.cfg\fR\&. This file controls the log level
as well as the backup directory. Whenever a script is instructed to edit a file, it
will create a timestamped backup in this directory.
.SS Run aka "Harden your distro"
.PP
To run the checks and apply the fixes, run \fB\fCbin/hardening.sh\fR\&.
.PP
This command has 2 main operation modes:
\fB\fC\-\-audit\fR: Audit your system with all enabled and audit mode scripts
\fB\fC\-\-apply\fR: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
.PP
Additionally, \fB\fC\-\-audit\-all\fR can be used to force running all auditing scripts,
including disabled ones. this will \fInot\fP change the system.
.PP
\fB\fC\-\-audit\-all\-enable\-passed\fR can be used as a quick way to kickstart your
configuration. It will run all scripts in audit mode. If a script passes,
it will automatically be enabled for future runs. Do NOT use this option
if you have already started to customize your configuration.
.SH Hacking
.PP
\fBGetting the source\fP
.PP
.RS
.nf
$ git clone https://github.com/ovh/debian\-cis.git
.fi
.RE
.PP
\fBBuilding a debian Package\fP (the hacky way)
.PP
.RS
.nf
$ debuild \-us \-uc
.fi
.RE
.PP
\fBAdding a custom hardening script\fP
.PP
.RS
.nf
$ cp src/skel bin/hardening/99.99_custom_script.sh
$ chmod +x bin/hardening/99.99_custom_script.sh
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
.fi
.RE
.PP
Code your check explaining what it does then if you want to test
.PP
.RS
.nf
$ sed \-i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
$ ./bin/hardening/99.99_custom_script.sh
.fi
.RE
.SH Disclaimer
.PP
This project is a set of tools. They are meant to help the system administrator
built a secure environment. While we use it at OVH to harden our PCI\-DSS compliant
infrastructure, we can not guarantee that it will work for you. It will not
magically secure any random host.
.PP
Additionally, quoting the License:
.PP
.RS
THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.RE
.SH Reference
.PP
.RS
.nf
**Center for Internet Security**: https://www.cisecurity.org/
**CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian7.100
2017-06-05 16:36:25 +02:00
**CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian8.100
2016-04-21 12:00:20 +02:00
.fi
.RE
.SH License
.PP
3\-Clause BSD