elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-12-04 04:28:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

Beautify README.md

Browse Source
This commit is contained in:
Thibault Ayanides 2021-01-15 11:51:53 +01:00 committed by Thibault Serti
parent 8f5e3c2ef8
commit 0ab210183b
2 changed files with 33 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
AUTHORS
View File

@ -1,9 +1,9 @@
Contributors of this project : Contributors of this project :
Developers : Developers :
Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com> Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com> Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
Thibault Ayanides, OVH <thibault.ayanides@corp.ovh.com> Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
Debian package maintainers : Debian package maintainers :
Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com> Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>

45
README.md
View File

@ -1,10 +1,23 @@
# CIS Debian 9/10 Hardening # :lock: CIS Debian 9/10 Hardening
**News**: this projet is back in the game and is from now on maintained. Be free to use and to :tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to
report issues if you find any ! report issues if you find any !
<p align="center">
<img src="https://repository-images.githubusercontent.com/56690366/bbe7c380-55b2-11eb-84ba-d06bf153fe8b" width="300px">
</p>
![Shell-linter](https://github.com/thibaultserti/debian-cis/workflows/Run%20shell-linter/badge.svg)
![Functionnal tests](https://github.com/thibaultserti/debian-cis/workflows/Run%20functionnal%20tests/badge.svg)
![Release](https://github.com/thibaultserti/debian-cis/workflows/Create%20Release/badge.svg)
![Realease](https://img.shields.io/github/v/release/ovh/debian-cis)
![License](https://img.shields.io/github/license/ovh/debian-cis)
---
Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure. recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
```console ```console
$ bin/hardening.sh --audit-all $ bin/hardening.sh --audit-all
@ -25,7 +38,7 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicat
Conformity Percentage : 85.00 % Conformity Percentage : 85.00 %
``` ```
## Quickstart ## :dizzy: Quickstart
```console ```console
$ git clone https://github.com/ovh/debian-cis.git && cd debian-cis $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
@ -41,7 +54,7 @@ hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1
1.1.1.1_disable_freevxfs [ OK ] Check Passed 1.1.1.1_disable_freevxfs [ OK ] Check Passed
``` ```
## Usage ## :hammer: Usage
### Configuration ### Configuration
@ -107,7 +120,7 @@ Use --allow-service-list to get a list of supported services.
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root, ``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
before running the audit with user secaudit, to have the rights setup well on the conf files. before running the audit with user secaudit, to have the rights setup well on the conf files.
## Hacking ## :computer: Hacking
**Getting the source** **Getting the source**
@ -134,8 +147,8 @@ If the check replace somehow one that is in the CIS specifications,
you can use the numerotation of the check it replaces inplace. For example we check you can use the numerotation of the check it replaces inplace. For example we check
the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE. the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVH security check Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVHcloud security check.
(part of OVH security policy) (part of OVHcloud security policy)
Code your check explaining what it does then if you want to test Code your check explaining what it does then if you want to test
@ -144,7 +157,7 @@ Code your check explaining what it does then if you want to test
$ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg $ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
$ ./bin/hardening/99.99_custom_script.sh $ ./bin/hardening/99.99_custom_script.sh
``` ```
## Functional testing ## :sparkles: Functional testing
Functional tests are available. They are to be run in a Docker environment. Functional tests are available. They are to be run in a Docker environment.
@ -193,7 +206,7 @@ else
fi fi
``` ```
## Coding style ## :art: Coding style
### Shellcheck ### Shellcheck
We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the
@ -217,19 +230,19 @@ $ ./shellfmt/launch_shellfmt.sh
It will automatically fix any styling problem on every script. It will automatically fix any styling problem on every script.
## Disclaimer ## :heavy_exclamation_mark: Disclaimer
This project is a set of tools. They are meant to help the system administrator This project is a set of tools. They are meant to help the system administrator
built a secure environment. While we use it at OVH to harden our PCI-DSS compliant built a secure environment. While we use it at OVHcloud to harden our PCI-DSS compliant
infrastructure, we can not guarantee that it will work for you. It will not infrastructure, we can not guarantee that it will work for you. It will not
magically secure any random host. magically secure any random host.
Additionally, quoting the License: Additionally, quoting the License:
> THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY > THIS SOFTWARE IS PROVIDED BY OVHcloud SAS AND CONTRIBUTORS ``AS IS'' AND ANY
> EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED > EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
> WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
> DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY > DISCLAIMED. IN NO EVENT SHALL OVHcloud SAS AND CONTRIBUTORS BE LIABLE FOR ANY
> DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES > DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
> (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; > (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND > LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
@ -237,11 +250,11 @@ Additionally, quoting the License:
> (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
> SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
## Reference ## :satellite: Reference
- **Center for Internet Security**: https://www.cisecurity.org/ - **Center for Internet Security**: https://www.cisecurity.org/
- **CIS recommendations**: https://learn.cisecurity.org/benchmarks - **CIS recommendations**: https://learn.cisecurity.org/benchmarks
## License ## :page_facing_up: License
MIT MIT