diff --git a/debian/cis-hardening.8 b/debian/cis-hardening.8 index 1228f4f..fd83d23 100644 --- a/debian/cis-hardening.8 +++ b/debian/cis-hardening.8 
@@ -1,156 +1,173 @@ -.TH "CIS Debian 7/8/9 Hardening" 8 "OVH Group" +.\" Automatically generated by Pandoc 2.6 +.\" +.TH "CIS-HARDENING" "8" "2016" "" "" +.hy .SH NAME -cis-hardening - CIS Debian 7/8/9 Hardening .PP +cis-hardening - CIS Debian 9/10 Hardening +.SH SYNOPSIS +.PP +\f[B]hardening.sh\f[R] RUN_MODE OPTIONS .SH DESCRIPTION .PP -Modular Debian 7/8/9 security hardening scripts based on cisecurity.org \[la]https://www.cisecurity.org\[ra] -recommendations. We use it at OVH \[la]https://www.ovh.com\[ra] to harden our PCI\-DSS infrastructure. +Modular Debian 9/10 security hardening scripts based on the CIS +(https://www.cisecurity.org) recommendations. .PP -.RS -.nf -$ bin/hardening.sh \-\-audit\-all -[...] -hardening [INFO] Treating /opt/cis\-hardening/bin/hardening/13.15_check_duplicate_gid.sh -13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid -13.15_check_duplicate_gid [INFO] Checking Configuration -13.15_check_duplicate_gid [INFO] Performing audit -13.15_check_duplicate_gid [ OK ] No duplicate GIDs -13.15_check_duplicate_gid [ OK ] Check Passed -[...] -################### SUMMARY ################### - Total Available Checks : 191 - Total Runned Checks : 191 - Total Passed Checks : [ 170/191 ] - Total Failed Checks : [ 21/191 ] - Enabled Checks Percentage : 100.00 % - Conformity Percentage : 89.01 % -.fi -.RE -.SH Quickstart -.PP -.RS -.nf -$ git clone https://github.com/ovh/debian\-cis.git && cd debian\-cis -$ cp debian/default /etc/default/cis\-hardening -$ sed \-i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis\-hardening -$ bin/hardening/1.1_install_updates.sh \-\-audit\-all -1.1_install_updates [INFO] Working on 1.1_install_updates -1.1_install_updates [INFO] Checking Configuration -1.1_install_updates [INFO] Performing audit -1.1_install_updates [INFO] Checking if apt needs an update -1.1_install_updates [INFO] Fetching upgrades ... 
-1.1_install_updates [ OK ] No upgrades available -1.1_install_updates [ OK ] Check Passed -.fi -.RE -.SH Usage -.SS Configuration -.PP -Hardening scripts are in \fB\fCbin/hardening\fR\&. Each script has a corresponding -configuration file in \fB\fCetc/conf.d/[script_name].cfg\fR\&. -.PP -Each hardening script can be individually enabled from its configuration file. -For example, this is the default configuration file for \fB\fCdisable_system_accounts\fR: -.PP -.RS +We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS +infrastructure. +.SH SCRIPTS CONFIGURATION +.PP +Hardening scripts are in \f[C]bin/hardening\f[R]. +Each script has a corresponding configuration file in +\f[C]etc/conf.d/[script_name].cfg\f[R]. +.PP +Each hardening script can be individually enabled from its configuration +file. +For example, this is the default configuration file for +\f[C]disable_system_accounts\f[R]: +.IP .nf +\f[C] # Configuration for script of same name status=disabled # Put here your exceptions concerning admin accounts shells separated by spaces -EXCEPTIONS="" +EXCEPTIONS=\[dq]\[dq] +\f[R] .fi -.RE .PP -\fB\fCstatus\fR parameter may take 3 values: - \fB\fCdisabled\fR (do nothing): The script will not run. - \fB\fCaudit\fR (RO): The script will check if any change \fIshould\fP be applied. - \fB\fCenabled\fR (RW): The script will check if any change should be done and automatically apply what it can. +\f[B]status\f[R] parameter may take 3 values: +.IP \[bu] 2 +\f[C]disabled\f[R] (do nothing): The script will not run. +.IP \[bu] 2 +\f[C]audit\f[R] (RO): The script will check if any change should be +applied. +.IP \[bu] 2 +\f[C]enabled\f[R] (RW): The script will check if any change should be +done and automatically apply what it can. .PP -Global configuration is in \fB\fCetc/hardening.cfg\fR\&. This file controls the log level -as well as the backup directory. Whenever a script is instructed to edit a file, it -will create a timestamped backup in this directory. 
-.SS Run aka "Harden your distro" +Global configuration is in \f[C]etc/hardening.cfg\f[R]. +This file controls the log level as well as the backup directory. +Whenever a script is instructed to edit a file, it will create a +timestamped backup in this directory. +.SH RUN MODE +.TP +.B \f[C]-h\f[R], \f[C]--help\f[R] +Display a friendly help message. +.TP +.B \f[C]--apply\f[R] +Apply hardening for enabled scripts. +Beware that NO confirmation is asked whatsoever, which is why you\[cq]re +warmly advised to use \f[C]--audit\f[R] before, which can be regarded as +a dry-run mode. +.TP +.B \f[C]--audit\f[R] +Audit configuration for enabled scripts. +No modification will be made on the system, we\[cq]ll only report on +your system compliance for each script. +.TP +.B \f[C]--audit-all\f[R] +Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled +ones. +This is a good way to peek at your compliance level if all scripts were +enabled, and might be a good starting point. +.TP +.B \f[C]--audit-all-enable-passed\f[R] +Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R] +the individual scripts configurations to enable those which passed for +your system. +This is an easy way to enable scripts for which you\[cq]re already +compliant. +However, please always review each activated script afterwards, this +option should only be regarded as a way to kickstart a configuration +from scratch. +Don\[cq]t run this if you have already customized the scripts +enable/disable configurations, obviously. +.TP +.B \f[C]--create-config-files-only\f[R] +Create the config files in etc/conf.d Must be run as root, before +running the audit with user secaudit +.TP +.B \f[C]-set-hardening-level=level\f[R] +Modifies the configuration to enable/disable tests given an hardening +level, between 1 to 5. +Don\[cq]t run this if you have already customized the scripts +enable/disable configurations. 
+1: very basic policy, failure to pass tests at this level indicates +severe misconfiguration of the machine that can have a huge security +impact 2: basic policy, some good practice rules that, once applied, +shouldn\[cq]t break anything on most systems 3: best practices policy, +passing all tests might need some configuration modifications (such as +specific partitioning, etc.) 4: high security policy, passing all tests +might be time-consuming and require high adaptation of your workflow 5: +placebo, policy rules that might be very difficult to apply and +maintain, with questionable security benefits +.TP +.B \f[C]--allow-service=service\f[R] +Use with \f[C]--set-hardening-level\f[R]. +Modifies the policy to allow a certain kind of services on the machine, +such as http, mail, etc. +Can be specified multiple times to allow multiple services. +Use \[en]allow-service-list to get a list of supported services. +.SH OPTIONS +.TP +.B \f[C]--allow-service-list\f[R] +Get a list of supported service. +.TP +.B \f[C]--only test-number\f[R] +Modifies the RUN_MODE to only work on the test_number script. +Can be specified multiple times to work only on several scripts. +The test number is the numbered prefix of the script, i.e.\ the test +number of 1.2_script_name.sh is 1.2. +.TP +.B \f[C]--sudo\f[R] +This option lets you audit your system as a normal user, but allows sudo +escalation to gain read-only access to root files. +Note that you need to provide a sudoers file with NOPASSWD option in +/etc/sudoers.d/ because the -n option instructs sudo not to prompt for a +password. +Finally note that \f[C]--sudo\f[R] mode only works for audit mode. 
+.TP +.B \f[C]--batch\f[R] +While performing system audit, this option sets LOGLEVEL to `ok' and +captures all output to print only one line once the check is done, +formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}] +.SH AUTHORS +.IP \[bu] 2 +Thibault Dewailly, OVHcloud +.IP \[bu] 2 +St\['e]phane Lesimple, OVHcloud +.IP \[bu] 2 +Thibault Ayanides, OVHcloud +.IP \[bu] 2 +Kevin Tanguy, OVHcloud +.SH COPYRIGHT .PP -To run the checks and apply the fixes, run \fB\fCbin/hardening.sh\fR\&. +MIT License .PP -This command has 2 main operation modes: - \fB\fC\-\-audit\fR: Audit your system with all enabled and audit mode scripts - \fB\fC\-\-apply\fR: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts +Copyright (c) 2016, OVHcloud .PP -Additionally, \fB\fC\-\-audit\-all\fR can be used to force running all auditing scripts, -including disabled ones. this will \fInot\fP change the system. +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the +\[lq]Software\[rq]), to deal in the Software without restriction, +including without limitation the rights to use, copy, modify, merge, +publish, distribute, sublicense, and/or sell copies of the Software, and +to permit persons to whom the Software is furnished to do so, subject to +the following conditions: .PP -\fB\fC\-\-audit\-all\-enable\-passed\fR can be used as a quick way to kickstart your -configuration. It will run all scripts in audit mode. If a script passes, -it will automatically be enabled for future runs. Do NOT use this option -if you have already started to customize your configuration. -.SH Hacking +The above copyright notice and this permission notice shall be included +in all copies or substantial portions of the Software. 
.PP -\fBGetting the source\fP -.PP -.RS -.nf -$ git clone https://github.com/ovh/debian\-cis.git -.fi -.RE -.PP -\fBBuilding a debian Package\fP (the hacky way) -.PP -.RS -.nf -$ debuild \-us \-uc -.fi -.RE -.PP -\fBAdding a custom hardening script\fP -.PP -.RS -.nf -$ cp src/skel bin/hardening/99.99_custom_script.sh -$ chmod +x bin/hardening/99.99_custom_script.sh -$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg -.fi -.RE -.PP -Code your check explaining what it does then if you want to test -.PP -.RS -.nf -$ sed \-i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg -$ ./bin/hardening/99.99_custom_script.sh -.fi -.RE -.SH Disclaimer -.PP -This project is a set of tools. They are meant to help the system administrator -built a secure environment. While we use it at OVH to harden our PCI\-DSS compliant -infrastructure, we can not guarantee that it will work for you. It will not -magically secure any random host. -.PP -Additionally, quoting the License: -.PP -.RS -THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY -EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-.RE -.SH Reference -.PP -.RS -.nf - **Center for Internet Security**: https://www.cisecurity.org/ - **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian7.100 - **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian8.100 -.fi -.RE -.SH License -.PP -3\-Clause BSD +THE SOFTWARE IS PROVIDED \[lq]AS IS\[rq], WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +.SH SEE ALSO +.IP \[bu] 2 +\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/ +.IP \[bu] 2 +\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks +.IP \[bu] 2 +\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis
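Review bot: `-set-hardening-level=level` in the RUN MODE list is written with a single leading dash while every other long option on this page, and the cross-reference in the `--allow-service` entry ("Use with \f[C]--set-hardening-level\f[R]"), uses `--`; change it to `\f[B]--set-hardening-level=level\f[R]`, otherwise a reader copies a flag that matches nothing else in the documentation. In the same entry Pandoc's smart punctuation has turned the flag reference into `Use \[en]allow-service-list` (an en dash), which renders a flag nobody can type; write it `\f[C]--allow-service-list\f[R]` like the other options, or put the token in backticks in the source so pandoc leaves it alone. The five hardening levels under that entry are a single run-on paragraph ("1: very basic policy ... 2: basic policy ... 5: placebo"); the `status` values a few lines earlier use `.IP \[bu] 2` items, so the levels should get the same list treatment. Smaller fixes in the same region: "given an hardening level, between 1 to 5" should read "given a hardening level, between 1 and 5"; "Get a list of supported service." should be "services"; `--only test-number` is described as working on "the test_number script" (pick one spelling); the `--create-config-files-only` text is missing a full stop after "etc/conf.d" and introduces the user `secaudit`, which appears nowhere else on the page, so either explain it or drop it; and "formatted like : OK|KO ..." under `--batch` has a stray space before the colon. Two things the rewrite drops that a reader needs: the old Quickstart (`cp debian/default /etc/default/cis-hardening` and the `CIS_ROOT_DIR` sed) was the only place that said how the tool finds its scripts and configuration, and the old Disclaimer ("It will not magically secure any random host") is exactly the caveat a page documenting an unconfirmed `--apply` should keep; at minimum restore a short EXAMPLES or FILES section carrying that setup step. The `--sudo` entry tells the user to add a NOPASSWD rule in /etc/sudoers.d/ but not how narrowly to scope it; since the same entry says the mode is audit-only, recommend restricting the rule to the audit invocation rather than a blanket `NOPASSWD: ALL`. Finally, COPYRIGHT now says MIT where the old page said 3-Clause BSD, and the `.TH` line still carries "2016" on a page that adds Debian 9/10 and OVHcloud; confirm both against the repository's LICENSE file and the current date, and because the header says the file is generated by Pandoc, make all of these fixes in the source document and state the regeneration command in the commit message so the next regeneration does not reintroduce them.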