Regenerate man pages (Github action)

Thibault Ayanides 2021-01-18 09:11:47 +00:00 committed by Thibault Serti
parent af38e4f404
commit 3217429679

debian/cis-hardening.8

@ -1,156 +1,173 @@
.TH "CIS Debian 7/8/9 Hardening" 8 "OVH Group" .\" Automatically generated by Pandoc 2.6
.\"
.TH "CIS-HARDENING" "8" "2016" "" ""
.hy
.SH NAME .SH NAME
cis-hardening - CIS Debian 7/8/9 Hardening
.PP .PP
cis-hardening - CIS Debian 9/10 Hardening
.SH SYNOPSIS
.PP
\f[B]hardening.sh\f[R] RUN_MODE OPTIONS
.SH DESCRIPTION .SH DESCRIPTION
.PP .PP
Modular Debian 7/8/9 security hardening scripts based on cisecurity.org \[la]https://www.cisecurity.org\[ra] Modular Debian 9/10 security hardening scripts based on the CIS
recommendations. We use it at OVH \[la]https://www.ovh.com\[ra] to harden our PCI\-DSS infrastructure. (https://www.cisecurity.org) recommendations.
.PP .PP
.RS We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS
.nf infrastructure.
$ bin/hardening.sh \-\-audit\-all .SH SCRIPTS CONFIGURATION
[...] .PP
hardening [INFO] Treating /opt/cis\-hardening/bin/hardening/13.15_check_duplicate_gid.sh Hardening scripts are in \f[C]bin/hardening\f[R].
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid Each script has a corresponding configuration file in
13.15_check_duplicate_gid [INFO] Checking Configuration \f[C]etc/conf.d/[script_name].cfg\f[R].
13.15_check_duplicate_gid [INFO] Performing audit .PP
13.15_check_duplicate_gid [ OK ] No duplicate GIDs Each hardening script can be individually enabled from its configuration
13.15_check_duplicate_gid [ OK ] Check Passed file.
[...] For example, this is the default configuration file for
################### SUMMARY ################### \f[C]disable_system_accounts\f[R]:
Total Available Checks : 191 .IP
Total Runned Checks : 191
Total Passed Checks : [ 170/191 ]
Total Failed Checks : [ 21/191 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 89.01 %
.fi
.RE
.SH Quickstart
.PP
.RS
.nf
$ git clone https://github.com/ovh/debian\-cis.git && cd debian\-cis
$ cp debian/default /etc/default/cis\-hardening
$ sed \-i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis\-hardening
$ bin/hardening/1.1_install_updates.sh \-\-audit\-all
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [ OK ] Check Passed
.fi
.RE
.SH Usage
.SS Configuration
.PP
Hardening scripts are in \fB\fCbin/hardening\fR\&. Each script has a corresponding
configuration file in \fB\fCetc/conf.d/[script_name].cfg\fR\&.
.PP
Each hardening script can be individually enabled from its configuration file.
For example, this is the default configuration file for \fB\fCdisable_system_accounts\fR:
.PP
.RS
.nf .nf
\f[C]
# Configuration for script of same name # Configuration for script of same name
status=disabled status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces # Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS="" EXCEPTIONS=\[dq]\[dq]
\f[R]
.fi .fi
.RE
.PP .PP
\fB\fCstatus\fR parameter may take 3 values: \f[B]status\f[R] parameter may take 3 values:
\fB\fCdisabled\fR (do nothing): The script will not run. .IP \[bu] 2
\fB\fCaudit\fR (RO): The script will check if any change \fIshould\fP be applied. \f[C]disabled\f[R] (do nothing): The script will not run.
\fB\fCenabled\fR (RW): The script will check if any change should be done and automatically apply what it can. .IP \[bu] 2
\f[C]audit\f[R] (RO): The script will check if any change should be
applied.
.IP \[bu] 2
\f[C]enabled\f[R] (RW): The script will check if any change should be
done and automatically apply what it can.
.PP .PP
Global configuration is in \fB\fCetc/hardening.cfg\fR\&. This file controls the log level Global configuration is in \f[C]etc/hardening.cfg\f[R].
as well as the backup directory. Whenever a script is instructed to edit a file, it This file controls the log level as well as the backup directory.
will create a timestamped backup in this directory. Whenever a script is instructed to edit a file, it will create a
.SS Run aka "Harden your distro" timestamped backup in this directory.
.SH RUN MODE
.TP
.B \f[C]-h\f[R], \f[C]--help\f[R]
Display a friendly help message.
.TP
.B \f[C]--apply\f[R]
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you\[cq]re
warmly advised to use \f[C]--audit\f[R] before, which can be regarded as
a dry-run mode.
.TP
.B \f[C]--audit\f[R]
Audit configuration for enabled scripts.
No modification will be made on the system, we\[cq]ll only report on
your system compliance for each script.
.TP
.B \f[C]--audit-all\f[R]
Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled
ones.
This is a good way to peek at your compliance level if all scripts were
enabled, and might be a good starting point.
.TP
.B \f[C]--audit-all-enable-passed\f[R]
Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R]
the individual scripts configurations to enable those which passed for
your system.
This is an easy way to enable scripts for which you\[cq]re already
compliant.
However, please always review each activated script afterwards, this
option should only be regarded as a way to kickstart a configuration
from scratch.
Don\[cq]t run this if you have already customized the scripts
enable/disable configurations, obviously.
.TP
.B \f[C]--create-config-files-only\f[R]
Create the config files in etc/conf.d Must be run as root, before
running the audit with user secaudit
.TP
.B \f[C]-set-hardening-level=level\f[R]
Modifies the configuration to enable/disable tests given an hardening
level, between 1 to 5.
Don\[cq]t run this if you have already customized the scripts
enable/disable configurations.
1: very basic policy, failure to pass tests at this level indicates
severe misconfiguration of the machine that can have a huge security
impact 2: basic policy, some good practice rules that, once applied,
shouldn\[cq]t break anything on most systems 3: best practices policy,
passing all tests might need some configuration modifications (such as
specific partitioning, etc.) 4: high security policy, passing all tests
might be time-consuming and require high adaptation of your workflow 5:
placebo, policy rules that might be very difficult to apply and
maintain, with questionable security benefits
.TP
.B \f[C]--allow-service=service\f[R]
Use with \f[C]--set-hardening-level\f[R].
Modifies the policy to allow a certain kind of services on the machine,
such as http, mail, etc.
Can be specified multiple times to allow multiple services.
Use \[en]allow-service-list to get a list of supported services.
.SH OPTIONS
.TP
.B \f[C]--allow-service-list\f[R]
Get a list of supported service.
.TP
.B \f[C]--only test-number\f[R]
Modifies the RUN_MODE to only work on the test_number script.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script, i.e.\ the test
number of 1.2_script_name.sh is 1.2.
.TP
.B \f[C]--sudo\f[R]
This option lets you audit your system as a normal user, but allows sudo
escalation to gain read-only access to root files.
Note that you need to provide a sudoers file with NOPASSWD option in
/etc/sudoers.d/ because the -n option instructs sudo not to prompt for a
password.
Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
.TP
.B \f[C]--batch\f[R]
While performing system audit, this option sets LOGLEVEL to `ok' and
captures all output to print only one line once the check is done,
formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
.SH AUTHORS
.IP \[bu] 2
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
.IP \[bu] 2
St\['e]phane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
.IP \[bu] 2
Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
.IP \[bu] 2
Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
.SH COPYRIGHT
.PP .PP
To run the checks and apply the fixes, run \fB\fCbin/hardening.sh\fR\&. MIT License
.PP .PP
This command has 2 main operation modes: Copyright (c) 2016, OVHcloud
\fB\fC\-\-audit\fR: Audit your system with all enabled and audit mode scripts
\fB\fC\-\-apply\fR: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
.PP .PP
Additionally, \fB\fC\-\-audit\-all\fR can be used to force running all auditing scripts, Permission is hereby granted, free of charge, to any person obtaining a
including disabled ones. this will \fInot\fP change the system. copy of this software and associated documentation files (the
\[lq]Software\[rq]), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and
to permit persons to whom the Software is furnished to do so, subject to
the following conditions:
.PP .PP
\fB\fC\-\-audit\-all\-enable\-passed\fR can be used as a quick way to kickstart your The above copyright notice and this permission notice shall be included
configuration. It will run all scripts in audit mode. If a script passes, in all copies or substantial portions of the Software.
it will automatically be enabled for future runs. Do NOT use this option
if you have already started to customize your configuration.
.SH Hacking
.PP .PP
\fBGetting the source\fP THE SOFTWARE IS PROVIDED \[lq]AS IS\[rq], WITHOUT WARRANTY OF ANY KIND,
.PP EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
.RS MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
.nf IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
$ git clone https://github.com/ovh/debian\-cis.git CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
.fi TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
.RE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
.PP .SH SEE ALSO
\fBBuilding a debian Package\fP (the hacky way) .IP \[bu] 2
.PP \f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/
.RS .IP \[bu] 2
.nf \f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks
$ debuild \-us \-uc .IP \[bu] 2
.fi \f[B]Project repository\f[R]: https://github.com/ovh/debian-cis
.RE
.PP
\fBAdding a custom hardening script\fP
.PP
.RS
.nf
$ cp src/skel bin/hardening/99.99_custom_script.sh
$ chmod +x bin/hardening/99.99_custom_script.sh
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
.fi
.RE
.PP
Code your check explaining what it does then if you want to test
.PP
.RS
.nf
$ sed \-i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
$ ./bin/hardening/99.99_custom_script.sh
.fi
.RE
.SH Disclaimer
.PP
This project is a set of tools. They are meant to help the system administrator
built a secure environment. While we use it at OVH to harden our PCI\-DSS compliant
infrastructure, we can not guarantee that it will work for you. It will not
magically secure any random host.
.PP
Additionally, quoting the License:
.PP
.RS
THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.RE
.SH Reference
.PP
.RS
.nf
**Center for Internet Security**: https://www.cisecurity.org/
**CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian7.100
**CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian8.100
.fi
.RE
.SH License
.PP
3\-Clause BSD
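Review bot: two option names in the regenerated RUN MODE section will not match what the script accepts. `.B \f[C]-set-hardening-level=level\f[R]` has a single leading dash, while the `--allow-service` entry right below refers to it as `--set-hardening-level`; and in `Use \[en]allow-service-list to get a list of supported services.` the `--` has been turned into an en dash (`\[en]`) by Pandoc's smart typography, so the rendered page tells the reader to type a character the option parser will not recognise. Because this file is produced by the GitHub action from the Markdown source, the fix belongs in the source (escape the dashes or put the option in backticks like the other options), otherwise the next regeneration brings both back. Two smaller points from the same hunk: the header `.TH "CIS-HARDENING" "8" "2016" "" ""` still dates the page 2016 although it is being regenerated in 2021, and the `--sudo` paragraph, which asks for a sudoers file with the NOPASSWD option in /etc/sudoers.d/, should say that the rule is meant to be scoped to the audit user and the read-only commands the scripts need, since as written it can be read as a blanket NOPASSWD grant.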