mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-23 14:05:37 +01:00
Regenerate man pages (Github action)
This commit is contained in:
parent
af38e4f404
commit
3217429679
295
debian/cis-hardening.8
vendored
@ -1,156 +1,173 @@
|
|||||||
.TH "CIS Debian 7/8/9 Hardening" 8 "OVH Group"
|
.\" Automatically generated by Pandoc 2.6
|
||||||
|
.\"
|
||||||
|
.TH "CIS-HARDENING" "8" "2016" "" ""
|
||||||
|
.hy
|
||||||
.SH NAME
|
.SH NAME
|
||||||
cis-hardening - CIS Debian 7/8/9 Hardening
|
|
||||||
.PP
|
.PP
|
||||||
|
cis-hardening - CIS Debian 9/10 Hardening
|
||||||
|
.SH SYNOPSIS
|
||||||
|
.PP
|
||||||
|
\f[B]hardening.sh\f[R] RUN_MODE OPTIONS
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
.PP
|
||||||
Modular Debian 7/8/9 security hardening scripts based on cisecurity.org \[la]https://www.cisecurity.org\[ra]
|
Modular Debian 9/10 security hardening scripts based on the CIS
|
||||||
recommendations. We use it at OVH \[la]https://www.ovh.com\[ra] to harden our PCI\-DSS infrastructure.
|
(https://www.cisecurity.org) recommendations.
|
||||||
.PP
|
.PP
|
||||||
.RS
|
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS
|
||||||
.nf
|
infrastructure.
|
||||||
$ bin/hardening.sh \-\-audit\-all
|
.SH SCRIPTS CONFIGURATION
|
||||||
[...]
|
.PP
|
||||||
hardening [INFO] Treating /opt/cis\-hardening/bin/hardening/13.15_check_duplicate_gid.sh
|
Hardening scripts are in \f[C]bin/hardening\f[R].
|
||||||
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
|
Each script has a corresponding configuration file in
|
||||||
13.15_check_duplicate_gid [INFO] Checking Configuration
|
\f[C]etc/conf.d/[script_name].cfg\f[R].
|
||||||
13.15_check_duplicate_gid [INFO] Performing audit
|
.PP
|
||||||
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
|
Each hardening script can be individually enabled from its configuration
|
||||||
13.15_check_duplicate_gid [ OK ] Check Passed
|
file.
|
||||||
[...]
|
For example, this is the default configuration file for
|
||||||
################### SUMMARY ###################
|
\f[C]disable_system_accounts\f[R]:
|
||||||
Total Available Checks : 191
|
.IP
|
||||||
Total Runned Checks : 191
|
|
||||||
Total Passed Checks : [ 170/191 ]
|
|
||||||
Total Failed Checks : [ 21/191 ]
|
|
||||||
Enabled Checks Percentage : 100.00 %
|
|
||||||
Conformity Percentage : 89.01 %
|
|
||||||
.fi
|
|
||||||
.RE
|
|
||||||
.SH Quickstart
|
|
||||||
.PP
|
|
||||||
.RS
|
|
||||||
.nf
|
|
||||||
$ git clone https://github.com/ovh/debian\-cis.git && cd debian\-cis
|
|
||||||
$ cp debian/default /etc/default/cis\-hardening
|
|
||||||
$ sed \-i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis\-hardening
|
|
||||||
$ bin/hardening/1.1_install_updates.sh \-\-audit\-all
|
|
||||||
1.1_install_updates [INFO] Working on 1.1_install_updates
|
|
||||||
1.1_install_updates [INFO] Checking Configuration
|
|
||||||
1.1_install_updates [INFO] Performing audit
|
|
||||||
1.1_install_updates [INFO] Checking if apt needs an update
|
|
||||||
1.1_install_updates [INFO] Fetching upgrades ...
|
|
||||||
1.1_install_updates [ OK ] No upgrades available
|
|
||||||
1.1_install_updates [ OK ] Check Passed
|
|
||||||
.fi
|
|
||||||
.RE
|
|
||||||
.SH Usage
|
|
||||||
.SS Configuration
|
|
||||||
.PP
|
|
||||||
Hardening scripts are in \fB\fCbin/hardening\fR\&. Each script has a corresponding
|
|
||||||
configuration file in \fB\fCetc/conf.d/[script_name].cfg\fR\&.
|
|
||||||
.PP
|
|
||||||
Each hardening script can be individually enabled from its configuration file.
|
|
||||||
For example, this is the default configuration file for \fB\fCdisable_system_accounts\fR:
|
|
||||||
.PP
|
|
||||||
.RS
|
|
||||||
.nf
|
.nf
|
||||||
|
\f[C]
|
||||||
# Configuration for script of same name
|
# Configuration for script of same name
|
||||||
status=disabled
|
status=disabled
|
||||||
# Put here your exceptions concerning admin accounts shells separated by spaces
|
# Put here your exceptions concerning admin accounts shells separated by spaces
|
||||||
EXCEPTIONS=""
|
EXCEPTIONS=\[dq]\[dq]
|
||||||
|
\f[R]
|
||||||
.fi
|
.fi
|
||||||
.RE
|
|
||||||
.PP
|
.PP
|
||||||
\fB\fCstatus\fR parameter may take 3 values:
|
\f[B]status\f[R] parameter may take 3 values:
|
||||||
\fB\fCdisabled\fR (do nothing): The script will not run.
|
.IP \[bu] 2
|
||||||
\fB\fCaudit\fR (RO): The script will check if any change \fIshould\fP be applied.
|
\f[C]disabled\f[R] (do nothing): The script will not run.
|
||||||
\fB\fCenabled\fR (RW): The script will check if any change should be done and automatically apply what it can.
|
.IP \[bu] 2
|
||||||
|
\f[C]audit\f[R] (RO): The script will check if any change should be
|
||||||
|
applied.
|
||||||
|
.IP \[bu] 2
|
||||||
|
\f[C]enabled\f[R] (RW): The script will check if any change should be
|
||||||
|
done and automatically apply what it can.
|
||||||
.PP
|
.PP
|
||||||
Global configuration is in \fB\fCetc/hardening.cfg\fR\&. This file controls the log level
|
Global configuration is in \f[C]etc/hardening.cfg\f[R].
|
||||||
as well as the backup directory. Whenever a script is instructed to edit a file, it
|
This file controls the log level as well as the backup directory.
|
||||||
will create a timestamped backup in this directory.
|
Whenever a script is instructed to edit a file, it will create a
|
||||||
.SS Run aka "Harden your distro"
|
timestamped backup in this directory.
|
||||||
|
.SH RUN MODE
|
||||||
|
.TP
|
||||||
|
.B \f[C]-h\f[R], \f[C]--help\f[R]
|
||||||
|
Display a friendly help message.
|
||||||
|
.TP
|
||||||
|
.B \f[C]--apply\f[R]
|
||||||
|
Apply hardening for enabled scripts.
|
||||||
|
Beware that NO confirmation is asked whatsoever, which is why you\[cq]re
|
||||||
|
warmly advised to use \f[C]--audit\f[R] before, which can be regarded as
|
||||||
|
a dry-run mode.
|
||||||
|
.TP
|
||||||
|
.B \f[C]--audit\f[R]
|
||||||
|
Audit configuration for enabled scripts.
|
||||||
|
No modification will be made on the system, we\[cq]ll only report on
|
||||||
|
your system compliance for each script.
|
||||||
|
.TP
|
||||||
|
.B \f[C]--audit-all\f[R]
|
||||||
|
Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled
|
||||||
|
ones.
|
||||||
|
This is a good way to peek at your compliance level if all scripts were
|
||||||
|
enabled, and might be a good starting point.
|
||||||
|
.TP
|
||||||
|
.B \f[C]--audit-all-enable-passed\f[R]
|
||||||
|
Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R]
|
||||||
|
the individual scripts configurations to enable those which passed for
|
||||||
|
your system.
|
||||||
|
This is an easy way to enable scripts for which you\[cq]re already
|
||||||
|
compliant.
|
||||||
|
However, please always review each activated script afterwards, this
|
||||||
|
option should only be regarded as a way to kickstart a configuration
|
||||||
|
from scratch.
|
||||||
|
Don\[cq]t run this if you have already customized the scripts
|
||||||
|
enable/disable configurations, obviously.
|
||||||
|
.TP
|
||||||
|
.B \f[C]--create-config-files-only\f[R]
|
||||||
|
Create the config files in etc/conf.d Must be run as root, before
|
||||||
|
running the audit with user secaudit
|
||||||
|
.TP
|
||||||
|
.B \f[C]-set-hardening-level=level\f[R]
|
||||||
|
Modifies the configuration to enable/disable tests given an hardening
|
||||||
|
level, between 1 to 5.
|
||||||
|
Don\[cq]t run this if you have already customized the scripts
|
||||||
|
enable/disable configurations.
|
||||||
|
1: very basic policy, failure to pass tests at this level indicates
|
||||||
|
severe misconfiguration of the machine that can have a huge security
|
||||||
|
impact 2: basic policy, some good practice rules that, once applied,
|
||||||
|
shouldn\[cq]t break anything on most systems 3: best practices policy,
|
||||||
|
passing all tests might need some configuration modifications (such as
|
||||||
|
specific partitioning, etc.) 4: high security policy, passing all tests
|
||||||
|
might be time-consuming and require high adaptation of your workflow 5:
|
||||||
|
placebo, policy rules that might be very difficult to apply and
|
||||||
|
maintain, with questionable security benefits
|
||||||
|
.TP
|
||||||
|
.B \f[C]--allow-service=service\f[R]
|
||||||
|
Use with \f[C]--set-hardening-level\f[R].
|
||||||
|
Modifies the policy to allow a certain kind of services on the machine,
|
||||||
|
such as http, mail, etc.
|
||||||
|
Can be specified multiple times to allow multiple services.
|
||||||
|
Use \[en]allow-service-list to get a list of supported services.
|
||||||
|
.SH OPTIONS
|
||||||
|
.TP
|
||||||
|
.B \f[C]--allow-service-list\f[R]
|
||||||
|
Get a list of supported service.
|
||||||
|
.TP
|
||||||
|
.B \f[C]--only test-number\f[R]
|
||||||
|
Modifies the RUN_MODE to only work on the test_number script.
|
||||||
|
Can be specified multiple times to work only on several scripts.
|
||||||
|
The test number is the numbered prefix of the script, i.e.\ the test
|
||||||
|
number of 1.2_script_name.sh is 1.2.
|
||||||
|
.TP
|
||||||
|
.B \f[C]--sudo\f[R]
|
||||||
|
This option lets you audit your system as a normal user, but allows sudo
|
||||||
|
escalation to gain read-only access to root files.
|
||||||
|
Note that you need to provide a sudoers file with NOPASSWD option in
|
||||||
|
/etc/sudoers.d/ because the -n option instructs sudo not to prompt for a
|
||||||
|
password.
|
||||||
|
Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
|
||||||
|
.TP
|
||||||
|
.B \f[C]--batch\f[R]
|
||||||
|
While performing system audit, this option sets LOGLEVEL to `ok' and
|
||||||
|
captures all output to print only one line once the check is done,
|
||||||
|
formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
|
||||||
|
.SH AUTHORS
|
||||||
|
.IP \[bu] 2
|
||||||
|
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
|
||||||
|
.IP \[bu] 2
|
||||||
|
St\['e]phane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
|
||||||
|
.IP \[bu] 2
|
||||||
|
Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
|
||||||
|
.IP \[bu] 2
|
||||||
|
Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
|
||||||
|
.SH COPYRIGHT
|
||||||
.PP
|
.PP
|
||||||
To run the checks and apply the fixes, run \fB\fCbin/hardening.sh\fR\&.
|
MIT License
|
||||||
.PP
|
.PP
|
||||||
This command has 2 main operation modes:
|
Copyright (c) 2016, OVHcloud
|
||||||
\fB\fC\-\-audit\fR: Audit your system with all enabled and audit mode scripts
|
|
||||||
\fB\fC\-\-apply\fR: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
|
|
||||||
.PP
|
.PP
|
||||||
Additionally, \fB\fC\-\-audit\-all\fR can be used to force running all auditing scripts,
|
Permission is hereby granted, free of charge, to any person obtaining a
|
||||||
including disabled ones. this will \fInot\fP change the system.
|
copy of this software and associated documentation files (the
|
||||||
|
\[lq]Software\[rq]), to deal in the Software without restriction,
|
||||||
|
including without limitation the rights to use, copy, modify, merge,
|
||||||
|
publish, distribute, sublicense, and/or sell copies of the Software, and
|
||||||
|
to permit persons to whom the Software is furnished to do so, subject to
|
||||||
|
the following conditions:
|
||||||
.PP
|
.PP
|
||||||
\fB\fC\-\-audit\-all\-enable\-passed\fR can be used as a quick way to kickstart your
|
The above copyright notice and this permission notice shall be included
|
||||||
configuration. It will run all scripts in audit mode. If a script passes,
|
in all copies or substantial portions of the Software.
|
||||||
it will automatically be enabled for future runs. Do NOT use this option
|
|
||||||
if you have already started to customize your configuration.
|
|
||||||
.SH Hacking
|
|
||||||
.PP
|
.PP
|
||||||
\fBGetting the source\fP
|
THE SOFTWARE IS PROVIDED \[lq]AS IS\[rq], WITHOUT WARRANTY OF ANY KIND,
|
||||||
.PP
|
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||||
.RS
|
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||||
.nf
|
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
|
||||||
$ git clone https://github.com/ovh/debian\-cis.git
|
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
||||||
.fi
|
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
||||||
.RE
|
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
.PP
|
.SH SEE ALSO
|
||||||
\fBBuilding a debian Package\fP (the hacky way)
|
.IP \[bu] 2
|
||||||
.PP
|
\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/
|
||||||
.RS
|
.IP \[bu] 2
|
||||||
.nf
|
\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks
|
||||||
$ debuild \-us \-uc
|
.IP \[bu] 2
|
||||||
.fi
|
\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis
|
||||||
.RE
|
|
||||||
.PP
|
|
||||||
\fBAdding a custom hardening script\fP
|
|
||||||
.PP
|
|
||||||
.RS
|
|
||||||
.nf
|
|
||||||
$ cp src/skel bin/hardening/99.99_custom_script.sh
|
|
||||||
$ chmod +x bin/hardening/99.99_custom_script.sh
|
|
||||||
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
|
|
||||||
.fi
|
|
||||||
.RE
|
|
||||||
.PP
|
|
||||||
Code your check explaining what it does then if you want to test
|
|
||||||
.PP
|
|
||||||
.RS
|
|
||||||
.nf
|
|
||||||
$ sed \-i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
|
|
||||||
$ ./bin/hardening/99.99_custom_script.sh
|
|
||||||
.fi
|
|
||||||
.RE
|
|
||||||
.SH Disclaimer
|
|
||||||
.PP
|
|
||||||
This project is a set of tools. They are meant to help the system administrator
|
|
||||||
built a secure environment. While we use it at OVH to harden our PCI\-DSS compliant
|
|
||||||
infrastructure, we can not guarantee that it will work for you. It will not
|
|
||||||
magically secure any random host.
|
|
||||||
.PP
|
|
||||||
Additionally, quoting the License:
|
|
||||||
.PP
|
|
||||||
.RS
|
|
||||||
THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
|
|
||||||
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
||||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
||||||
DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
|
|
||||||
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
||||||
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
||||||
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
||||||
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
||||||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
.RE
|
|
||||||
.SH Reference
|
|
||||||
.PP
|
|
||||||
.RS
|
|
||||||
.nf
|
|
||||||
**Center for Internet Security**: https://www.cisecurity.org/
|
|
||||||
**CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian7.100
|
|
||||||
**CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian8.100
|
|
||||||
.fi
|
|
||||||
.RE
|
|
||||||
.SH License
|
|
||||||
.PP
|
|
||||||
3\-Clause BSD
|
|
||||||
|
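Review bot: the option names in the regenerated RUN MODE section do not agree with each other, so copy-pasting them from the man page will fail: `Use \[en]allow-service-list` renders with an en dash instead of the two hyphens of the `\f[C]--allow-service-list\f[R]` option declared under OPTIONS, and the heading `.B \f[C]-set-hardening-level=level\f[R]` has a single leading dash while the `--allow-service` entry tells the reader to use it as `\f[C]--set-hardening-level\f[R]`. Because this file is produced by Pandoc from the Markdown source, the fix belongs there: wrap the option name in backticks so Pandoc emits it as `\f[C]...\f[R]` (as it already does for the other options) instead of converting `--` to an en dash, and add the missing second dash to the `-set-hardening-level` heading. Two smaller points in the same hunk: the five hardening levels have been run together into a single paragraph (`impact 2: basic policy, ...`, `workflow 5:`), which means the list markup was lost in the source and should be restored, and the COPYRIGHT section now says `MIT License` where the previous version of this page said `3\-Clause BSD` and quoted a BSD-style disclaimer; an automated regeneration should not change the stated license, so please confirm the wording matches the repository's LICENSE file.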