elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-23 14:05:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Regenerate man pages (Github action)

Browse Source
This commit is contained in:
Thibault Ayanides 2021-01-18 09:11:47 +00:00 committed by Thibault Serti
parent af38e4f404
commit 3217429679
1 changed files with 156 additions and 139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

295
debian/cis-hardening.8 vendored
View File

@ -1,156 +1,173 @@
.TH "CIS Debian 7/8/9 Hardening" 8 "OVH Group"
.\" Automatically generated by Pandoc 2.6
.\"
.TH "CIS-HARDENING" "8" "2016" "" ""
.hy
.SH NAME
cis-hardening - CIS Debian 7/8/9 Hardening
.PP
cis-hardening - CIS Debian 9/10 Hardening
.SH SYNOPSIS
.PP
\f[B]hardening.sh\f[R] RUN_MODE OPTIONS
.SH DESCRIPTION
.PP
Modular Debian 7/8/9 security hardening scripts based on cisecurity.org \[la]https://www.cisecurity.org\[ra]
recommendations. We use it at OVH \[la]https://www.ovh.com\[ra] to harden our PCI\-DSS infrastructure.
Modular Debian 9/10 security hardening scripts based on the CIS
(https://www.cisecurity.org) recommendations.
.PP
.RS
.nf
$ bin/hardening.sh \-\-audit\-all
[...]
hardening [INFO] Treating /opt/cis\-hardening/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
13.15_check_duplicate_gid [INFO] Checking Configuration
13.15_check_duplicate_gid [INFO] Performing audit
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
13.15_check_duplicate_gid [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 191
Total Runned Checks : 191
Total Passed Checks : [ 170/191 ]
Total Failed Checks : [ 21/191 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 89.01 %
.fi
.RE
.SH Quickstart
.PP
.RS
.nf
$ git clone https://github.com/ovh/debian\-cis.git && cd debian\-cis
$ cp debian/default /etc/default/cis\-hardening
$ sed \-i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis\-hardening
$ bin/hardening/1.1_install_updates.sh \-\-audit\-all
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [ OK ] Check Passed
.fi
.RE
.SH Usage
.SS Configuration
.PP
Hardening scripts are in \fB\fCbin/hardening\fR\&. Each script has a corresponding
configuration file in \fB\fCetc/conf.d/[script_name].cfg\fR\&.
.PP
Each hardening script can be individually enabled from its configuration file.
For example, this is the default configuration file for \fB\fCdisable_system_accounts\fR:
.PP
.RS
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS
infrastructure.
.SH SCRIPTS CONFIGURATION
.PP
Hardening scripts are in \f[C]bin/hardening\f[R].
Each script has a corresponding configuration file in
\f[C]etc/conf.d/[script_name].cfg\f[R].
.PP
Each hardening script can be individually enabled from its configuration
file.
For example, this is the default configuration file for
\f[C]disable_system_accounts\f[R]:
.IP
.nf
\f[C]
# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""
EXCEPTIONS=\[dq]\[dq]
\f[R]
.fi
.RE
.PP
\fB\fCstatus\fR parameter may take 3 values:
\fB\fCdisabled\fR (do nothing): The script will not run.
\fB\fCaudit\fR (RO): The script will check if any change \fIshould\fP be applied.
\fB\fCenabled\fR (RW): The script will check if any change should be done and automatically apply what it can.
\f[B]status\f[R] parameter may take 3 values:
.IP \[bu] 2
\f[C]disabled\f[R] (do nothing): The script will not run.
.IP \[bu] 2
\f[C]audit\f[R] (RO): The script will check if any change should be
applied.
.IP \[bu] 2
\f[C]enabled\f[R] (RW): The script will check if any change should be
done and automatically apply what it can.
.PP
Global configuration is in \fB\fCetc/hardening.cfg\fR\&. This file controls the log level
as well as the backup directory. Whenever a script is instructed to edit a file, it
will create a timestamped backup in this directory.
.SS Run aka "Harden your distro"
Global configuration is in \f[C]etc/hardening.cfg\f[R].
This file controls the log level as well as the backup directory.
Whenever a script is instructed to edit a file, it will create a
timestamped backup in this directory.
.SH RUN MODE
.TP
.B \f[C]-h\f[R], \f[C]--help\f[R]
Display a friendly help message.
.TP
.B \f[C]--apply\f[R]
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you\[cq]re
warmly advised to use \f[C]--audit\f[R] before, which can be regarded as
a dry-run mode.
.TP
.B \f[C]--audit\f[R]
Audit configuration for enabled scripts.
No modification will be made on the system, we\[cq]ll only report on
your system compliance for each script.
.TP
.B \f[C]--audit-all\f[R]
Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled
ones.
This is a good way to peek at your compliance level if all scripts were
enabled, and might be a good starting point.
.TP
.B \f[C]--audit-all-enable-passed\f[R]
Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R]
the individual scripts configurations to enable those which passed for
your system.
This is an easy way to enable scripts for which you\[cq]re already
compliant.
However, please always review each activated script afterwards, this
option should only be regarded as a way to kickstart a configuration
from scratch.
Don\[cq]t run this if you have already customized the scripts
enable/disable configurations, obviously.
.TP
.B \f[C]--create-config-files-only\f[R]
Create the config files in etc/conf.d Must be run as root, before
running the audit with user secaudit
.TP
.B \f[C]-set-hardening-level=level\f[R]
Modifies the configuration to enable/disable tests given an hardening
level, between 1 to 5.
Don\[cq]t run this if you have already customized the scripts
enable/disable configurations.
1: very basic policy, failure to pass tests at this level indicates
severe misconfiguration of the machine that can have a huge security
impact 2: basic policy, some good practice rules that, once applied,
shouldn\[cq]t break anything on most systems 3: best practices policy,
passing all tests might need some configuration modifications (such as
specific partitioning, etc.) 4: high security policy, passing all tests
might be time-consuming and require high adaptation of your workflow 5:
placebo, policy rules that might be very difficult to apply and
maintain, with questionable security benefits
.TP
.B \f[C]--allow-service=service\f[R]
Use with \f[C]--set-hardening-level\f[R].
Modifies the policy to allow a certain kind of services on the machine,
such as http, mail, etc.
Can be specified multiple times to allow multiple services.
Use \[en]allow-service-list to get a list of supported services.
.SH OPTIONS
.TP
.B \f[C]--allow-service-list\f[R]
Get a list of supported service.
.TP
.B \f[C]--only test-number\f[R]
Modifies the RUN_MODE to only work on the test_number script.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script, i.e.\ the test
number of 1.2_script_name.sh is 1.2.
.TP
.B \f[C]--sudo\f[R]
This option lets you audit your system as a normal user, but allows sudo
escalation to gain read-only access to root files.
Note that you need to provide a sudoers file with NOPASSWD option in
/etc/sudoers.d/ because the -n option instructs sudo not to prompt for a
password.
Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
.TP
.B \f[C]--batch\f[R]
While performing system audit, this option sets LOGLEVEL to `ok' and
captures all output to print only one line once the check is done,
formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
.SH AUTHORS
.IP \[bu] 2
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
.IP \[bu] 2
St\['e]phane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
.IP \[bu] 2
Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
.IP \[bu] 2
Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
.SH COPYRIGHT
.PP
To run the checks and apply the fixes, run \fB\fCbin/hardening.sh\fR\&.
MIT License
.PP
This command has 2 main operation modes:
\fB\fC\-\-audit\fR: Audit your system with all enabled and audit mode scripts
\fB\fC\-\-apply\fR: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
Copyright (c) 2016, OVHcloud
.PP
Additionally, \fB\fC\-\-audit\-all\fR can be used to force running all auditing scripts,
including disabled ones. this will \fInot\fP change the system.
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
\[lq]Software\[rq]), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and
to permit persons to whom the Software is furnished to do so, subject to
the following conditions:
.PP
\fB\fC\-\-audit\-all\-enable\-passed\fR can be used as a quick way to kickstart your
configuration. It will run all scripts in audit mode. If a script passes,
it will automatically be enabled for future runs. Do NOT use this option
if you have already started to customize your configuration.
.SH Hacking
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
.PP
\fBGetting the source\fP
.PP
.RS
.nf
$ git clone https://github.com/ovh/debian\-cis.git
.fi
.RE
.PP
\fBBuilding a debian Package\fP (the hacky way)
.PP
.RS
.nf
$ debuild \-us \-uc
.fi
.RE
.PP
\fBAdding a custom hardening script\fP
.PP
.RS
.nf
$ cp src/skel bin/hardening/99.99_custom_script.sh
$ chmod +x bin/hardening/99.99_custom_script.sh
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
.fi
.RE
.PP
Code your check explaining what it does then if you want to test
.PP
.RS
.nf
$ sed \-i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
$ ./bin/hardening/99.99_custom_script.sh
.fi
.RE
.SH Disclaimer
.PP
This project is a set of tools. They are meant to help the system administrator
built a secure environment. While we use it at OVH to harden our PCI\-DSS compliant
infrastructure, we can not guarantee that it will work for you. It will not
magically secure any random host.
.PP
Additionally, quoting the License:
.PP
.RS
THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.RE
.SH Reference
.PP
.RS
.nf
**Center for Internet Security**: https://www.cisecurity.org/
**CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian7.100
**CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian8.100
.fi
.RE
.SH License
.PP
3\-Clause BSD
THE SOFTWARE IS PROVIDED \[lq]AS IS\[rq], WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
.SH SEE ALSO
.IP \[bu] 2
\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/
.IP \[bu] 2
\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks
.IP \[bu] 2
\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis