mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-22 22:15:24 +01:00
Update README, AUTHORS, LICENSE
This commit is contained in:
parent
624aba950d
commit
45ccd337b4
1
AUTHORS
1
AUTHORS
@ -3,6 +3,7 @@ Contributors of this project :
|
||||
Developers :
|
||||
Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
|
||||
Thibault Ayanides, OVH <thibault.ayanides@corp.ovh.com>
|
||||
|
||||
Debian package maintainers :
|
||||
Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
|
||||
|
40
LICENSE
40
LICENSE
@ -1,25 +1,21 @@
|
||||
Copyright (c) 2016, OVH SAS.
|
||||
All rights reserved.
|
||||
MIT License
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are met:
|
||||
Copyright (c) 2016, OVHcloud
|
||||
|
||||
* Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in the
|
||||
documentation and/or other materials provided with the distribution.
|
||||
* Neither the name of OVH SAS nor the
|
||||
names of its contributors may be used to endorse or promote products
|
||||
derived from this software without specific prior written permission.
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
|
||||
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
|
||||
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
||||
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
122
README.md
122
README.md
@ -1,25 +1,28 @@
|
||||
# CIS Debian 7/8/9 Hardening
|
||||
# CIS Debian 9/10 Hardening
|
||||
|
||||
Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
|
||||
**News**: this projet is back in the game and is from now on maintained. Be free to use and to
|
||||
report issues if you find any !
|
||||
|
||||
Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
|
||||
recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
|
||||
|
||||
```console
|
||||
$ bin/hardening.sh --audit-all
|
||||
[...]
|
||||
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh
|
||||
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
|
||||
13.15_check_duplicate_gid [INFO] Checking Configuration
|
||||
13.15_check_duplicate_gid [INFO] Performing audit
|
||||
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
|
||||
13.15_check_duplicate_gid [ OK ] Check Passed
|
||||
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh
|
||||
6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
|
||||
6.2.19_check_duplicate_gr [INFO] Checking Configuration
|
||||
6.2.19_check_duplicate_gr [INFO] Performing audit
|
||||
6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs
|
||||
6.2.19_check_duplicate_gr [ OK ] Check Passed
|
||||
[...]
|
||||
################### SUMMARY ###################
|
||||
Total Available Checks : 191
|
||||
Total Runned Checks : 191
|
||||
Total Passed Checks : [ 170/191 ]
|
||||
Total Failed Checks : [ 21/191 ]
|
||||
Enabled Checks Percentage : 100.00 %
|
||||
Conformity Percentage : 89.01 %
|
||||
Total Available Checks : 232
|
||||
Total Runned Checks : 166
|
||||
Total Passed Checks : [ 142/166 ]
|
||||
Total Failed Checks : [ 24/166 ]
|
||||
Enabled Checks Percentage : 71.00 %
|
||||
Conformity Percentage : 85.00 %
|
||||
```
|
||||
|
||||
## Quickstart
|
||||
@ -29,13 +32,13 @@ $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
|
||||
$ cp debian/default /etc/default/cis-hardening
|
||||
$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
||||
$ bin/hardening/1.1_install_updates.sh --audit-all
|
||||
1.1_install_updates [INFO] Working on 1.1_install_updates
|
||||
1.1_install_updates [INFO] Checking Configuration
|
||||
1.1_install_updates [INFO] Performing audit
|
||||
1.1_install_updates [INFO] Checking if apt needs an update
|
||||
1.1_install_updates [INFO] Fetching upgrades ...
|
||||
1.1_install_updates [ OK ] No upgrades available
|
||||
1.1_install_updates [ OK ] Check Passed
|
||||
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
|
||||
1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs
|
||||
1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
|
||||
1.1.1.1_disable_freevxfs [INFO] Checking Configuration
|
||||
1.1.1.1_disable_freevxfs [INFO] Performing audit
|
||||
1.1.1.1_disable_freevxfs [ OK ] CONFIG_VXFS_FS is disabled
|
||||
1.1.1.1_disable_freevxfs [ OK ] Check Passed
|
||||
```
|
||||
|
||||
## Usage
|
||||
@ -72,7 +75,9 @@ This command has 2 main operation modes:
|
||||
- ``--audit``: Audit your system with all enabled and audit mode scripts
|
||||
- ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
|
||||
|
||||
Additionally, ``--audit-all`` can be used to force running all auditing scripts,
|
||||
Additionally, some options add more granularity:
|
||||
|
||||
``--audit-all`` can be used to force running all auditing scripts,
|
||||
including disabled ones. this will *not* change the system.
|
||||
|
||||
``--audit-all-enable-passed`` can be used as a quick way to kickstart your
|
||||
@ -80,15 +85,28 @@ configuration. It will run all scripts in audit mode. If a script passes,
|
||||
it will automatically be enabled for future runs. Do NOT use this option
|
||||
if you have already started to customize your configuration.
|
||||
|
||||
``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
|
||||
``--sudo``: audit your system as a normal user, but allow sudo escalation to read
|
||||
specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
|
||||
with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
|
||||
not prompt for a password.
|
||||
|
||||
``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
|
||||
``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and
|
||||
captures all output to print only one line once the check is done, formatted like :
|
||||
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
|
||||
|
||||
``--only <check_number>``: run only the selected checks.
|
||||
|
||||
``--set-hardening-level``: run all checks that are lower or equal to the selected level.
|
||||
Do NOT use this option if you have already started to customize your configuration.
|
||||
|
||||
``--allow-service <service>``: use with --set-hardening-level. Modifies the policy
|
||||
to allow a certain kind of services on the machine, such as http, mail, etc.
|
||||
Can be specified multiple times to allow multiple services.
|
||||
Use --allow-service-list to get a list of supported services.
|
||||
|
||||
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
|
||||
before running the audit with user secaudit, to have the rights setup well on the conf files.
|
||||
|
||||
## Hacking
|
||||
|
||||
**Getting the source**
|
||||
@ -110,6 +128,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh
|
||||
$ chmod +x bin/hardening/99.99_custom_script.sh
|
||||
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
|
||||
```
|
||||
Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to.
|
||||
|
||||
If the check replace somehow one that is in the CIS specifications,
|
||||
you can use the numerotation of the check it replaces inplace. For example we check
|
||||
the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
|
||||
|
||||
Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVH security check
|
||||
(part of OVH security policy)
|
||||
|
||||
|
||||
Code your check explaining what it does then if you want to test
|
||||
|
||||
@ -125,7 +152,7 @@ Functional tests are available. They are to be run in a Docker environment.
|
||||
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
|
||||
```
|
||||
|
||||
With `target` being like `debian8` or `debian9`.
|
||||
With `target` being like `debian9` or `debian10`.
|
||||
|
||||
Running without script arguments will run all tests in `./tests/hardening/` directory.
|
||||
Or you can specify one or several test script to be run.
|
||||
@ -151,6 +178,45 @@ Functional tests can make use of the following helper functions :
|
||||
In order to write your own functional test, you will find a code skeleton in
|
||||
`./src/skel.test`.
|
||||
|
||||
Some tests ar labelled with a disclaimer warning that we only test on a blank host
|
||||
and that we will not test the apply function. It's because the check is very basic
|
||||
(like a package install) and that a test on it is not really necessary.
|
||||
|
||||
Furthermore, some tests are disabled on docker because there not pertinent (kernel
|
||||
modules, grub, partitions, ...)
|
||||
You can disable a check on docker with:
|
||||
```bash
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
...
|
||||
fi
|
||||
```
|
||||
|
||||
## Coding style
|
||||
### Shellcheck
|
||||
|
||||
We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the
|
||||
correctness of the scripts and to respect best practices.
|
||||
It can be used directly with the docker environnment to check all scripts
|
||||
compliancy. By default it runs on every `.sh` it founds.
|
||||
|
||||
```console
|
||||
$ ./shellcheck/launch_shellcheck.sh [name of script...]
|
||||
```
|
||||
|
||||
### Shellfmt
|
||||
|
||||
We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a
|
||||
consistent style in every script.
|
||||
Identically to shellcheck, it can be run through a script with the following:
|
||||
|
||||
```console
|
||||
$ ./shellfmt/launch_shellfmt.sh
|
||||
```
|
||||
It will automatically fix any styling problem on every script.
|
||||
|
||||
|
||||
## Disclaimer
|
||||
|
||||
This project is a set of tools. They are meant to help the system administrator
|
||||
@ -174,10 +240,8 @@ Additionally, quoting the License:
|
||||
## Reference
|
||||
|
||||
- **Center for Internet Security**: https://www.cisecurity.org/
|
||||
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100
|
||||
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100
|
||||
- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
|
||||
|
||||
## License
|
||||
|
||||
3-Clause BSD
|
||||
|
||||
MIT
|
||||
|
Loading…
Reference in New Issue
Block a user