elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 05:27:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update README, AUTHORS, LICENSE

Browse Source
This commit is contained in:
Thibault Ayanides 2021-01-13 11:14:26 +01:00
parent 624aba950d
commit 45ccd337b4
3 changed files with 112 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
AUTHORS
View File

@ -3,6 +3,7 @@ Contributors of this project :
Developers :
Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
Thibault Ayanides, OVH <thibault.ayanides@corp.ovh.com>
Debian package maintainers :
Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>

40
LICENSE
View File

@ -1,25 +1,21 @@
Copyright (c) 2016, OVH SAS.
All rights reserved.
MIT License
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
Copyright (c) 2016, OVHcloud
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of OVH SAS nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

122
README.md
View File

@ -1,25 +1,28 @@
# CIS Debian 7/8/9 Hardening
# CIS Debian 9/10 Hardening
Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
**News**: this projet is back in the game and is from now on maintained. Be free to use and to
report issues if you find any !
Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
```console
$ bin/hardening.sh --audit-all
[...]
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
13.15_check_duplicate_gid [INFO] Checking Configuration
13.15_check_duplicate_gid [INFO] Performing audit
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
13.15_check_duplicate_gid [ OK ] Check Passed
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh
6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
6.2.19_check_duplicate_gr [INFO] Checking Configuration
6.2.19_check_duplicate_gr [INFO] Performing audit
6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs
6.2.19_check_duplicate_gr [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 191
Total Runned Checks : 191
Total Passed Checks : [ 170/191 ]
Total Failed Checks : [ 21/191 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 89.01 %
Total Available Checks : 232
Total Runned Checks : 166
Total Passed Checks : [ 142/166 ]
Total Failed Checks : [ 24/166 ]
Enabled Checks Percentage : 71.00 %
Conformity Percentage : 85.00 %
```
## Quickstart
@ -29,13 +32,13 @@ $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
$ cp debian/default /etc/default/cis-hardening
$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ bin/hardening/1.1_install_updates.sh --audit-all
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [ OK ] Check Passed
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs
1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
1.1.1.1_disable_freevxfs [INFO] Checking Configuration
1.1.1.1_disable_freevxfs [INFO] Performing audit
1.1.1.1_disable_freevxfs [ OK ] CONFIG_VXFS_FS is disabled
1.1.1.1_disable_freevxfs [ OK ] Check Passed
```
## Usage
@ -72,7 +75,9 @@ This command has 2 main operation modes:
- ``--audit``: Audit your system with all enabled and audit mode scripts
- ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
Additionally, ``--audit-all`` can be used to force running all auditing scripts,
Additionally, some options add more granularity:
``--audit-all`` can be used to force running all auditing scripts,
including disabled ones. this will *not* change the system.
``--audit-all-enable-passed`` can be used as a quick way to kickstart your
@ -80,15 +85,28 @@ configuration. It will run all scripts in audit mode. If a script passes,
it will automatically be enabled for future runs. Do NOT use this option
if you have already started to customize your configuration.
``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
``--sudo``: audit your system as a normal user, but allow sudo escalation to read
specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
not prompt for a password.
``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
``--only <check_number>``: run only the selected checks.
``--set-hardening-level``: run all checks that are lower or equal to the selected level.
Do NOT use this option if you have already started to customize your configuration.
``--allow-service <service>``: use with --set-hardening-level. Modifies the policy
to allow a certain kind of services on the machine, such as http, mail, etc.
Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
before running the audit with user secaudit, to have the rights setup well on the conf files.
## Hacking
**Getting the source**
@ -110,6 +128,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh
$ chmod +x bin/hardening/99.99_custom_script.sh
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
```
Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to.
If the check replace somehow one that is in the CIS specifications,
you can use the numerotation of the check it replaces inplace. For example we check
the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVH security check
(part of OVH security policy)
Code your check explaining what it does then if you want to test
@ -125,7 +152,7 @@ Functional tests are available. They are to be run in a Docker environment.
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
```
With `target` being like `debian8` or `debian9`.
With `target` being like `debian9` or `debian10`.
Running without script arguments will run all tests in `./tests/hardening/` directory.
Or you can specify one or several test script to be run.
@ -151,6 +178,45 @@ Functional tests can make use of the following helper functions :
In order to write your own functional test, you will find a code skeleton in
`./src/skel.test`.
Some tests ar labelled with a disclaimer warning that we only test on a blank host
and that we will not test the apply function. It's because the check is very basic
(like a package install) and that a test on it is not really necessary.
Furthermore, some tests are disabled on docker because there not pertinent (kernel
modules, grub, partitions, ...)
You can disable a check on docker with:
```bash
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
...
fi
```
## Coding style
### Shellcheck
We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the
correctness of the scripts and to respect best practices.
It can be used directly with the docker environnment to check all scripts
compliancy. By default it runs on every `.sh` it founds.
```console
$ ./shellcheck/launch_shellcheck.sh [name of script...]
```
### Shellfmt
We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a
consistent style in every script.
Identically to shellcheck, it can be run through a script with the following:
```console
$ ./shellfmt/launch_shellfmt.sh
```
It will automatically fix any styling problem on every script.
## Disclaimer
This project is a set of tools. They are meant to help the system administrator
@ -174,10 +240,8 @@ Additionally, quoting the License:
## Reference
- **Center for Internet Security**: https://www.cisecurity.org/
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100
- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
## License
3-Clause BSD
MIT