diff --git a/AUTHORS b/AUTHORS index e46d827..a243e85 100644 --- a/AUTHORS +++ b/AUTHORS @@ -3,6 +3,7 @@ Contributors of this project : Developers : Thibault Dewailly, OVH Stéphane Lesimple, OVH + Thibault Ayanides, OVH Debian package maintainers : Kevin Tanguy, OVH diff --git a/LICENSE b/LICENSE index fb3feff..ea9d6d6 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,25 +1,21 @@ -Copyright (c) 2016, OVH SAS. -All rights reserved. +MIT License -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: +Copyright (c) 2016, OVHcloud - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of OVH SAS nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: -THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY -EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index 458d1de..e3d456f 100644 --- a/README.md +++ b/README.md 
@@ -1,25 +1,28 @@ -# CIS Debian 7/8/9 Hardening +# CIS Debian 9/10 Hardening -Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) +**News**: this projet is back in the game and is from now on maintained. Be free to use and to +report issues if you find any ! + +Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure. ```console $ bin/hardening.sh --audit-all [...] -hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh -13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid -13.15_check_duplicate_gid [INFO] Checking Configuration -13.15_check_duplicate_gid [INFO] Performing audit -13.15_check_duplicate_gid [ OK ] No duplicate GIDs -13.15_check_duplicate_gid [ OK ] Check Passed +hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh +6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname +6.2.19_check_duplicate_gr [INFO] Checking Configuration +6.2.19_check_duplicate_gr [INFO] Performing audit +6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs +6.2.19_check_duplicate_gr [ OK ] Check Passed [...] ################### SUMMARY ################### - Total Available Checks : 191 - Total Runned Checks : 191 - Total Passed Checks : [ 170/191 ] - Total Failed Checks : [ 21/191 ] - Enabled Checks Percentage : 100.00 % - Conformity Percentage : 89.01 % + Total Available Checks : 232 + Total Runned Checks : 166 + Total Passed Checks : [ 142/166 ] + Total Failed Checks : [ 24/166 ] + Enabled Checks Percentage : 71.00 % + Conformity Percentage : 85.00 % ``` ## Quickstart 
@@ -29,13 +32,13 @@ $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis $ cp debian/default /etc/default/cis-hardening $ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening $ bin/hardening/1.1_install_updates.sh --audit-all -1.1_install_updates [INFO] Working on 1.1_install_updates -1.1_install_updates [INFO] Checking Configuration -1.1_install_updates [INFO] Performing audit -1.1_install_updates [INFO] Checking if apt needs an update -1.1_install_updates [INFO] Fetching upgrades ... -1.1_install_updates [ OK ] No upgrades available -1.1_install_updates [ OK ] Check Passed +hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh +1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs +1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems. +1.1.1.1_disable_freevxfs [INFO] Checking Configuration +1.1.1.1_disable_freevxfs [INFO] Performing audit +1.1.1.1_disable_freevxfs [ OK ] CONFIG_VXFS_FS is disabled +1.1.1.1_disable_freevxfs [ OK ] Check Passed ``` ## Usage @@ -72,7 +75,9 @@ This command has 2 main operation modes: - ``--audit``: Audit your system with all enabled and audit mode scripts - ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts -Additionally, ``--audit-all`` can be used to force running all auditing scripts, +Additionally, some options add more granularity: + + ``--audit-all`` can be used to force running all auditing scripts, including disabled ones. this will *not* change the system. ``--audit-all-enable-passed`` can be used as a quick way to kickstart your 
@@ -80,15 +85,28 @@ configuration. It will run all scripts in audit mode. If a script passes, it will automatically be enabled for future runs. Do NOT use this option if you have already started to customize your configuration. -``--sudo``: Audit your system as a normal user, but allow sudo escalation to read +``--sudo``: audit your system as a normal user, but allow sudo escalation to read specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/ with NOPASWD option, since checks are executed with ``sudo -n`` option, that will not prompt for a password. -``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and +``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and captures all output to print only one line once the check is done, formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}] +``--only ``: run only the selected checks. + +``--set-hardening-level``: run all checks that are lower or equal to the selected level. +Do NOT use this option if you have already started to customize your configuration. + +``--allow-service ``: use with --set-hardening-level. Modifies the policy +to allow a certain kind of services on the machine, such as http, mail, etc. +Can be specified multiple times to allow multiple services. +Use --allow-service-list to get a list of supported services. + +``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root, +before running the audit with user secaudit, to have the rights setup well on the conf files. + ## Hacking **Getting the source** 
@@ -110,6 +128,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh $ chmod +x bin/hardening/99.99_custom_script.sh $ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg ``` +Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to. + +If the check replace somehow one that is in the CIS specifications, +you can use the numerotation of the check it replaces inplace. For example we check +the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE. + +Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVH security check +(part of OVH security policy) + Code your check explaining what it does then if you want to test @@ -125,7 +152,7 @@ Functional tests are available. They are to be run in a Docker environment. $ ./tests/docker_build_and_run_tests.sh [name of test script...] ``` -With `target` being like `debian8` or `debian9`. +With `target` being like `debian9` or `debian10`. Running without script arguments will run all tests in `./tests/hardening/` directory. Or you can specify one or several test script to be run. 
@@ -151,6 +178,45 @@ Functional tests can make use of the following helper functions : In order to write your own functional test, you will find a code skeleton in `./src/skel.test`. +Some tests ar labelled with a disclaimer warning that we only test on a blank host +and that we will not test the apply function. It's because the check is very basic +(like a package install) and that a test on it is not really necessary. + +Furthermore, some tests are disabled on docker because there not pertinent (kernel +modules, grub, partitions, ...) +You can disable a check on docker with: +```bash +if [ -f "/.dockerenv" ]; then + skip "SKIPPED on docker" +else +... +fi +``` + +## Coding style +### Shellcheck + +We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the +correctness of the scripts and to respect best practices. +It can be used directly with the docker environnment to check all scripts +compliancy. By default it runs on every `.sh` it founds. + +```console +$ ./shellcheck/launch_shellcheck.sh [name of script...] +``` + +### Shellfmt + +We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a +consistent style in every script. +Identically to shellcheck, it can be run through a script with the following: + +```console +$ ./shellfmt/launch_shellfmt.sh +``` +It will automatically fix any styling problem on every script. + + ## Disclaimer This project is a set of tools. They are meant to help the system administrator @@ -174,10 +240,8 @@ Additionally, quoting the License: ## Reference - **Center for Internet Security**: https://www.cisecurity.org/ -- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100 -- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100 +- **CIS recommendations**: https://learn.cisecurity.org/benchmarks ## License -3-Clause BSD - +MIT
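Review bot: the LICENSE hunk swaps 3-Clause BSD for MIT, which changes the terms on code that other people hold copyright to (AUTHORS lists several developers and the Debian package maintainers, and this same patch adds a new one); the PR or commit message should record that every copyright holder agreed to the relicensing, and the new notice should carry the current year range rather than only "2016" now that the project is being actively changed again. Note also that the notice moves from "OVH SAS" to "OVHcloud"; make sure that is the legal entity that owns the copyright, not just the brand name.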
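Review bot: the new SUMMARY block in the README's first example is not arithmetically consistent: 166 of 232 checks is 71.55 %, not 71.00 %, and 142/166 is 85.54 %, not 85.00 %, whereas the old sample (170/191 = 89.01 %) was exact. Either paste real tool output or state that the numbers are illustrative, since readers use this block to sanity-check their own runs. Same hunk, wording: "this projet is back in the game" should read "this project is maintained again", "Be free to use and to report issues if you find any !" should read "Feel free to use it and to report any issues you find!".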
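Review bot: in the Quickstart hunk the command and its output no longer match. The command is still `bin/hardening/1.1_install_updates.sh --audit-all`, but the new output begins with `hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh`, which is the wrapper line `bin/hardening.sh --audit-all` prints while iterating (compare the first README example), not what a single check script prints. Either change the command to `bin/hardening.sh --audit-all` and mark truncation with `[...]` as the earlier example does, or run `bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all` and drop the `hardening [INFO] Treating ...` line. Note too that `1.1_install_updates.sh` no longer exists under the new 9/10 numbering, so the stale command will fail for anyone copying it.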
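Review bot: the argument placeholders for the new options in the Usage hunk are empty: "``--only ``" and "``--allow-service ``" should say what they take (for example ``--only <check_number>`` and ``--allow-service <service>``), and ``--set-hardening-level`` should show its level argument; angle-bracket placeholders were most likely swallowed by markdown rendering, so escape them or keep them inside the backticks. Since this section instructs users to add a NOPASSWD sudoers rule for ``--sudo`` mode (and misspells it "NOPASWD"), it should also say that the rule must be scoped to the audit user and to the specific read-only commands the checks run through ``sudo -n``, not a blanket ``ALL=(ALL) NOPASSWD: ALL``, otherwise the audit account becomes a root-equivalent account. Finally, ``--create-config-files-only`` introduces "user secaudit" without explanation; say that it is the example unprivileged account the audit is expected to run as, and spell out which permissions the config files end up with.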
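Review bot: the two numbering rules added in the Hacking hunk conflict as written: the first sentence says every custom check begins with 99, the next says to reuse the number of the CIS check it replaces (as with OSSEC under `1.4.x`). State explicitly that a replacement keeps the CIS number while a purely additional check gets the 99.x prefix, and say where the bonus/legacy/OVH tag goes (a comment header in the script, a line in the .cfg, or both). Wording in the same hunk: "numerotation" should be "numbering" (three occurrences), "If the check replace somehow one that is in the CIS specifications, you can use the numerotation of the check it replaces inplace" should read "If the check replaces one that is in the CIS specification, reuse that check's number", "more recents one" should be "more recent ones", and "part from previous CIS specification" should be "part of a previous CIS specification".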
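Review bot: the tool at https://github.com/mvdan/sh is called shfmt, not "Shellfmt"; rename the heading and the sentence that introduces it (the project's own `./shellfmt/launch_shellfmt.sh` path can stay). Because that script rewrites every file in place ("It will automatically fix any styling problem on every script"), the text should tell contributors to run it before committing and, for CI, to run shfmt in diff mode (`shfmt -d`) so the pipeline fails on unformatted files instead of silently rewriting them. The `/.dockerenv` snippet is fine but should mention that `skip` is the test framework's helper, not a shell builtin. Typos in the same hunk: "Some tests ar labelled" should be "are labelled", "there not pertinent" should be "they are not relevant", "environnment" should be "environment", "every `.sh` it founds" should be "it finds", and "compliancy" should be "compliance".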
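Review bot: the Disclaimer section's "Additionally, quoting the License:" block (visible only as the hunk header context) is not touched by this diff, so it still quotes the old BSD warranty wording while the LICENSE file and the "## License" line now say MIT; update that quotation to the MIT "AS IS" paragraph, or replace it with a link to the LICENSE file, in the same change. In the Reference section, the two removed links pointed at specific Debian benchmark documents and the single replacement https://learn.cisecurity.org/benchmarks is a generic landing page; since check IDs such as `6.2.19` and `1.1.1.1` only mean something against a particular benchmark revision, name the Debian 9 and Debian 10 benchmark versions the numbering follows.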