Update README, AUTHORS, LICENSE

Thibault Ayanides 2021-01-13 11:14:26 +01:00
parent 624aba950d
commit 45ccd337b4
3 changed files with 112 additions and 51 deletions


@ -3,6 +3,7 @@ Contributors of this project :
Developers : Developers :
Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com> Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com> Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
Thibault Ayanides, OVH <thibault.ayanides@corp.ovh.com>
Debian package maintainers : Debian package maintainers :
Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com> Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>

LICENSE

@ -1,25 +1,21 @@
Copyright (c) 2016, OVH SAS. MIT License
All rights reserved.
Redistribution and use in source and binary forms, with or without Copyright (c) 2016, OVHcloud
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright Permission is hereby granted, free of charge, to any person obtaining a copy
notice, this list of conditions and the following disclaimer. of this software and associated documentation files (the "Software"), to deal
* Redistributions in binary form must reproduce the above copyright in the Software without restriction, including without limitation the rights
notice, this list of conditions and the following disclaimer in the to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
documentation and/or other materials provided with the distribution. copies of the Software, and to permit persons to whom the Software is
* Neither the name of OVH SAS nor the furnished to do so, subject to the following conditions:
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY The above copyright notice and this permission notice shall be included in all
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED copies or substantial portions of the Software.
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SOFTWARE.
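Review bot: replacing the 3-Clause BSD text with MIT relicenses code that was contributed under the BSD terms, so this hunk needs confirmation that every copyright holder, at least the developers listed in AUTHORS, agreed to the change; record that agreement in the commit message or a CHANGELOG entry rather than swapping the file silently. Two details in the new header also deserve a look: `Copyright (c) 2016, OVHcloud` keeps 2016 as the only year although the code is still being modified in 2021 (a `2016-2021` range is the usual form), and the holder changes from the legal entity name `OVH SAS` to the brand name `OVHcloud`; make sure the name in the copyright line is the entity that actually holds the copyright.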

README.md

@ -1,25 +1,28 @@
# CIS Debian 7/8/9 Hardening # CIS Debian 9/10 Hardening
Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) **News**: this projet is back in the game and is from now on maintained. Be free to use and to
report issues if you find any !
Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure. recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
```console ```console
$ bin/hardening.sh --audit-all $ bin/hardening.sh --audit-all
[...] [...]
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid 6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
13.15_check_duplicate_gid [INFO] Checking Configuration 6.2.19_check_duplicate_gr [INFO] Checking Configuration
13.15_check_duplicate_gid [INFO] Performing audit 6.2.19_check_duplicate_gr [INFO] Performing audit
13.15_check_duplicate_gid [ OK ] No duplicate GIDs 6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs
13.15_check_duplicate_gid [ OK ] Check Passed 6.2.19_check_duplicate_gr [ OK ] Check Passed
[...] [...]
################### SUMMARY ################### ################### SUMMARY ###################
Total Available Checks : 191 Total Available Checks : 232
Total Runned Checks : 191 Total Runned Checks : 166
Total Passed Checks : [ 170/191 ] Total Passed Checks : [ 142/166 ]
Total Failed Checks : [ 21/191 ] Total Failed Checks : [ 24/166 ]
Enabled Checks Percentage : 100.00 % Enabled Checks Percentage : 71.00 %
Conformity Percentage : 89.01 % Conformity Percentage : 85.00 %
``` ```
## Quickstart ## Quickstart
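Review bot: the sample output contradicts the option it illustrates. `$ bin/hardening.sh --audit-all` is documented further down as running every script including disabled ones, yet the summary reports `Total Runned Checks : 166` against `Total Available Checks : 232` and `Enabled Checks Percentage : 71.00 %`. Either paste the output of a plain `--audit` run, or add a sentence explaining why 66 checks did not run. Text fixes in the same hunk: the news line has `projet` for `project` and `Be free to use` for `Feel free to use`; the log line `6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs` comes from a group *name* check, so the message in `6.2.19_check_duplicate_groupname.sh` looks copied from the GID check and should read `No duplicate group names`; and `Total Runned Checks` in the summary should be `Total Run Checks`.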
@ -29,13 +32,13 @@ $ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
$ cp debian/default /etc/default/cis-hardening $ cp debian/default /etc/default/cis-hardening
$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening $ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ bin/hardening/1.1_install_updates.sh --audit-all $ bin/hardening/1.1_install_updates.sh --audit-all
1.1_install_updates [INFO] Working on 1.1_install_updates hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
1.1_install_updates [INFO] Checking Configuration 1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs
1.1_install_updates [INFO] Performing audit 1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
1.1_install_updates [INFO] Checking if apt needs an update 1.1.1.1_disable_freevxfs [INFO] Checking Configuration
1.1_install_updates [INFO] Fetching upgrades ... 1.1.1.1_disable_freevxfs [INFO] Performing audit
1.1_install_updates [ OK ] No upgrades available 1.1.1.1_disable_freevxfs [ OK ] CONFIG_VXFS_FS is disabled
1.1_install_updates [ OK ] Check Passed 1.1.1.1_disable_freevxfs [ OK ] Check Passed
``` ```
## Usage ## Usage
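Review bot: the Quickstart command and its output no longer match. `$ bin/hardening/1.1_install_updates.sh --audit-all` is kept unchanged, but the new output starts with `hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh`, which is what the `bin/hardening.sh` driver prints while iterating over scripts, and the per-check lines are for `1.1.1.1_disable_freevxfs`, not `1.1_install_updates`. With the checks renumbered to the CIS Debian 9/10 scheme, a script named `1.1_install_updates.sh` presumably no longer exists under that name either. Replace the command with `bin/hardening.sh --audit-all` (or show the single script `bin/hardening/1.1.1.1_disable_freevxfs.sh` and its own output) so the Quickstart can be copied as-is.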
@ -72,7 +75,9 @@ This command has 2 main operation modes:
- ``--audit``: Audit your system with all enabled and audit mode scripts - ``--audit``: Audit your system with all enabled and audit mode scripts
- ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts - ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
Additionally, ``--audit-all`` can be used to force running all auditing scripts, Additionally, some options add more granularity:
``--audit-all`` can be used to force running all auditing scripts,
including disabled ones. this will *not* change the system. including disabled ones. this will *not* change the system.
``--audit-all-enable-passed`` can be used as a quick way to kickstart your ``--audit-all-enable-passed`` can be used as a quick way to kickstart your
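Review bot: minor: `including disabled ones. this will *not* change the system.` now starts a sentence in lower case, and since the new lead-in `Additionally, some options add more granularity:` introduces a list, the option paragraphs that follow would read better as `- ` bullets like the two modes just above them.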
@ -80,15 +85,28 @@ configuration. It will run all scripts in audit mode. If a script passes,
it will automatically be enabled for future runs. Do NOT use this option it will automatically be enabled for future runs. Do NOT use this option
if you have already started to customize your configuration. if you have already started to customize your configuration.
``--sudo``: Audit your system as a normal user, but allow sudo escalation to read ``--sudo``: audit your system as a normal user, but allow sudo escalation to read
specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/ specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
with NOPASWD option, since checks are executed with ``sudo -n`` option, that will with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
not prompt for a password. not prompt for a password.
``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and ``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like : captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}] OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
``--only <check_number>``: run only the selected checks.
``--set-hardening-level``: run all checks that are lower or equal to the selected level.
Do NOT use this option if you have already started to customize your configuration.
``--allow-service <service>``: use with --set-hardening-level. Modifies the policy
to allow a certain kind of services on the machine, such as http, mail, etc.
Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
before running the audit with user secaudit, to have the rights setup well on the conf files.
## Hacking ## Hacking
**Getting the source** **Getting the source**
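Review bot: `NOPASWD` in the `--sudo` paragraph is a typo for the sudoers keyword `NOPASSWD`; copied literally into `/etc/sudoers.d/` the rule fails to parse (`visudo -c` rejects it), so fix it while these lines are being touched. The paragraph should also say what to put in that rule: a blanket entry such as `secaudit ALL=(root) NOPASSWD: ALL` hands the audit user unrestricted root, whereas the text says the checks only need `sudo -n` to read specific root-only files, so the recommended rule should be limited to the commands the checks actually run. On the new options: `--set-hardening-level` is described as running checks `lower or equal to the selected level`, but the synopsis shows no argument (`--set-hardening-level <level>`) and the possible levels are not listed; `--only <check_number>` should state whether several numbers may be given; and `--create-config-files-only` mentions `user secaudit` for the first time without defining it, presumably the unprivileged user meant for `--sudo` audits, which should be said explicitly.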
@ -110,6 +128,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh
$ chmod +x bin/hardening/99.99_custom_script.sh $ chmod +x bin/hardening/99.99_custom_script.sh
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg $ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
``` ```
Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to.
If the check replace somehow one that is in the CIS specifications,
you can use the numerotation of the check it replaces inplace. For example we check
the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVH security check
(part of OVH security policy)
Code your check explaining what it does then if you want to test Code your check explaining what it does then if you want to test
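Review bot: wording in the new custom-check paragraph: `numerotation` (used three times) is the French term, the English word is `numbering`; `If the check replace somehow one that is in the CIS specifications, you can use the numerotation of the check it replaces inplace` should read `If the check replaces one that is in the CIS specification, reuse that check's number`; `more recents one` should be `more recent ones`, and `part from previous CIS specification` should be `part of a previous CIS specification`. The rule itself also needs one more sentence: the text says every custom check begins with `99`, then gives the OSSEC example numbered `1.4.x`, so state which applies when a custom check replaces a CIS one (from the example, the CIS number wins and `99.x` is only for checks with no CIS counterpart).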
@ -125,7 +152,7 @@ Functional tests are available. They are to be run in a Docker environment.
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...] $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
``` ```
With `target` being like `debian8` or `debian9`. With `target` being like `debian9` or `debian10`.
Running without script arguments will run all tests in `./tests/hardening/` directory. Running without script arguments will run all tests in `./tests/hardening/` directory.
Or you can specify one or several test script to be run. Or you can specify one or several test script to be run.
@ -151,6 +178,45 @@ Functional tests can make use of the following helper functions :
In order to write your own functional test, you will find a code skeleton in In order to write your own functional test, you will find a code skeleton in
`./src/skel.test`. `./src/skel.test`.
Some tests ar labelled with a disclaimer warning that we only test on a blank host
and that we will not test the apply function. It's because the check is very basic
(like a package install) and that a test on it is not really necessary.
Furthermore, some tests are disabled on docker because there not pertinent (kernel
modules, grub, partitions, ...)
You can disable a check on docker with:
```bash
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
...
fi
```
## Coding style
### Shellcheck
We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the
correctness of the scripts and to respect best practices.
It can be used directly with the docker environnment to check all scripts
compliancy. By default it runs on every `.sh` it founds.
```console
$ ./shellcheck/launch_shellcheck.sh [name of script...]
```
### Shellfmt
We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a
consistent style in every script.
Identically to shellcheck, it can be run through a script with the following:
```console
$ ./shellfmt/launch_shellfmt.sh
```
It will automatically fix any styling problem on every script.
## Disclaimer ## Disclaimer
This project is a set of tools. They are meant to help the system administrator This project is a set of tools. They are meant to help the system administrator
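Review bot: the Docker skip pattern quietly removes coverage for exactly the checks that matter most on a real host (kernel modules, grub, partitions); the text should say that those tests still have to be run on a VM or bare-metal target before a release, otherwise a green `./tests/docker_build_and_run_tests.sh` says nothing about them. Text fixes in the same hunk: `Some tests ar labelled` (`are`), `because there not pertinent` (`they are not pertinent`), `docker environnment` (`environment`), `every .sh it founds` (`finds`), `check all scripts compliancy` (`compliance`), and `Identically to shellcheck` (`As with shellcheck`). The formatter from mvdan/sh is called `shfmt`, not `Shellfmt`; keep the script path `./shellfmt/launch_shellfmt.sh` as it is in the tree, but name the tool correctly in the heading and link text.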
@ -174,10 +240,8 @@ Additionally, quoting the License:
## Reference ## Reference
- **Center for Internet Security**: https://www.cisecurity.org/ - **Center for Internet Security**: https://www.cisecurity.org/
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100 - **CIS recommendations**: https://learn.cisecurity.org/benchmarks
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100
## License ## License
3-Clause BSD MIT
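Review bot: the hunk context `Additionally, quoting the License:` shows that the Disclaimer section quotes the license text, and that quoted passage is not part of this diff; after the switch to MIT it must be re-checked so the README does not quote the BSD disclaimer under a License section that now says `MIT`. The new reference `https://learn.cisecurity.org/benchmarks` is a generic landing page; name the exact documents the scripts follow (the CIS Debian Linux 9 and 10 Benchmarks) and their versions next to it, since check numbers such as `6.2.19` only make sense against a specific benchmark version.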