elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-15 21:32:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v3.0
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
...
compare: elie:v3.0-1
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

17 Commits
v3.0 ... v3.0-1

Author SHA1 Message Date
Thibault Ayanides
89780550e6 Fix badges on README 2021-01-18 15:47:41 +01:00
Thibault Ayanides
047421f2d8 Regenerate man pages (Github action) 2021-01-18 15:47:41 +01:00
Thibault Ayanides
124aeea5cc Fix debian package build via github actions 2021-01-18 15:47:41 +01:00
Thibault Ayanides
8de9817035 Update LICENSE 2021-01-18 15:47:41 +01:00
Thibault Ayanides
3217429679 Regenerate man pages (Github action) 2021-01-18 11:45:13 +01:00
Thibault Ayanides
af38e4f404 Update changelog 2021-01-18 11:45:13 +01:00
Thibault Ayanides
efb14ea0a9 Add compile manual github action 2021-01-18 11:45:13 +01:00
Thibault Ayanides
8029da6157 Add manual 2021-01-18 11:45:13 +01:00
Thibault Ayanides
4281ed330a Update compat in debian package 2021-01-18 11:45:13 +01:00
Thibault Ayanides
aa90093f24 Add dependabot action 2021-01-18 11:45:13 +01:00
Thibault Ayanides
0ab210183b Beautify README.md 2021-01-18 11:45:13 +01:00
Thibault Ayanides
8f5e3c2ef8 Bump shellcheck action version 2021-01-18 11:45:13 +01:00
Thibault Ayanides
f454b18991 Change artefact name when releasing 2021-01-18 11:45:13 +01:00
Thibault Ayanides
33b0dae4c3 Check if changelog was modfified before release 2021-01-18 11:45:13 +01:00
Thibault Ayanides
44e7ea7c63 Improve workflows 2021-01-18 11:45:13 +01:00
Thibault Ayanides
3f20f99e50 Add github actions 
Add shellcheck, shellfmt, release, prerelease, functionnal tests
 2021-01-14 19:31:14 +01:00
Thibault Ayanides
45ccd337b4 Update README, AUTHORS, LICENSE 2021-01-13 11:14:26 +01:00
13 changed files with 816 additions and 204 deletions
Expand all files Collapse all files

7
.github/dependabot.yml vendored Normal file
View File

@ -0,0 +1,7 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
# Check for updates to GitHub Actions every weekday
interval: "daily"

17
.github/workflows/compile-manual.yml vendored Normal file
View File

@ -0,0 +1,17 @@
---
name: Compile debian man
on:
- push
jobs:
compile-debian-man:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Produce debian man
run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
- uses: EndBug/add-and-commit@v6
with:
add: 'debian/cis-hardening.8'
message: 'Regenerate man pages (Github action)'
token: ${{ secrets.GITHUB_TOKEN }}

20
.github/workflows/functionnal-tests.yml vendored Normal file
View File

@ -0,0 +1,20 @@
---
name: Run functionnal tests
on:
- pull_request
- push
jobs:
functionnal-tests-docker-debian9:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Run the tests debian9
run: ./tests/docker_build_and_run_tests.sh debian9
functionnal-tests-docker-debian10:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Run the tests debian10
run: ./tests/docker_build_and_run_tests.sh debian10

64
.github/workflows/pre-release.yml vendored Normal file
View File

@ -0,0 +1,64 @@
---
name: Create Pre-Release
on:
push:
branches:
- master
jobs:
build:
name: Create Pre-Release
runs-on: ubuntu-latest
steps:
# CHECKOUT CODE
- name: Checkout code
uses: actions/checkout@v2
# BUILD THE .DEB PACKAGE
- name: Build
run: |
sudo apt-get update
sudo apt-get install -y build-essential devscripts debhelper
sudo debuild --buildinfo-option=-O -us -uc -b -j8
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.2
with:
delete_release: true
tag_name: latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# GET LATEST VERSION TAG
- name: Get latest version tag
uses: actions-ecosystem/action-get-latest-tag@v1
id: get-latest-tag
# GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
- name: Generate changelog
id: changelog
uses: metcalfc/changelog-generator@v0.4.4
with:
myToken: ${{ secrets.GITHUB_TOKEN }}
head-ref: ${{ github.sha }}
base-ref: ${{ steps.get-latest-tag.outputs.tag }}
# CREATE RELEASE NAMED LATEST
- name: Create Release
id: create_release
uses: actions/create-release@v1.1.4
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: latest
release_name: Pre-release
body: ${{ steps.changelog.outputs.changelog }}
draft: false
prerelease: true
# UPLOAD PACKAGE .DEB
- name: Upload Release deb
id: upload-release-asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ./cis-hardening.deb
asset_name: cis-hardening.deb
asset_content_type: application/vnd.debian.binary-package

22
.github/workflows/shellcheck_and_shellfmt.yml vendored Normal file
View File

@ -0,0 +1,22 @@
---
name: Run shell-linter
on:
- push
- pull_request
jobs:
sh-checker:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Run the sh-checker
uses: luizm/action-sh-checker@v0.1.10
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
SHELLCHECK_OPTS: --color=always --shell=bash -x --source-path=SCRIPTDIR # Optional: exclude some shellcheck warnings.
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
with:
sh_checker_comment: true
sh_checker_exclude: |
src/
debian/postrm

66
.github/workflows/tagged-release.yml vendored Normal file
View File

@ -0,0 +1,66 @@
---
name: Create Release
on:
push:
tags:
- 'v*'
jobs:
build:
name: Create Release
# only runs on master
if: github.event.base_ref == 'refs/heads/master'
runs-on: ubuntu-latest
steps:
# GET VERSION TAG
- name: Get latest version number
id: vars
run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
# CHECKOUT CODE
- name: Checkout code
uses: actions/checkout@v2
with:
ref: ${{ steps.vars.outputs.tag }}
# GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
- name: Generate changelog
run: sed -n -e "/cis-hardening ($(echo ${{ steps.vars.outputs.tag }} | tr -d 'v'))/,/ -- / p" debian/changelog | tail -n +3 | head -n -2 > changelog.md
# IF THERE IS A NEW TAG BUT NO CORRESPONDING ENTRY IN DEBIAN/CHANGELOG, SET JOB TO FAIL
- name: Abort if changelog is empty
run: '[ -s changelog.md ] || (echo "No entry corresponding to the specified version found in debian/changelog"; exit 1)'
# BUILD THE .DEB PACKAGE
- name: Build
run: |
sudo apt-get update
sudo apt-get install -y build-essential devscripts debhelper
sudo debuild --buildinfo-option=-O -us -uc -b -j8
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v0.1.2
with:
delete_release: true
tag_name: latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# CREATE RELEASE
- name: Create Release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref }}
release_name: Release ${{ github.ref }}
body_path: changelog.md
draft: false
prerelease: false
# UPLOAD PACKAGE .DEB
- name: Upload Release deb
id: upload-release-asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ./cis-hardening.deb
asset_name: cis-hardening-${{ steps.vars.outputs.tag }}.deb
asset_content_type: application/vnd.debian.binary-package

7
AUTHORS
View File

@ -1,8 +1,9 @@
Contributors of this project :
Developers :
Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
Debian package maintainers :
Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>

211
LICENSE
View File

@ -1,25 +1,192 @@
Copyright (c) 2016, OVH SAS.
All rights reserved.
Copyright 2020 OVHcloud
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of OVH SAS nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
http://www.apache.org/licenses/LICENSE-2.0
THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
A copy of the license terms follows:
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS

151
MANUAL.md Normal file
View File

@ -0,0 +1,151 @@
% CIS-HARDENING(8)
%
% 2016
# NAME
cis-hardening - CIS Debian 9/10 Hardening
# SYNOPSIS
**hardening.sh** RUN_MODE [OPTIONS]
# DESCRIPTION
Modular Debian 9/10 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
# SCRIPTS CONFIGURATION
Hardening scripts are in `bin/hardening`. Each script has a corresponding
configuration file in `etc/conf.d/[script_name].cfg`.
Each hardening script can be individually enabled from its configuration file.
For example, this is the default configuration file for `disable_system_accounts`:
```
# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""
```
**status** parameter may take 3 values:
- `disabled` (do nothing): The script will not run.
- `audit` (RO): The script will check if any change should be applied.
- `enabled` (RW): The script will check if any change should be done and automatically apply what it can.
Global configuration is in `etc/hardening.cfg`. This file controls the log level
as well as the backup directory. Whenever a script is instructed to edit a file, it
will create a timestamped backup in this directory.
# RUN MODE
`-h`, `--help`
: Display a friendly help message.
`--apply`
: Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you're warmly
advised to use `--audit` before, which can be regarded as a dry-run mode.
`--audit`
: Audit configuration for enabled scripts.
No modification will be made on the system, we'll only report on your system
compliance for each script.
`--audit-all`
: Same as `--audit`, but for *all* scripts, even disabled ones.
This is a good way to peek at your compliance level if all scripts were enabled,
and might be a good starting point.
`--audit-all-enable-passed`
: Same as `--audit-all`, but in addition, will *modify* the individual scripts
configurations to enable those which passed for your system.
This is an easy way to enable scripts for which you're already compliant.
However, please always review each activated script afterwards, this option
should only be regarded as a way to kickstart a configuration from scratch.
Don't run this if you have already customized the scripts enable/disable
configurations, obviously.
`--create-config-files-only`
: Create the config files in etc/conf.d
Must be run as root, before running the audit with user secaudit
`-set-hardening-level=level`
: Modifies the configuration to enable/disable tests given an hardening level,
between 1 to 5. Don't run this if you have already customized the scripts
enable/disable configurations.
1: very basic policy, failure to pass tests at this level indicates severe
misconfiguration of the machine that can have a huge security impact
2: basic policy, some good practice rules that, once applied, shouldn't
break anything on most systems
3: best practices policy, passing all tests might need some configuration
modifications (such as specific partitioning, etc.)
4: high security policy, passing all tests might be time-consuming and
require high adaptation of your workflow
5: placebo, policy rules that might be very difficult to apply and maintain,
with questionable security benefits
`--allow-service=service`
: Use with `--set-hardening-level`.
Modifies the policy to allow a certain kind of services on the machine, such
as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
# OPTIONS
`--allow-service-list`
: Get a list of supported service.
`--only test-number`
: Modifies the RUN_MODE to only work on the test_number script.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script,
i.e. the test number of 1.2_script_name.sh is 1.2.
`--sudo`
: This option lets you audit your system as a normal user, but allows sudo
escalation to gain read-only access to root files. Note that you need to
provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
the -n option instructs sudo not to prompt for a password.
Finally note that `--sudo` mode only works for audit mode.
`--batch`
: While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
# AUTHORS
- Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
- Stéphane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
- Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
- Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
# COPYRIGHT
Copyright 2020 OVHcloud
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
# SEE ALSO
- **Center for Internet Security**: https://www.cisecurity.org/
- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
- **Project repository**: https://github.com/ovh/debian-cis

155
README.md
View File

@ -1,44 +1,60 @@
# CIS Debian 7/8/9 Hardening
# :lock: CIS Debian 9/10 Hardening
Modular Debian 7/8/9 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
recommendations. We use it at [OVH](https://www.ovh.com) to harden our PCI-DSS infrastructure.
:tada: **News**: this projet is back in the game and is from now on maintained. Be free to use and to
report issues if you find any !
<p align="center">
<img src="https://repository-images.githubusercontent.com/56690366/bbe7c380-55b2-11eb-84ba-d06bf153fe8b" width="300px">
</p>
![Shell-linter](https://github.com/ovh/debian-cis/workflows/Run%20shell-linter/badge.svg)
![Functionnal tests](https://github.com/ovh/debian-cis/workflows/Run%20functionnal%20tests/badge.svg)
![Release](https://github.com/ovh/debian-cis/workflows/Create%20Release/badge.svg)
![Realease](https://img.shields.io/github/v/release/ovh/debian-cis)
![License](https://img.shields.io/github/license/ovh/debian-cis)
---
Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
```console
$ bin/hardening.sh --audit-all
[...]
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
13.15_check_duplicate_gid [INFO] Checking Configuration
13.15_check_duplicate_gid [INFO] Performing audit
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
13.15_check_duplicate_gid [ OK ] Check Passed
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh
6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
6.2.19_check_duplicate_gr [INFO] Checking Configuration
6.2.19_check_duplicate_gr [INFO] Performing audit
6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs
6.2.19_check_duplicate_gr [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 191
Total Runned Checks : 191
Total Passed Checks : [ 170/191 ]
Total Failed Checks : [ 21/191 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 89.01 %
Total Available Checks : 232
Total Runned Checks : 166
Total Passed Checks : [ 142/166 ]
Total Failed Checks : [ 24/166 ]
Enabled Checks Percentage : 71.00 %
Conformity Percentage : 85.00 %
```
## Quickstart
## :dizzy: Quickstart
```console
$ git clone https://github.com/ovh/debian-cis.git && cd debian-cis
$ cp debian/default /etc/default/cis-hardening
$ sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ bin/hardening/1.1_install_updates.sh --audit-all
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [ OK ] Check Passed
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/1.1.1.1_disable_freevxfs.sh
1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs
1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
1.1.1.1_disable_freevxfs [INFO] Checking Configuration
1.1.1.1_disable_freevxfs [INFO] Performing audit
1.1.1.1_disable_freevxfs [ OK ] CONFIG_VXFS_FS is disabled
1.1.1.1_disable_freevxfs [ OK ] Check Passed
```
## Usage
## :hammer: Usage
### Configuration
@ -72,7 +88,9 @@ This command has 2 main operation modes:
- ``--audit``: Audit your system with all enabled and audit mode scripts
- ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
Additionally, ``--audit-all`` can be used to force running all auditing scripts,
Additionally, some options add more granularity:
``--audit-all`` can be used to force running all auditing scripts,
including disabled ones. this will *not* change the system.
``--audit-all-enable-passed`` can be used as a quick way to kickstart your
@ -80,16 +98,29 @@ configuration. It will run all scripts in audit mode. If a script passes,
it will automatically be enabled for future runs. Do NOT use this option
if you have already started to customize your configuration.
``--sudo``: Audit your system as a normal user, but allow sudo escalation to read
``--sudo``: audit your system as a normal user, but allow sudo escalation to read
specific root read-only files. You need to provide a sudoers file in /etc/sudoers.d/
with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
not prompt for a password.
``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
``--batch``: while performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
## Hacking
``--only <check_number>``: run only the selected checks.
``--set-hardening-level``: run all checks that are lower or equal to the selected level.
Do NOT use this option if you have already started to customize your configuration.
``--allow-service <service>``: use with --set-hardening-level. Modifies the policy
to allow a certain kind of services on the machine, such as http, mail, etc.
Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
before running the audit with user secaudit, to have the rights setup well on the conf files.
## :computer: Hacking
**Getting the source**
@ -110,6 +141,15 @@ $ cp src/skel bin/hardening/99.99_custom_script.sh
$ chmod +x bin/hardening/99.99_custom_script.sh
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
```
Every custom check numerotation begins with 99. The numbering after it depends on the section the check refers to.
If the check replace somehow one that is in the CIS specifications,
you can use the numerotation of the check it replaces inplace. For example we check
the config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.
Do not forget to specify in comment if it's a bonus check (suggested by CIS but not in the CIS numerotation), a legacy check (part from previous CIS specification but deleted in more recents one) or an OVHcloud security check.
(part of OVHcloud security policy)
Code your check explaining what it does then if you want to test
@ -117,7 +157,7 @@ Code your check explaining what it does then if you want to test
$ sed -i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
$ ./bin/hardening/99.99_custom_script.sh
```
## Functional testing
## :sparkles: Functional testing
Functional tests are available. They are to be run in a Docker environment.
@ -125,7 +165,7 @@ Functional tests are available. They are to be run in a Docker environment.
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
```
With `target` being like `debian8` or `debian9`.
With `target` being like `debian9` or `debian10`.
Running without script arguments will run all tests in `./tests/hardening/` directory.
Or you can specify one or several test script to be run.
@ -151,10 +191,49 @@ Functional tests can make use of the following helper functions :
In order to write your own functional test, you will find a code skeleton in
`./src/skel.test`.
## Disclaimer
Some tests ar labelled with a disclaimer warning that we only test on a blank host
and that we will not test the apply function. It's because the check is very basic
(like a package install) and that a test on it is not really necessary.
Furthermore, some tests are disabled on docker because there not pertinent (kernel
modules, grub, partitions, ...)
You can disable a check on docker with:
```bash
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
...
fi
```
## :art: Coding style
### Shellcheck
We use [Shellcheck](https://github.com/koalaman/shellcheck) to check the
correctness of the scripts and to respect best practices.
It can be used directly with the docker environnment to check all scripts
compliancy. By default it runs on every `.sh` it founds.
```console
$ ./shellcheck/launch_shellcheck.sh [name of script...]
```
### Shellfmt
We use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a
consistent style in every script.
Identically to shellcheck, it can be run through a script with the following:
```console
$ ./shellfmt/launch_shellfmt.sh
```
It will automatically fix any styling problem on every script.
## :heavy_exclamation_mark: Disclaimer
This project is a set of tools. They are meant to help the system administrator
built a secure environment. While we use it at OVH to harden our PCI-DSS compliant
built a secure environment. While we use it at OVHcloud to harden our PCI-DSS compliant
infrastructure, we can not guarantee that it will work for you. It will not
magically secure any random host.
@ -163,7 +242,7 @@ Additionally, quoting the License:
> THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
> EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
> WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
> DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
> DISCLAIMED. IN NO EVENT SHALL OVHcloud SAS AND CONTRIBUTORS BE LIABLE FOR ANY
> DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
> (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
@ -171,13 +250,11 @@ Additionally, quoting the License:
> (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
> SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
## Reference
## :satellite: Reference
- **Center for Internet Security**: https://www.cisecurity.org/
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100
- **CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100
- **CIS recommendations**: https://learn.cisecurity.org/benchmarks
## License
3-Clause BSD
## :page_facing_up: License
Apache, Version 2.0

7
debian/changelog vendored
View File

@ -1,3 +1,10 @@
cis-hardening (3.0-1) unstable; urgency=medium
* Add workflows for github action
* Update man page and README.md
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Mon, 18 Jan 2021 09:01:28 +0100
cis-hardening (3.0) unstable; urgency=medium
* Migration to debian10 numbering

291
debian/cis-hardening.8 vendored
View File

@ -1,156 +1,169 @@
.TH "CIS Debian 7/8/9 Hardening" 8 "OVH Group"
.\" Automatically generated by Pandoc 2.6
.\"
.TH "CIS-HARDENING" "8" "2016" "" ""
.hy
.SH NAME
cis-hardening - CIS Debian 7/8/9 Hardening
.PP
cis-hardening - CIS Debian 9/10 Hardening
.SH SYNOPSIS
.PP
\f[B]hardening.sh\f[R] RUN_MODE OPTIONS
.SH DESCRIPTION
.PP
Modular Debian 7/8/9 security hardening scripts based on cisecurity.org \[la]https://www.cisecurity.org\[ra]
recommendations. We use it at OVH \[la]https://www.ovh.com\[ra] to harden our PCI\-DSS infrastructure.
Modular Debian 9/10 security hardening scripts based on the CIS
(https://www.cisecurity.org) recommendations.
.PP
.RS
.nf
$ bin/hardening.sh \-\-audit\-all
[...]
hardening [INFO] Treating /opt/cis\-hardening/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
13.15_check_duplicate_gid [INFO] Checking Configuration
13.15_check_duplicate_gid [INFO] Performing audit
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
13.15_check_duplicate_gid [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 191
Total Runned Checks : 191
Total Passed Checks : [ 170/191 ]
Total Failed Checks : [ 21/191 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 89.01 %
.fi
.RE
.SH Quickstart
.PP
.RS
.nf
$ git clone https://github.com/ovh/debian\-cis.git && cd debian\-cis
$ cp debian/default /etc/default/cis\-hardening
$ sed \-i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis\-hardening
$ bin/hardening/1.1_install_updates.sh \-\-audit\-all
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [ OK ] Check Passed
.fi
.RE
.SH Usage
.SS Configuration
.PP
Hardening scripts are in \fB\fCbin/hardening\fR\&. Each script has a corresponding
configuration file in \fB\fCetc/conf.d/[script_name].cfg\fR\&.
.PP
Each hardening script can be individually enabled from its configuration file.
For example, this is the default configuration file for \fB\fCdisable_system_accounts\fR:
.PP
.RS
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS
infrastructure.
.SH SCRIPTS CONFIGURATION
.PP
Hardening scripts are in \f[C]bin/hardening\f[R].
Each script has a corresponding configuration file in
\f[C]etc/conf.d/[script_name].cfg\f[R].
.PP
Each hardening script can be individually enabled from its configuration
file.
For example, this is the default configuration file for
\f[C]disable_system_accounts\f[R]:
.IP
.nf
\f[C]
# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""
EXCEPTIONS=\[dq]\[dq]
\f[R]
.fi
.RE
.PP
\fB\fCstatus\fR parameter may take 3 values:
\fB\fCdisabled\fR (do nothing): The script will not run.
\fB\fCaudit\fR (RO): The script will check if any change \fIshould\fP be applied.
\fB\fCenabled\fR (RW): The script will check if any change should be done and automatically apply what it can.
\f[B]status\f[R] parameter may take 3 values:
.IP \[bu] 2
\f[C]disabled\f[R] (do nothing): The script will not run.
.IP \[bu] 2
\f[C]audit\f[R] (RO): The script will check if any change should be
applied.
.IP \[bu] 2
\f[C]enabled\f[R] (RW): The script will check if any change should be
done and automatically apply what it can.
.PP
Global configuration is in \fB\fCetc/hardening.cfg\fR\&. This file controls the log level
as well as the backup directory. Whenever a script is instructed to edit a file, it
will create a timestamped backup in this directory.
.SS Run aka "Harden your distro"
Global configuration is in \f[C]etc/hardening.cfg\f[R].
This file controls the log level as well as the backup directory.
Whenever a script is instructed to edit a file, it will create a
timestamped backup in this directory.
.SH RUN MODE
.TP
.B \f[C]-h\f[R], \f[C]--help\f[R]
Display a friendly help message.
.TP
.B \f[C]--apply\f[R]
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you\[cq]re
warmly advised to use \f[C]--audit\f[R] before, which can be regarded as
a dry-run mode.
.TP
.B \f[C]--audit\f[R]
Audit configuration for enabled scripts.
No modification will be made on the system, we\[cq]ll only report on
your system compliance for each script.
.TP
.B \f[C]--audit-all\f[R]
Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled
ones.
This is a good way to peek at your compliance level if all scripts were
enabled, and might be a good starting point.
.TP
.B \f[C]--audit-all-enable-passed\f[R]
Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R]
the individual scripts configurations to enable those which passed for
your system.
This is an easy way to enable scripts for which you\[cq]re already
compliant.
However, please always review each activated script afterwards, this
option should only be regarded as a way to kickstart a configuration
from scratch.
Don\[cq]t run this if you have already customized the scripts
enable/disable configurations, obviously.
.TP
.B \f[C]--create-config-files-only\f[R]
Create the config files in etc/conf.d Must be run as root, before
running the audit with user secaudit
.TP
.B \f[C]-set-hardening-level=level\f[R]
Modifies the configuration to enable/disable tests given an hardening
level, between 1 to 5.
Don\[cq]t run this if you have already customized the scripts
enable/disable configurations.
1: very basic policy, failure to pass tests at this level indicates
severe misconfiguration of the machine that can have a huge security
impact 2: basic policy, some good practice rules that, once applied,
shouldn\[cq]t break anything on most systems 3: best practices policy,
passing all tests might need some configuration modifications (such as
specific partitioning, etc.) 4: high security policy, passing all tests
might be time-consuming and require high adaptation of your workflow 5:
placebo, policy rules that might be very difficult to apply and
maintain, with questionable security benefits
.TP
.B \f[C]--allow-service=service\f[R]
Use with \f[C]--set-hardening-level\f[R].
Modifies the policy to allow a certain kind of services on the machine,
such as http, mail, etc.
Can be specified multiple times to allow multiple services.
Use \[en]allow-service-list to get a list of supported services.
.SH OPTIONS
.TP
.B \f[C]--allow-service-list\f[R]
Get a list of supported service.
.TP
.B \f[C]--only test-number\f[R]
Modifies the RUN_MODE to only work on the test_number script.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script, i.e.\ the test
number of 1.2_script_name.sh is 1.2.
.TP
.B \f[C]--sudo\f[R]
This option lets you audit your system as a normal user, but allows sudo
escalation to gain read-only access to root files.
Note that you need to provide a sudoers file with NOPASSWD option in
/etc/sudoers.d/ because the -n option instructs sudo not to prompt for a
password.
Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
.TP
.B \f[C]--batch\f[R]
While performing system audit, this option sets LOGLEVEL to `ok' and
captures all output to print only one line once the check is done,
formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
.SH AUTHORS
.IP \[bu] 2
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
.IP \[bu] 2
St\['e]phane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
.IP \[bu] 2
Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
.IP \[bu] 2
Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
.SH COPYRIGHT
.PP
To run the checks and apply the fixes, run \fB\fCbin/hardening.sh\fR\&.
Copyright 2020 OVHcloud
.PP
This command has 2 main operation modes:
\fB\fC\-\-audit\fR: Audit your system with all enabled and audit mode scripts
\fB\fC\-\-apply\fR: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
.PP
Additionally, \fB\fC\-\-audit\-all\fR can be used to force running all auditing scripts,
including disabled ones. this will \fInot\fP change the system.
.PP
\fB\fC\-\-audit\-all\-enable\-passed\fR can be used as a quick way to kickstart your
configuration. It will run all scripts in audit mode. If a script passes,
it will automatically be enabled for future runs. Do NOT use this option
if you have already started to customize your configuration.
.SH Hacking
.PP
\fBGetting the source\fP
.PP
.RS
Licensed under the Apache License, Version 2.0 (the \[lq]License\[rq]);
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.IP
.nf
$ git clone https://github.com/ovh/debian\-cis.git
\f[C]
http://www.apache.org/licenses/LICENSE-2.0
\f[R]
.fi
.RE
.PP
\fBBuilding a debian Package\fP (the hacky way)
.PP
.RS
.nf
$ debuild \-us \-uc
.fi
.RE
.PP
\fBAdding a custom hardening script\fP
.PP
.RS
.nf
$ cp src/skel bin/hardening/99.99_custom_script.sh
$ chmod +x bin/hardening/99.99_custom_script.sh
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
.fi
.RE
.PP
Code your check explaining what it does then if you want to test
.PP
.RS
.nf
$ sed \-i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
$ ./bin/hardening/99.99_custom_script.sh
.fi
.RE
.SH Disclaimer
.PP
This project is a set of tools. They are meant to help the system administrator
built a secure environment. While we use it at OVH to harden our PCI\-DSS compliant
infrastructure, we can not guarantee that it will work for you. It will not
magically secure any random host.
.PP
Additionally, quoting the License:
.PP
.RS
THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.RE
.SH Reference
.PP
.RS
.nf
**Center for Internet Security**: https://www.cisecurity.org/
**CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian7.100
**CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian8.100
.fi
.RE
.SH License
.PP
3\-Clause BSD
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an \[lq]AS IS\[rq]
BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied.
See the License for the specific language governing permissions and
limitations under the License.
# SEE ALSO
.IP \[bu] 2
\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/
.IP \[bu] 2
\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks
.IP \[bu] 2
\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis

2
debian/compat vendored
View File

@ -1 +1 @@
8
9