.\" Automatically generated by Pandoc 2.6
.\"
.TH "CIS-HARDENING" "8" "2016" "" ""
.hy
.SH NAME
.PP
cis-hardening - CIS Debian 10/11/12 Hardening
.SH SYNOPSIS
.PP
\f[B]hardening.sh\f[R] RUN_MODE OPTIONS
.SH DESCRIPTION
.PP
Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
.PP
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
.SH SCRIPTS CONFIGURATION
.PP
Hardening scripts are in \f[C]bin/hardening\f[R].
Each script has a corresponding configuration file in \f[C]etc/conf.d/[script_name].cfg\f[R].
.PP
Each hardening script can be individually enabled from its configuration file.
For example, this is the default configuration file for \f[C]disable_system_accounts\f[R]:
.IP
.nf
\f[C]
# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=\[dq]\[dq]
\f[R]
.fi
.PP
The \f[B]status\f[R] parameter may take 3 values:
.IP \[bu] 2
\f[C]disabled\f[R] (do nothing): The script will not run.
.IP \[bu] 2
\f[C]audit\f[R] (RO, read-only): The script will check whether any change would be needed and report it, without modifying the system.
.IP \[bu] 2
\f[C]enabled\f[R] (RW, read-write): The script will check whether any change is needed and automatically apply what it can.
.PP
Global configuration is in \f[C]etc/hardening.cfg\f[R].
This file controls the log level as well as the backup directory.
Whenever a script is instructed to edit a file, it will create a timestamped backup in this directory.
.SH RUN MODE
.TP
.B \f[C]-h\f[R], \f[C]--help\f[R]
Display a friendly help message.
.TP
.B \f[C]--apply\f[R]
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you\[cq]re warmly advised to use \f[C]--audit\f[R] before, which can be regarded as a dry-run mode.
.TP
.B \f[C]--audit\f[R]
Audit configuration for enabled scripts.
No modification will be made on the system; we\[cq]ll only report on your system\[cq]s compliance for each script.
.TP
.B \f[C]--audit-all\f[R]
Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled ones.
This is a good way to peek at your compliance level if all scripts were enabled, and might be a good starting point.
.TP
.B \f[C]--audit-all-enable-passed\f[R]
Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R] the individual scripts\[cq] configuration files to enable those which passed on your system.
This is an easy way to enable scripts for which you\[cq]re already compliant.
However, please always review each activated script afterwards; this option should only be regarded as a way to kickstart a configuration from scratch.
Don\[cq]t run this if you have already customized the scripts\[cq] enable/disable configuration, obviously.
.TP
.B \f[C]--create-config-files-only\f[R]
Create the config files in etc/conf.d.
Must be run as root, before running the audit with user secaudit.
.TP
.B \f[C]--set-hardening-level=level\f[R]
Modifies the configuration to enable/disable tests given a hardening level, from 1 to 5.
Don\[cq]t run this if you have already customized the scripts\[cq] enable/disable configuration.
.RS
.IP \[bu] 2
1: very basic policy; failure to pass tests at this level indicates severe misconfiguration of the machine that can have a huge security impact.
.IP \[bu] 2
2: basic policy; some good practice rules that, once applied, shouldn\[cq]t break anything on most systems.
.IP \[bu] 2
3: best practices policy; passing all tests might need some configuration modifications (such as specific partitioning, etc.).
.IP \[bu] 2
4: high security policy; passing all tests might be time-consuming and require high adaptation of your workflow.
.IP \[bu] 2
5: placebo; policy rules that might be very difficult to apply and maintain, with questionable security benefits.
.RE
.TP
.B \f[C]--allow-service=service\f[R]
Use with \f[C]--set-hardening-level\f[R].
Modifies the policy to allow a certain kind of service on the machine, such as http, mail, etc.
Can be specified multiple times to allow multiple services.
Use \f[C]--allow-service-list\f[R] to get a list of supported services.
.SH OPTIONS
.TP
.B \f[C]--allow-service-list\f[R]
Get a list of supported services.
.TP
.B \f[C]--only test-number\f[R]
Modifies the RUN_MODE to only work on the script with that test number.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script, i.e.\ the test number of 1.2_script_name.sh is 1.2.
.TP
.B \f[C]--sudo\f[R]
This option lets you audit your system as a normal user, but allows sudo escalation to gain read-only access to root files.
Note that you need to provide a sudoers file with the NOPASSWD option in /etc/sudoers.d/, because the scripts call sudo with \f[C]-n\f[R], which instructs sudo not to prompt for a password.
Such a drop-in grants that user passwordless root, so restrict it to the audit user only, keep it root-owned with mode 0440, and check it with \f[C]visudo -cf\f[R] before installing it: a syntax error in a file under /etc/sudoers.d/ can lock sudo for every user.
Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
.TP
.B \f[C]--set-log-level=level\f[R]
This option sets LOGLEVEL; you can choose: info, warning, error, ok, debug.
Default value is: info.
.TP
.B \f[C]--batch\f[R]
While performing a system audit, this option sets LOGLEVEL to `ok' and captures all output to print only one line once the check is done, formatted like:
.RS
.nf
\f[C]
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
\f[R]
.fi
.RE
.TP
.B \f[C]--allow-unsupported-distribution\f[R]
Must be specified manually on the command line to allow the run on a non-compatible version or distribution.
If you want to mute the warning, change the LOGLEVEL in /etc/hardening.cfg.
.SH AUTHORS
.IP \[bu] 2
Thibault Dewailly, OVHcloud
.IP \[bu] 2
St\['e]phane Lesimple, OVHcloud
.IP \[bu] 2
Thibault Ayanides, OVHcloud
.IP \[bu] 2
Kevin Tanguy, OVHcloud
.SH COPYRIGHT
.PP
Copyright 2023 OVHcloud
.PP
Licensed under the Apache License, Version 2.0 (the \[lq]License\[rq]); you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.IP
.nf
\f[C]
http://www.apache.org/licenses/LICENSE-2.0
\f[R]
.fi
.PP
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \[lq]AS IS\[rq] BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.
.SH SEE ALSO
.IP \[bu] 2
\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/
.IP \[bu] 2
\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks
.IP \[bu] 2
\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis
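.SH EXAMPLES
.PP
The shell functions below are an added example and are not part of debian-cis; they parse the one-line-per-check output produced by \f[C]--batch\f[R] (format described under OPTIONS) so that an \f[C]--audit --batch\f[R] run can be summarised or used as a CI gate.
The sample lines are constructed, and the example assumes that each line was captured from a separate run restricted with \f[C]--only\f[R], so which line belongs to which script is the caller\[cq]s bookkeeping, not something encoded in the line.

```sh
#!/bin/sh
# Added example, not part of debian-cis: parse the one-line-per-check output
# that hardening.sh prints in --batch mode, as documented under OPTIONS:
#   OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
# Assumption: the caller runs one script per invocation (e.g. with --only) and
# keeps one such line per script; the line itself carries no script name.
set -u

# Constructed sample output: three checks, as if captured from three runs of
#   hardening.sh --audit --batch --only <test-number>
SAMPLE_BATCH_OUTPUT='OK OK{/tmp is a separate partition} OK{nodev option set on /tmp}
KO OK{/var is a separate partition} KO{nosuid option missing on /var} WARN{noexec option missing on /var}
KO KO{/home is not a separate partition}'

# batch_summary LINES: print "passed=N failed=M warnings=W" for the given lines.
# The first field of each line is the overall verdict; WARN{...} tokens are
# counted separately because they do not turn the verdict into KO.
batch_summary() {
    printf '%s\n' "$1" | awk '
        $1 == "OK" { ok++ }
        $1 == "KO" { ko++ }
        { warn += gsub(/WARN[{]/, "&") }   # gsub returns the number of WARN{ tokens
        END { printf "passed=%d failed=%d warnings=%d\n", ok + 0, ko + 0, warn + 0 }'
}

# batch_failures LINES: print the message of every KO{...} subcheck found on a
# failed line, one message per line. "KO{" matches neither "OK{" nor "WARN{",
# so passing subchecks on a failed line are skipped.
batch_failures() {
    printf '%s\n' "$1" | awk '
        $1 == "KO" {
            rest = $0
            while (match(rest, /KO[{][^}]*[}]/)) {
                # strip the leading "KO{" (3 chars) and the trailing "}" (1 char)
                print substr(rest, RSTART + 3, RLENGTH - 4)
                rest = substr(rest, RSTART + RLENGTH)
            }
        }'
}

# batch_compliant LINES: exit 0 when no line carries a KO verdict, 1 otherwise.
# Usable as a CI gate after an --audit --batch run.
batch_compliant() {
    ! printf '%s\n' "$1" | grep -q '^KO'
}

# Stand-alone run: summarise the constructed sample and list what failed.
batch_summary "$SAMPLE_BATCH_OUTPUT"
batch_failures "$SAMPLE_BATCH_OUTPUT" | sed 's/^/FAILED: /'
if batch_compliant "$SAMPLE_BATCH_OUTPUT"; then
    echo "compliant"
else
    echo "not compliant"
fi
```
.PP
\f[C]batch_compliant\f[R] returns non-zero as soon as any line carries a KO verdict; WARN subchecks are counted but do not fail the gate, since in the documented format only the first token is the overall verdict.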