mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-21 21:17:00 +01:00
2e53dfb573
* feat: Officialize Debian 12 support Functional tests now pass CIS Benchmark PDF for Debian 12 is not out yet, but the hardening points checked are still relevant in Debian 12. OVHcloud is now using it in critical production, hence making it officially supported --------- Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
181 lines
6.4 KiB
Groff
181 lines
6.4 KiB
Groff
.\" Automatically generated by Pandoc 2.6
|
|
.\"
|
|
.TH "CIS-HARDENING" "8" "2016" "" ""
|
|
.hy
|
|
.SH NAME
|
|
.PP
|
|
cis-hardening - CIS Debian 10/11/12 Hardening
|
|
.SH SYNOPSIS
|
|
.PP
|
|
\f[B]hardening.sh\f[R] RUN_MODE OPTIONS
|
|
.SH DESCRIPTION
|
|
.PP
|
|
Modular Debian 10/11/12 security hardening scripts based on the CIS
|
|
(https://www.cisecurity.org) recommendations.
|
|
.PP
|
|
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS
|
|
infrastructure.
|
|
.SH SCRIPTS CONFIGURATION
|
|
.PP
|
|
Hardening scripts are in \f[C]bin/hardening\f[R].
|
|
Each script has a corresponding configuration file in
|
|
\f[C]etc/conf.d/[script_name].cfg\f[R].
|
|
.PP
|
|
Each hardening script can be individually enabled from its configuration
|
|
file.
|
|
For example, this is the default configuration file for
|
|
\f[C]disable_system_accounts\f[R]:
|
|
.IP
|
|
.nf
|
|
\f[C]
|
|
# Configuration for script of same name
|
|
status=disabled
|
|
# Put here your exceptions concerning admin accounts shells separated by spaces
|
|
EXCEPTIONS=\[dq]\[dq]
|
|
\f[R]
|
|
.fi
|
|
.PP
|
|
\f[B]status\f[R] parameter may take 3 values:
|
|
.IP \[bu] 2
|
|
\f[C]disabled\f[R] (do nothing): The script will not run.
|
|
.IP \[bu] 2
|
|
\f[C]audit\f[R] (RO): The script will check if any change should be
|
|
applied.
|
|
.IP \[bu] 2
|
|
\f[C]enabled\f[R] (RW): The script will check if any change should be
|
|
done and automatically apply what it can.
|
|
.PP
|
|
Global configuration is in \f[C]etc/hardening.cfg\f[R].
|
|
This file controls the log level as well as the backup directory.
|
|
Whenever a script is instructed to edit a file, it will create a
|
|
timestamped backup in this directory.
|
|
.SH RUN MODE
|
|
.TP
|
|
.B \f[C]-h\f[R], \f[C]--help\f[R]
|
|
Display a friendly help message.
|
|
.TP
|
|
.B \f[C]--apply\f[R]
|
|
Apply hardening for enabled scripts.
|
|
Beware that NO confirmation is asked whatsoever, which is why you\[cq]re
|
|
warmly advised to use \f[C]--audit\f[R] before, which can be regarded as
|
|
a dry-run mode.
|
|
.TP
|
|
.B \f[C]--audit\f[R]
|
|
Audit configuration for enabled scripts.
|
|
No modification will be made on the system, we\[cq]ll only report on
|
|
your system compliance for each script.
|
|
.TP
|
|
.B \f[C]--audit-all\f[R]
|
|
Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled
|
|
ones.
|
|
This is a good way to peek at your compliance level if all scripts were
|
|
enabled, and might be a good starting point.
|
|
.TP
|
|
.B \f[C]--audit-all-enable-passed\f[R]
|
|
Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R]
|
|
the individual scripts configurations to enable those which passed for
|
|
your system.
|
|
This is an easy way to enable scripts for which you\[cq]re already
|
|
compliant.
|
|
However, please always review each activated script afterwards, this
|
|
option should only be regarded as a way to kickstart a configuration
|
|
from scratch.
|
|
Don\[cq]t run this if you have already customized the scripts
|
|
enable/disable configurations, obviously.
|
|
.TP
|
|
.B \f[C]--create-config-files-only\f[R]
|
|
Create the config files in etc/conf.d Must be run as root, before
|
|
running the audit with user secaudit
|
|
.TP
|
|
.B \f[C]-set-hardening-level=level\f[R]
|
|
Modifies the configuration to enable/disable tests given an hardening
|
|
level, between 1 to 5.
|
|
Don\[cq]t run this if you have already customized the scripts
|
|
enable/disable configurations.
|
|
1: very basic policy, failure to pass tests at this level indicates
|
|
severe misconfiguration of the machine that can have a huge security
|
|
impact 2: basic policy, some good practice rules that, once applied,
|
|
shouldn\[cq]t break anything on most systems 3: best practices policy,
|
|
passing all tests might need some configuration modifications (such as
|
|
specific partitioning, etc.) 4: high security policy, passing all tests
|
|
might be time-consuming and require high adaptation of your workflow 5:
|
|
placebo, policy rules that might be very difficult to apply and
|
|
maintain, with questionable security benefits
|
|
.TP
|
|
.B \f[C]--allow-service=service\f[R]
|
|
Use with \f[C]--set-hardening-level\f[R].
|
|
Modifies the policy to allow a certain kind of services on the machine,
|
|
such as http, mail, etc.
|
|
Can be specified multiple times to allow multiple services.
|
|
Use \[en]allow-service-list to get a list of supported services.
|
|
.SH OPTIONS
|
|
.TP
|
|
.B \f[C]--allow-service-list\f[R]
|
|
Get a list of supported service.
|
|
.TP
|
|
.B \f[C]--only test-number\f[R]
|
|
Modifies the RUN_MODE to only work on the test_number script.
|
|
Can be specified multiple times to work only on several scripts.
|
|
The test number is the numbered prefix of the script, i.e.\ the test
|
|
number of 1.2_script_name.sh is 1.2.
|
|
.TP
|
|
.B \f[C]--sudo\f[R]
|
|
This option lets you audit your system as a normal user, but allows sudo
|
|
escalation to gain read-only access to root files.
|
|
Note that you need to provide a sudoers file with NOPASSWD option in
|
|
/etc/sudoers.d/ because the -n option instructs sudo not to prompt for a
|
|
password.
|
|
Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
|
|
.TP
|
|
.B \f[C]--set-log-level=level\f[R]
|
|
This option sets LOGLEVEL, you can choose : info, warning, error, ok,
|
|
debug.
|
|
Default value is : info
|
|
.TP
|
|
.B \f[C]--batch\f[R]
|
|
While performing system audit, this option sets LOGLEVEL to `ok' and
|
|
captures all output to print only one line once the check is done,
|
|
formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
|
|
.PP
|
|
\f[C]--allow-unsupported-distribution\f[R] Must be specified manually in
|
|
the command line to allow the run on non compatible version or
|
|
distribution.
|
|
If you want to mute the warning change the LOGLEVEL in
|
|
/etc/hardening.cfg
|
|
.SH AUTHORS
|
|
.IP \[bu] 2
|
|
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
|
|
.IP \[bu] 2
|
|
St\['e]phane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
|
|
.IP \[bu] 2
|
|
Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
|
|
.IP \[bu] 2
|
|
Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
|
|
.SH COPYRIGHT
|
|
.PP
|
|
Copyright 2023 OVHcloud
|
|
.PP
|
|
Licensed under the Apache License, Version 2.0 (the \[lq]License\[rq]);
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
.IP
|
|
.nf
|
|
\f[C]
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
\f[R]
|
|
.fi
|
|
.PP
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an \[lq]AS IS\[rq]
|
|
BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
# SEE ALSO
|
|
.IP \[bu] 2
|
|
\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/
|
|
.IP \[bu] 2
|
|
\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks
|
|
.IP \[bu] 2
|
|
\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis
|