mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-26 23:41:08 +01:00
156 lines
5.4 KiB
Groff
156 lines
5.4 KiB
Groff
.TH "CIS Debian 7 Hardening" 8 "OVH Group"
|
|
.SH NAME
|
|
cis-hardening - CIS Debian 7 Hardening
|
|
.PP
|
|
.SH DESCRIPTION
|
|
.PP
|
|
Modular Debian 7 security hardening scripts based on cisecurity.org \[la]https://www.cisecurity.org\[ra]
|
|
recommendations. We use it at OVH \[la]https://www.ovh.com\[ra] to harden our PCI\-DSS infrastructure.
|
|
.PP
|
|
.RS
|
|
.nf
|
|
$ bin/hardening.sh \-\-audit\-all
|
|
[...]
|
|
hardening [INFO] Treating /opt/cis\-hardening/bin/hardening/13.15_check_duplicate_gid.sh
|
|
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
|
|
13.15_check_duplicate_gid [INFO] Checking Configuration
|
|
13.15_check_duplicate_gid [INFO] Performing audit
|
|
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
|
|
13.15_check_duplicate_gid [ OK ] Check Passed
|
|
[...]
|
|
################### SUMMARY ###################
|
|
Total Available Checks : 191
|
|
Total Runned Checks : 191
|
|
Total Passed Checks : [ 170/191 ]
|
|
Total Failed Checks : [ 21/191 ]
|
|
Enabled Checks Percentage : 100.00 %
|
|
Conformity Percentage : 89.01 %
|
|
.fi
|
|
.RE
|
|
.SH Quickstart
|
|
.PP
|
|
.RS
|
|
.nf
|
|
$ git clone https://github.com/ovh/debian\-cis.git && cd debian\-cis
|
|
$ cp debian/default /etc/default/cis\-hardening
|
|
$ sed \-i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis\-hardening
|
|
$ bin/hardening/1.1_install_updates.sh \-\-audit\-all
|
|
1.1_install_updates [INFO] Working on 1.1_install_updates
|
|
1.1_install_updates [INFO] Checking Configuration
|
|
1.1_install_updates [INFO] Performing audit
|
|
1.1_install_updates [INFO] Checking if apt needs an update
|
|
1.1_install_updates [INFO] Fetching upgrades ...
|
|
1.1_install_updates [ OK ] No upgrades available
|
|
1.1_install_updates [ OK ] Check Passed
|
|
.fi
|
|
.RE
|
|
.SH Usage
|
|
.SS Configuration
|
|
.PP
|
|
Hardening scripts are in \fB\fCbin/hardening\fR\&. Each script has a corresponding
|
|
configuration file in \fB\fCetc/conf.d/[script_name].cfg\fR\&.
|
|
.PP
|
|
Each hardening script can be individually enabled from its configuration file.
|
|
For example, this is the default configuration file for \fB\fCdisable_system_accounts\fR:
|
|
.PP
|
|
.RS
|
|
.nf
|
|
# Configuration for script of same name
|
|
status=disabled
|
|
# Put here your exceptions concerning admin accounts shells separated by spaces
|
|
EXCEPTIONS=""
|
|
.fi
|
|
.RE
|
|
.PP
|
|
\fB\fCstatus\fR parameter may take 3 values:
|
|
\fB\fCdisabled\fR (do nothing): The script will not run.
|
|
\fB\fCaudit\fR (RO): The script will check if any change \fIshould\fP be applied.
|
|
\fB\fCenabled\fR (RW): The script will check if any change should be done and automatically apply what it can.
|
|
.PP
|
|
Global configuration is in \fB\fCetc/hardening.cfg\fR\&. This file controls the log level
|
|
as well as the backup directory. Whenever a script is instructed to edit a file, it
|
|
will create a timestamped backup in this directory.
|
|
.SS Run aka "Harden your distro"
|
|
.PP
|
|
To run the checks and apply the fixes, run \fB\fCbin/hardening.sh\fR\&.
|
|
.PP
|
|
This command has 2 main operation modes:
|
|
\fB\fC\-\-audit\fR: Audit your system with all enabled and audit mode scripts
|
|
\fB\fC\-\-apply\fR: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
|
|
.PP
|
|
Additionally, \fB\fC\-\-audit\-all\fR can be used to force running all auditing scripts,
|
|
including disabled ones. this will \fInot\fP change the system.
|
|
.PP
|
|
\fB\fC\-\-audit\-all\-enable\-passed\fR can be used as a quick way to kickstart your
|
|
configuration. It will run all scripts in audit mode. If a script passes,
|
|
it will automatically be enabled for future runs. Do NOT use this option
|
|
if you have already started to customize your configuration.
|
|
.SH Hacking
|
|
.PP
|
|
\fBGetting the source\fP
|
|
.PP
|
|
.RS
|
|
.nf
|
|
$ git clone https://github.com/ovh/debian\-cis.git
|
|
.fi
|
|
.RE
|
|
.PP
|
|
\fBBuilding a debian Package\fP (the hacky way)
|
|
.PP
|
|
.RS
|
|
.nf
|
|
$ debuild \-us \-uc
|
|
.fi
|
|
.RE
|
|
.PP
|
|
\fBAdding a custom hardening script\fP
|
|
.PP
|
|
.RS
|
|
.nf
|
|
$ cp src/skel bin/hardening/99.99_custom_script.sh
|
|
$ chmod +x bin/hardening/99.99_custom_script.sh
|
|
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
|
|
.fi
|
|
.RE
|
|
.PP
|
|
Code your check explaining what it does then if you want to test
|
|
.PP
|
|
.RS
|
|
.nf
|
|
$ sed \-i "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
|
|
$ ./bin/hardening/99.99_custom_script.sh
|
|
.fi
|
|
.RE
|
|
.SH Disclaimer
|
|
.PP
|
|
This project is a set of tools. They are meant to help the system administrator
|
|
built a secure environment. While we use it at OVH to harden our PCI\-DSS compliant
|
|
infrastructure, we can not guarantee that it will work for you. It will not
|
|
magically secure any random host.
|
|
.PP
|
|
Additionally, quoting the License:
|
|
.PP
|
|
.RS
|
|
THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY
|
|
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY
|
|
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.RE
|
|
.SH Reference
|
|
.PP
|
|
.RS
|
|
.nf
|
|
**Center for Internet Security**: https://www.cisecurity.org/
|
|
**CIS recommendations**: https://benchmarks.cisecurity.org/downloads/show\-single/index.cfm?file=debian7.100
|
|
.fi
|
|
.RE
|
|
.SH License
|
|
.PP
|
|
3\-Clause BSD
|