debian-cis/MANUAL.md

% CIS-HARDENING(8) % % 2016

NAME

cis-hardening - CIS Debian 9/10 Hardening

SYNOPSIS

hardening.sh RUN_MODE [OPTIONS]

DESCRIPTION

Modular Debian 9/10 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.

We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.

SCRIPTS CONFIGURATION

Hardening scripts are in bin/hardening. Each script has a corresponding configuration file in etc/conf.d/[script_name].cfg.

Each hardening script can be individually enabled from its configuration file. For example, this is the default configuration file for disable_system_accounts:

# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""

status parameter may take 3 values:

• disabled (do nothing): The script will not run.
• audit (RO): The script will check if any change should be applied.
• enabled (RW): The script will check if any change should be done and automatically apply what it can.

Global configuration is in etc/hardening.cfg. This file controls the log level as well as the backup directory. Whenever a script is instructed to edit a file, it will create a timestamped backup in this directory.

RUN MODE

-h, --help

Display a friendly help message.

--apply

Apply hardening for enabled scripts. Beware that NO confirmation is asked whatsoever, which is why you're warmly advised to use --audit before, which can be regarded as a dry-run mode.

--audit

Audit configuration for enabled scripts. No modification will be made on the system, we'll only report on your system compliance for each script.

--audit-all

Same as --audit, but for all scripts, even disabled ones. This is a good way to peek at your compliance level if all scripts were enabled, and might be a good starting point.

--audit-all-enable-passed

Same as --audit-all, but in addition, will modify the individual scripts configurations to enable those which passed for your system. This is an easy way to enable scripts for which you're already compliant. However, please always review each activated script afterwards, this option should only be regarded as a way to kickstart a configuration from scratch. Don't run this if you have already customized the scripts enable/disable configurations, obviously.

--create-config-files-only

Create the config files in etc/conf.d Must be run as root, before running the audit with user secaudit

-set-hardening-level=level

Modifies the configuration to enable/disable tests given an hardening level, between 1 to 5. Don't run this if you have already customized the scripts enable/disable configurations. 1: very basic policy, failure to pass tests at this level indicates severe misconfiguration of the machine that can have a huge security impact 2: basic policy, some good practice rules that, once applied, shouldn't break anything on most systems 3: best practices policy, passing all tests might need some configuration modifications (such as specific partitioning, etc.) 4: high security policy, passing all tests might be time-consuming and require high adaptation of your workflow 5: placebo, policy rules that might be very difficult to apply and maintain, with questionable security benefits

--allow-service=service

Use with --set-hardening-level. Modifies the policy to allow a certain kind of services on the machine, such as http, mail, etc. Can be specified multiple times to allow multiple services. Use --allow-service-list to get a list of supported services.

OPTIONS

--allow-service-list

Get a list of supported service.

--only test-number

Modifies the RUN_MODE to only work on the test_number script. Can be specified multiple times to work only on several scripts. The test number is the numbered prefix of the script, i.e. the test number of 1.2_script_name.sh is 1.2.

--sudo

This option lets you audit your system as a normal user, but allows sudo escalation to gain read-only access to root files. Note that you need to provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because the -n option instructs sudo not to prompt for a password. Finally note that --sudo mode only works for audit mode.

--batch

While performing system audit, this option sets LOGLEVEL to 'ok' and captures all output to print only one line once the check is done, formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]

AUTHORS

• Thibault Dewailly, OVHcloud thibault.dewailly@ovhcloud.com
• Stéphane Lesimple, OVHcloud stephane.lesimple@ovhcloud.com
• Thibault Ayanides, OVHcloud thibault.ayanides@ovhcloud.com
• Kevin Tanguy, OVHcloud kevin.tanguy@ovhcloud.com

COPYRIGHT

MIT License

Copyright (c) 2016, OVHcloud

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

SEE ALSO

• Center for Internet Security: https://www.cisecurity.org/
• CIS recommendations: https://learn.cisecurity.org/benchmarks
• Project repository: https://github.com/ovh/debian-cis