debian-cis/debian/cis-hardening.8

.\" Automatically generated by Pandoc 2.6
.\"
.TH "CIS-HARDENING" "8" "2016" "" ""
.hy
.SH NAME
.PP
cis-hardening - CIS Debian 9/10 Hardening
.SH SYNOPSIS
.PP
\f[B]hardening.sh\f[R] RUN_MODE OPTIONS
.SH DESCRIPTION
.PP
Modular Debian 9/10 security hardening scripts based on the CIS
(https://www.cisecurity.org) recommendations.
.PP
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS
infrastructure.
.SH SCRIPTS CONFIGURATION
.PP
Hardening scripts are in \f[C]bin/hardening\f[R].
Each script has a corresponding configuration file in
\f[C]etc/conf.d/[script_name].cfg\f[R].
.PP
Each hardening script can be individually enabled from its configuration
file.
For example, this is the default configuration file for
\f[C]disable_system_accounts\f[R]:
.IP
.nf
\f[C]
# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=\[dq]\[dq]
\f[R]
.fi
.PP
\f[B]status\f[R] parameter may take 3 values:
.IP \[bu] 2
\f[C]disabled\f[R] (do nothing): The script will not run.
.IP \[bu] 2
\f[C]audit\f[R] (RO): The script will check if any change should be
applied.
.IP \[bu] 2
\f[C]enabled\f[R] (RW): The script will check if any change should be
done and automatically apply what it can.
.PP
Global configuration is in \f[C]etc/hardening.cfg\f[R].
This file controls the log level as well as the backup directory.
Whenever a script is instructed to edit a file, it will create a
timestamped backup in this directory.
.SH RUN MODE
.TP
.B \f[C]-h\f[R], \f[C]--help\f[R]
Display a friendly help message.
.TP
.B \f[C]--apply\f[R]
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you\[cq]re
warmly advised to use \f[C]--audit\f[R] before, which can be regarded as
a dry-run mode.
.TP
.B \f[C]--audit\f[R]
Audit configuration for enabled scripts.
No modification will be made on the system, we\[cq]ll only report on
your system compliance for each script.
.TP
.B \f[C]--audit-all\f[R]
Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled
ones.
This is a good way to peek at your compliance level if all scripts were
enabled, and might be a good starting point.
.TP
.B \f[C]--audit-all-enable-passed\f[R]
Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R]
the individual scripts configurations to enable those which passed for
your system.
This is an easy way to enable scripts for which you\[cq]re already
compliant.
However, please always review each activated script afterwards, this
option should only be regarded as a way to kickstart a configuration
from scratch.
Don\[cq]t run this if you have already customized the scripts
enable/disable configurations, obviously.
.TP
.B \f[C]--create-config-files-only\f[R]
Create the config files in etc/conf.d Must be run as root, before
running the audit with user secaudit
.TP
.B \f[C]-set-hardening-level=level\f[R]
Modifies the configuration to enable/disable tests given an hardening
level, between 1 to 5.
Don\[cq]t run this if you have already customized the scripts
enable/disable configurations.
1: very basic policy, failure to pass tests at this level indicates
severe misconfiguration of the machine that can have a huge security
impact 2: basic policy, some good practice rules that, once applied,
shouldn\[cq]t break anything on most systems 3: best practices policy,
passing all tests might need some configuration modifications (such as
specific partitioning, etc.) 4: high security policy, passing all tests
might be time-consuming and require high adaptation of your workflow 5:
placebo, policy rules that might be very difficult to apply and
maintain, with questionable security benefits
.TP
.B \f[C]--allow-service=service\f[R]
Use with \f[C]--set-hardening-level\f[R].
Modifies the policy to allow a certain kind of services on the machine,
such as http, mail, etc.
Can be specified multiple times to allow multiple services.
Use \[en]allow-service-list to get a list of supported services.
.SH OPTIONS
.TP
.B \f[C]--allow-service-list\f[R]
Get a list of supported service.
.TP
.B \f[C]--only test-number\f[R]
Modifies the RUN_MODE to only work on the test_number script.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script, i.e.\ the test
number of 1.2_script_name.sh is 1.2.
.TP
.B \f[C]--sudo\f[R]
This option lets you audit your system as a normal user, but allows sudo
escalation to gain read-only access to root files.
Note that you need to provide a sudoers file with NOPASSWD option in
/etc/sudoers.d/ because the -n option instructs sudo not to prompt for a
password.
Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
.TP
.B \f[C]--batch\f[R]
While performing system audit, this option sets LOGLEVEL to `ok' and
captures all output to print only one line once the check is done,
formatted like : OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
.SH AUTHORS
.IP \[bu] 2
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
.IP \[bu] 2
St\['e]phane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
.IP \[bu] 2
Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
.IP \[bu] 2
Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
.SH COPYRIGHT
.PP
Copyright 2020 OVHcloud
.PP
Licensed under the Apache License, Version 2.0 (the \[lq]License\[rq]);
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.IP
.nf
\f[C]
   http://www.apache.org/licenses/LICENSE-2.0
\f[R]
.fi
.PP
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an \[lq]AS IS\[rq]
BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied.
See the License for the specific language governing permissions and
limitations under the License.
# SEE ALSO
.IP \[bu] 2
\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/
.IP \[bu] 2
\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks
.IP \[bu] 2
\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis