.\" Automatically generated by Pandoc 2.6
.\"
.TH "CIS-HARDENING" "8" "2016" "" ""
.hy
.SH NAME
.PP
cis-hardening - CIS Debian 9/10 Hardening
.SH SYNOPSIS
.PP
\f[B]hardening.sh\f[R] RUN_MODE OPTIONS
.SH DESCRIPTION
.PP
Modular Debian 9/10 security hardening scripts based on the CIS
(https://www.cisecurity.org) recommendations.
.PP
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS
infrastructure.
.SH SCRIPTS CONFIGURATION
.PP
Hardening scripts are in \f[C]bin/hardening\f[R].
Each script has a corresponding configuration file in
\f[C]etc/conf.d/[script_name].cfg\f[R].
.PP
Each hardening script can be individually enabled from its configuration
file.
For example, this is the default configuration file for
\f[C]disable_system_accounts\f[R]:
.IP
.nf
\f[C]
# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=\[dq]\[dq]
\f[R]
.fi
.PP
The \f[B]status\f[R] parameter may take 3 values:
.IP \[bu] 2
\f[C]disabled\f[R] (do nothing): the script will not run.
.IP \[bu] 2
\f[C]audit\f[R] (read-only): the script will check whether any change should be
applied, without making it.
.IP \[bu] 2
\f[C]enabled\f[R] (read-write): the script will check whether any change should be
done and automatically apply what it can.
.PP
Global configuration is in \f[C]etc/hardening.cfg\f[R].
This file controls the log level as well as the backup directory.
Whenever a script is instructed to edit a file, it will first create a
timestamped backup in this directory.
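.PP
The following is an added example, not part of debian-cis: a POSIX sh
snippet that reads per-script configuration files in the format shown
above, rejects any \f[C]status\f[R] value outside the three documented
modes, and lists which scripts \f[C]--apply\f[R] would modify.
The configuration directory and its files are constructed sample data;
in a real checkout they live in \f[C]etc/conf.d\f[R].

```sh
#!/bin/sh
# Added example, not part of debian-cis: inspect etc/conf.d/*.cfg files,
# validate each "status=" value and list which scripts --apply would modify.
# CONF_DIR and its *.cfg files are constructed sample data, not a real checkout.
CONF_DIR=$(mktemp -d)
printf '# Configuration for script of same name\nstatus=disabled\nEXCEPTIONS=""\n' \
    > "$CONF_DIR/disable_system_accounts.cfg"
printf 'status=audit\n' > "$CONF_DIR/1.2_sample_audit_only.cfg"
printf 'status=enabled\n' > "$CONF_DIR/1.3_sample_apply_me.cfg"
printf 'status=yes\n' > "$CONF_DIR/1.4_sample_bad_value.cfg"

# cfg_status FILE: print the script's status, or "invalid" if the value is
# missing or not one of the three documented modes. The last "status="
# assignment wins, matching shell sourcing semantics; quotes and blanks
# around the value are tolerated.
cfg_status() {
    st=$(sed -n 's/^status=//p' "$1" | tail -n 1 | tr -d '"[:space:]')
    case "$st" in
        disabled|audit|enabled) printf '%s\n' "$st" ;;
        *) printf 'invalid\n' ;;
    esac
}

# list_by_status DIR STATUS: print, one per line, the script names whose
# config file has the given status ("enabled" = touched by --apply).
list_by_status() {
    for f in "$1"/*.cfg; do
        [ "$(cfg_status "$f")" = "$2" ] || continue
        basename "$f" .cfg
    done
}

# conf_report DIR: human-readable summary; returns 1 if any config holds
# an invalid status, so it can gate a job before --apply is run.
conf_report() {
    rc=0
    for mode in enabled audit disabled invalid; do
        printf '== %s ==\n' "$mode"
        list_by_status "$1" "$mode"
    done
    [ -z "$(list_by_status "$1" invalid)" ] || rc=1
    return $rc
}

conf_report "$CONF_DIR" || echo "at least one config has an invalid status"
```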
.SH RUN MODE
.TP
.B \f[C]-h\f[R], \f[C]--help\f[R]
Display a friendly help message.
.TP
.B \f[C]--apply\f[R]
Apply hardening for enabled scripts.
Beware that NO confirmation is asked whatsoever, which is why you\[cq]re
warmly advised to run \f[C]--audit\f[R] first; it can be regarded as
a dry-run mode.
.TP
.B \f[C]--audit\f[R]
Audit configuration for enabled scripts.
No modification will be made on the system; we\[cq]ll only report on
your system\[cq]s compliance for each script.
.TP
.B \f[C]--audit-all\f[R]
Same as \f[C]--audit\f[R], but for \f[I]all\f[R] scripts, even disabled
ones.
This is a good way to peek at what your compliance level would be if all
scripts were enabled, and might be a good starting point.
.TP
.B \f[C]--audit-all-enable-passed\f[R]
Same as \f[C]--audit-all\f[R], but in addition, will \f[I]modify\f[R]
the individual script configurations to enable those which passed on
your system.
This is an easy way to enable scripts for which you\[cq]re already
compliant.
However, please always review each activated script afterwards; this
option should only be regarded as a way to kickstart a configuration
from scratch.
Don\[cq]t run this if you have already customized the scripts\[cq]
enable/disable configurations, obviously.
.TP
.B \f[C]--create-config-files-only\f[R]
Create the config files in \f[C]etc/conf.d\f[R].
Must be run as root, before running the audit with user secaudit.
.TP
.B \f[C]--set-hardening-level=level\f[R]
Modifies the configuration to enable/disable tests given a hardening
level, between 1 and 5.
Don\[cq]t run this if you have already customized the scripts\[cq]
enable/disable configurations.
.RS
.IP 1. 3
Very basic policy: failure to pass tests at this level indicates
severe misconfiguration of the machine that can have a huge security
impact.
.IP 2. 3
Basic policy: some good practice rules that, once applied,
shouldn\[cq]t break anything on most systems.
.IP 3. 3
Best practices policy: passing all tests might need some configuration
modifications (such as specific partitioning, etc.).
.IP 4. 3
High security policy: passing all tests might be time-consuming and
require high adaptation of your workflow.
.IP 5. 3
Placebo: policy rules that might be very difficult to apply and
maintain, with questionable security benefits.
.RE
.TP
.B \f[C]--allow-service=service\f[R]
Use with \f[C]--set-hardening-level\f[R].
Modifies the policy to allow a certain kind of service on the machine,
such as http, mail, etc.
Can be specified multiple times to allow multiple services.
Use \f[C]--allow-service-list\f[R] to get a list of supported services.
.SH OPTIONS
.TP
.B \f[C]--allow-service-list\f[R]
Get a list of supported services.
.TP
.B \f[C]--only test-number\f[R]
Modifies the RUN_MODE to only work on the test_number script.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script, i.e.\ the test
number of 1.2_script_name.sh is 1.2.
.TP
.B \f[C]--sudo\f[R]
This option lets you audit your system as a normal user, but allows sudo
escalation to gain read-only access to root files.
Note that you need to provide a sudoers file with the NOPASSWD option in
/etc/sudoers.d/, because the -n option instructs sudo not to prompt for a
password.
Finally, note that \f[C]--sudo\f[R] mode only works for audit mode.
.TP
.B \f[C]--set-log-level=level\f[R]
This option sets LOGLEVEL; you can choose: info, warning, error, ok,
debug.
Default value is: info.
.TP
.B \f[C]--batch\f[R]
While performing system audit, this option sets LOGLEVEL to `ok' and
captures all output to print only one line once the check is done,
formatted like: OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{\&...}]
.TP
.B \f[C]--allow-unsupported-distribution\f[R]
Must be specified manually on the command line to allow the run on a
non-compatible version or distribution.
If you want to mute the warning, change the LOGLEVEL in
/etc/hardening.cfg.
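.PP
As an added example (not part of debian-cis), a POSIX sh snippet that
parses lines in the \f[C]--batch\f[R] format described above into the
overall verdict, the failing or warning subchecks, and a KO count that
can gate a compliance job.
The sample lines are constructed; the snippet assumes each batch line
follows exactly the documented layout, one line per check.

```sh
#!/bin/sh
# Added example, not part of debian-cis: parse the one-line-per-check output
# that --batch produces, "OK|KO OK|KO|WARN{subcheck} [OK|KO|WARN{...}]",
# into an overall verdict and the list of failing or warning subchecks.
# The sample lines below are constructed, not real hardening.sh output.
SAMPLE_BATCH='OK OK{sample subcheck passed}
KO OK{sample subcheck passed} KO{sample subcheck failed}
KO WARN{sample subcheck with a warning} KO{another failing subcheck}'

# batch_overall LINE: the leading OK/KO token (the check's global result).
batch_overall() {
    printf '%s\n' "$1" | cut -d ' ' -f 1
}

# batch_subchecks LINE STATUS: messages of the subchecks carrying STATUS
# (OK, KO or WARN), one per line. Braces delimit each message, so a
# message may itself contain spaces.
batch_subchecks() {
    printf '%s\n' "$1" | grep -o "$2{[^}]*}" | sed "s/^$2{//; s/}\$//"
}

# batch_count_ko: read batch lines on stdin and print how many checks have
# an overall KO result. A non-zero count means the host is not compliant
# with the enabled scripts, which makes it a convenient job gate.
batch_count_ko() {
    n=0
    while IFS= read -r line; do
        [ "$(batch_overall "$line")" = KO ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Stand-alone run: count failing checks, then show their failing subchecks.
printf '%s\n' "$SAMPLE_BATCH" | batch_count_ko
printf '%s\n' "$SAMPLE_BATCH" | while IFS= read -r line; do
    [ "$(batch_overall "$line")" = KO ] && batch_subchecks "$line" KO
done
```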
.SH AUTHORS
.IP \[bu] 2
Thibault Dewailly, OVHcloud <thibault.dewailly@ovhcloud.com>
.IP \[bu] 2
St\['e]phane Lesimple, OVHcloud <stephane.lesimple@ovhcloud.com>
.IP \[bu] 2
Thibault Ayanides, OVHcloud <thibault.ayanides@ovhcloud.com>
.IP \[bu] 2
Kevin Tanguy, OVHcloud <kevin.tanguy@ovhcloud.com>
.SH COPYRIGHT
.PP
Copyright 2020 OVHcloud
.PP
Licensed under the Apache License, Version 2.0 (the \[lq]License\[rq]);
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.IP
.nf
\f[C]
http://www.apache.org/licenses/LICENSE-2.0
\f[R]
.fi
.PP
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an \[lq]AS IS\[rq]
BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied.
See the License for the specific language governing permissions and
limitations under the License.
.SH SEE ALSO
.IP \[bu] 2
\f[B]Center for Internet Security\f[R]: https://www.cisecurity.org/
.IP \[bu] 2
\f[B]CIS recommendations\f[R]: https://learn.cisecurity.org/benchmarks
.IP \[bu] 2
\f[B]Project repository\f[R]: https://github.com/ovh/debian-cis