-
Notifications
You must be signed in to change notification settings - Fork 62
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Warning: This shitty branch no longer maintained.
- Loading branch information
Showing
1 changed file
with
157 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,157 @@ | ||
| # harbian-audit with the UOS server deploy | ||
|
|
||
| ## Introduction | ||
| This release only support UOS server V20. | ||
|
|
||
| ## Usage | ||
|
|
||
| ### Pre-Install | ||
| ``` | ||
| # apt-get install -y bc net-tools pciutils network-manager | ||
| ``` | ||
|
|
||
| ### Start harbian-audit | ||
| ```console | ||
| $ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit | ||
| # cp etc/default.cfg /etc/default/cis-hardening | ||
| # sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening | ||
| # bin/hardening.sh --init | ||
| # bin/hardening.sh --audit-all | ||
| hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh | ||
| 1.1_install_updates [INFO] Working on 1.1_install_updates | ||
| 1.1_install_updates [INFO] Checking Configuration | ||
| 1.1_install_updates [INFO] Performing audit | ||
| 1.1_install_updates [INFO] Checking if apt needs an update | ||
| 1.1_install_updates [INFO] Fetching upgrades ... | ||
| 1.1_install_updates [ OK ] No upgrades available | ||
| 1.1_install_updates [ OK ] Check Passed | ||
| [...] | ||
| ################### SUMMARY ################### | ||
| Total Available Checks : 272 | ||
| Total Runned Checks : 272 | ||
| Total Passed Checks : [ 240/272 ] | ||
| Total Failed Checks : [ 32/272 ] | ||
| Enabled Checks Percentage : 100.00 % | ||
| Conformity Percentage : 88.24 % | ||
| # bin/hardening.sh --set-hardening-level 5 | ||
| # sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg | ||
| # sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg | ||
| # sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg | ||
| # sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg | ||
| # sed -i 's/^status=.*/status=disabled/' etc/conf.d/9.5_pam_restrict_su.cfg | ||
| # bin/hardening.sh --apply | ||
| hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh | ||
| 1.1_install_updates [INFO] Working on 1.1_install_updates | ||
| 1.1_install_updates [INFO] Checking Configuration | ||
| 1.1_install_updates [INFO] Performing audit | ||
| 1.1_install_updates [INFO] Checking if apt needs an update | ||
| 1.1_install_updates [INFO] Fetching upgrades ... | ||
| 1.1_install_updates [ OK ] No upgrades available | ||
| 1.1_install_updates [INFO] Applying Hardening | ||
| 1.1_install_updates [ OK ] No Upgrades to apply | ||
| 1.1_install_updates [ OK ] Check Passed | ||
| [...] | ||
| # sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg | ||
| # sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg | ||
| # sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg | ||
| # ./bin/hardening.sh --apply --only 8.4.1 | ||
| # ./bin/hardening.sh --apply --only 8.4.2 | ||
| # ./bin/hardening.sh --apply --only 8.1.32 | ||
| ``` | ||
|
|
||
| ## After remediation (Very important) | ||
| When exec --apply and set-hardening-level are set to 5 (the highest level), you need to do the following: | ||
|
|
||
| 1) When applying 9.5(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations. | ||
| If you can only use ssh for remote login, you must use the su command when the normal user logs in. Then do the following: | ||
| ``` | ||
| # sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su | ||
| ``` | ||
| Temporarily comment out the line containing pam_wheel.so. After you have finished using the su command, please uncomment the line. | ||
|
|
||
| 2) When applying 7.4.4_hosts_deny.sh, the OS cannot be connected through the ssh service, so you need to set allow access host list on /etc/hosts.allow, example: | ||
| ``` | ||
| # echo "ALL: 192.168.1. 192.168.5." >> /etc/hosts.allow | ||
| ``` | ||
| This example only allows 192.168.1.[1-255] 192.168.5.[1-255] to access this system. Need to be configured according to your situation. | ||
|
|
||
| 3) Set capabilities for usual user, example(user name is test): | ||
| ``` | ||
| # sed -i "/^root/a\test ALL=(ALL:ALL) ALL" /etc/sudoers | ||
| ``` | ||
|
|
||
| 4) Set basic firewall rules | ||
| Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux basic firewall rules: | ||
|
|
||
| Iptabels format rules: | ||
| [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh) | ||
| to do the following: | ||
| ``` | ||
| $ INTERFACENAME="your network interfacename(Example eth0)" | ||
| # bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME | ||
| # iptables-save > /etc/iptables/rules.v4 | ||
| # ip6tables-save > /etc/iptables/rules.v6 | ||
| ``` | ||
|
|
||
| 5) Config grub2 password protection | ||
| [Config grub2 password protection](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd) | ||
|
|
||
| ## Special Note | ||
| Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix). | ||
|
|
||
| ### Items that must be applied after the first application(reboot after is better) | ||
| 8.1.32 Because this item is set, the audit rules will not be added. | ||
|
|
||
| ### Items that must be applied after all application is ok | ||
| 8.4.1 | ||
| 8.4.2 | ||
| These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system. | ||
|
|
||
| ### Items that need to be fix twice | ||
| 8.1.1.2 | ||
| 8.1.1.3 | ||
| 8.1.12 | ||
| 4.5 | ||
|
|
||
| ## Document | ||
|
|
||
| ### Harbian-audit benchmark for Debian GNU/Linux 9 | ||
| This document is a description of the additions to the sections not included in the [CIS reference documentation](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100). Includes STIG reference documentation and additional checks recommended by the HardenedLinux community. | ||
|
|
||
| [CIS Debian GNU/Linux 8 Benchmark v1.0.0](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100) | ||
| [CIS Debian GNU/Linux 9 Benchmark v1.0.0](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian8.100) | ||
| [harbian audit Debian Linux 9 Benchmark](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd) | ||
|
|
||
| ## harbian-audit License | ||
| GPL 3.0 | ||
|
|
||
| ## OVH Disclaimer | ||
|
|
||
| This project is a set of tools. They are meant to help the system administrator | ||
| built a secure environment. While we use it at OVH to harden our PCI-DSS compliant | ||
| infrastructure, we can not guarantee that it will work for you. It will not | ||
| magically secure any random host. | ||
|
|
||
| Additionally, quoting the License: | ||
|
|
||
| > THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY | ||
| > EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | ||
| > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
| > DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY | ||
| > DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | ||
| > (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
| > LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | ||
| > ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
| > (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
| > SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
| ## OVH License | ||
| 3-Clause BSD | ||
|
|
||
| ## Reference | ||
|
|
||
| - **Center for Internet Security**: [https://www.cisecurity.org](https://www.cisecurity.org) | ||
| - **STIG V1R4**: [https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip](https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip) | ||
| - **Firewall Rules**: [https://github.com/citypw/arsenal-4-sec-testing/blob/master/bt5_firewall/debian_fw](https://github.com/citypw/arsenal-4-sec-testing/blob/master/bt5_firewall/debian_fw) | ||
| - **harbian-audit Readme**: [https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md) |