
Comments (5)

ThibaultDewailly commented on August 20, 2024

Hello Bluepuma and welcome !

TL;DR: use $ ./hardening.sh --set-hardening-level 2 to have a base hardening
let me fix #230 first ;)

I totally understand the need, and it totally makes sense for a small company not to spend dozens of hours to understand what is inside this repository.

To answer your question, have you considered looking at the HARDENING_LEVEL variable, which is used in all scripts? It basically tells you whether it's a base hardening or a paranoid parameter, not so useful but still present for the most secured infrastructure.

To give you an example, the sshd configuration rights are utterly important to respect and represent a severe security issue:
https://github.com/ovh/debian-cis/blob/master/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
On the opposite side of the scale, halting the system when audit is not able to log anymore is very paranoid, and should be used with care.
https://github.com/ovh/debian-cis/blob/master/bin/hardening/4.1.2.2_halt_when_audit_log_full.sh

This is an opinionated ranking and open to discussion, but if you don't want to spend too much time, I'd recommend using level 2 hardening; it shall give you a good head start.

I hope this answers your question, have a great day

from debian-cis.

ThibaultDewailly commented on August 20, 2024

#230 is fixed


bluepuma77 commented on August 20, 2024

Thanks @ThibaultDewailly !

Okay, here we go, newbie wants to do basic hardening.

I had to remove the ' around '$(pwd)' for /etc/default/cis-hardening to make sense:

git clone https://github.com/ovh/debian-cis.git && cd debian-cis
cp debian/default /etc/default/cis-hardening
sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR=$(pwd)/lib#" /etc/default/cis-hardening
sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR=$(pwd)/bin/hardening#" /etc/default/cis-hardening
sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR=$(pwd)/etc#" /etc/default/cis-hardening
sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR=$(pwd)/tmp#" /etc/default/cis-hardening

./bin/hardening.sh --apply --set-hardening-level 2

Now I get a lot of:

sed: can't read /root/debian-cis/etc/conf.d/1.1.1.1_disable_freevxfs.cfg: No such file or directory
sed: can't read /root/debian-cis/etc/conf.d/1.1.1.2_disable_jffs2.cfg: No such file or directory
sed: can't read /root/debian-cis/etc/conf.d/1.1.1.3_disable_hfs.cfg: No such file or directory
...
The script 5.4.5_default_timeout doesn't have a hardening level, configuration untouched for it
...
sed: can't read /root/debian-cis/etc/conf.d/99.5.4.5.1_acc_logindefs_sha512.cfg: No such file or directory
sed: can't read /root/debian-cis/etc/conf.d/99.5.4.5.2_acc_shadow_sha512.cfg: No such file or directory
sed: can't read /root/debian-cis/etc/conf.d/99.99_check_distribution.cfg: No such file or directory
Configuration modified to enable scripts for hardening level at or below 2

This does not seem like the correct way to do it.

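The "sed: can't read .../etc/conf.d/<name>.cfg" lines come from hardening.sh trying to edit a per-check config file that is not there, so the useful thing to know before running it with --apply is whether the four CIS_*_DIR entries in /etc/default/cis-hardening point at real directories and whether every check script has its .cfg. The following POSIX sh pre-flight check is an added example, not code from the debian-cis project and not posted by anyone in this thread. It only assumes the variable names used above (CIS_LIB_DIR, CIS_CHECKS_DIR, CIS_CONF_DIR, CIS_TMP_DIR) and the conf.d/<name>.cfg layout visible in the error output; the directory tree and config file it builds for its own demonstration are constructed. The function make_fixture exists only to produce that constructed tree.

```shell
#!/bin/sh
# Added example, not part of debian-cis: pre-flight check for
# /etc/default/cis-hardening before running hardening.sh.

# check_cis_config CONFIG_FILE
# Sources the config in a subshell (so nothing leaks into the caller),
# then reports, one line each:
#   - any CIS_*_DIR variable that is unset or not a directory,
#   - any check script in CIS_CHECKS_DIR without a matching
#     CIS_CONF_DIR/conf.d/<name>.cfg (the cause of the
#     "sed: can't read .../conf.d/<name>.cfg" errors).
# Returns 0 when everything is in place, 1 otherwise.
check_cis_config() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg"
        return 1
    fi
    (
        # The config file is shell syntax, so it is sourced, not parsed.
        . "$cfg"
        rc=0
        for var in CIS_LIB_DIR CIS_CHECKS_DIR CIS_CONF_DIR CIS_TMP_DIR; do
            eval "val=\$$var"
            if [ -z "$val" ]; then
                echo "$var is not set"
                rc=1
            elif [ ! -d "$val" ]; then
                echo "$var=$val is not a directory"
                rc=1
            fi
        done
        if [ -d "${CIS_CHECKS_DIR:-}" ]; then
            for script in "$CIS_CHECKS_DIR"/*.sh; do
                [ -e "$script" ] || continue   # glob matched nothing
                name=$(basename "$script" .sh)
                if [ ! -f "${CIS_CONF_DIR:-}/conf.d/$name.cfg" ]; then
                    echo "missing config: ${CIS_CONF_DIR:-}/conf.d/$name.cfg"
                    rc=1
                fi
            done
        fi
        exit "$rc"
    )
}

# make_fixture ROOT MODE
# Builds a constructed tree under ROOT that mimics a checkout (two check
# scripts, lib/, etc/conf.d/, tmp/) and writes ROOT/cis-hardening pointing
# at it, using the quoted '$(pwd)' form mentioned in the thread.
# MODE "complete" writes a .cfg for every script; "broken" leaves one out.
make_fixture() {
    root="$1"; mode="$2"
    mkdir -p "$root/lib" "$root/bin/hardening" "$root/etc/conf.d" "$root/tmp"
    for name in 1.1.1.1_disable_freevxfs 5.2.1_sshd_conf_perm_ownership; do
        : > "$root/bin/hardening/$name.sh"
    done
    printf 'status=disabled\n' > "$root/etc/conf.d/5.2.1_sshd_conf_perm_ownership.cfg"
    if [ "$mode" = "complete" ]; then
        printf 'status=disabled\n' > "$root/etc/conf.d/1.1.1.1_disable_freevxfs.cfg"
    fi
    cat > "$root/cis-hardening" <<EOF
CIS_LIB_DIR='$root'/lib
CIS_CHECKS_DIR='$root'/bin/hardening
CIS_CONF_DIR='$root'/etc
CIS_TMP_DIR='$root'/tmp
EOF
}

# Stand-alone demonstration on a constructed tree with one .cfg missing.
demo=$(mktemp -d)
make_fixture "$demo/debian-cis" broken
check_cis_config "$demo/debian-cis/cis-hardening" \
    || echo "fix the above before running hardening.sh --set-hardening-level"
rm -rf "$demo"
```

On a real host, call check_cis_config /etc/default/cis-hardening after the cp and sed steps and before --apply; an empty report means the directories resolve and every script under CIS_CHECKS_DIR has a config file to edit, so the level change can take effect instead of failing per script. Because the file is sourced as shell, point the check only at the config you wrote yourself.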

ManuGithubSteam commented on August 20, 2024

Hello Bluepuma,

I just installed it like the main page shows. I'm not sure what you did with your setup...

Then I do this:

cd /opt/debian-cis/bin/
./hardening.sh --audit #(No changes to the system)

I get back this:

1.1.5_tmp_noexec [INFO] Verifying that /tmp is a partition
1.1.5_tmp_noexec [ OK ] /tmp is a partition
1.1.5_tmp_noexec [ KO ] /tmp has no option noexec in fstab!
1.1.5_tmp_noexec [ KO ] Check Failed
hardening [INFO] Treating /opt/debian-cis/bin/hardening/1.1.6.1_var_nodev.sh
1.1.6.1_var_nodev [INFO] Working on 1.1.6.1_var_nodev
1.1.6.1_var_nodev [INFO] [DESCRIPTION] /var partition with nodev option.
1.1.6.1_var_nodev [INFO] Checking Configuration
1.1.6.1_var_nodev [INFO] Performing audit
1.1.6.1_var_nodev [INFO] Verifying that /var is a partition
1.1.6.1_var_nodev [ OK ] /var is a partition
1.1.6.1_var_nodev [ KO ] /var has no option nodev in fstab!
1.1.6.1_var_nodev [ KO ] Check Failed

Now I read up on the errors and correct them by hand. This way I know what I did. You could of course also use the script to harden it, but I prefer the manual way as it forces me to do some reading about the options and so on.

I kinda like the gamification of it with the score. It keeps me going.

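The audit output quoted above has a regular shape: every line starts with the check id, and each check ends with a verdict line ("[ OK ] Check Passed" or "[ KO ] Check Failed"). That makes the "score" easy to compute yourself, and also lets you spot checks that logged something but never reached a verdict. The following awk-based summarizer is an added example, not code from the debian-cis project and not posted by anyone in this thread; it assumes only that line format. The sample log inside it is constructed from the lines quoted in this thread plus one passing check, and is not output from any real host.

```shell
#!/bin/sh
# Added example, not part of debian-cis: turn "hardening.sh --audit"
# output into a per-check verdict list and a pass/fail score.

# summarize_audit  (reads audit output on stdin)
# Every non-"hardening" line starts with the check id.  The verdict of a
# check is the line "<id> [ OK ] Check Passed" or "<id> [ KO ] Check Failed";
# a check that logged lines but no verdict is reported as NO_VERDICT so it
# is never silently counted as passed.
summarize_audit() {
    awk '
        # register every check id in the order it first appears
        $1 ~ /^[0-9]/ && !($1 in seen) {
            seen[$1] = 1; order[++n] = $1; verdict[$1] = "NO_VERDICT"
        }
        # verdict lines: "<id> [ OK ] Check Passed" / "<id> [ KO ] Check Failed"
        $2 == "[" && $5 == "Check" {
            verdict[$1] = ($6 == "Passed") ? "PASS" : "FAIL"
        }
        END {
            passed = 0
            for (i = 1; i <= n; i++) {
                printf "%-40s %s\n", order[i], verdict[order[i]]
                if (verdict[order[i]] == "PASS") passed++
            }
            printf "score: %d/%d\n", passed, n
        }
    '
}

# sample_audit_log: constructed input built from the lines quoted in the
# thread plus one passing check and one check without a verdict.
sample_audit_log() {
    cat <<'EOF'
hardening [INFO] Treating /opt/debian-cis/bin/hardening/1.1.5_tmp_noexec.sh
1.1.5_tmp_noexec [INFO] Verifying that /tmp is a partition
1.1.5_tmp_noexec [ OK ] /tmp is a partition
1.1.5_tmp_noexec [ KO ] /tmp has no option noexec in fstab!
1.1.5_tmp_noexec [ KO ] Check Failed
hardening [INFO] Treating /opt/debian-cis/bin/hardening/1.1.6.1_var_nodev.sh
1.1.6.1_var_nodev [INFO] Working on 1.1.6.1_var_nodev
1.1.6.1_var_nodev [ OK ] /var is a partition
1.1.6.1_var_nodev [ KO ] /var has no option nodev in fstab!
1.1.6.1_var_nodev [ KO ] Check Failed
5.2.1_sshd_conf_perm_ownership [INFO] Checking Configuration
5.2.1_sshd_conf_perm_ownership [ OK ] Check Passed
5.4.5_default_timeout [INFO] Working on 5.4.5_default_timeout
EOF
}

# Stand-alone demonstration.
sample_audit_log | summarize_audit
```

Pipe the real audit into it with ./hardening.sh --audit 2>&1 | summarize_audit; the NO_VERDICT rows are the ones to look at first, since a check that stopped before its verdict (for example one skipped because it has no hardening level) tells you nothing about the host either way.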

ThibaultDewailly commented on August 20, 2024

Closing the issue as I cannot reproduce it; you might want to keep the code up to date.

