
Repository Details

A collection of awesome security hardening guides, tools and other resources

awesome-security-hardening


A collection of awesome security hardening guides, best practices, checklists, benchmarks, tools and other resources. This is a work in progress: please contribute by sending your suggestions. You may do this by creating issue tickets, or by forking, editing and sending pull requests. You may also send suggestions on Twitter to @decalage2, or use https://www.decalage.info/contact



Security Hardening Guides and Best Practices

Hardening Guide Collections

GNU/Linux

Red Hat Enterprise Linux - RHEL

CentOS

SUSE

Ubuntu

Windows

See also Active Directory and ADFS below.

macOS

Network Devices

Switches

Routers

IPv6

Firewalls

Virtualization - VMware

Containers - Docker - Kubernetes

Services

SSH

TLS/SSL

Web Servers

Apache HTTP Server

Apache Tomcat

Eclipse Jetty

Microsoft IIS

Mail Servers

FTP Servers

Database Servers

Active Directory

ADFS

Kerberos

LDAP

DNS

NTP

NFS

CUPS

Authentication - Passwords

Hardware - CPU - BIOS - UEFI

Cloud

Tools

Tools to check security hardening

  • Chef InSpec - open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements. Can run on Windows and many Linux distributions.

GNU/Linux

  • Lynis - script to check the configuration of Linux hosts
  • OpenSCAP Base - oscap command line tool
  • SCAP Workbench - GUI for oscap
  • Tiger - The Unix security audit and intrusion detection tool (might be outdated)
  • otseca - Open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
  • SUDO_KILLER - A tool to identify sudo rules' misconfigurations and vulnerabilities within sudo
  • CIS Benchmarks Audit - bash script which performs tests against your CentOS system to give an indication of whether the running server may comply with the CIS v2.2.0 Benchmarks for CentOS (only CentOS 7 for now)

Windows

  • Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
  • Microsoft DSC Environment Analyzer (DSCEA) - simple implementation of PowerShell Desired State Configuration that uses the declarative nature of DSC to scan Windows OS based systems in an environment against a defined reference MOF file and generate compliance reports as to whether systems match the desired configuration
  • HardeningAuditor - Scripts for comparing Microsoft Windows compliance with the Australian ASD 1709 & Office 2016 Hardening Guides
  • PingCastle - Tool to check the security of Active Directory
  • MDE-AuditCheck - Tool to check that Windows audit settings are properly configured in the GPO for Microsoft Defender for Endpoint

Network Devices

  • Nipper-ng - to check the configuration of network devices (does not seem to be updated)

TLS/SSL

SSH

  • ssh-audit - SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

Hardware - CPU - BIOS - UEFI

Docker

  • Docker Bench for Security - script that checks for dozens of common best-practices around deploying Docker containers in production, inspired by the CIS Docker Community Edition Benchmark v1.1.0.

Cloud

Tools to apply security hardening

GNU/Linux

Windows

  • Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
  • Hardentools - for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.
  • Windows 10 Hardening - A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible.
  • Disassembler0 Windows 10 Initial Setup Script - PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
  • Automated-AD-Setup - A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening
  • mackwage/windows_hardening.cmd - Script to perform some hardening of Windows 10

TLS/SSL

Cloud

Password Generators

Books

Other Awesome Lists

Other Awesome Security Lists

(borrowed from Awesome Security)

More Repositories

  1. oletools - Python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging. (Python, 2,706 stars)
  2. ViperMonkey - A VBA parser and emulation engine to analyze malicious macros. (Python, 1,007 stars)
  3. olefile - olefile is a Python package to parse, read and write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, vbaProject.bin in MS Office 2007+ files, Image Composer and FlashPix files, Outlook messages, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc. (Python, 211 stars)
  4. balbuzard - Balbuzard is a package of malware analysis tools in Python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns. (YARA, 121 stars)
  5. exefilter - ExeFilter is an open-source tool and framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc) according to a configurable policy. (Python, 63 stars)
  6. oledump-contrib - The oledump-contrib repository contains plugins and enhancements for the oledump tool published by Didier Stevens. (Python, 50 stars)
  7. pyhtgen - pyhtgen (formerly HTML.py) provides a few classes to easily generate HTML content such as tables and lists. (HTML, 12 stars)
  8. oletools_dll - A DLL to run some oletools functions from any language. (C, 7 stars)
  9. pywordform - pywordform is a Python module to parse Microsoft Word forms in docx format, extracting all field values with their tags into a dictionary. For more information: http://www.decalage.info/python/pywordform (Python, 7 stars)
  10. python-crash-course - This is a Python course I have written to quickly teach Python to my colleagues and students, made of slides and samples for hands-on exercises. It takes around four to five hours to present all the slides and to run the hands-on exercises. The original course was based on my mini Python tutorial. (http://www.decalage.info/python/tutorial) (7 stars)
  11. iodeflib - iodeflib is a Python library to create, parse and edit cyber incident reports using the IODEF XML format (RFC 5070). (Python, 6 stars)
  12. pyxmldsig - pyxmldsig is a Python module to create and verify XML Digital Signatures (XML-DSig). This is a simple interface to the PyXMLSec library, aiming to provide a more pythonic API suitable for Python applications. See http://www.decalage.info/python/pyxmldsig (Python, 2 stars)
  13. cherryproxy - CherryProxy is a simple HTTP proxy written in Python 2.x, based on the CherryPy WSGI server and httplib, extensible for content analysis and filtering. (Python, 2 stars)