Hardened Debian GNU/Linux distro auditing

harbian-audit Hardening

Introduction

Hardened Debian GNU/Linux and CentOS 8 distro auditing.

The main test environments are Debian GNU/Linux 9/10/11/12 and CentOS 8; other versions are not fully tested. Desktop-related items are not implemented in this release.

The code framework is based on the OVH-debian-cis project. Some of the original implementations were modified according to the features of Debian 9/10/11/12 and CentOS 8; check items from STIG Red_Hat_Enterprise_Linux_7_V2R5, STIG Ubuntu V1R2 and cisecurity.org recommendations were added and implemented, along with some check items contributed by the HardenedLinux community. The audit and apply functions of the infrastructure are implemented, and an automatic fix function is implemented for the items that can be automatically fixed.

```console
# bash bin/hardening.sh --audit-all
[...]
hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
13.15_check_duplicate_gid [INFO] Checking Configuration
13.15_check_duplicate_gid [INFO] Performing audit
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
13.15_check_duplicate_gid [ OK ] Check Passed

[...]
################### SUMMARY ###################
      Total Available Checks : 270
         Total Runned Checks : 270
         Total Passed Checks : [ 226/270 ]
         Total Failed Checks : [  44/270 ]
   Enabled Checks Percentage : 100.00 %
       Conformity Percentage : 83.70 %
```

Quickstart

```console
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
# cp etc/default.cfg /etc/default/cis-hardening
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
# bin/hardening.sh --init
# bin/hardening.sh --audit-all
hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates       [INFO] Working on 1.1_install_updates
1.1_install_updates       [INFO] Checking Configuration
1.1_install_updates       [INFO] Performing audit
1.1_install_updates       [INFO] Checking if apt needs an update
1.1_install_updates       [INFO] Fetching upgrades ...
1.1_install_updates       [ OK ] No upgrades available
1.1_install_updates       [ OK ] Check Passed
[...]
################### SUMMARY ###################
      Total Available Checks : 270
         Total Runned Checks : 270
         Total Passed Checks : [ 226/270 ]
         Total Failed Checks : [  44/270 ]
   Enabled Checks Percentage : 100.00 %
       Conformity Percentage : 83.70 %
# bin/hardening.sh --set-hardening-level 5
# bin/hardening.sh --apply 
hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates       [INFO] Working on 1.1_install_updates
1.1_install_updates       [INFO] Checking Configuration
1.1_install_updates       [INFO] Performing audit
1.1_install_updates       [INFO] Checking if apt needs an update
1.1_install_updates       [INFO] Fetching upgrades ...
1.1_install_updates       [ OK ] No upgrades available
1.1_install_updates       [INFO] Applying Hardening
1.1_install_updates       [ OK ] No Upgrades to apply
1.1_install_updates       [ OK ] Check Passed
[...]
```

Usage

Pre-Install

If Debian GNU/Linux was installed via a network install from a minimal CD, install the following packages before using the hardening tool:

# apt-get install -y bc net-tools pciutils network-manager 

On Red Hat/CentOS, install the following packages before using the hardening tool:

# yum install -y bc net-tools pciutils NetworkManager epel-release 

Pre-Set

You must set a password for all users before hardening. Otherwise, you will not be able to log in after hardening is completed. Example (OS users: root and test):

# passwd 
# passwd test 

Configuration

Hardening scripts are in bin/hardening. Each script has a corresponding configuration file in etc/conf.d/[script_name].cfg.

Each hardening script can be individually enabled from its configuration file. For example, this is the default configuration file for disable_system_accounts:

# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""

The status parameter may take 3 values:

  • disabled (do nothing): The script will not run.
  • audit (RO): The script will check if any change should be applied.
  • enabled (RW): The script will check if any change should be done and automatically apply what it can.

You can also enable configuration items by setting the hardening level, with the following commands:

  1. Generate etc/conf.d/[script_name].cfg with audit-all on first use:
# bash bin/hardening.sh --audit-all
  2. Enable the [script_name].cfg files with set-hardening-level. This command sets the hardening level so that the audit entries of the corresponding level take effect:
# bash bin/hardening.sh --set-hardening-level <level>

Global configuration is in etc/hardening.cfg. This file controls the log level as well as the backup directory. Whenever a script is instructed to edit a file, it will create a timestamped backup in this directory.

Run aka "Harden your distro" (after hardening, you must perform the "After remediation" section)

To run the checks and apply the fixes, run bin/hardening.sh.

This command has 2 main operation modes:

  • --audit: Audit your system with all enabled and audit mode scripts
  • --apply: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts

Additionally, --audit-all can be used to force running all auditing scripts, including disabled ones. This will not change the system.

--audit-all-enable-passed can be used as a quick way to kickstart your configuration. It will run all scripts in audit mode. If a script passes, it will automatically be enabled for future runs. Do NOT use this option if you have already started to customize your configuration.

Use the command to harden your OS:

# bash bin/hardening.sh --apply 

rsyslog config

If rsyslog is used, and you want to print the harbian-audit log to a separate log file, the configuration is as follows:

user.info			/var/log/harbian-audit.log
user.*				-/var/log/user.log

The log will be output to the file /var/log/harbian-audit.log.

If you apply docs/configurations/etc.iptables.rules.v4.sh to your firewall rules and want to print the iptables log to a separate log file, insert the following lines into rsyslog.conf:

:msg,contains,"FW-"                     -/var/log/firewalllog.log
&                                       stop

After remediation (Very important)

When you run --apply with set-hardening-level set to 5 (the highest level), you need to do the following:

  1. When applying 9.4 (Restrict Access to the su Command), you must use the root account to log in to the OS, because ordinary users cannot perform the subsequent operations. If you can only use ssh for remote login, you must use the su command after the normal user logs in. Then do the following:
# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su 

This temporarily comments out the line containing pam_wheel.so. After you have finished using the su command, uncomment the line again.

  2. When applying 7.4.4_hosts_deny.sh, the OS cannot be connected to through the ssh service, so you need to set the allowed host list in /etc/hosts.allow, for example:
# echo "ALL: 192.168.1. 192.168.5." >> /etc/hosts.allow

This example only allows 192.168.1.[1-255] and 192.168.5.[1-255] to access this system. Configure it according to your situation.

  3. Set privileges for a regular user, example (user name is test):
# sed -i "/^root/a\test    ALL=(ALL:ALL) ALL" /etc/sudoers 
  4. Set basic firewall rules. Set the corresponding firewall rules according to the applications used. HardenedLinux community basic firewall rules for Debian GNU/Linux:

iptables format rules:

For etc.iptables.rules.v4.sh, do the following:

$ INTERFACENAME="your network interfacename(Example eth0)"
# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME

# iptables-save > /etc/iptables/rules.v4 
# ip6tables-save > /etc/iptables/rules.v6 

nft format rules:

For nftables.conf, do the following (replace eth0 with your network interface name):

$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf 
# nft -f ./etc.nftables.conf 
  5. When all repairs are completed, the --final method will:
    1. Use the passwd command to change the passwords of the regular and root users, so that the password complexity and robustness settings of the pam_cracklib module configuration are applied.
    2. Reinitialize AIDE.
# bin/hardening.sh --final

Special Note

Some check items cover a variety of situations and are interdependent: they must be applied (fixed) multiple times, and the OS must be rebooted after each apply (fix).

Items that must be applied after the first application (rebooting afterwards is better)

8.1.35: once this item is set, further audit rules will not be added.

Items that must be applied after all other applications are done

8.4.1
8.4.2
These are all related to AIDE. It is best to fix these items after all the others have been fixed, so that the integrity database is rebuilt for the fixed system.

Items that need to be fixed twice

4.5

Hacking

Getting the source

$ git clone https://github.com/hardenedlinux/harbian-audit.git

Adding a custom hardening script

$ cp src/skel bin/hardening/99.99_custom_script.sh
$ chmod +x bin/hardening/99.99_custom_script.sh
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg

Code your check, explaining what it does; then, if you want to test it, enable it and run it on its own (the original used `.+`, which is a literal `+` in a basic sed regex and never matches; `.*` does):

$ sed -i "s/status=.*/status=enabled/" etc/conf.d/99.99_custom_script.cfg
$ bash bin/hardening.sh --audit --only 99.99
$ bash bin/hardening.sh --apply --only 99.99
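As an added example (not harbian-audit's own skel or library code), the following self-contained bash script models how a check such as 13.15 behaves under the three status values of its etc/conf.d cfg file; the group file, the cfg file and the paths are constructed stand-ins so it runs offline:

```bash
#!/bin/bash
# Added example (not harbian-audit's own skel or library code): a self-contained
# model of one hardening script under the three status values of its
# etc/conf.d/<script>.cfg, using the duplicate-GID check (13.15) from the README.
set -u
WORK=$(mktemp -d)
GROUP_FILE="$WORK/group"                          # stand-in for /etc/group
CFG_FILE="$WORK/13.15_check_duplicate_gid.cfg"    # stand-in for etc/conf.d/...

# Constructed sample: 'staff' and 'devs' both carry GID 50, so the audit fails.
printf 'root:x:0:\nstaff:x:50:alice\nusers:x:100:\ndevs:x:50:bob\n' > "$GROUP_FILE"

# Print every GID that occurs more than once in the given group file.
duplicate_gids() {
    cut -d: -f3 "$1" | sort -n | uniq -d
}

# audit(): return 0 when the check passes and 1 when it fails.
audit() {
    dups=$(duplicate_gids "$GROUP_FILE")
    if [ -z "$dups" ]; then echo "[ OK ] No duplicate GIDs"; return 0; fi
    echo "[ KO ] Duplicate GIDs: $(echo "$dups" | tr '\n' ' ')"; return 1
}

# apply(): renumbering groups is not safe to automate, so this item only reports.
apply() {
    echo "[INFO] No automatic fix for duplicate GIDs; edit the group file by hand"
}

# Read status= from the cfg; a missing or unknown value counts as disabled.
read_status() {
    sed -n 's/^status=//p' "$1" 2>/dev/null | tail -n1
}

# Dispatcher model: disabled skips, audit only audits, enabled audits then applies.
run_check() {
    case "$(read_status "$CFG_FILE")" in
        audit)   if audit; then echo "audit:passed"; else echo "audit:failed"; fi ;;
        enabled) if audit; then echo "enabled:passed"; else apply; echo "enabled:failed"; fi ;;
        *)       echo "disabled:skipped" ;;
    esac
}

# Write the given status into the cfg and run the check; the last line is the verdict.
run_as() {
    printf 'status=%s\n' "$1" > "$CFG_FILE"
    run_check | tail -n1
}
run_as disabled; run_as audit; run_as enabled
```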

Document

Harbian-audit benchmark for Debian GNU/Linux 9

This document is a description of the additions to the sections not included in the CIS reference documentation. Includes STIG reference documentation and additional checks recommended by the HardenedLinux community.

CIS Debian GNU/Linux 8 Benchmark v1.0.0
CIS Debian GNU/Linux 9 Benchmark v1.0.0
harbian audit Debian Linux 9 Benchmark

Manual Operation docs

How to config grub2 password protection
How to persistent iptables rules with debian 9
How to deploy audisp-remote for auditd log
How to migrating from iptables to nftables in debian10
How to persistent nft rules with debian 10
How to fix SELinux access denied

Use case docs

Nodejs + redis + mysql demo
deploy-hyperledger-cello-on-debian-9
nginx-mutual-ssl-proxy-http
nginx-mutual-ssl-proxy-tcp-udp

harbian-audit compliant image

AMI(Amazon Machine Image) Public

The HardenedLinux community has created public AMI images for three different regions.

Destination region: US East(Ohio)
AMI ID: ami-091d37e9d358aaa84
AMI Name: harbian-audit complianced for Debian GNU/Linux 9

Destination region: EU(Frankfurt)
AMI ID: ami-073725a8c2cf45418
AMI Name: harbian-audit complianced for Debian GNU/Linux 9

Destination region: Asia Pacific(Tokyo)
AMI ID: ami-06c0adb6ee5e7d417
AMI Name: harbian-audit complianced for Debian GNU/Linux 9

Docs

How to create and make an AMI public
How to use harbian-audit complianced for GNU/Linux Debian 9

QEMU Image

Docs

How to create and make a QEMU image of harbian-audit compliant Debian GNU/Linux 9
How to use the QEMU image of harbian-audit compliant Debian GNU/Linux 9

harbian-audit License

GPL 3.0

OVH Disclaimer

This project is a set of tools. They are meant to help the system administrator build a secure environment. While we use it at OVH to harden our PCI-DSS compliant infrastructure, we cannot guarantee that it will work for you. It will not magically secure any random host.

Additionally, quoting the License:

THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

OVH License

3-Clause BSD
