The main test environment is in debian 9, and other versions are not fully tested. There are no implementations of desktop and SELinux related items in this release.
The code framework is based on the [OVH-debian-cis]( project, Modified some of the original implementations according to the features of Debian 9, added and implemented check items for [STIG V1R4]( and []( recommendations, and also added and implemented some check items by the HardenedLinux community. The audit and apply functions of the infrastructure are implemented, and the automatic fix function is implemented for the items that can be automatically fixed.
You must set a password for all users before hardening. Otherwise, you will not be able to log in after the hardening is completed. Example(OS user: root and test):
``--audit-all-enable-passed`` can be used as a quick way to kickstart your configuration. It will run all scripts in audit mode. If a script passes, it will automatically be enabled for future runs. Do NOT use this option if you have already started to customize your configuration.
1) When applying 9.5(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations.
If you can only use ssh for remote login, you must use the su command when the normal user logs in. Then do the following:
# sed -i '/^[^#].**/s/^/# &/' /etc/pam.d/su
Temporarily comment out the line containing After you have finished using the su command, please uncomment the line.
2) When applying, the OS cannot be connected through the ssh service, so you need to set allow access host list on /etc/hosts.allow, example:
5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module.
Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix).
This document is a description of the additions to the sections not included in the [CIS reference documentation]( Includes STIG reference documentation and additional checks recommended by the HardenedLinux community.
[How to config grub2 password protection](
[How to persistent iptables rules with debian 9](
[How to deploy audisp-remote for auditd log](
[how to creating and making an AMI public](
[how to use harbian-audit complianced for GNU/Linux Debian 9](
[How to creating and making a QEMU image of harbian-audit complianced Debian GNU/Linux 9](
[How to use QEMU image of harbian-audit complicanced Debian GNU/Linux 9](