Update how_to_creating_and_making_an_AMI_public.mkd
This commit is contained in:
parent
16e1eeb5bf
commit
09871b9a98
|
@ -40,7 +40,7 @@ apply () {
|
||||||
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
|
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
|
||||||
else
|
else
|
||||||
apt_install $PACKAGE
|
apt_install $PACKAGE
|
||||||
aideinit
|
aideinit -y -f
|
||||||
info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further"
|
info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
|
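Review bot: The exit status of the new `aideinit -y -f` call is ignored, so a failed database initialisation (for example a configuration error that makes aide bail out) still falls through to the following `info "${PACKAGE} is now installed ..."` message and the apply reports success without any AIDE baseline on disk. Since `-y -f` makes the run non-interactive and, as far as I recall the Debian wrapper, overwrites an existing database without asking, there is also no prompt left that would surface a problem to the operator. Consider gating the message on the result, e.g. `if aideinit -y -f; then info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further"; else <error-level helper> "aideinit failed, the AIDE database was not created"; fi`, using whatever error-level logging helper the script provides alongside `info`. The enclosing `apply ()` function starts outside the hunk.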
@ -24,7 +24,8 @@ The creation process is as follows:
|
||||||
|
|
||||||
### Pre-Install
|
### Pre-Install
|
||||||
```
|
```
|
||||||
$ sudo apt update && sudo apt install -y bc net-tools vim unzip
|
$ sudo apt update
|
||||||
|
$ sudo apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip
|
||||||
```
|
```
|
||||||
|
|
||||||
### Get harbian-audit project
|
### Get harbian-audit project
|
||||||
|
@ -45,30 +46,56 @@ admin@ip:/opt/harbian-audit-master# passwd admin
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Audit && Apply:
|
#### Audit && Apply:
|
||||||
|
|
||||||
|
##### First audit && apply:
|
||||||
```
|
```
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo cp debian/default /etc/default/cis-hardening
|
admin@ip:/opt/harbian-audit-master$ sudo cp debian/default /etc/default/cis-hardening
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
admin@ip:/opt/harbian-audit-master$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --init
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --init
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --set-hardening-level 5
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --set-hardening-level 5
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
|
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
|
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo sed -i "/^root/a\admin ALL=(ALL:ALL) ALL" /etc/sudoers
|
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo reboot
|
admin@ip:/opt/harbian-audit-master$ sudo reboot
|
||||||
```
|
```
|
||||||
After reboot:
|
##### Second audit && apply(After reboot)
|
||||||
|
Configuring the firewall:
|
||||||
```
|
```
|
||||||
admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0"
|
admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0"
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
|
admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME
|
||||||
admin@ip:/opt/harbian-audit-master$ sudo -s
|
admin@ip:/opt/harbian-audit-master$ sudo -s
|
||||||
admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
|
admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
|
||||||
admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
|
admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
|
||||||
|
admin@ip:/opt/harbian-audit-master# exit
|
||||||
```
|
```
|
||||||
|
|
||||||
Related how to use harbian-audit to adit and apply, please reference:
|
Apply need to apply twice items and that items of must apply after first apply:
|
||||||
[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md)
|
```
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.32
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.2
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.3
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.12
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo reboot
|
||||||
|
```
|
||||||
|
|
||||||
|
##### Third apply(after reboot)
|
||||||
|
Apply need to apply three times items:
|
||||||
|
```
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.1
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.2
|
||||||
|
admin@ip:/opt/harbian-audit-master$ sudo reboot
|
||||||
|
```
|
||||||
|
|
||||||
### Set issues
|
### Set issues
|
||||||
```
|
```
|
||||||
|
@ -89,9 +116,14 @@ $ sudo rm /opt/harbian-audit-master/tmp/backups/*
|
||||||
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg
|
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg
|
||||||
```
|
```
|
||||||
|
|
||||||
#### AIDE RE-INIT
|
#### Final apply
|
||||||
|
Reset password for all users and reinit aide database:
|
||||||
```
|
```
|
||||||
$ sudo aideinit -y -f
|
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --final
|
||||||
|
```
|
||||||
|
#### Uninstall
|
||||||
|
```
|
||||||
|
$ sudo apt-get purge --autoremove unzip
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Clear the current log:
|
#### Clear the current log:
|
||||||
|
@ -149,6 +181,7 @@ $ history -cw
|
||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
|
[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md)
|
||||||
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html)
|
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html)
|
||||||
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html)
|
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html)
|
||||||
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html)
|
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html)
|
||||||
|
|