diff --git a/README-CN.md b/README-CN.md index c4b52d0..0d7d273 100644 --- a/README-CN.md +++ b/README-CN.md @@ -154,14 +154,22 @@ EXCEPTIONS="" 执行如下的命令进行部署: ``` $ INTERFACENAME="your network interfacename(Example eth0)" -$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh -$ sudo bash docs/configurations/etc.iptables.rules.v4.sh +$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME $ sudo -s # iptables-save > /etc/iptables/rules.v4 # ip6tables-save > /etc/iptables/rules.v6 ``` 5) 使用passwd命令改变所有用户的密码,以满足pam_cracklib模块配置的密码复杂度及健壮性。 +6) 必须在第一次修复应用后进行修复的项 +``` +8.1.32 因为此项一旦设置,审计规则将不能够再进行添加。 +``` +7) 必须在所有项都修复应用后进行修复的项 +``` +8.4.1 8.4.2 这都是与aide检测文件完整性相关的项,最好是在所有项都修复好后再进行修复,以修复好的系统中的文件进行完整性的数据库的初始化。 +``` + ## 特别注意 一些检查项需要依赖多次修复,且操作系统需要多次重启。需要进行两次修复的项有: 8.1.1.2 diff --git a/README.md b/README.md index c70294e..02ece24 100644 --- a/README.md +++ b/README.md 
@@ -169,13 +169,24 @@ Set the corresponding firewall rules according to the applications used. Hardene to do the following: ``` $ INTERFACENAME="your network interfacename(Example eth0)" -$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh -$ sudo bash docs/configurations/etc.iptables.rules.v4.sh +$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME $ sudo -s # iptables-save > /etc/iptables/rules.v4 # ip6tables-save > /etc/iptables/rules.v6 ``` +5) Use the passwd command to change the passwords of all users to apply the password complexity and robustness of the pam_cracklib module configuration. + +6) Items that must be applied after the first application(reboot after is better) +``` +8.1.32 Because this item is set, the audit rules will not be added. +``` + +7) Items that must be applied after all application is ok +``` +8.4.1 8.4.2 These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system. +``` + ### nft format rules: [nftables.conf](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.nftables.conf) to do the following(your network interfacename(Example eth0)): diff --git a/bin/hardening/8.1.32_record_Events_netfilter.sh b/bin/hardening/8.1.18_record_Events_netfilter.sh similarity index 100% rename from bin/hardening/8.1.32_record_Events_netfilter.sh rename to bin/hardening/8.1.18_record_Events_netfilter.sh diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.32_freeze_auditd_conf.sh similarity index 100% rename from bin/hardening/8.1.18_freeze_auditd_conf.sh rename to bin/hardening/8.1.32_freeze_auditd_conf.sh diff --git a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd index 4fadd95..06cf65b 100644 
--- a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd +++ b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd @@ -42,14 +42,14 @@ Then follow the wizard to install step by step. ### Pre-Install ``` -root@harbian:/home/harbian-audit# apt update && apt install -y bc net-tools vim unzip +root@harbian:/home/harbian-audit# apt update && apt install -y bc net-tools vim unzip pciutils network-manager ``` ### Get harbian-audit project ``` $ cd /opt root@harbian:/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip -root@harbian:/opt# sudo unzip master.zip +root@harbian:/opt# unzip master.zip root@harbian:/opt# cd harbian-audit-master/ ``` @@ -59,7 +59,8 @@ root@harbian:/opt# cd harbian-audit-master/ ``` root@harbian:/opt/harbian-audit-master# cp debian/default /etc/default/cis-hardening root@harbian:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening -root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all +root@harbian:/opt/harbian-audit-master# bash bin/hardening.sh --init +root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5 root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --apply @@ -84,7 +85,7 @@ $ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/L ### Set grub passwd superusers: harbiansuper -passwd: harbian_AUDIT,12@) +passwd: harbian_AUDIT,09)( Related how to config grub2 password protection, please reference: [how_to_config_grub2_password_protection.mkd](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd)
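Review bot: In the README-CN.md hunk (@@ -154,14 +154,22 @@), and the identical line in the README.md hunk, the new deploy command passes `$INTERFACENAME` unquoted, while the sample value assigned one line above contains spaces and parentheses, so the script would receive several arguments instead of one interface name. Quote it: `$ sudo bash docs/configurations/etc.iptables.rules.v4.sh "$INTERFACENAME"`. The patch as shown contains no change to etc.iptables.rules.v4.sh itself, so please confirm the script now reads the interface from its first argument and fails visibly when the argument is missing, since the removed `sed` on `PUB_IFS=` was the only thing setting it before.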
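Review bot: In the README.md hunk (@@ -169,13 +169,24 @@), the English text added for items 6 and 7 does not carry the meaning of the Chinese text added in README-CN.md. For 8.1.32 the Chinese says that once this item is set, no further audit rules can be added, which is the reason it has to wait until after the first apply; "Because this item is set, the audit rules will not be added" reads as if the rules are simply skipped. For 8.4.1 and 8.4.2 the Chinese says to apply them last so that the AIDE integrity database is initialised from the files of the fully hardened system; "fix all the items after they have been fixed to fix the integrity of the database" does not say that. Suggest rewording both, and adding a space before the parenthesis in "application(reboot after is better)".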
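Review bot: The two `similarity index 100%` renames swap the numbers 8.1.18 and 8.1.32 between record_Events_netfilter.sh and freeze_auditd_conf.sh, but only the files under bin/hardening/ move in this patch. The QEMU document edited below refers to etc/conf.d/7.4.4_hosts_deny.cfg, so per-check configuration appears to be keyed on the script name; if 8.1.18 and 8.1.32 have such files, or an already deployed tree has them with a status set, they need the matching rename so the enabled or disabled state follows the right check. A sentence in the README or commit message about the renumbering would help anyone upgrading in place, because the new README text now refers to the freeze item as 8.1.32.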
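Review bot: In the how_to_creating_and_making_a_QEMU_img.mkd hunk at @@ -59,7 +59,8 @@, the image build sequence still disables only 7.4.4 before a single `--apply`, while the README text added in this same patch says 8.1.32 must be applied after the first application and 8.4.1 and 8.4.2 after everything else. If the steps below this hunk do not already do so, the sequence should show that ordering, otherwise an image built from this document can freeze the audit configuration and initialise the AIDE database before the remaining fixes land. Minor: the new line calls `bash bin/hardening.sh --init` while the neighbouring lines call `./bin/hardening.sh`; pick one form.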
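Review bot: In the "Set grub passwd" hunk (@@ -84,7 +85,7 @@), the GRUB superuser password is replaced by another literal value committed to the document, so every image built from these steps shares a bootloader credential that anyone can read in the repository. Suggest replacing the literal with a placeholder, or stating next to it that this is a build-time default that must be changed after deployment, with a pointer to the how_to_config_grub2_password_protection.mkd document already linked on the following line.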