Remove the sudo command from docs.

Samson-W 2020-04-26 00:50:30 +08:00
parent 2678bb54b4
commit d54fa4f75c
16 changed files with 193 additions and 202 deletions

View File

@ -6,7 +6,7 @@
审计功能的使用示例:
```console
$ sudo bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --audit-all
[...]
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
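Review bot: with `sudo` gone from `# bash bin/hardening.sh --audit-all`, nothing in this section tells the reader how the `#` shell is obtained; add one sentence before the first root-prompt block saying to open a root shell first (for example `sudo -s`), because the rest of the file switches between `$` and `#` prompts without ever showing that transition.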
@ -29,13 +29,13 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
### 下载及初始化
```console
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
$ sudo cp etc/default.cfg /etc/default/cis-hardening
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ sudo bin/hardening.sh --init
# cp etc/default.cfg /etc/default/cis-hardening
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
# bin/hardening.sh --init
```
### 对所有的安全检查项进行审计
```
$ sudo bin/hardening.sh --audit-all
# bin/hardening.sh --audit-all
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
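Review bot: `$ git clone ... && cd harbian-audit` stays at the user prompt while the next three lines move to `#`, and `CIS_ROOT_DIR='$(pwd)'` is now expanded inside that root shell. Only `sudo -s` (or plain `su`) keeps the working directory; `su -` and `sudo -i` start in /root, so CIS_ROOT_DIR would point at the wrong place and `# bin/hardening.sh --init` would fail. Either make the clone a `#` command as well, keep the old `$ sudo` form for these three lines, or replace `$(pwd)` with the explicit checkout path.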
@ -55,8 +55,8 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
```
### 设置加固级别并进行自动修复
```
$ sudo bin/hardening.sh --set-hardening-level 5
$ sudo bin/hardening.sh --apply
# bin/hardening.sh --set-hardening-level 5
# bin/hardening.sh --apply
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
@ -75,17 +75,17 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
### 需要预装的软件
如果是使用的最小安装方式安装的Debian GNU/Linux系统在使用此项目之前需要安装如下的软件
```
sudo apt-get install -y bc net-tools pciutils
# apt-get install -y bc net-tools pciutils
```
如果系统是Redhat/CentOS在使用此项目前需要安装如下的软件包
```
sudo yum install -y bc net-tools pciutils NetworkManager epel-release
# yum install -y bc net-tools pciutils NetworkManager epel-release
```
### 需要预先进行的配置
在使用此项目前,必须给所有要用到的用户设置了密码。如果没有设置密码的话,将在进行自动化加固后不能够登录到系统。例如(用户root和test:
```
$ sudo -s
# passwd
# passwd test
```
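Review bot: `$ sudo -s` is kept at the top of the password block (`# passwd`, `# passwd test`) but dropped from every other block in this file, so the page now mixes two conventions. Pick one: either keep an explicit `$ sudo -s` before the first root command of each block, or remove it here too and state once near the top that all `#` blocks are run from a root shell.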
@ -155,8 +155,8 @@ EXCEPTIONS=""
基于iptables的部署:
```
$ INTERFACENAME="your network interfacename(Example eth0)"
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
$ sudo -s
# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
```
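Review bot: this hunk breaks the variable hand-off. `INTERFACENAME` is assigned at the `$` prompt and consumed at the `#` prompt, but an unexported shell variable is never inherited by a child shell, and sudo's default env_reset drops it even if it were exported, so `bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME` now runs with an empty argument. The removed `$ sudo bash ... $INTERFACENAME` worked because the expansion happened in the same `$` shell before `sudo` ran. Assign the variable in the root shell (`# INTERFACENAME=eth0`) or pass the interface name literally.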
@ -164,13 +164,13 @@ $ sudo -s
按照以下命令修改nftables.conf(你的对外网口的名称例如eth0):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
# nft -f ./etc.nftables.conf
```
5) 当所有安全基线项都修复完成后,使用--final方法将完成以下的最终的工作
1.使用passwd命令去重新设置常规用户及root用户的密码以满足pam_cracklib模块配置的密码强度和健壮性。
2. 重新初始化aide工具的数据库。
```
$ sudo bin/hardening.sh --final
# bin/hardening.sh --final
```
## 特别注意

View File

@ -10,7 +10,7 @@ The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debia
```console
$ sudo bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --audit-all
[...]
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
@ -32,10 +32,10 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
```console
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
$ sudo cp etc/default.cfg /etc/default/cis-hardening
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ sudo bin/hardening.sh --init
$ sudo bin/hardening.sh --audit-all
# cp etc/default.cfg /etc/default/cis-hardening
# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
# bin/hardening.sh --init
# bin/hardening.sh --audit-all
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
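Review bot: same working-directory trap as the Chinese README: `$ git clone ... && cd harbian-audit` runs as the user, `# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#"` runs as root, and `$(pwd)` is whatever directory the root shell happens to be in. That is the checkout only if root was obtained with `sudo -s` or plain `su`; `su -` and `sudo -i` start in /root. Make the clone a `#` command too, or write the absolute checkout path instead of `$(pwd)`.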
@ -52,8 +52,8 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
Total Failed Checks : [ 39/278 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 85.97 %
$ sudo bin/hardening.sh --set-hardening-level 5
$ sudo bin/hardening.sh --apply
# bin/hardening.sh --set-hardening-level 5
# bin/hardening.sh --apply
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
@ -73,18 +73,18 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening
If use Network install from a minimal CD to installed Debian GNU/Linux, need install packages before use the hardening tool.
```
sudo apt-get install -y bc net-tools pciutils network-manager
# apt-get install -y bc net-tools pciutils network-manager
```
Redhat/CentOS need install packages before use the hardening tool:
```
sudo yum install -y bc net-tools pciutils NetworkManager epel-release
# yum install -y bc net-tools pciutils NetworkManager epel-release
```
### Pre-Set
You must set a password for all users before hardening. Otherwise, you will not be able to log in after the hardening is completed. Example(OS user: root and test):
```
$ sudo -s
# passwd
# passwd test
```
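Review bot: the Pre-Set block keeps `$ sudo -s` ahead of `# passwd` while the install and init blocks above no longer show how root is obtained, which is inconsistent within one file. Apply the same rule throughout; if `sudo -s` stays, move it (or a sentence saying the following blocks are run as root) up to the first `#` block so the reader sees the privilege step before the first root command rather than halfway down the page.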
@ -169,8 +169,8 @@ Set the corresponding firewall rules according to the applications used. Hardene
to do the following:
```
$ INTERFACENAME="your network interfacename(Example eth0)"
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
$ sudo -s
# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
```
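Review bot: `$ INTERFACENAME="your network interfacename(Example eth0)"` is set in the user shell but `# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME` expands it in a root shell, where it is unset, so the script receives no interface argument. The previous `$ sudo bash ... $INTERFACENAME` worked because the expansion happened before `sudo`. Either assign the variable at the `#` prompt or drop the variable and write `eth0` directly as the example value.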
@ -180,13 +180,13 @@ $ sudo -s
to do the following(your network interfacename(Example eth0)):
```
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
# nft -f ./etc.nftables.conf
```
5) When all repairs are completed. --final method will:
1. Use passwd command to change the password of the regular and root user to apply the password complexity and robustness of the pam_cracklib module configuration.
2. Aide reinitializes.
```
$ sudo bin/hardening.sh --final
# bin/hardening.sh --final
```
## Special Note

View File

@ -24,15 +24,15 @@ The creation process is as follows:
### Pre-Install
```
$ sudo apt update
$ sudo apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip
# apt update
# apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip
```
### Get harbian-audit project
```
$ cd /opt
/opt$ sudo wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip
/opt$ sudo unzip master.zip
/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip
/opt# unzip master.zip
/opt$ cd harbian-audit-master/
```
### How to use harbian-audit to audit and apply
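Review bot: this block now alternates prompts line by line (`$ cd /opt`, `/opt# wget`, `/opt# unzip`, `/opt$ cd harbian-audit-master/`), which reads as entering and leaving a root shell twice for four commands; make the whole block `#`, since the extracted tree is root-owned anyway and every later step runs as root. While the apt line is being touched, drop the duplicated `bc net-tools` in `apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip`.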
@ -40,7 +40,6 @@ $ cd /opt
//maybe not need
#### Set passwd to all user:
```
admin@ip:/opt/harbian-audit-master$ sudo -s
admin@ip:/opt/harbian-audit-master# passwd
admin@ip:/opt/harbian-audit-master# passwd admin
```
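Review bot: removing `admin@ip:/opt/harbian-audit-master$ sudo -s` deletes the only line in this walkthrough that showed how `admin` becomes root, and every following `admin@ip:...#` block depends on that shell. Keep the line, or add a sentence before this block saying the remaining steps are run from a root shell. Note also that after `sudo -s` the prompt reads `root@ip:...#`, not `admin@ip:...#`, which is why the `#` lines here look like an unprivileged user typing root commands.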
@ -49,27 +48,26 @@ admin@ip:/opt/harbian-audit-master# passwd admin
##### First audit && apply:
```
admin@ip:/opt/harbian-audit-master$ sudo cp etc/default.cfg /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --init
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --set-hardening-level 5
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply
admin@ip:/opt/harbian-audit-master$ sudo reboot
admin@ip:/opt/harbian-audit-master# cp etc/default.cfg /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --init
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply
admin@ip:/opt/harbian-audit-master# reboot
```
##### Second audit && apply(After reboot)
Configuring the firewall:
```
admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0"
admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master$ sudo -s
admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
admin@ip:/opt/harbian-audit-master# exit
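Review bot: in the firewall part of this hunk `INTERFACENAME="eth0"` is assigned at `admin@ip:...$` and used two lines later at `admin@ip:...#`; the root shell does not inherit it, so both `etc.iptables.rules.v4.sh $INTERFACENAME` and the v6 script now run without an interface argument (the removed `sudo bash ... $INTERFACENAME` form expanded it in the same shell). The trailing `# exit` context line also now closes a root shell the text never opens; a reader who is already root ends the session. Assign the variable at the `#` prompt and either restore the `sudo -s` line or drop the `exit`.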
@ -77,28 +75,28 @@ admin@ip:/opt/harbian-audit-master# exit
Apply need to apply twice items and that items of must apply after first apply:
```
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.2
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.3
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.12
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.32
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5
admin@ip:/opt/harbian-audit-master$ sudo reboot
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.2
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.3
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.12
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.32
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 4.5
admin@ip:/opt/harbian-audit-master# reboot
```
##### Third apply(after reboot)
Apply need to apply three times items:
```
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.1
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.2
admin@ip:/opt/harbian-audit-master$ sudo reboot
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.1
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.2
admin@ip:/opt/harbian-audit-master# reboot
```
### Set issues
```
$ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
```
### Hacking
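Review bot: the banner text written into `/etc/issue*` still says `complianced`, which is not a word; since the `sed` line is being rewritten anyway, change it to `harbian-audit compliant for Debian GNU/Linux 9`.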
@ -110,24 +108,23 @@ Use the following guidelines to reduce the attack surface and improve the reliab
#### Clean harbian-audit temp file and conf
```
$ sudo rm /opt/master.zip
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg
# rm /opt/master.zip
# rm /opt/harbian-audit-master/tmp/backups/*
# rm /opt/harbian-audit-master/etc/conf.d/*.cfg
```
#### Uninstall
```
$ sudo apt-get purge --autoremove unzip -y
# apt-get purge --autoremove unzip -y
```
#### Clear the current log:
```
$ sudo find /var/log/ -name "*.log" -exec shred -u {} \;
$ sudo find /var/log/ -name "*.log.*" -exec shred -u {} \;
$ sudo find / -name "authorized_keys" -exec shred -u {} \;
$ sudo rm /root/.wget-hsts
$ sudo rm /root/.viminfo
$ sudo -s
# find /var/log/ -name "*.log" -exec shred -u {} \;
# find /var/log/ -name "*.log.*" -exec shred -u {} \;
# find / -name "authorized_keys" -exec shred -u {} \;
# rm /root/.wget-hsts
# rm /root/.viminfo
# echo > /var/log/debug
# echo > /var/log/btmp
# echo > /var/log/error
@ -145,7 +142,7 @@ $ sudo -s
#### Final apply
Reset password for all users and reinit aide database:
```
admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --final
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --final
```
#### Clear bash hostory

View File

@ -28,7 +28,7 @@
## Use harbian-audit to check
```
admin@ip-:~$ cd /opt/harbian-audit-master/
admin@ip-:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all
admin@ip-:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
......
################### SUMMARY ###################
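Review bot: `admin@ip-:~$ cd /opt/harbian-audit-master/` followed by `admin@ip-:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all` shows the same non-root user at a `#` prompt; a root shell entered with `sudo -s` prompts as `root@ip-:...#`. For a two-line block the old `$ sudo ./bin/hardening.sh --audit-all` form is clearer; otherwise show the prompt change honestly.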

View File

@ -77,9 +77,8 @@ root@harbian:/opt/harbian-audit-master# reboot
After reboot:
```
harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v6.sh eth0
harbian-audit@harbian:/opt/harbian-audit-master$ sudo -s
harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v6.sh eth0
root@harbian:/opt/harbian-audit-master# iptables-save > /etc/sysconfig/iptables
root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/sysconfig/ip6tables
```
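Review bot: the two rewritten lines use `harbian-audit@harbian:/opt/harbian-audit-master#` while the unchanged lines directly below use `root@harbian:/opt/harbian-audit-master#` for the same shell; after `sudo -s` the prompt is the root one. Change the two `harbian-audit@harbian...#` prompts to `root@harbian...#` so the block reads as a single root session. The hard-coded `eth0` avoids the variable problem the other docs have, so that part is fine.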
@ -88,7 +87,7 @@ Related how to use harbian-audit to adit and apply, please reference:
### Set issues
```
$ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
```
### Set grub passwd
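Review bot: `complianced` in the `/etc/issue*` banner text is misspelled in both the old and new line; since the line is being rewritten, make it `compliant`.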
@ -101,7 +100,6 @@ Related how to config grub2 password protection, please reference:
### Re-set passwd of all users
```
harbian-audit@harbian:~$ sudo -s
root@harbian:/home/harbian-audit# passwd
root@harbian:/home/harbian-audit# passwd harbian-audit
```
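Review bot: dropping `harbian-audit@harbian:~$ sudo -s` leaves a block that begins at `root@harbian:/home/harbian-audit#` with no indication of how the reader got there; the `/home/harbian-audit` working directory was the trace of that `sudo -s`. Because this block resets the root password itself, a reader who is not already root cannot follow it; keep the line or add a sentence saying the step is run from a root shell.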
@ -113,38 +111,37 @@ If need adds a project on AMI, add the project on such as /opt, /usr/local/bin d
#### Uninstall
```
$ sudo apt-get purge --autoremove unzip -y
# apt-get purge --autoremove unzip -y
```
#### Clean harbian-audit temp file and conf
```
$ sudo rm /opt/master.zip
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
# rm /opt/master.zip
# rm /opt/harbian-audit-master/tmp/backups/*
$ cd /opt/harbian-audit-master/etc/conf.d
$ sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
# rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
```
#### Final fix
```
$ cd /opt/harbian-audit-master
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
$ sudo bash bin/hardening.sh --apply --only 8.1.32
$ sudo bash bin/hardening.sh --apply --only 8.4.1
$ sudo bash bin/hardening.sh --apply --only 8.4.2
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
# bash bin/hardening.sh --apply --only 8.1.32
# bash bin/hardening.sh --apply --only 8.4.1
# bash bin/hardening.sh --apply --only 8.4.2
# rm /opt/harbian-audit-master/tmp/backups/*
# rm /opt/harbian-audit-master/etc/conf.d/*
```
#### Clear the current log
```
$ sudo find /var/log/ -name "*.log" -exec shred -u {} \;
$ sudo find /var/log/ -name "*.log.*" -exec shred -u {} \;
$ sudo find / -name "authorized_keys" -exec shred -u {} \;
$ sudo rm /root/.wget-hsts
$ sudo rm /root/.viminfo
$ sudo -s
# find /var/log/ -name "*.log" -exec shred -u {} \;
# find /var/log/ -name "*.log.*" -exec shred -u {} \;
# find / -name "authorized_keys" -exec shred -u {} \;
# rm /root/.wget-hsts
# rm /root/.viminfo
# echo > /var/log/debug
# echo > /var/log/btmp
# echo > /var/log/error
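Review bot: this hunk leaves a dangerous prompt mix in the clean-up block: `$ cd /opt/harbian-audit-master/etc/conf.d` runs in the user shell and `# rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)` in a root shell. If that root shell was opened with `su -` or `sudo -i`, its working directory is /root and the negated glob deletes everything in root's home; with `sudo -s` the cwd is kept, but the text no longer says which to use, and `!( )` additionally needs `shopt -s extglob`, which a default bash does not enable. The same cwd dependency affects the Final fix part, where `$ cd /opt/harbian-audit-master` is at the user prompt and the six `# sed -i ... etc/conf.d/...` and `# bash bin/hardening.sh --apply --only ...` lines use relative paths from the root shell. Make the `cd` lines `#` as well, or give `rm`, `sed` and `hardening.sh` absolute paths as the two final `rm` lines already do.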
@ -160,7 +157,7 @@ $ sudo -s
#### AIDE RE-INIT
```
$ sudo aideinit -y -f
# aideinit -y -f
```
#### Clear bash hostory
@ -169,7 +166,7 @@ $ sudo aideinit -y -f
# history -cw
$ echo > ~/.bash_history
$ history -cw
$ sudo poweroff
# poweroff
```
## sign QEMU image
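Review bot: the order of this block matters and the change inverts it. It clears root's history (`# history -cw`), drops back to the user to clear `~/.bash_history`, and then shut down with `$ sudo poweroff`; replacing that with `# poweroff` means re-entering a root shell after the cleanup, and the `sudo -s` or `su` typed to get there lands in the user's in-memory history on the image being cleaned. Keep `$ sudo poweroff` here, since it is the one place `sudo` was doing real work, or move the user-shell cleanup before the root-shell cleanup and `poweroff` from the root shell that is already open.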

View File

@ -77,8 +77,7 @@ root@harbian:/opt/harbian-audit-master# reboot
After reboot:
```
harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
harbian-audit@harbian:/opt/harbian-audit-master$ sudo -s
harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v4.sh eth0
root@harbian:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
```
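Review bot: the rewritten line `harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v4.sh eth0` shows a non-root user at a `#` prompt, while the unchanged `root@harbian:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4` directly below shows the same shell as root. Use `root@harbian...#` on the rewritten line so the block is one consistent root session.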
@ -87,7 +86,7 @@ Related how to use harbian-audit to adit and apply, please reference:
### Set issues
```
$ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
```
### Set grub passwd
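Review bot: `complianced` in the `/etc/issue*` replacement text is misspelled on both the removed and the added line; fix it to `compliant` while the line is being changed.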
@ -100,7 +99,6 @@ Related how to config grub2 password protection, please reference:
### Re-set passwd of all users
```
harbian-audit@harbian:~$ sudo -s
root@harbian:/home/harbian-audit# passwd
root@harbian:/home/harbian-audit# passwd harbian-audit
```
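Review bot: with `harbian-audit@harbian:~$ sudo -s` removed, the block opens at `root@harbian:/home/harbian-audit# passwd` without showing how the reader became root, and the `/home/harbian-audit` cwd in the prompt only makes sense as the result of that `sudo -s`. Keep the line or say in prose that this step is run from a root shell.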
@ -112,38 +110,37 @@ If need adds a project on AMI, add the project on such as /opt, /usr/local/bin d
#### Uninstall
```
$ sudo apt-get purge --autoremove unzip -y
# apt-get purge --autoremove unzip -y
```
#### Clean harbian-audit temp file and conf
```
$ sudo rm /opt/master.zip
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
# rm /opt/master.zip
# rm /opt/harbian-audit-master/tmp/backups/*
$ cd /opt/harbian-audit-master/etc/conf.d
$ sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
# rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)
```
#### Final fix
```
$ cd /opt/harbian-audit-master
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
$ sudo bash bin/hardening.sh --apply --only 8.1.32
$ sudo bash bin/hardening.sh --apply --only 8.4.1
$ sudo bash bin/hardening.sh --apply --only 8.4.2
$ sudo rm /opt/harbian-audit-master/tmp/backups/*
$ sudo rm /opt/harbian-audit-master/etc/conf.d/*
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
# bash bin/hardening.sh --apply --only 8.1.32
# bash bin/hardening.sh --apply --only 8.4.1
# bash bin/hardening.sh --apply --only 8.4.2
# rm /opt/harbian-audit-master/tmp/backups/*
# rm /opt/harbian-audit-master/etc/conf.d/*
```
#### Clear the current log
```
$ sudo find /var/log/ -name "*.log" -exec shred -u {} \;
$ sudo find /var/log/ -name "*.log.*" -exec shred -u {} \;
$ sudo find / -name "authorized_keys" -exec shred -u {} \;
$ sudo rm /root/.wget-hsts
$ sudo rm /root/.viminfo
$ sudo -s
# find /var/log/ -name "*.log" -exec shred -u {} \;
# find /var/log/ -name "*.log.*" -exec shred -u {} \;
# find / -name "authorized_keys" -exec shred -u {} \;
# rm /root/.wget-hsts
# rm /root/.viminfo
# echo > /var/log/debug
# echo > /var/log/btmp
# echo > /var/log/error
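Review bot: `$ cd /opt/harbian-audit-master/etc/conf.d` at the user prompt followed by `# rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg)` at the root prompt is unsafe: a root shell from `su -` or `sudo -i` starts in /root, where the negated glob removes everything in root's home, and `!( )` needs `shopt -s extglob` in any case. The Final fix part has the same dependency, with `$ cd /opt/harbian-audit-master` at `$` and relative `etc/conf.d/...` and `bin/hardening.sh` paths at `#`. Put the `cd` lines at the `#` prompt too, or use absolute paths throughout as the final two `rm` lines do.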
@ -159,7 +156,7 @@ $ sudo -s
#### AIDE RE-INIT
```
$ sudo aideinit -y -f
# aideinit -y -f
```
#### Clear bash hostory
@ -168,7 +165,7 @@ $ sudo aideinit -y -f
# history -cw
$ echo > ~/.bash_history
$ history -cw
$ sudo poweroff
# poweroff
```
## sign QEMU image
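Review bot: `$ sudo poweroff` was deliberately the last command in the unprivileged shell, after `# history -cw` in the root shell and `$ history -cw` in the user shell; changing it to `# poweroff` requires becoming root again after both histories were cleared, and the command used to do so is recorded in the user's shell history on the image. Keep `$ sudo poweroff` here, or reorder the block so the user-shell cleanup happens first and the shutdown is issued from the still-open root shell.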

View File

@ -2,7 +2,7 @@
## Pre-install
```
sudo apt-get install build-essential dh-make debhelper lintian wget
# apt-get install build-essential dh-make debhelper lintian wget
```
## Config evc var for dh_make
```

View File

@ -3,7 +3,7 @@
## Server
### Install package
```
sudo apt install -y auditd
# apt install -y auditd
```
### Configure
@ -21,7 +21,7 @@ systemctl restart auditd
## Client
### Install package
```
sudo apt install -y audispd-plugins auditd
# apt install -y audispd-plugins auditd
```
### Configure

View File

@ -3,7 +3,7 @@ Debian Buster uses the nftables framework by default.
## Pre-install
```
$ sudo apt install nftables
# apt install nftables
```
## Check iptables link point
@ -13,7 +13,7 @@ You can switch back and forth between iptables-nft and iptables-legacy by means
Check iptables currently link:
```
$ sudo update-alternatives --display iptables
# update-alternatives --display iptables
iptables - auto mode
link best version is /usr/sbin/iptables-nft
link currently points to /usr/sbin/iptables-nft
@ -29,11 +29,11 @@ iptables - auto mode
```
If you see above, don't need switching, if currently link to iptables-legacy, need use command to switching to iptables-nft:
```
$ sudo update-alternatives --set iptables /usr/sbin/iptables-nft
$ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
$ sudo update-alternatives --set arptables /usr/sbin/arptables-nft
$ sudo update-alternatives --set ebtables /usr/sbin/ebtables-nft
$ sudo update-alternatives --display iptables
# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft
# update-alternatives --display iptables
```
## Migrating
move from an existing iptables ruleset to nftables:
@ -41,17 +41,17 @@ move from an existing iptables ruleset to nftables:
### Command translation
You can generate a translation of an iptables/ip6tables command to know the nftables equivalent.
```
$ sudo iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
$ sudo ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
nft add rule ip6 filter FORWARD iifname "eth0" oifname "eth3" meta l4proto udp udp dport { 111,222} counter accept
```
Instead of translating command by command, you can translate your whole ruleset in a single run:
```
$ sudo iptables-save > save.txt
$ sudo iptables-restore-translate -f save.txt
# iptables-save > save.txt
# iptables-restore-translate -f save.txt
# Translated by iptables-restore-translate v1.8.2 on Fri Jul 12 04:33:36 2019
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
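Review bot: after this change the first line of the command output, `# Translated by iptables-restore-translate v1.8.2 on Fri Jul 12 04:33:36 2019`, is visually identical to the `# iptables-save > save.txt` and `# iptables-restore-translate -f save.txt` command lines above it, because all three now begin with `#`. A reader cannot tell where the command ends and the output begins; this is the cost of using `#` as the root prompt in a file that also shows `#`-prefixed output. Either keep `$ sudo` in this file or separate the output from the commands (a blank line or indentation).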
@ -114,10 +114,10 @@ add chain ip mangle POSTROUTING { type filter hook postrouting priority -150; po
```
You should be able to directly give this to nftables:
```
$ sudo iptables-restore-translate -f save.txt > ruleset.nft
$ sudo nft -f ruleset.nft
# iptables-restore-translate -f save.txt > ruleset.nft
# nft -f ruleset.nft
```
$ sudo nft list ruleset
# nft list ruleset
List nft ruleset:
```
table ip filter {
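Review bot: `$ sudo nft list ruleset` was already sitting outside a code fence, between the fence closed after `# nft -f ruleset.nft` and the `List nft ruleset:` line, and rewriting it as `# nft list ruleset` turns it into a Markdown level-1 heading when rendered. Move the line into the fence that follows `List nft ruleset:` as the command whose output the `table ip filter { ... }` listing shows.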
@ -263,7 +263,7 @@ table ip mangle {
## Uninstall iptables
```
$ sudo apt purge --autoremove iptables
# apt purge --autoremove iptables
```
## Reference

View File

@ -9,7 +9,7 @@ netfilter-persistent 1.0.4+nmu2
## Install
```
$ sudo apt-get install -y iptables-persistent
# apt-get install -y iptables-persistent
```
This command will install iptables-persistent and netfilter-persistent(depended iptables-persistent),
@ -19,19 +19,19 @@ netfilter-persistent service is auto running when netfilter-persistent was insta
Check service status:
```
$ sudo systemctl status netfilter-persistent
# systemctl status netfilter-persistent
```
If netfilter-persistent service is not started, use the following command to enable netfilter-persistent service:
```
$ sudo systemctl start netfilter-persistent
# systemctl start netfilter-persistent
```
## How to config for persistent iptables
First, when configuring iptables rules done, need use the following command to save current iptables rules:
```
$ sudo dpkg-reconfigure iptables-persistent
# dpkg-reconfigure iptables-persistent
```
or
@ -45,5 +45,5 @@ Note: User iptables-save/ip6tables-save command, save file must is above file na
## Well-done
Iptables rules would auto restore iptables rules when Operation system restart, or manual to exec following command:
```
$ sudo systemctl restart netfilter-persistent
# systemctl restart netfilter-persistent
```

View File

@ -8,12 +8,12 @@ nftables 0.9.0-2
## Pre-Install
```
$ sudo apt-get install -y nftables netfilter-persistent
# apt-get install -y nftables netfilter-persistent
```
## Uninstall iptables
```
$ sudo apt purge --autoremove iptables
# apt purge --autoremove iptables
```
## How to enable netfilter-persistent service
@ -22,12 +22,12 @@ netfilter-persistent service is auto running when netfilter-persistent was insta
Check service status:
```
$ sudo systemctl status netfilter-persistent
# systemctl status netfilter-persistent
```
If netfilter-persistent service is not started, use the following command to enable netfilter-persistent service:
```
$ sudo systemctl start netfilter-persistent
# systemctl start netfilter-persistent
```
## How to config for persistent nft rules
@ -35,7 +35,7 @@ $ sudo systemctl start netfilter-persistent
### Get nftables ruleset
```
~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/etc.nftables.conf
~$ sudo mv etc.nftables.conf /etc/nftables.conf
~# mv etc.nftables.conf /etc/nftables.conf
```
Note: Please replace ens33 to interface name of your device
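Review bot: `~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/etc.nftables.conf` saves the file in the invoking user's home, but `~# mv etc.nftables.conf /etc/nftables.conf` runs in a root shell whose `~` is /root, so the `mv` fails with "No such file" for anyone using `su -` or `sudo -i` (and a `sudo -s` shell would show the user's directory in the prompt, not `~`). Run the `wget` as root too, or give `mv` the absolute path of the downloaded file.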
@ -43,32 +43,32 @@ Note: Please replace ens33 to interface name of your device
### Get plugin of netfilter-persistent
```
~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft
~$ sudo mv usr.share.netfilter-persistent.plugins.d.15-nft /usr/share/netfilter-persistent/plugins.d/15-nft
~$ sudo chmod 755 /usr/share/netfilter-persistent/plugins.d/15-nft
~# mv usr.share.netfilter-persistent.plugins.d.15-nft /usr/share/netfilter-persistent/plugins.d/15-nft
~# chmod 755 /usr/share/netfilter-persistent/plugins.d/15-nft
```
## Well-done
Nft rules would auto restore nftables rules when Operation system restart, or manual to exec following command:
```
$ sudo netfilter-persistent start
# netfilter-persistent start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft start
```
## Additional usage
### Flush nft rules
```
$ sudo netfilter-persistent flush
# netfilter-persistent flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft flush
```
### Save nft rules
```
$ sudo netfilter-persistent save
# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft save
```
### Restore nft rules
```
$ sudo netfilter-persistent start
# netfilter-persistent start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft start
```
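Review bot: same home-directory mismatch as the ruleset download above: the plugin is fetched at `~$` into the user's home, then `~# mv usr.share.netfilter-persistent.plugins.d.15-nft /usr/share/netfilter-persistent/plugins.d/15-nft` looks for it in root's home. Fetch it as root or give `mv` the full source path; the `chmod 755` line and the `netfilter-persistent start/flush/save` lines further down are fine once the file is in place.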

View File

@ -2,7 +2,7 @@
## Install
```
sudo apt-get install apache2
# apt-get install apache2
```
# How to use harbian-audit to audit and apply
@ -10,7 +10,7 @@ sudo apt-get install apache2
## Set firewall
```
sed -i 's/PUB_IFS=.*/PUB_IFS="interface of machine"/g' ./etc.iptables.rules.v4.4http.sh
sudo bash ./etc.iptables.rules.v4.4http.sh
# bash ./etc.iptables.rules.v4.4http.sh
```
## Audit and apply
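Review bot: the block now has a prompt-less `sed -i 's/PUB_IFS=.*/PUB_IFS="interface of machine"/g' ./etc.iptables.rules.v4.4http.sh` followed by `# bash ./etc.iptables.rules.v4.4http.sh`, so one line looks like a user command and the next like a root command, and both rely on the same relative `./` path. Give both lines the same prompt, and say which directory they are run from.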
@ -18,11 +18,11 @@ See the documentation for more details:
[harbian-audit-readme](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md)
```
sudo bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --audit-all
# This is set special service to exception(6.10)
sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service http
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# bash bin/hardening.sh --set-hardening-level 5 --allow-service http
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
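Review bot: `# This is set special service to exception(6.10)` is a comment, but it now carries the same `#` prefix as `# bash bin/hardening.sh --audit-all` above it and `# bash bin/hardening.sh --set-hardening-level 5 --allow-service http` below it, so it reads as a fourth command. Move the explanation out of the fence as prose, or keep `sudo` in this file where `#` already means "comment".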

View File

@ -5,18 +5,18 @@
## Master node
```
sudo iptables-restore master-ufw-rules.conf
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --set-hardening-level 5
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# iptables-restore master-ufw-rules.conf
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --set-hardening-level 5
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
## Worker node
```
sudo iptables-restore worker-ufw-rules.conf
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --set-hardening-level 5
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# iptables-restore worker-ufw-rules.conf
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --set-hardening-level 5
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```

View File

@ -11,14 +11,14 @@
### Install mysql
```
$ sudo apt install mysql-server
# apt install mysql-server
```
#### Configurate database
Create helloworld database
```
$ sudo mysql -uroot
# mysql -uroot
MariaDB [(none)]> CREATE DATABASE helloworld;
```
@ -45,12 +45,12 @@ deb-src http://mirrors.163.com/debian/ stretch-backports main
and update
```
$ sudo apt update
# apt update
```
#### install the package
```
$ sudo apt -t stretch-backports install -y redis-server
# apt -t stretch-backports install -y redis-server
```
#### Configurate Redis
@ -82,7 +82,7 @@ systemctl restart redis
### Install Nodejs
```
$ sudo apt install curl -y
# apt install curl -y
```
#as root
```
@ -206,8 +206,8 @@ module.exports = {
//Installation PM2:
```
$ sudo npm install pm2 -g
$ sudo chmod -R 755 /usr/lib/node_modules/pm2
# npm install pm2 -g
# chmod -R 755 /usr/lib/node_modules/pm2
```
```
@ -217,7 +217,7 @@ $ pm2 startup systemd
[PM2] Init System found: systemd
[PM2] To setup the Startup Script, copy/paste the following command:
sudo env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld
# env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld
```
change to root user and execute
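Review bot: the rewritten line `# env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld` is not an instruction in the document's own voice; it is the literal output of `$ pm2 startup systemd` quoted just above (`[PM2] To setup the Startup Script, copy/paste the following command:`), and pm2 prints that line with `sudo`. Editing quoted tool output makes the transcript inaccurate; leave the line as pm2 prints it and let the following `change to root user and execute` step handle the privilege switch.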
@ -238,7 +238,7 @@ now start the service
## Set iptables rules
```
$ sudo iptables -I INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
# iptables -I INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
```
## Test

View File

@ -5,22 +5,22 @@
## Server node
```
sudo iptables-restore iptables_ufw-4-server.cfg
sudo bash bin/hardening.sh --audit-all
# iptables-restore iptables_ufw-4-server.cfg
# bash bin/hardening.sh --audit-all
# This is set special service to exception(6.2 6.3 6.10)
sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
## Client node
```
sudo iptables-restore iptables_ufw-4-client.cfg
sudo bash bin/hardening.sh --audit-all
# iptables-restore iptables_ufw-4-client.cfg
# bash bin/hardening.sh --audit-all
# This is set special service to exception(6.10)
sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service http
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# bash bin/hardening.sh --set-hardening-level 5 --allow-service http
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
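Review bot: in both the server and client fences the explanatory lines `# This is set special service to exception(6.2 6.3 6.10)` and `# This is set special service to exception(6.10)` are comments, yet they now share the `#` prefix with the `# iptables-restore ...` and `# bash bin/hardening.sh ...` commands around them, so a reader copying the block gets a "command" that is prose. Move the explanations above the fences, or keep `sudo` in this file so `#` remains a comment marker.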

View File

@ -5,22 +5,22 @@
## Server node
```
sudo iptables-restore iptables_ufw-4-server.cfg
sudo bash bin/hardening.sh --audit-all
# iptables-restore iptables_ufw-4-server.cfg
# bash bin/hardening.sh --audit-all
# This is set special service to exception(6.2 6.3 6.10)
sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
## Client node
```
sudo iptables-restore iptables_ufw-4-client.cfg
sudo bash bin/hardening.sh --audit-all
# iptables-restore iptables_ufw-4-client.cfg
# bash bin/hardening.sh --audit-all
# This is set special service to exception(6.10)
sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service http
sudo bash bin/hardening.sh --audit-all
sudo bash bin/hardening.sh --apply
# bash bin/hardening.sh --set-hardening-level 5 --allow-service http
# bash bin/hardening.sh --audit-all
# bash bin/hardening.sh --apply
```
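Review bot: same ambiguity as the other server/client doc: `# This is set special service to exception(6.2 6.3 6.10)` and `# This is set special service to exception(6.10)` are comments that are now indistinguishable from the `#`-prompted commands on either side of them. Put the explanation in prose before each fence, or restore `sudo` on the command lines so `#` keeps its comment meaning.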