From d54fa4f75c8c33e130ea3f9407e7c586fbd477f5 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Sun, 26 Apr 2020 00:50:30 +0800 Subject: [PATCH] Remove the sudo command from docs. --- README-CN.md | 28 +++--- README.md | 28 +++--- ...w_to_creating_and_making_an_AMI_public.mkd | 87 +++++++++---------- ...use_harbian_audit_complianced_Debian_9.mkd | 2 +- ...ting_and_making_a_QEMU_img_for_centos8.mkd | 47 +++++----- ...ting_and_making_a_QEMU_img_for_debian9.mkd | 45 +++++----- .../how-to-build-deb-package.md | 2 +- ..._to_deploy_audisp_remote_for_audit_log.mkd | 4 +- ...g_from_iptables_to_nftables_in_debian10.md | 30 +++---- ...ersistent_iptables_rules_with_debian_9.mkd | 10 +-- ...to_persistent_nft_rules_with_debian_10.mkd | 22 ++--- docs/use-cases/apache2-usecase/Readme.mkd | 12 +-- .../hyperledger-cello-usecase/README.mkd | 20 ++--- .../nodejs-redis-mysql-usecase/README.md | 18 ++-- .../Readme.mkd | 20 ++--- .../Readme.mkd | 20 ++--- 16 files changed, 193 insertions(+), 202 deletions(-) diff --git a/README-CN.md b/README-CN.md index f1ee37e..ad75b5b 100644 --- a/README-CN.md +++ b/README-CN.md @@ -6,7 +6,7 @@ 审计功能的使用示例: ```console -$ sudo bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --audit-all [...] hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh 13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid @@ -29,13 +29,13 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening ### 下载及初始化 ```console $ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit -$ sudo cp etc/default.cfg /etc/default/cis-hardening -$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening -$ sudo bin/hardening.sh --init +# cp etc/default.cfg /etc/default/cis-hardening +# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening +# bin/hardening.sh --init ``` ### 对所有的安全检查项进行审计 ``` -$ sudo bin/hardening.sh --audit-all +# bin/hardening.sh --audit-all hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh 1.1_install_updates [INFO] Working on 1.1_install_updates 1.1_install_updates [INFO] Checking Configuration @@ -55,8 +55,8 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening ``` ### 设置加固级别并进行自动修复 ``` -$ sudo bin/hardening.sh --set-hardening-level 5 -$ sudo bin/hardening.sh --apply +# bin/hardening.sh --set-hardening-level 5 +# bin/hardening.sh --apply hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh 1.1_install_updates [INFO] Working on 1.1_install_updates 1.1_install_updates [INFO] Checking Configuration @@ -75,17 +75,17 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening ### 需要预装的软件 如果是使用的最小安装方式安装的Debian GNU/Linux系统,在使用此项目之前,需要安装如下的软件: ``` -sudo apt-get install -y bc net-tools pciutils +# apt-get install -y bc net-tools pciutils ``` 如果系统是Redhat/CentOS,在使用此项目前,需要安装如下的软件包: ``` -sudo yum install -y bc net-tools pciutils NetworkManager epel-release +# yum install -y bc net-tools pciutils NetworkManager epel-release ``` ### 需要预先进行的配置 在使用此项目前,必须给所有要用到的用户设置了密码。如果没有设置密码的话,将在进行自动化加固后不能够登录到系统。例如(用户:root和test): ``` -$ sudo -s + # passwd # passwd test ``` @@ -155,8 +155,8 @@ EXCEPTIONS="" 基于iptables的部署: ``` $ INTERFACENAME="your network interfacename(Example eth0)" -$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME -$ sudo -s +# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME + # iptables-save > /etc/iptables/rules.v4 # ip6tables-save > /etc/iptables/rules.v6 ``` @@ -164,13 +164,13 @@ $ sudo -s 按照以下命令修改nftables.conf(你的对外网口的名称,例如:eth0): ``` $ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf -$ sudo nft -f ./etc.nftables.conf +# nft -f ./etc.nftables.conf ``` 5) 当所有安全基线项都修复完成后,使用--final方法将完成以下的最终的工作: 1.使用passwd命令去重新设置常规用户及root用户的密码,以满足pam_cracklib模块配置的密码强度和健壮性。 2. 重新初始化aide工具的数据库。 ``` -$ sudo bin/hardening.sh --final +# bin/hardening.sh --final ``` ## 特别注意 diff --git a/README.md b/README.md index e656acd..8732bb3 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debia ```console -$ sudo bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --audit-all [...] hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh 13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid @@ -32,10 +32,10 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening ```console $ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit -$ sudo cp etc/default.cfg /etc/default/cis-hardening -$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening -$ sudo bin/hardening.sh --init -$ sudo bin/hardening.sh --audit-all +# cp etc/default.cfg /etc/default/cis-hardening +# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening +# bin/hardening.sh --init +# bin/hardening.sh --audit-all hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh 1.1_install_updates [INFO] Working on 1.1_install_updates 1.1_install_updates [INFO] Checking Configuration @@ -52,8 +52,8 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening Total Failed Checks : [ 39/278 ] Enabled Checks Percentage : 100.00 % Conformity Percentage : 85.97 % -$ sudo bin/hardening.sh --set-hardening-level 5 -$ sudo bin/hardening.sh --apply +# bin/hardening.sh --set-hardening-level 5 +# bin/hardening.sh --apply hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh 1.1_install_updates [INFO] Working on 1.1_install_updates 1.1_install_updates [INFO] Checking Configuration @@ -73,18 +73,18 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening If use Network install from a minimal CD to installed Debian GNU/Linux, need install packages before use the hardening tool. ``` -sudo apt-get install -y bc net-tools pciutils network-manager +# apt-get install -y bc net-tools pciutils network-manager ``` Redhat/CentOS need install packages before use the hardening tool: ``` -sudo yum install -y bc net-tools pciutils NetworkManager epel-release +# yum install -y bc net-tools pciutils NetworkManager epel-release ``` ### Pre-Set You must set a password for all users before hardening. Otherwise, you will not be able to log in after the hardening is completed. Example(OS user: root and test): ``` -$ sudo -s + # passwd # passwd test ``` @@ -169,8 +169,8 @@ Set the corresponding firewall rules according to the applications used. Hardene to do the following: ``` $ INTERFACENAME="your network interfacename(Example eth0)" -$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME -$ sudo -s +# bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME + # iptables-save > /etc/iptables/rules.v4 # ip6tables-save > /etc/iptables/rules.v6 ``` @@ -180,13 +180,13 @@ $ sudo -s to do the following(your network interfacename(Example eth0)): ``` $ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf -$ sudo nft -f ./etc.nftables.conf +# nft -f ./etc.nftables.conf ``` 5) When all repairs are completed. --final method will: 1. Use passwd command to change the password of the regular and root user to apply the password complexity and robustness of the pam_cracklib module configuration. 2. Aide reinitializes. ``` -$ sudo bin/hardening.sh --final +# bin/hardening.sh --final ``` ## Special Note diff --git a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd index d02379d..8e737e0 100644 --- a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd +++ b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd @@ -24,15 +24,15 @@ The creation process is as follows: ### Pre-Install ``` -$ sudo apt update -$ sudo apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip +# apt update +# apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip ``` ### Get harbian-audit project ``` $ cd /opt -/opt$ sudo wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip -/opt$ sudo unzip master.zip +/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip +/opt# unzip master.zip /opt$ cd harbian-audit-master/ ``` ### How to use harbian-audit to audit and apply @@ -40,7 +40,6 @@ $ cd /opt //maybe not need #### Set passwd to all user: ``` -admin@ip:/opt/harbian-audit-master$ sudo -s admin@ip:/opt/harbian-audit-master# passwd admin@ip:/opt/harbian-audit-master# passwd admin ``` @@ -49,27 +48,26 @@ admin@ip:/opt/harbian-audit-master# passwd admin ##### First audit && apply: ``` -admin@ip:/opt/harbian-audit-master$ sudo cp etc/default.cfg /etc/default/cis-hardening -admin@ip:/opt/harbian-audit-master$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --init -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --set-hardening-level 5 -admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg -admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg -admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg -admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg -admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg -admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply -admin@ip:/opt/harbian-audit-master$ sudo reboot +admin@ip:/opt/harbian-audit-master# cp etc/default.cfg /etc/default/cis-hardening +admin@ip:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --init +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5 +admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg +admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg +admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg +admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg +admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg +admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply +admin@ip:/opt/harbian-audit-master# reboot ``` ##### Second audit && apply(After reboot) Configuring the firewall: ``` admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0" -admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME -admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME -admin@ip:/opt/harbian-audit-master$ sudo -s +admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME +admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4 admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6 admin@ip:/opt/harbian-audit-master# exit @@ -77,28 +75,28 @@ admin@ip:/opt/harbian-audit-master# exit Apply need to apply twice items and that items of must apply after first apply: ``` -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.2 -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.3 -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.12 -admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.32 -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5 -admin@ip:/opt/harbian-audit-master$ sudo reboot +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.2 +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.3 +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.12 +admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.32 +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 4.5 +admin@ip:/opt/harbian-audit-master# reboot ``` ##### Third apply(after reboot) Apply need to apply three times items: ``` -admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg -admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.1 -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.2 -admin@ip:/opt/harbian-audit-master$ sudo reboot +admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg +admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.1 +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.2 +admin@ip:/opt/harbian-audit-master# reboot ``` ### Set issues ``` -$ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue* +# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue* ``` ### Hacking @@ -110,24 +108,23 @@ Use the following guidelines to reduce the attack surface and improve the reliab #### Clean harbian-audit temp file and conf ``` -$ sudo rm /opt/master.zip -$ sudo rm /opt/harbian-audit-master/tmp/backups/* -$ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg +# rm /opt/master.zip +# rm /opt/harbian-audit-master/tmp/backups/* +# rm /opt/harbian-audit-master/etc/conf.d/*.cfg ``` #### Uninstall ``` -$ sudo apt-get purge --autoremove unzip -y +# apt-get purge --autoremove unzip -y ``` #### Clear the current log: ``` -$ sudo find /var/log/ -name "*.log" -exec shred -u {} \; -$ sudo find /var/log/ -name "*.log.*" -exec shred -u {} \; -$ sudo find / -name "authorized_keys" -exec shred -u {} \; -$ sudo rm /root/.wget-hsts -$ sudo rm /root/.viminfo -$ sudo -s +# find /var/log/ -name "*.log" -exec shred -u {} \; +# find /var/log/ -name "*.log.*" -exec shred -u {} \; +# find / -name "authorized_keys" -exec shred -u {} \; +# rm /root/.wget-hsts +# rm /root/.viminfo # echo > /var/log/debug # echo > /var/log/btmp # echo > /var/log/error @@ -145,7 +142,7 @@ $ sudo -s #### Final apply Reset password for all users and reinit aide database: ``` -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --final +admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --final ``` #### Clear bash hostory diff --git a/docs/complianced_image/AMI/how_to_use_harbian_audit_complianced_Debian_9.mkd b/docs/complianced_image/AMI/how_to_use_harbian_audit_complianced_Debian_9.mkd index 558cd9c..faa7be6 100644 --- a/docs/complianced_image/AMI/how_to_use_harbian_audit_complianced_Debian_9.mkd +++ b/docs/complianced_image/AMI/how_to_use_harbian_audit_complianced_Debian_9.mkd @@ -28,7 +28,7 @@ ## Use harbian-audit to check ``` admin@ip-:~$ cd /opt/harbian-audit-master/ -admin@ip-:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all +admin@ip-:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all ...... ################### SUMMARY ################### diff --git a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img_for_centos8.mkd b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img_for_centos8.mkd index aa324f0..af597f8 100644 --- a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img_for_centos8.mkd +++ b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img_for_centos8.mkd @@ -77,9 +77,8 @@ root@harbian:/opt/harbian-audit-master# reboot After reboot: ``` -harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh eth0 -harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v6.sh eth0 -harbian-audit@harbian:/opt/harbian-audit-master$ sudo -s +harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v4.sh eth0 +harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v6.sh eth0 root@harbian:/opt/harbian-audit-master# iptables-save > /etc/sysconfig/iptables root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/sysconfig/ip6tables ``` @@ -88,7 +87,7 @@ Related how to use harbian-audit to adit and apply, please reference: ### Set issues ``` -$ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue* +# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue* ``` ### Set grub passwd @@ -101,7 +100,6 @@ Related how to config grub2 password protection, please reference: ### Re-set passwd of all users ``` -harbian-audit@harbian:~$ sudo -s root@harbian:/home/harbian-audit# passwd root@harbian:/home/harbian-audit# passwd harbian-audit ``` @@ -113,38 +111,37 @@ If need adds a project on AMI, add the project on such as /opt, /usr/local/bin d #### Uninstall ``` -$ sudo apt-get purge --autoremove unzip -y +# apt-get purge --autoremove unzip -y ``` #### Clean harbian-audit temp file and conf ``` -$ sudo rm /opt/master.zip -$ sudo rm /opt/harbian-audit-master/tmp/backups/* +# rm /opt/master.zip +# rm /opt/harbian-audit-master/tmp/backups/* $ cd /opt/harbian-audit-master/etc/conf.d -$ sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg) +# rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg) ``` #### Final fix ``` $ cd /opt/harbian-audit-master -$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg -$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg -$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg -$ sudo bash bin/hardening.sh --apply --only 8.1.32 -$ sudo bash bin/hardening.sh --apply --only 8.4.1 -$ sudo bash bin/hardening.sh --apply --only 8.4.2 -$ sudo rm /opt/harbian-audit-master/tmp/backups/* -$ sudo rm /opt/harbian-audit-master/etc/conf.d/* +# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg +# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg +# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg +# bash bin/hardening.sh --apply --only 8.1.32 +# bash bin/hardening.sh --apply --only 8.4.1 +# bash bin/hardening.sh --apply --only 8.4.2 +# rm /opt/harbian-audit-master/tmp/backups/* +# rm /opt/harbian-audit-master/etc/conf.d/* ``` #### Clear the current log ``` -$ sudo find /var/log/ -name "*.log" -exec shred -u {} \; -$ sudo find /var/log/ -name "*.log.*" -exec shred -u {} \; -$ sudo find / -name "authorized_keys" -exec shred -u {} \; -$ sudo rm /root/.wget-hsts -$ sudo rm /root/.viminfo -$ sudo -s +# find /var/log/ -name "*.log" -exec shred -u {} \; +# find /var/log/ -name "*.log.*" -exec shred -u {} \; +# find / -name "authorized_keys" -exec shred -u {} \; +# rm /root/.wget-hsts +# rm /root/.viminfo # echo > /var/log/debug # echo > /var/log/btmp # echo > /var/log/error @@ -160,7 +157,7 @@ $ sudo -s #### AIDE RE-INIT ``` -$ sudo aideinit -y -f +# aideinit -y -f ``` #### Clear bash hostory @@ -169,7 +166,7 @@ $ sudo aideinit -y -f # history -cw $ echo > ~/.bash_history $ history -cw -$ sudo poweroff +# poweroff ``` ## sign QEMU image diff --git a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img_for_debian9.mkd b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img_for_debian9.mkd index 284aeeb..e578e66 100644 --- a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img_for_debian9.mkd +++ b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img_for_debian9.mkd @@ -77,8 +77,7 @@ root@harbian:/opt/harbian-audit-master# reboot After reboot: ``` -harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh eth0 -harbian-audit@harbian:/opt/harbian-audit-master$ sudo -s +harbian-audit@harbian:/opt/harbian-audit-master# bash ./docs/configurations/etc.iptables.rules.v4.sh eth0 root@harbian:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4 root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6 ``` @@ -87,7 +86,7 @@ Related how to use harbian-audit to adit and apply, please reference: ### Set issues ``` -$ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue* +# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue* ``` ### Set grub passwd @@ -100,7 +99,6 @@ Related how to config grub2 password protection, please reference: ### Re-set passwd of all users ``` -harbian-audit@harbian:~$ sudo -s root@harbian:/home/harbian-audit# passwd root@harbian:/home/harbian-audit# passwd harbian-audit ``` @@ -112,38 +110,37 @@ If need adds a project on AMI, add the project on such as /opt, /usr/local/bin d #### Uninstall ``` -$ sudo apt-get purge --autoremove unzip -y +# apt-get purge --autoremove unzip -y ``` #### Clean harbian-audit temp file and conf ``` -$ sudo rm /opt/master.zip -$ sudo rm /opt/harbian-audit-master/tmp/backups/* +# rm /opt/master.zip +# rm /opt/harbian-audit-master/tmp/backups/* $ cd /opt/harbian-audit-master/etc/conf.d -$ sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg) +# rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg) ``` #### Final fix ``` $ cd /opt/harbian-audit-master -$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg -$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg -$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg -$ sudo bash bin/hardening.sh --apply --only 8.1.32 -$ sudo bash bin/hardening.sh --apply --only 8.4.1 -$ sudo bash bin/hardening.sh --apply --only 8.4.2 -$ sudo rm /opt/harbian-audit-master/tmp/backups/* -$ sudo rm /opt/harbian-audit-master/etc/conf.d/* +# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg +# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg +# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg +# bash bin/hardening.sh --apply --only 8.1.32 +# bash bin/hardening.sh --apply --only 8.4.1 +# bash bin/hardening.sh --apply --only 8.4.2 +# rm /opt/harbian-audit-master/tmp/backups/* +# rm /opt/harbian-audit-master/etc/conf.d/* ``` #### Clear the current log ``` -$ sudo find /var/log/ -name "*.log" -exec shred -u {} \; -$ sudo find /var/log/ -name "*.log.*" -exec shred -u {} \; -$ sudo find / -name "authorized_keys" -exec shred -u {} \; -$ sudo rm /root/.wget-hsts -$ sudo rm /root/.viminfo -$ sudo -s +# find /var/log/ -name "*.log" -exec shred -u {} \; +# find /var/log/ -name "*.log.*" -exec shred -u {} \; +# find / -name "authorized_keys" -exec shred -u {} \; +# rm /root/.wget-hsts +# rm /root/.viminfo # echo > /var/log/debug # echo > /var/log/btmp # echo > /var/log/error @@ -159,7 +156,7 @@ $ sudo -s #### AIDE RE-INIT ``` -$ sudo aideinit -y -f +# aideinit -y -f ``` #### Clear bash hostory @@ -168,7 +165,7 @@ $ sudo aideinit -y -f # history -cw $ echo > ~/.bash_history $ history -cw -$ sudo poweroff +# poweroff ``` ## sign QEMU image diff --git a/docs/configurations/debian-config-4-build-deb/how-to-build-deb-package.md b/docs/configurations/debian-config-4-build-deb/how-to-build-deb-package.md index 788c2b6..ebac75a 100644 --- a/docs/configurations/debian-config-4-build-deb/how-to-build-deb-package.md +++ b/docs/configurations/debian-config-4-build-deb/how-to-build-deb-package.md @@ -2,7 +2,7 @@ ## Pre-install ``` -sudo apt-get install build-essential dh-make debhelper lintian wget +# apt-get install build-essential dh-make debhelper lintian wget ``` ## Config evc var for dh_make ``` diff --git a/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd b/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd index 486bd33..ee697cc 100644 --- a/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd +++ b/docs/configurations/manual-operation-docs/how_to_deploy_audisp_remote_for_audit_log.mkd @@ -3,7 +3,7 @@ ## Server ### Install package ``` -sudo apt install -y auditd +# apt install -y auditd ``` ### Configure @@ -21,7 +21,7 @@ systemctl restart auditd ## Client ### Install package ``` -sudo apt install -y audispd-plugins auditd +# apt install -y audispd-plugins auditd ``` ### Configure diff --git a/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md b/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md index b8823ce..5edfc29 100644 --- a/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md +++ b/docs/configurations/manual-operation-docs/how_to_migrating_from_iptables_to_nftables_in_debian10.md @@ -3,7 +3,7 @@ Debian Buster uses the nftables framework by default. ## Pre-install ``` -$ sudo apt install nftables +# apt install nftables ``` ## Check iptables link point @@ -13,7 +13,7 @@ You can switch back and forth between iptables-nft and iptables-legacy by means Check iptables currently link: ``` -$ sudo update-alternatives --display iptables +# update-alternatives --display iptables iptables - auto mode link best version is /usr/sbin/iptables-nft link currently points to /usr/sbin/iptables-nft @@ -29,11 +29,11 @@ iptables - auto mode ``` If you see above, don't need switching, if currently link to iptables-legacy, need use command to switching to iptables-nft: ``` -$ sudo update-alternatives --set iptables /usr/sbin/iptables-nft -$ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-nft -$ sudo update-alternatives --set arptables /usr/sbin/arptables-nft -$ sudo update-alternatives --set ebtables /usr/sbin/ebtables-nft -$ sudo update-alternatives --display iptables +# update-alternatives --set iptables /usr/sbin/iptables-nft +# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft +# update-alternatives --set arptables /usr/sbin/arptables-nft +# update-alternatives --set ebtables /usr/sbin/ebtables-nft +# update-alternatives --display iptables ``` ## Migrating move from an existing iptables ruleset to nftables: @@ -41,17 +41,17 @@ move from an existing iptables ruleset to nftables: ### Command translation You can generate a translation of an iptables/ip6tables command to know the nftables equivalent. ``` -$ sudo iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT nft add rule ip filter INPUT tcp dport 22 ct state new counter accept -$ sudo ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT +# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT nft add rule ip6 filter FORWARD iifname "eth0" oifname "eth3" meta l4proto udp udp dport { 111,222} counter accept ``` Instead of translating command by command, you can translate your whole ruleset in a single run: ``` -$ sudo iptables-save > save.txt -$ sudo iptables-restore-translate -f save.txt +# iptables-save > save.txt +# iptables-restore-translate -f save.txt # Translated by iptables-restore-translate v1.8.2 on Fri Jul 12 04:33:36 2019 add table ip filter add chain ip filter INPUT { type filter hook input priority 0; policy drop; } @@ -114,10 +114,10 @@ add chain ip mangle POSTROUTING { type filter hook postrouting priority -150; po ``` You should be able to directly give this to nftables: ``` -$ sudo iptables-restore-translate -f save.txt > ruleset.nft -$ sudo nft -f ruleset.nft +# iptables-restore-translate -f save.txt > ruleset.nft +# nft -f ruleset.nft ``` -$ sudo nft list ruleset +# nft list ruleset List nft ruleset: ``` table ip filter { @@ -263,7 +263,7 @@ table ip mangle { ## Uninstall iptables ``` -$ sudo apt purge --autoremove iptables +# apt purge --autoremove iptables ``` ## Reference diff --git a/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd b/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd index b89543a..3507175 100644 --- a/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd +++ b/docs/configurations/manual-operation-docs/how_to_persistent_iptables_rules_with_debian_9.mkd @@ -9,7 +9,7 @@ netfilter-persistent 1.0.4+nmu2 ## Install ``` -$ sudo apt-get install -y iptables-persistent +# apt-get install -y iptables-persistent ``` This command will install iptables-persistent and netfilter-persistent(depended iptables-persistent), @@ -19,19 +19,19 @@ netfilter-persistent service is auto running when netfilter-persistent was insta Check service status: ``` -$ sudo systemctl status netfilter-persistent +# systemctl status netfilter-persistent ``` If netfilter-persistent service is not started, use the following command to enable netfilter-persistent service: ``` -$ sudo systemctl start netfilter-persistent +# systemctl start netfilter-persistent ``` ## How to config for persistent iptables First, when configuring iptables rules done, need use the following command to save current iptables rules: ``` -$ sudo dpkg-reconfigure iptables-persistent +# dpkg-reconfigure iptables-persistent ``` or @@ -45,5 +45,5 @@ Note: User iptables-save/ip6tables-save command, save file must is above file na ## Well-done Iptables rules would auto restore iptables rules when Operation system restart, or manual to exec following command: ``` -$ sudo systemctl restart netfilter-persistent +# systemctl restart netfilter-persistent ``` diff --git a/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd b/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd index 0109c9b..f0e4055 100644 --- a/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd +++ b/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd @@ -8,12 +8,12 @@ nftables 0.9.0-2 ## Pre-Install ``` -$ sudo apt-get install -y nftables netfilter-persistent +# apt-get install -y nftables netfilter-persistent ``` ## Uninstall iptables ``` -$ sudo apt purge --autoremove iptables +# apt purge --autoremove iptables ``` ## How to enable netfilter-persistent service @@ -22,12 +22,12 @@ netfilter-persistent service is auto running when netfilter-persistent was insta Check service status: ``` -$ sudo systemctl status netfilter-persistent +# systemctl status netfilter-persistent ``` If netfilter-persistent service is not started, use the following command to enable netfilter-persistent service: ``` -$ sudo systemctl start netfilter-persistent +# systemctl start netfilter-persistent ``` ## How to config for persistent nft rules @@ -35,7 +35,7 @@ $ sudo systemctl start netfilter-persistent ### Get nftables ruleset ``` ~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/etc.nftables.conf -~$ sudo mv etc.nftables.conf /etc/nftables.conf +~# mv etc.nftables.conf /etc/nftables.conf ``` Note: Please replace ens33 to interface name of your device @@ -43,32 +43,32 @@ Note: Please replace ens33 to interface name of your device ### Get plugin of netfilter-persistent ``` ~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft -~$ sudo mv usr.share.netfilter-persistent.plugins.d.15-nft /usr/share/netfilter-persistent/plugins.d/15-nft -~$ sudo chmod 755 /usr/share/netfilter-persistent/plugins.d/15-nft +~# mv usr.share.netfilter-persistent.plugins.d.15-nft /usr/share/netfilter-persistent/plugins.d/15-nft +~# chmod 755 /usr/share/netfilter-persistent/plugins.d/15-nft ``` ## Well-done Nft rules would auto restore nftables rules when Operation system restart, or manual to exec following command: ``` -$ sudo netfilter-persistent start +# netfilter-persistent start run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft start ``` ## Additional usage ### Flush nft rules ``` -$ sudo netfilter-persistent flush +# netfilter-persistent flush run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft flush ``` ### Save nft rules ``` -$ sudo netfilter-persistent save +# netfilter-persistent save run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft save ``` ### Restore nft rules ``` -$ sudo netfilter-persistent start +# netfilter-persistent start run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-nft start ``` diff --git a/docs/use-cases/apache2-usecase/Readme.mkd b/docs/use-cases/apache2-usecase/Readme.mkd index aaeab96..a76ac59 100644 --- a/docs/use-cases/apache2-usecase/Readme.mkd +++ b/docs/use-cases/apache2-usecase/Readme.mkd @@ -2,7 +2,7 @@ ## Install ``` -sudo apt-get install apache2 +# apt-get install apache2 ``` # How to use harbian-audit to audit and apply @@ -10,7 +10,7 @@ sudo apt-get install apache2 ## Set firewall ``` sed -i 's/PUB_IFS=.*/PUB_IFS="interface of machine"/g' ./etc.iptables.rules.v4.4http.sh -sudo bash ./etc.iptables.rules.v4.4http.sh +# bash ./etc.iptables.rules.v4.4http.sh ``` ## Audit and apply @@ -18,11 +18,11 @@ See the documentation for more details: [harbian-audit-readme](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md) ``` -sudo bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --audit-all # This is set special service to exception(6.10) -sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service http -sudo bash bin/hardening.sh --audit-all -sudo bash bin/hardening.sh --apply +# bash bin/hardening.sh --set-hardening-level 5 --allow-service http +# bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --apply ``` diff --git a/docs/use-cases/hyperledger-cello-usecase/README.mkd b/docs/use-cases/hyperledger-cello-usecase/README.mkd index 9f235b3..e8733cb 100644 --- a/docs/use-cases/hyperledger-cello-usecase/README.mkd +++ b/docs/use-cases/hyperledger-cello-usecase/README.mkd @@ -5,18 +5,18 @@ ## Master node ``` -sudo iptables-restore master-ufw-rules.conf -sudo bash bin/hardening.sh --audit-all -sudo bash bin/hardening.sh --set-hardening-level 5 -sudo bash bin/hardening.sh --audit-all -sudo bash bin/hardening.sh --apply +# iptables-restore master-ufw-rules.conf +# bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --set-hardening-level 5 +# bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --apply ``` ## Worker node ``` -sudo iptables-restore worker-ufw-rules.conf -sudo bash bin/hardening.sh --audit-all -sudo bash bin/hardening.sh --set-hardening-level 5 -sudo bash bin/hardening.sh --audit-all -sudo bash bin/hardening.sh --apply +# iptables-restore worker-ufw-rules.conf +# bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --set-hardening-level 5 +# bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --apply ``` diff --git a/docs/use-cases/nodejs-redis-mysql-usecase/README.md b/docs/use-cases/nodejs-redis-mysql-usecase/README.md index b342fb8..ff2d367 100644 --- a/docs/use-cases/nodejs-redis-mysql-usecase/README.md +++ b/docs/use-cases/nodejs-redis-mysql-usecase/README.md @@ -11,14 +11,14 @@ ### Install mysql ``` -$ sudo apt install mysql-server +# apt install mysql-server ``` #### Configurate database Create helloworld database ``` -$ sudo mysql -uroot +# mysql -uroot MariaDB [(none)]> CREATE DATABASE helloworld; ``` @@ -45,12 +45,12 @@ deb-src http://mirrors.163.com/debian/ stretch-backports main and update ``` -$ sudo apt update +# apt update ``` #### install the package ``` -$ sudo apt -t stretch-backports install -y redis-server +# apt -t stretch-backports install -y redis-server ``` #### Configurate Redis @@ -82,7 +82,7 @@ systemctl restart redis ### Install Nodejs ``` -$ sudo apt install curl -y +# apt install curl -y ``` #as root ``` @@ -206,8 +206,8 @@ module.exports = { //Installation PM2: ``` -$ sudo npm install pm2 -g -$ sudo chmod -R 755 /usr/lib/node_modules/pm2 +# npm install pm2 -g +# chmod -R 755 /usr/lib/node_modules/pm2 ``` ``` @@ -217,7 +217,7 @@ $ pm2 startup systemd [PM2] Init System found: systemd [PM2] To setup the Startup Script, copy/paste the following command: -sudo env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld +# env PATH=$PATH:/usr/bin /usr/lib/node_modules/pm2/bin/pm2 startup systemd -u helloworld --hp /home/helloworld ``` change to root user and execute @@ -238,7 +238,7 @@ now start the service ## Set iptables rules ``` -$ sudo iptables -I INPUT -p tcp -m tcp --dport 3000 -j ACCEPT +# iptables -I INPUT -p tcp -m tcp --dport 3000 -j ACCEPT ``` ## Test diff --git a/docs/use-cases/tls-transmission-usecase/nginx-mutual-ssl-proxy-http-service/Readme.mkd b/docs/use-cases/tls-transmission-usecase/nginx-mutual-ssl-proxy-http-service/Readme.mkd index e6c2d74..c3a16f7 100644 --- a/docs/use-cases/tls-transmission-usecase/nginx-mutual-ssl-proxy-http-service/Readme.mkd +++ b/docs/use-cases/tls-transmission-usecase/nginx-mutual-ssl-proxy-http-service/Readme.mkd @@ -5,22 +5,22 @@ ## Server node ``` -sudo iptables-restore iptables_ufw-4-server.cfg -sudo bash bin/hardening.sh --audit-all +# iptables-restore iptables_ufw-4-server.cfg +# bash bin/hardening.sh --audit-all # This is set special service to exception(6.2 6.3 6.10) -sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups -sudo bash bin/hardening.sh --audit-all -sudo bash bin/hardening.sh --apply +# bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups +# bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --apply ``` ## Client node ``` -sudo iptables-restore iptables_ufw-4-client.cfg -sudo bash bin/hardening.sh --audit-all +# iptables-restore iptables_ufw-4-client.cfg +# bash bin/hardening.sh --audit-all # This is set special service to exception(6.10) -sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service http -sudo bash bin/hardening.sh --audit-all -sudo bash bin/hardening.sh --apply +# bash bin/hardening.sh --set-hardening-level 5 --allow-service http +# bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --apply ``` diff --git a/docs/use-cases/tls-transmission-usecase/using-Nginx-as-SSL-tunnel-4TCP-UDP-service/Readme.mkd b/docs/use-cases/tls-transmission-usecase/using-Nginx-as-SSL-tunnel-4TCP-UDP-service/Readme.mkd index 95ab8d4..d4fd291 100644 --- a/docs/use-cases/tls-transmission-usecase/using-Nginx-as-SSL-tunnel-4TCP-UDP-service/Readme.mkd +++ b/docs/use-cases/tls-transmission-usecase/using-Nginx-as-SSL-tunnel-4TCP-UDP-service/Readme.mkd @@ -5,22 +5,22 @@ ## Server node ``` -sudo iptables-restore iptables_ufw-4-server.cfg -sudo bash bin/hardening.sh --audit-all +# iptables-restore iptables_ufw-4-server.cfg +# bash bin/hardening.sh --audit-all # This is set special service to exception(6.2 6.3 6.10) -sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups -sudo bash bin/hardening.sh --audit-all -sudo bash bin/hardening.sh --apply +# bash bin/hardening.sh --set-hardening-level 5 --allow-service dns,http,cups +# bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --apply ``` ## Client node ``` -sudo iptables-restore iptables_ufw-4-client.cfg -sudo bash bin/hardening.sh --audit-all +# iptables-restore iptables_ufw-4-client.cfg +# bash bin/hardening.sh --audit-all # This is set special service to exception(6.10) -sudo bash bin/hardening.sh --set-hardening-level 5 --allow-service http -sudo bash bin/hardening.sh --audit-all -sudo bash bin/hardening.sh --apply +# bash bin/hardening.sh --set-hardening-level 5 --allow-service http +# bash bin/hardening.sh --audit-all +# bash bin/hardening.sh --apply ```