From e6f5e9a69a15a7f89ba406e6d662525d6e68a41c Mon Sep 17 00:00:00 2001
From: samson
Date: Mon, 10 Dec 2018 23:18:50 +0800
Subject: [PATCH] Add some instructions related to specific operations.

---
 README.md | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index a18d385..87432ec 100644
--- a/README.md
+++ b/README.md
@@ -82,36 +82,42 @@ Use the command to set the hardening level to make the corresponding level audit ``` # bash bin/hardening.sh --set-hardening-level ``` - Global configuration is in ``etc/hardening.cfg``. This file controls the log level as well as the backup directory. Whenever a script is instructed to edit a file, it will create a timestamped backup in this directory. -### Run aka "Harden your distro" +### Run aka "Harden your distro (After the hardened, you must perform the "After remediation" section) To run the checks and apply the fixes, run ``bin/hardening.sh``. -This command has 2 main operation modes: -- ``--audit``: Audit your system with all enabled and audit mode scripts -- ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts +This command has 2 main operation modes: +- ``--audit``: Audit your system with all enabled and audit mode scripts +- ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts -Additionally, ``--audit-all`` can be used to force running all auditing scripts, -including disabled ones. this will *not* change the system. +Additionally, ``--audit-all`` can be used to force running all auditing scripts, including disabled ones. this will *not* change the system. -``--audit-all-enable-passed`` can be used as a quick way to kickstart your -configuration. It will run all scripts in audit mode. If a script passes, -it will automatically be enabled for future runs. Do NOT use this option -if you have already started to customize your configuration. +``--audit-all-enable-passed`` can be used as a quick way to kickstart your configuration. It will run all scripts in audit mode. If a script passes, it will automatically be enabled for future runs. Do NOT use this option if you have already started to customize your configuration. 
-## After remediation +Use the command to harden your OS: +``` +# bash bin/hardening.sh --apply +``` + +## After remediation (Very important) When exec --apply and set-hardening-level are set to 5 (the highest level), you need to do the following: -1) When applying 9.5(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations. +1) When applying 9.5(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations. +If you can only use ssh for remote login, you must use the su command when the normal user logs in. Then do the following: +``` +# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su +``` +Temporarily comment out the line containing pam_wheel.so. After you have finished using the su command, please uncomment the line. 2) When applying 7.4.4_hosts_deny.sh, the OS cannot be connected through the ssh service, so you need to set allow access host list on /etc/hosts.allow, example: ``` # echo "ALL: 192.168.1. 192.168.5." >> /etc/hosts.allow ``` +This example only allows 192.168.1.[1-255] 192.168.5.[1-255] to access this system. Need to be configured according to your situation. 3) Set capabilities for usual user, example(user name is test): ``` @@ -119,7 +125,7 @@ When exec --apply and set-hardening-level are set to 5 (the highest level), you ``` 4) Set basic iptables rules -Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux firewall rules: +Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux basic firewall rules: [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/examples/configurations/etc.iptables.rules.v4.sh) to do the following: ```
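Review bot: in the first hunk (`@@ -82,36 +82,42 @@`), the new "After remediation (Very important)" steps never say when they must be done relative to `--apply`. Steps 1) and 2) both describe losing access (su restricted by 9.5, ssh blocked by 7.4.4_hosts_deny.sh), so the `/etc/hosts.allow` entry and a root or console session have to be in place before `# bash bin/hardening.sh --apply` is run at level 5, not discovered afterwards; please state that ordering explicitly, since the section title only says "After remediation". Two smaller points in the same hunk: `# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su` edits a PAM file in place with none of the timestamped backup the README promises for script edits, so suggest `sed -i.bak` (or a copy into the backup directory) and give the reverse command next to "please uncomment the line" instead of leaving that step to the reader; and the renamed heading `### Run aka "Harden your distro (After the hardened, you must perform the "After remediation" section)` has unbalanced quotes and ungrammatical wording, so keep `### Run aka "Harden your distro"` and put the reminder in a sentence below it. The `--audit-all` paragraph still starts a sentence with lowercase "this will *not* change the system".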
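Review bot: the changed line in the second hunk (`@@ -119,7 +125,7 @@`) is still a sentence fragment; adding "basic" does not give "HardenedLinux community for Debian GNU/Linux basic firewall rules:" a verb. Suggest "The HardenedLinux community provides basic firewall rules for Debian GNU/Linux in [etc.iptables.rules.v4.sh](...); apply them as follows:". The link also points at the `master` branch, so the rules the README describes can change under it; pinning the link to a specific commit would keep the instructions reproducible.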