Add some instructions relate to specific operations.

This commit is contained in:
samson 2018-12-10 23:18:50 +08:00
parent 9d4dc5f1c4
commit e6f5e9a69a
1 changed files with 20 additions and 14 deletions

View File

@ -82,12 +82,11 @@ Use the command to set the hardening level to make the corresponding level audit
```
# bash bin/hardening.sh --set-hardening-level <level>
```
Global configuration is in ``etc/hardening.cfg``. This file controls the log level
as well as the backup directory. Whenever a script is instructed to edit a file, it
will create a timestamped backup in this directory.
### Run aka "Harden your distro"
### Run aka "Harden your distro (After the hardened, you must perform the "After remediation" section)
To run the checks and apply the fixes, run ``bin/hardening.sh``.
@ -95,23 +94,30 @@ This command has 2 main operation modes:
- ``--audit``: Audit your system with all enabled and audit mode scripts
- ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
Additionally, ``--audit-all`` can be used to force running all auditing scripts,
including disabled ones. this will *not* change the system.
Additionally, ``--audit-all`` can be used to force running all auditing scripts, including disabled ones. this will *not* change the system.
``--audit-all-enable-passed`` can be used as a quick way to kickstart your
configuration. It will run all scripts in audit mode. If a script passes,
it will automatically be enabled for future runs. Do NOT use this option
if you have already started to customize your configuration.
``--audit-all-enable-passed`` can be used as a quick way to kickstart your configuration. It will run all scripts in audit mode. If a script passes, it will automatically be enabled for future runs. Do NOT use this option if you have already started to customize your configuration.
## After remediation
Use the command to harden your OS:
```
# bash bin/hardening.sh --apply
```
## After remediation (Very important)
When exec --apply and set-hardening-level are set to 5 (the highest level), you need to do the following:
1) When applying 9.5(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations.
If you can only use ssh for remote login, you must use the su command when the normal user logs in. Then do the following:
```
# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su
```
Temporarily comment out the line containing pam_wheel.so. After you have finished using the su command, please uncomment the line.
2) When applying 7.4.4_hosts_deny.sh, the OS cannot be connected through the ssh service, so you need to set allow access host list on /etc/hosts.allow, example:
```
# echo "ALL: 192.168.1. 192.168.5." >> /etc/hosts.allow
```
This example only allows 192.168.1.[1-255] 192.168.5.[1-255] to access this system. Need to be configured according to your situation.
3) Set capabilities for usual user, example(user name is test):
```
@ -119,7 +125,7 @@ When exec --apply and set-hardening-level are set to 5 (the highest level), you
```
4) Set basic iptables rules
Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux firewall rules:
Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux basic firewall rules:
[etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/examples/configurations/etc.iptables.rules.v4.sh)
to do the following:
```