Add some instructions relate to specific operations.
This commit is contained in:
parent
9d4dc5f1c4
commit
e6f5e9a69a
26
README.md
26
README.md
|
@ -82,12 +82,11 @@ Use the command to set the hardening level to make the corresponding level audit
|
|||
```
|
||||
# bash bin/hardening.sh --set-hardening-level <level>
|
||||
```
|
||||
|
||||
Global configuration is in ``etc/hardening.cfg``. This file controls the log level
|
||||
as well as the backup directory. Whenever a script is instructed to edit a file, it
|
||||
will create a timestamped backup in this directory.
|
||||
|
||||
### Run aka "Harden your distro"
|
||||
### Run aka "Harden your distro (After the hardened, you must perform the "After remediation" section)
|
||||
|
||||
To run the checks and apply the fixes, run ``bin/hardening.sh``.
|
||||
|
||||
|
@ -95,23 +94,30 @@ This command has 2 main operation modes:
|
|||
- ``--audit``: Audit your system with all enabled and audit mode scripts
|
||||
- ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
|
||||
|
||||
Additionally, ``--audit-all`` can be used to force running all auditing scripts,
|
||||
including disabled ones. this will *not* change the system.
|
||||
Additionally, ``--audit-all`` can be used to force running all auditing scripts, including disabled ones. this will *not* change the system.
|
||||
|
||||
``--audit-all-enable-passed`` can be used as a quick way to kickstart your
|
||||
configuration. It will run all scripts in audit mode. If a script passes,
|
||||
it will automatically be enabled for future runs. Do NOT use this option
|
||||
if you have already started to customize your configuration.
|
||||
``--audit-all-enable-passed`` can be used as a quick way to kickstart your configuration. It will run all scripts in audit mode. If a script passes, it will automatically be enabled for future runs. Do NOT use this option if you have already started to customize your configuration.
|
||||
|
||||
## After remediation
|
||||
Use the command to harden your OS:
|
||||
```
|
||||
# bash bin/hardening.sh --apply
|
||||
```
|
||||
|
||||
## After remediation (Very important)
|
||||
When exec --apply and set-hardening-level are set to 5 (the highest level), you need to do the following:
|
||||
|
||||
1) When applying 9.5(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations.
|
||||
If you can only use ssh for remote login, you must use the su command when the normal user logs in. Then do the following:
|
||||
```
|
||||
# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su
|
||||
```
|
||||
Temporarily comment out the line containing pam_wheel.so. After you have finished using the su command, please uncomment the line.
|
||||
|
||||
2) When applying 7.4.4_hosts_deny.sh, the OS cannot be connected through the ssh service, so you need to set allow access host list on /etc/hosts.allow, example:
|
||||
```
|
||||
# echo "ALL: 192.168.1. 192.168.5." >> /etc/hosts.allow
|
||||
```
|
||||
This example only allows 192.168.1.[1-255] 192.168.5.[1-255] to access this system. Need to be configured according to your situation.
|
||||
|
||||
3) Set capabilities for usual user, example(user name is test):
|
||||
```
|
||||
|
@ -119,7 +125,7 @@ When exec --apply and set-hardening-level are set to 5 (the highest level), you
|
|||
```
|
||||
|
||||
4) Set basic iptables rules
|
||||
Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux firewall rules:
|
||||
Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux basic firewall rules:
|
||||
[etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/examples/configurations/etc.iptables.rules.v4.sh)
|
||||
to do the following:
|
||||
```
|
||||
|
|
Loading…
Reference in New Issue