How to use debian-cis? [explained for non expert Linux admins]

[bluepuma77]

Here we are, moving to zero trust, everyone needs to tighten their IT security, and there is debian-cis to the rescue 🙂

As a developer in a small company and not a full-time Linux sysadmin, I am still missing an easy "Getting started" guide, just running 1.1.1.1_disable_freevxfs.sh doesn't cut it for me, with 243 checks available as of today.

Maybe I don't read the right information from the docs, but I don't want to manually edit 243 different files on the server to check what they are about and potentially enable them. And I don't want just passing checks enabled with --audit-all-enable-passed, that doesn't make sense to me, I expected some active changes to the system.

What do I expect? I initially thought I would just run this and it would tweak my Debian server, make it more secure, like disable SSH password input, install fail2ban. By now I do understand that some checks are more relevant for me than others, I might quickly walk through 243 line items answering if I want each checked or even fixed. Moving SSH to a different port is a manual process, as I need to decide which port to use, so this might not be done automatically.

Is there no such simple line-by-line enablement function? What are the rules of engagement with this tool? How to use this for 10 servers without a week of spare time? Or is this a tool only intended for full-time admins running thousands of servers?

[ThibaultDewailly]

Hello Bluepuma and welcome !

TL;DR : use $ ./hardening.sh --set-hardening-level 2 to have a base hardening let me fix https://github.com/ovh/debian-cis/issues/230 first ;)

I totally understand the need, and it totally makes sense for a small company not to spend dozens of hours to understand what is inside this repository.

To answer your question, have you considered looking at the HARDENING_LEVEL variable which is used on all scripts ? It basically tells you whether it's a base hardening, or a paranoid parameter not so useful but still present for the most secured infrastructure.

To give you an example, the sshd configuration right is utterly important to respect and represent a severe security issue https://github.com/ovh/debian-cis/blob/master/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh On the opposite side of the scale, halting the system when audit is not able to log anymore is very paranoid, and should be used with care. https://github.com/ovh/debian-cis/blob/master/bin/hardening/4.1.2.2_halt_when_audit_log_full.sh

This is an opinionated ranking and open to discussion, but if you don't want to spend too much time, I'd recommend to use level 2 hardening, it shall give you a good head start.

I hope this answer your question, have a great day

[ThibaultDewailly]

https://github.com/ovh/debian-cis/issues/230 is fixed

[bluepuma77]

Thanks @ThibaultDewailly !

Okay, here we go, newbie wants to do basic hardening.

I had to remove the ' around '$(pwd)' for /etc/default/cis-hardening to make sense:

git clone https://github.com/ovh/debian-cis.git && cd debian-cis
cp debian/default /etc/default/cis-hardening
sed -i "s#CIS_LIB_DIR=.*#CIS_LIB_DIR=$(pwd)/lib#" /etc/default/cis-hardening
sed -i "s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR=$(pwd)/bin/hardening#" /etc/default/cis-hardening
sed -i "s#CIS_CONF_DIR=.*#CIS_CONF_DIR=$(pwd)/etc#" /etc/default/cis-hardening
sed -i "s#CIS_TMP_DIR=.*#CIS_TMP_DIR=$(pwd)/tmp#" /etc/default/cis-hardening

./bin/hardening.sh --apply --set-hardening-level 2

Now I get a lot of:

sed: can't read /root/debian-cis/etc/conf.d/1.1.1.1_disable_freevxfs.cfg: No such file or directory
sed: can't read /root/debian-cis/etc/conf.d/1.1.1.2_disable_jffs2.cfg: No such file or directory
sed: can't read /root/debian-cis/etc/conf.d/1.1.1.3_disable_hfs.cfg: No such file or directory
...
The script 5.4.5_default_timeout doesn't have a hardening level, configuration untouched for it
...
sed: can't read /root/debian-cis/etc/conf.d/99.5.4.5.1_acc_logindefs_sha512.cfg: No such file or directory
sed: can't read /root/debian-cis/etc/conf.d/99.5.4.5.2_acc_shadow_sha512.cfg: No such file or directory
sed: can't read /root/debian-cis/etc/conf.d/99.99_check_distribution.cfg: No such file or directory
Configuration modified to enable scripts for hardening level at or below 2

This does not seem like the correct way to do it.

[ManuGithubSteam]

Hello Bluepuma,

I just installed it like the main page shows. Im not sure what you did with your setup...

Then i do this:

cd /opt/debian-cis/bin/ ./hardening.sh --audit #(No changes to the system)

I get back this:

1.1.5_tmp_noexec [INFO] Verifying that /tmp is a partition 1.1.5_tmp_noexec [ OK ] /tmp is a partition 1.1.5_tmp_noexec [ KO ] /tmp has no option noexec in fstab! 1.1.5_tmp_noexec [ KO ] Check Failed hardening [INFO] Treating /opt/debian-cis/bin/hardening/1.1.6.1_var_nodev.sh 1.1.6.1_var_nodev [INFO] Working on 1.1.6.1_var_nodev 1.1.6.1_var_nodev [INFO] [DESCRIPTION] /var partition with nodev option. 1.1.6.1_var_nodev [INFO] Checking Configuration 1.1.6.1_var_nodev [INFO] Performing audit 1.1.6.1_var_nodev [INFO] Verifying that /var is a partition 1.1.6.1_var_nodev [ OK ] /var is a partition 1.1.6.1_var_nodev [ KO ] /var has no option nodev in fstab! 1.1.6.1_var_nodev [ KO ] Check Failed

Now i read up on the errors and correct them by hand. This way i know what i did. You could of course also use the script to harden it but i prefer the manual way as it forces me to do some reading about the options and so on.

I kinda like the gameification of it with the score. It keeps me going.

[ThibaultDewailly]

closing issue as I cannot reproduce the issue, you might want to keep the code up to date