{"id":13766683,"url":"https://github.com/ovh/debian-cis","last_synced_at":"2025-05-16T05:04:44.043Z","repository":{"id":37822236,"uuid":"56690366","full_name":"ovh/debian-cis","owner":"ovh","description":"PCI-DSS compliant Debian 10/11/12 hardening","archived":false,"fork":false,"pushed_at":"2024-09-16T22:28:53.000Z","size":1472,"stargazers_count":847,"open_issues_count":14,"forks_count":145,"subscribers_count":39,"default_branch":"master","last_synced_at":"2025-04-06T17:11:20.439Z","etag":null,"topics":["audit","cis","debian","pci-dss","security","shell"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ovh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-04-20T13:43:51.000Z","updated_at":"2025-04-05T13:59:26.000Z","dependencies_parsed_at":"2023-11-10T15:26:47.944Z","dependency_job_id":"444fea92-73ce-4c45-b861-bc2dd18c8661","html_url":"https://github.com/ovh/debian-cis","commit_stats":null,"previous_names":[],"tags_count":39,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ovh%2Fdebian-cis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ovh%2Fdebian-cis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ovh%2Fdebian-cis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ovh%2Fdebian-cis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ovh","download_url":"https://codeload.github.
com/ovh/debian-cis/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254471060,"owners_count":22076585,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","cis","debian","pci-dss","security","shell"],"created_at":"2024-08-03T16:00:59.475Z","updated_at":"2025-05-16T05:04:44.022Z","avatar_url":"https://github.com/ovh.png","language":"Shell","funding_links":[],"categories":["Security","Shell","Hardening","Tools to check security hardening"],"sub_categories":["Hardening","Ghidra","GNU/Linux"],"readme":"# :lock: CIS Debian 10/11/12 Hardening\n\n\n\u003cp align=\"center\"\u003e\n      \u003cimg src=\"https://repository-images.githubusercontent.com/56690366/bbe7c380-55b2-11eb-84ba-d06bf153fe8b\" width=\"300px\"\u003e\n\u003c/p\u003e\n\n![Shell-linter](https://github.com/ovh/debian-cis/workflows/Run%20shell-linter/badge.svg)\n![Functionnal tests](https://github.com/ovh/debian-cis/workflows/Run%20functionnal%20tests/badge.svg)\n![Release](https://github.com/ovh/debian-cis/workflows/Create%20Release/badge.svg)\n\n![Realease](https://img.shields.io/github/v/release/ovh/debian-cis)\n![License](https://img.shields.io/github/license/ovh/debian-cis)\n---\n\nModular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)\nrecommendations. 
We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.\n\nNB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts\nin production at OVHcloud on Debian 12 Operating Systems.\n\n```console\n$ bin/hardening.sh --audit-all\n[...]\nhardening [INFO] Treating /opt/cis-hardening/bin/hardening/6.2.19_check_duplicate_groupname.sh\n6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname\n6.2.19_check_duplicate_gr [INFO] Checking Configuration\n6.2.19_check_duplicate_gr [INFO] Performing audit\n6.2.19_check_duplicate_gr [ OK ] No duplicate GIDs\n6.2.19_check_duplicate_gr [ OK ] Check Passed\n[...]\n################### SUMMARY ###################\n      Total Available Checks : 232\n         Total Runned Checks : 166\n         Total Passed Checks : [ 142/166 ]\n         Total Failed Checks : [  24/166 ]\n   Enabled Checks Percentage : 71.00 %\n       Conformity Percentage : 85.00 %\n```\n\n## :dizzy: Quickstart\n\n```console\n$ git clone https://github.com/ovh/debian-cis.git \u0026\u0026 cd debian-cis\n$ cp debian/default /etc/default/cis-hardening\n$ sed -i \"s#CIS_LIB_DIR=.*#CIS_LIB_DIR='$(pwd)'/lib#\" /etc/default/cis-hardening\n$ sed -i \"s#CIS_CHECKS_DIR=.*#CIS_CHECKS_DIR='$(pwd)'/bin/hardening#\" /etc/default/cis-hardening\n$ sed -i \"s#CIS_CONF_DIR=.*#CIS_CONF_DIR='$(pwd)'/etc#\" /etc/default/cis-hardening\n$ sed -i \"s#CIS_TMP_DIR=.*#CIS_TMP_DIR='$(pwd)'/tmp#\" /etc/default/cis-hardening\n$ ./bin/hardening/1.1.1.1_disable_freevxfs.sh --audit\n1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs\n1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.\n1.1.1.1_disable_freevxfs  [INFO] Checking Configuration\n1.1.1.1_disable_freevxfs  [INFO] Performing audit\n1.1.1.1_disable_freevxfs  [ OK ] CONFIG_VXFS_FS is disabled\n1.1.1.1_disable_freevxfs  [ OK ] Check Passed\n```\n\n## :hammer: Usage\n\n### Configuration\n\nHardening 
scripts are in ``bin/hardening``. Each script has a corresponding\nconfiguration file in ``etc/conf.d/[script_name].cfg``.\n\nEach hardening script can be individually enabled from its configuration file.\nFor example, this is the default configuration file for ``disable_system_accounts``:\n\n```\n# Configuration for script of same name\nstatus=disabled\n# Put here your exceptions concerning admin accounts shells separated by spaces\nEXCEPTIONS=\"\"\n```\n\nThe ``status`` parameter may take 3 values:\n- ``disabled`` (do nothing): The script will not run.\n- ``audit`` (RO): The script will check if any change *should* be applied.\n- ``enabled`` (RW): The script will check if any change should be done and automatically apply what it can.\n\nGlobal configuration is in ``etc/hardening.cfg``. This file controls the log level\nas well as the backup directory. Whenever a script is instructed to edit a file, it\nwill create a timestamped backup in this directory.\n\n### Run aka \"Harden your distro\"\n\nTo run the checks and apply the fixes, run ``bin/hardening.sh``.\n\nThis command has 2 main operation modes:\n- ``--audit``: Audit your system with all enabled and audit-mode scripts\n- ``--apply``: Audit your system with all enabled and audit-mode scripts and apply changes for enabled scripts\n\nAdditionally, some options add more granularity:\n\n``--audit-all`` can be used to force running all auditing scripts,\nincluding disabled ones. This will *not* change the system.\n\n``--audit-all-enable-passed`` can be used as a quick way to kickstart your\nconfiguration. It will run all scripts in audit mode. If a script passes,\nit will automatically be enabled for future runs. Do NOT use this option\nif you have already started to customize your configuration.\n\n``--sudo``: audit your system as a normal user, but allow sudo escalation to read\nspecific root read-only files. 
You need to provide a sudoers file in /etc/sudoers.d/\nwith the NOPASSWD option, since checks are executed with the ``sudo -n`` option, which will\nnot prompt for a password.\n\n``--batch``: while performing the system audit, this option sets LOGLEVEL to 'ok' and\ncaptures all output to print only one line once the check is done, formatted like:\nOK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]\n\n``--only \u003ccheck_number\u003e``: run only the selected checks.\n\n``--set-hardening-level``: run all checks whose level is lower than or equal to the selected level.\nDo NOT use this option if you have already started to customize your configuration.\n\n``--allow-service \u003cservice\u003e``: use with --set-hardening-level. Modifies the policy\nto allow a certain kind of service on the machine, such as http, mail, etc.\nCan be specified multiple times to allow multiple services.\nUse --allow-service-list to get a list of supported services.\n\n``--set-log-level \u003clevel\u003e``: This option sets LOGLEVEL; you can choose: info, warning, error, ok, debug.\nDefault value is: info\n\n``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,\nbefore running the audit with user secaudit, so that the rights on the conf files are set up correctly.\n\n``--allow-unsupported-distribution``: must be specified manually on the command line to allow\nthe run on a non-compatible version or distribution. If you want to mute the warning, change the\nLOGLEVEL in /etc/hardening.cfg\n\n## :computer: Hacking\n\n**Getting the source**\n\n```console\n$ git clone https://github.com/ovh/debian-cis.git\n```\n\n**Building a Debian package** (the hacky way)\n\n```console\n$ debuild -us -uc\n```\n\n**Adding a custom hardening script**\n\n```console\n$ cp src/skel bin/hardening/99.99_custom_script.sh\n$ chmod +x bin/hardening/99.99_custom_script.sh\n$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg\n```\nEvery custom check number begins with 99. 
The numbering after it depends on the section the check refers to.\n\nIf the check replaces one that is in the CIS specifications,\nyou can reuse the number of the check it replaces. For example, we check\nthe config of OSSEC (file integrity) in `1.4.x` whereas CIS recommends AIDE.\n\nDo not forget to specify in a comment whether it is a bonus check (suggested by CIS but not in the CIS numbering), a legacy check (part of a previous CIS specification but deleted in more recent ones) or an OVHcloud security check\n(part of the OVHcloud security policy).\n\n\nCode your check, explaining in comments what it does; then, to test it, enable it and run it directly (the sed pattern uses `.*` because `+` is not a quantifier in sed's default basic regex syntax):\n\n```console\n$ sed -i \"s/status=.*/status=enabled/\" etc/conf.d/99.99_custom_script.cfg\n$ ./bin/hardening/99.99_custom_script.sh\n```\n## :sparkles: Functional testing\n\nFunctional tests are available. They are to be run in a Docker environment.\n\n```console\n$ ./tests/docker_build_and_run_tests.sh \u003ctarget\u003e [name of test script...]\n```\n\nWith `target` being something like `debian10` or `debian11`.\n\nRunning without script arguments will run all tests in the `./tests/hardening/` directory.\nAlternatively, you can specify one or several test scripts to be run.\n\nThis will build a new Docker image from the current state of the project and run\na container that will assess a blank Debian system's compliance for each check.  \nFor hardening audit points, the audit is expected to fail, then be fixed so that\nrunning the audit a second time will succeed.  \nFor vulnerable items, the audit is expected to succeed on a blank\nsystem; then the functional tests will introduce a weak point that is expected\nto be detected when running the audit test a second time. 
Finally, running the `apply`\npart of the debian-cis script will restore a compliant state, which is expected to be\nassessed by running the audit check a third time.\n\nFunctional tests can make use of the following helper functions:  \n\n* `describe \u003ctest description\u003e`\n* `run \u003cusecase\u003e \u003caudit_script\u003e \u003caudit_script_options\u003e`\n* `register_test \u003ctest content (see below)\u003e`\n  * `retvalshoudbe \u003cinteger\u003e` check the script return value\n  * `contain \"\u003cSAMPLE TEXT\u003e\"` check that the output contains the given text\n\nIn order to write your own functional test, you will find a code skeleton in\n`./src/skel.test`.\n\nSome tests are labelled with a disclaimer warning that we only test on a blank host\nand that we will not test the apply function. This is because the check is very basic\n(like a package install) and a test of it is not really necessary.\n\nFurthermore, some tests are disabled on docker because they are not pertinent there (kernel\nmodules, grub, partitions, ...).\nYou can disable a check on docker with:\n```bash\nif [ -f \"/.dockerenv\" ]; then\n  skip \"SKIPPED on docker\"\nelse\n...\nfi\n```\n\n## :art: Coding style\n### Shellcheck\n\nWe use [Shellcheck](https://github.com/koalaman/shellcheck) to check the\ncorrectness of the scripts and to respect best practices.\nIt can be used directly with the docker environment to check all scripts for\ncompliance. By default it runs on every `.sh` it finds.\n\n```console\n$ ./shellcheck/launch_shellcheck.sh [name of script...]\n```\n\n### Shellfmt\n\nWe use [Shellfmt](https://github.com/mvdan/sh) to check the styling and to keep a\nconsistent style in every script.\nAs with shellcheck, it can be run through a script with the following:\n\n```console\n$ ./shellfmt/launch_shellfmt.sh\n```\nIt will automatically fix any styling problem in every script.\n\n\n## :heavy_exclamation_mark: Disclaimer\n\nThis project is a set of tools. 
They are meant to help the system administrator\nbuild a secure environment. While we use it at OVHcloud to harden our PCI-DSS compliant\ninfrastructure, we cannot guarantee that it will work for you. It will not\nmagically secure any random host.\n\nA word about numbering, implementation and sustainability over time of this repository:\nThis project was born with the Debian 7 distribution in 2016. Over time, the CIS Benchmark PDF\nhas evolved, changing its numbering and deleting obsolete checks.\nIn order to keep backward compatibility with the last maintained Debian, the numbering\nhas not been changed along with the PDF, because the configuration scripts are named after it.\nChanging the numbering might break automation for admins who have used it for years, and handling\nthis issue without breaking anything would require a huge refactoring.\nAs a consequence, please do not worry about the numbering: the checks are there,\nbut the numbering across PDFs might differ.\nPlease also note that not all the checks inside the CIS Benchmark PDF may be implemented\nin this set of scripts.\nWe chose the most relevant to us at OVHcloud; do not hesitate to make a\nPull Request in order to add the missing script you might find relevant for you.\n\nAdditionally, quoting the License:\n\n\u003e THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY\n\u003e EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\n\u003e WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\n\u003e DISCLAIMED. 
IN NO EVENT SHALL OVHcloud SAS AND CONTRIBUTORS BE LIABLE FOR ANY\n\u003e DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n\u003e (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\n\u003e LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND\n\u003e ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n\u003e (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\n\u003e SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\n\n## :satellite: Reference\n\n- **Center for Internet Security**: https://www.cisecurity.org/\n- **CIS recommendations**: https://learn.cisecurity.org/benchmarks\n\n## :page_facing_up: License\n\nApache, Version 2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fovh%2Fdebian-cis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fovh%2Fdebian-cis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fovh%2Fdebian-cis/lists"}