From b2b2698b331244d7fae8e1df388a57eb7f1d49f2 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Sun, 26 Jan 2025 17:44:16 +0200 Subject: [PATCH] Updated README --- README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8997a7e1..1fa47dff 100644 --- a/README.md +++ b/README.md @@ -81,6 +81,7 @@ For a complete list you can run `ansible-playbook --list-tasks harden.yml`. * :warning: **WARNING**: If there are rules in `/etc/sudoers.d/` that match our `become: true` tasks that do not have explicit `EXEC`, it can "break" `sudo` as we define `Defaults noexec` in the main `sudoers` file. There is a "Fix NOPASSWD rules" task in `sudoers.yml` which tries to tackle this problem, but it's not guaranteed to work. * :wood: You can set the `sudo_iolog` in `vars.yml` to `true` to enable I/O logging * You can set the `sudo_ids` in `vars.yml` to `true` to enable "Intrusion Detection" as described in [Sudo Mastery](#other-docs) chapter 9 ([#59](https://github.com/pyllyukko/harden.yml/issues/59)) + * See also [notes](#information_source-notes) * :smiling_imp: [ClamAV](https://www.clamav.net/) configuration (see [clamav.yml](tasks/clamav.yml)) * Configures `clamd` & `freshclam` by first generating fresh configurations with [clamconf](https://docs.clamav.net/manual/Usage/Configuration.html#clamconf) * Configured ClamAV to unarchive with password "infected" (see [Passwords for archive files](https://docs.clamav.net/manual/Signatures/EncryptedArchives.html) & [ClamAV and ZIP File Decryption](https://blog.didierstevens.com/2017/02/15/quickpost-clamav-and-zip-file-decryption/)) 
@@ -227,7 +228,7 @@ Usage * :sandwich: Sudo hardening: * `noexec` is on by default, so you need to take this into account in your custom rules * :timer_clock: Interactive shells to `root` have timeout, so use `screen` for those longer administrative tasks -* Rebooting the system after running this is highly recommended +* :arrows_counterclockwise: Rebooting the system after running this is highly recommended * The AIDE DB creation is made [asynchronously](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_async.html) and without polling, so let that finish before rebooting * :bulb: You might want to get additional (unofficial) rules for ClamAV with [clamav-unofficial-sigs](https://github.com/extremeshok/clamav-unofficial-sigs) (although see [#425](https://github.com/extremeshok/clamav-unofficial-sigs/issues/425)). At least the following rulesets are freely available: * [Sanesecurity](https://sanesecurity.com/usage/signatures/) @@ -237,7 +238,7 @@ Usage * [InterServer](https://sigs.interserver.net) * [URLhaus](https://urlhaus.abuse.ch/downloads/urlhaus.ndb) * :warning: **WARNING**: There is a hazard with immutable `loginuid` enabled in auditing in non-systemd systems (Slackware). See longer description of this in the [wiki](https://github.com/pyllyukko/harden.yml/wiki/PAM#pam_loginuidso). -* Review `/etc/fstab.new` manually and deploy applicable changes to `/etc/fstab` +* :file_folder: Review `/etc/fstab.new` manually and deploy applicable changes to `/etc/fstab` * :bulb: Consider running a hardened kernel. For Slackware you can check out my other project [kspp\_confnbuild](https://github.com/pyllyukko/kspp_confnbuild) that has been (mostly) configured according to [KSPP](https://kspp.github.io/)'s [recommendations](https://kspp.github.io/Recommended_Settings). You can use [kernel-hardening-checker](https://github.com/a13xp0p0v/kernel-hardening-checker) to check your kernel configs. ### Tags 
@@ -304,7 +305,7 @@ Other tags are just metadata for now. You can list all the tags with * There is a `lock_account.yml` playbook that you can use to lock user accounts. Just modify the `hosts` & `user`. * Limited hardening for FreeBSD (see [freebsd.yml](tasks/freebsd.yml)) -* Experimental feature: If you enable `sudo_ids` in `vars.yml`, it enables "Sudo Intrusion Detection" as seen in chapter 9 of [Sudo Mastery](https://mwl.io/nonfiction/tools#sudo2) +* :sandwich: Experimental feature: If you enable `sudo_ids` in `vars.yml`, it enables "Sudo Intrusion Detection" as seen in chapter 9 of [Sudo Mastery](https://mwl.io/nonfiction/tools#sudo2) * Only for `SHELLS` `Cmnd_Alias` for now * You can run `make pamcheck` to see how the hardening modifies your PAM configurations in Slackware * :blowfish: You can create a new SSH moduli with `make /etc/ssh/moduli.new` @@ -323,9 +324,9 @@ Some of these documents are quite old, but most of the stuff still applies. * [CIS CentOS Linux 7 Benchmark](https://www.cisecurity.org/benchmark/centos_linux/) * [CIS Distribution Independent Linux](https://www.cisecurity.org/benchmark/distribution_independent_linux) * [SlackDocs: Security HOWTOs](http://docs.slackware.com/howtos:security:start) -* [Alien's Wiki: Security issues](http://alien.slackbook.org/dokuwiki/doku.php?id=linux:admin#security_issues) +* :alien: [Alien's Wiki: Security issues](http://alien.slackbook.org/dokuwiki/doku.php?id=linux:admin#security_issues) * [SlackWiki: Basic Security Fixes](http://slackwiki.com/Basic_Security_Fixes) -* [Wikipedia: Fork bomb Prevention](https://en.wikipedia.org/wiki/Fork_bomb#Prevention) +* :bomb: [Wikipedia: Fork bomb Prevention](https://en.wikipedia.org/wiki/Fork_bomb#Prevention) ### Other docs
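Review bot: in the first hunk (`@@ -81,6 +81,7 @@`), the added `* See also [notes](#information_source-notes)` sub-bullet depends on a heading slug that is not visible in this diff. For GitHub's renderer, `#information_source-notes` is the anchor generated for a heading of the form `### :information_source: Notes` (colons dropped, underscore kept, space turned into a hyphen), so please confirm the Notes heading really carries that shortcode and that the link resolves in the rendered README; other Markdown renderers do not produce that id. Since the sub-bullet sits directly under the `sudo_ids` entry, consider making the link text say what the reader will find there, e.g. `See also the [notes](#information_source-notes) on this experimental feature`, so the cross-reference is not just a bare "notes".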
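Review bot: the `@@ -227,7 +228,7 @@` hunk is cosmetic only (an `:arrows_counterclockwise:` shortcode in front of the reboot recommendation), which matches the existing `:warning:`, `:bulb:` and `:timer_clock:` convention in the surrounding context lines; just note that these shortcodes render as emoji only on GitHub-flavoured Markdown and show up as the literal text `:arrows_counterclockwise:` elsewhere. The same applies to the `:file_folder:`, `:alien:` and `:bomb:` additions in the later hunks. No functional change, so nothing to block on here.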
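Review bot: in the `@@ -304,7 +305,7 @@` hunk, the line now tagged `:sandwich:` duplicates the `sudo_ids` description that the first hunk's context shows at line 83, but the two places disagree in emphasis: the feature list presents `sudo_ids` as a regular option, while only this Notes bullet marks it "Experimental feature" and states the `Only for `SHELLS` `Cmnd_Alias` for now` limitation. Either carry the "experimental" wording into the feature-list entry as well, or keep the single source of truth here and let the new "See also notes" sub-bullet point to it; as it stands a reader who stops at the feature list may enable `sudo_ids` without seeing the `SHELLS`-only caveat.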