The creation process is as follows:
# apt update
# apt install -y bc net-tools pciutils network-manager vim unzip
$ cd /opt
/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip
/opt# unzip master.zip
/opt$ cd harbian-audit-master/
(The following two password changes may not be needed.)
admin@ip:/opt/harbian-audit-master# passwd
admin@ip:/opt/harbian-audit-master# passwd admin
admin@ip:/opt/harbian-audit-master# cp etc/default.cfg /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --init
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.35_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply
admin@ip:/opt/harbian-audit-master# reboot
Configuring the firewall (set INTERFACENAME in the same shell that runs the two scripts below; if the root shell is a separate session the variable is empty and the scripts receive no interface name):
admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0"
admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME
admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4
admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
admin@ip:/opt/harbian-audit-master# exit
Items that need to be applied twice, and items that must be applied after the first apply:
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.2
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.3
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.12
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.35_freeze_auditd_conf.cfg
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.35
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 4.5
admin@ip:/opt/harbian-audit-master# reboot
Items that need to be applied three times:
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.1
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.2
admin@ip:/opt/harbian-audit-master# reboot
# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue*
If you need to add a project to the AMI, place it in a directory such as /opt or /usr/local/bin.
To reduce the attack surface and improve the reliability of the AMIs you create, follow these guidelines:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html
# rm /opt/master.zip
# rm /opt/harbian-audit-master/tmp/backups/*
# rm /opt/harbian-audit-master/etc/conf.d/*.cfg
# apt-get purge --autoremove unzip -y
$ echo > ~/.ssh/known_hosts
# find /var/log/ -name "*.log" -exec shred -u {} \;
# find /var/log/ -name "*.log.*" -exec shred -u {} \;
# find / -name "authorized_keys" -exec shred -u {} \;
# rm /root/.wget-hsts
# rm /root/.viminfo
# echo > /var/log/debug
# echo > /var/log/btmp
# echo > /var/log/error
# echo > /var/log/exim4/mainlog
# echo > /var/log/exim4/paniclog
# echo > /var/log/faillog
# echo > /var/log/messages
# echo > /var/log/syslog
# echo > /var/log/tallylog
# echo > /var/log/lastlog
# echo > /var/log/wtmp
# echo > /var/log/sudo.log
Reset the passwords of all users and re-initialize the AIDE database:
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --final
# echo > ~/.bash_history
# history -cw
$ echo > ~/.bash_history
$ history -cw
https://github.com/hardenedlinux/harbian-audit/blob/master/README.md
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html
https://aws.amazon.com/cn/articles/public-ami-publishing-hardening-and-clean-up-requirements/
https://aws.amazon.com/cn/articles/how-to-share-and-use-public-amis-in-a-secure-manner/