智慧物流>> cis_benchmarks_audit>> 返回
项目作者: finalduty

项目描述 :
Simple command line tool to check for compliance against CIS Benchmarks
高级语言: Shell
项目地址: git://github.com/finalduty/cis_benchmarks_audit.git
创建时间: 2017-08-03T00:10:32Z
项目社区:https://github.com/finalduty/cis_benchmarks_audit
开源协议:Apache License 2.0
下载


CIS Benchmarks Audit



Latest version


GitHub Actions



License





CodeFactor


Code style: black

This repo provides an unofficial, standalone, zero-install, zero-dependency, Python 3 script which can check your system against published CIS Hardening Benchmarks to offer an indication of your system’s preparedness for compliance to the official standard.

How do I use this?

Download:

  1. curl -LO https://raw.githubusercontent.com/finalduty/cis_benchmarks_audit/main/cis_audit.py && chmod 750 cis_audit.py

Run

  1. #usage: cis_audit.py [-h] [--level {1,2}] [--include INCLUDES [INCLUDES ...]]
  2.                     [--exclude EXCLUDES [EXCLUDES ...]]
  3.                     [-l {DEBUG,INFO,WARNING,CRITICAL}] [--debug] [--nice]
  4.                     [--no-nice] [--no-colour]
  5.                     [--system-type {server,workstation}] [--server]
  6.                     [--workstation] [--outformat {csv,json,psv,text,tsv}]
  7.                     [--text] [--json] [--csv] [--psv] [--tsv] [-V] [-c CONFIG]
  9. This script runs tests on the system to check for compliance against the CIS Benchmarks. No changes are made to system files by this script.
  11. optional arguments:
  12.   -h, --help            show this help message and exit
  13.   --level {1,2}         Run tests for the specified level only
  14.   --include INCLUDES [INCLUDES ...]
  15.                         Space delimited list of tests to include
  16.   --exclude EXCLUDES [EXCLUDES ...]
  17.                         Space delimited list of tests to exclude
  18.   -l {DEBUG,INFO,WARNING,CRITICAL}, --log-level {DEBUG,INFO,WARNING,CRITICAL}
  19.                         Set log output level
  20.   --debug               Run script with debug output turned on. Equivalent to --log-level DEBUG
  21.   --nice                Lower the CPU priority for test execution. This is the default behaviour.
  22.   --no-nice             Do not lower CPU priority for test execution. This may make the tests complete faster but at the cost of putting a higher load on the server. Setting this overrides the --nice option.
  23.   --no-colour, --no-color
  24.                         Disable colouring for STDOUT. Output redirected to a file/pipe is never coloured.
  25.   --system-type {server,workstation}
  26.                         Set which test level to reference
  27.   --server              Use "server" levels to determine which tests to run. Equivalent to --system-type server [Default]
  28.   --workstation         Use "workstation" levels to determine which tests to run. Equivalent to --system-type workstation
  29.   --outformat {csv,json,psv,text,tsv}
  30.                         Output type for results
  31.   --text                Output results as text. Equivalent to --output text [default]
  32.   --json                Output results as json. Equivalent to --output json
  33.   --csv                 Output results as comma-separated values. Equivalent to --output csv
  34.   --psv                 Output results as pipe-separated values. Equivalent to --output psv
  35.   --tsv                 Output results as tab-separated values. Equivalent to --output tsv
  36.   -V, --version         Print version and exit
  37.   -c CONFIG, --config CONFIG
  38.                         Location of config file to load
  40. Examples:
  42.     Run with debug enabled:
  43.     ./cis_audit.py --debug
  45.     Exclude tests from section 1.1 and 1.3.2:
  46.     ./cis_audit.py --exclude 1.1 1.3.2
  48.     Include tests only from section 4.1 but exclude tests from section 4.1.1:
  49.     ./cis_audit.py --include 4.1 --exclude 4.1.1
  51.     Run only level 1 tests
  52.     ./cis_audit.py --level 1
  54.     Run level 1 tests and include some but not all SELinux questions
  55.     ./cis_audit.py --level 1 --include 1.6 --exclude 1.6.1.2

Example Results

  1. # ./cis-audit.sh --include 5.2
  2. [00:00:01] (✓) 14 of 14 tests completed 
  4.  CIS CentOS 7 Benchmark v2.2.0 Results 
  5. ---------------------------------------
  6. ID      Description                                                Scoring  Level  Result  Duration
  7. --      -----------                                                -------  -----  ------  --------
  9. 5       Access Authentication and Authorization
  10. 5.2     SSH Server Configuration
  11. 5.2.1   Ensure permissions on /etc/ssh/sshd_config are configured  Scored   1      Pass    33ms
  12. 5.2.2   Ensure SSH Protocol is set to 2                            Scored   1      Pass    5ms
  13. 5.2.3   Ensure SSH LogLevel is set to INFO                         Scored   1      Pass    6ms
  14. 5.2.4   Ensure SSH X11 forwarding is disabled                      Scored   1      Pass    4ms
  15. 5.2.5   Ensure SSH MaxAuthTries is set to 4 or less                Scored   1      Pass    9ms
  16. 5.2.6   Ensure SSH IgnoreRhosts is enabled                         Scored   1      Pass    5ms
  17. 5.2.7   Ensure SSH HostbasedAuthentication is disabled             Scored   1      Pass    5ms
  18. 5.2.8   Ensure SSH root login is disabled                          Scored   1      Fail    8ms
  19. 5.2.9   Ensure SSH PermitEmptyPasswords is disabled                Scored   1      Pass    5ms
  20. 5.2.10  Ensure SSH PermitUserEnvironment is disabled               Scored   1      Pass    8ms
  21. 5.2.11  Ensure only approved ciphers are used                      Scored   1      Pass    16ms
  22. 5.2.12  Ensure only approved MAC algorithms are used               Scored   1      Pass    45ms
  23. 5.2.13  Ensure SSH Idle Timeout Interval is configured             Scored   1      Fail    15ms
  24. 5.2.14  Ensure SSH LoginGraceTime is set to one minute or less     Scored   1      Pass    11ms
  25. 5.2.15  Ensure SSH access is limited                               Skipped  1              
  26. 5.2.16  Ensure SSH warning banner is configured                    Scored   1      Pass    6ms
  28. Passed 13 of 15 tests in 1 seconds (1 Skipped, 0 Errors)

Supported Versions

OS Benchmark Versions Python Version
CentOS 7 3.1.2 3.6

Caveats

Terms of Use

Use of the CIS Benchmarks are subject to the Terms of Use for Non-Member CIS Products

CentOS 7 & Python 3

Whilst this repo intends to follow a zero dependency approach, it is not practical to support Python 2.7, which is what is installed by default on CentOS 7. You can however easily install Python 3.6 via yum, which I hope is ok for your environment:

  1. $ sudo yum install python3 -y

Disclaimer

This is not a replacement for a full audit and a passing result from this script does not necessarily mean that you are compliant (but it should give you a good idea of where to start).

No warranty is offered and no responsibility will be taken for damage to systems resulting from the use of this tool.

License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

CC BY-NC-SA 4.0