A collection of awesome security hardening guides, tools and other resources
Go to file
dependabot[bot] 9dfcd89acc
Bump lycheeverse/lychee-action from 1.5.0 to 1.5.4 in /.github/workflows
Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 1.5.0 to 1.5.4.
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](https://github.com/lycheeverse/lychee-action/compare/v1.5.0...v1.5.4)

---
updated-dependencies:
- dependency-name: lycheeverse/lychee-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-23 19:09:29 +00:00
.github Bump lycheeverse/lychee-action from 1.5.0 to 1.5.4 in /.github/workflows 2022-11-23 19:09:29 +00:00
README.md added VMware - Protecting vSphere From Specialized Malware, fixes #67 2022-09-30 10:32:36 +02:00

awesome-security-hardening

Awesome

A collection of awesome security hardening guides, best practices, checklists, benchmarks, tools and other resources. This is work in progress: please contribute by sending your suggestions. You may do this by creating issue tickets or forking, editing and sending pull requests. You may also send suggestions on Twitter to @decalage2, or use https://www.decalage.info/contact


Table of Contents


Security Hardening Guides and Best Practices

Hardening Guide Collections

GNU/Linux

Red Hat Enterprise Linux - RHEL

CentOS

SUSE

Ubuntu

Windows

See also Active Directory and ADFS below.

macOS

Network Devices

Switches

Routers

IPv6

  • ERNW - Developing an Enterprise IPv6 Security Strategy Part 1, Part 2, Part 3, Part 4 - Network Isolation on the Routing Layer, Traffic Filtering in IPv6 Networks
  • see also IPv6 links under GNU/Linux, Windows and macOS

Firewalls

Virtualization - VMware

Containers - Docker - Kubernetes

Services

SSH

TLS/SSL

Web Servers

Apache HTTP Server

Apache Tomcat

Eclipse Jetty

Microsoft IIS

Mail Servers

FTP Servers

Database Servers

Active Directory

ADFS

Kerberos

LDAP

DNS

NTP

NFS

CUPS

Authentication - Passwords

Hardware - CPU - BIOS - UEFI

Cloud

Tools

Tools to check security hardening

  • Chef InSpec - open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements. can run on Windows and many Linux distributions.

GNU/Linux

  • Lynis - script to check the configuration of Linux hosts
  • OpenSCAP Base - oscap command line tool
  • SCAP Workbench - GUI for oscap
  • Tiger - The Unix security audit and intrusion detection tool (might be outdated)
  • otseca - Open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
  • SUDO_KILLER - A tool to identify sudo rules' misconfigurations and vulnerabilities within sudo
  • CIS Benchmarks Audit - bash script which performs tests against your CentOS system to give an indication of whether the running server may comply with the CIS v2.2.0 Benchmarks for CentOS (only CentOS 7 for now)

Windows

  • Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
  • Microsoft DSC Environment Analyzer (DSCEA) - simple implementation of PowerShell Desired State Configuration that uses the declarative nature of DSC to scan Windows OS based systems in an environment against a defined reference MOF file and generate compliance reports as to whether systems match the desired configuration
  • HardeningAuditor - Scripts for comparing Microsoft Windows compliance with the Australian ASD 1709 & Office 2016 Hardening Guides
  • PingCastle - Tool to check the security of Active Directory
  • MDE-AuditCheck - Tool to check that Windows audit settings are properly configured in the GPO for Microsoft Defender for Endpoint

Network Devices

  • Nipper-ng - to check the configuration of network devices (does not seem to be updated)

TLS/SSL

SSH

  • ssh-audit - SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

Hardware - CPU - BIOS - UEFI

Docker

  • Docker Bench for Security - script that checks for dozens of common best-practices around deploying Docker containers in production, inspired by the CIS Docker Community Edition Benchmark v1.1.0.

Cloud

Tools to apply security hardening

GNU/Linux

Windows

  • Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
  • Hardentools - for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.
  • Windows 10 Hardening - A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible.
  • Disassembler0 Windows 10 Initial Setup Script - PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
  • Automated-AD-Setup - A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening
  • mackwage/windows_hardening.cmd - Script to perform some hardening of Windows 10

TLS/SSL

Cloud

Password Generators

Books

Other Awesome Lists

Other Awesome Security Lists

(borrowed from Awesome Security)