From 7f53ead92bc3f0ed3172f98673c1799631ddc44f Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Mon, 18 May 2026 14:00:08 -0700 Subject: [PATCH] docs: refine README files --- auditing/Lynis Installer/README.md | 11 +++++++++-- hardening/Nginx WAF/README.md | 5 +---- hardening/Root Locker/README.md | 13 ++++++++----- hardening/SSHD Hardening/README.md | 11 ++++++++--- hardening/UFW Cloudflare/README.md | 9 +++++++-- 5 files changed, 33 insertions(+), 16 deletions(-) diff --git a/auditing/Lynis Installer/README.md b/auditing/Lynis Installer/README.md index 91d78da..9d53c98 100644 --- a/auditing/Lynis Installer/README.md +++ b/auditing/Lynis Installer/README.md @@ -14,22 +14,29 @@ Downloads [Lynis](https://github.com/CISOfy/lynis), a security auditing tool for ## Usage -Run the installer from the repository root: +From the repository root: ```bash ./auditing/Lynis\ Installer/lynis-installer.bash ``` +OR from the script directory: + +```bash +./lynis-installer.bash +``` + ## After Installation To run a Lynis system audit: ```bash cd ~/lynis +clear sudo ./lynis audit system ``` -Review the Lynis output before applying any hardening changes. Lynis findings are recommendations, not a replacement for understanding the system's role and access requirements. +Before applying hardening changes, review the Lynis output carefully. Treat its findings as recommendations, not as a replacement for understanding your system’s security posture. ## Tested On diff --git a/hardening/Nginx WAF/README.md b/hardening/Nginx WAF/README.md index aba532f..e89d6f0 100644 --- a/hardening/Nginx WAF/README.md +++ b/hardening/Nginx WAF/README.md 
@@ -5,13 +5,11 @@ Installs and configures ModSecurity with the OWASP Core Rule Set for Nginx. -This script builds software from source, installs packages, writes Nginx configuration, enables ModSecurity, tests the Nginx configuration, and restarts Nginx. - ## Requirements - Bash 4.0 or newer - Root privileges -- Nginx installed and available in `PATH` +- Nginx 1.24.0 or newer, installed and available in `PATH` - A Debian/Ubuntu-style system with `apt-get` and `dpkg` - Internet access @@ -79,7 +77,6 @@ The script also creates or reuses build directories in the current working direc ## Safety Notes -- Run this in a test environment before using it on a production web server. - Review local Nginx packaging conventions before running it on systems with custom Nginx builds. - The OWASP Core Rule Set can block legitimate traffic until tuned for the application. - Existing local changes in reused `ModSecurity`, `ModSecurity-nginx`, or CRS clone directories may affect the run. diff --git a/hardening/Root Locker/README.md b/hardening/Root Locker/README.md index a006847..a753bee 100644 --- a/hardening/Root Locker/README.md +++ b/hardening/Root Locker/README.md @@ -1,6 +1,6 @@ # Root Locker -Locks the root account to prevent direct root login. +Locks the root account password to prevent password-based root logins. > [!NOTE] > This does not remove administrative access for users who already have valid sudo privileges. Users may still be able to gain a root shell through tools such as `sudo su` or `sudo -i`. 
@@ -13,16 +13,17 @@ Locks the root account to prevent direct root login. ## Usage -Run the script from the repository root: +From the repository root: ```bash sudo ./hardening/Root\ Locker/root-locker.bash ``` -## Safety Notes +OR from the script directory: -- Confirm that at least one non-root user has working sudo access before running this script. -- Do not run this on a system where direct root login is the only available administrative access path. +```bash +sudo ./root-locker.bash +``` ## Verify @@ -32,6 +33,8 @@ Check the root account state with: sudo passwd -S root ``` +The second field in the output shows the account status. `L` means the password is locked. + You can also confirm sudo access from a non-root administrative account: ```bash diff --git a/hardening/SSHD Hardening/README.md b/hardening/SSHD Hardening/README.md index d556b97..3f7824d 100644 --- a/hardening/SSHD Hardening/README.md +++ b/hardening/SSHD Hardening/README.md @@ -2,7 +2,7 @@ Hardens the OpenSSH server configuration using settings aligned with Lynis recommendations. -> [!NOTE] +> [!CAUTION] > This script modifies the system SSH daemon configuration. Treat it as a high-risk change on remote systems because an invalid or overly restrictive SSH configuration can lock you out. ## Requirements @@ -15,12 +15,18 @@ Hardens the OpenSSH server configuration using settings aligned with Lynis recom ## Usage -Run the script from the repository root: +From the repository root: ```bash sudo ./hardening/SSHD\ Hardening/harden-sshd.bash ``` +OR from the script directory: + +```bash +sudo ./harden-sshd.bash +``` + ## Changes Made The script updates supported settings in `/etc/ssh/sshd_config` when those settings are already present in the file: 
@@ -59,7 +65,6 @@ If `/etc/ssh/sshd_config.bak` already exists, the script asks whether to overwri ## Safety Notes - Keep your current SSH session open while testing a new login. -- Make sure you have console, provider, or other recovery access before running this on a remote system. - Review whether agent forwarding, TCP forwarding, X11 forwarding, and session limits are compatible with your use case. ## Verify diff --git a/hardening/UFW Cloudflare/README.md b/hardening/UFW Cloudflare/README.md index 3826e0a..751e163 100644 --- a/hardening/UFW Cloudflare/README.md +++ b/hardening/UFW Cloudflare/README.md @@ -15,12 +15,18 @@ Use this script for hosts where public web traffic should reach the origin serve ## Usage -Run the script from the repository root: +From the repository root: ```bash sudo ./hardening/UFW\ Cloudflare/ufw-cloudflare.bash ``` +OR from the script directory: + +```bash +sudo ./ufw-cloudflare.bash +``` + ## Execution Summary - Reads existing UFW rules marked with the `Cloudflare IP` comment. @@ -50,7 +56,6 @@ The temporary backup is removed during normal cleanup. ## Safety Notes -- Make sure you have recovery access before running it on a remote system. - Direct origin access may remain possible through other open ports or non-UFW firewall layers. ## Verify
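Review bot: in the "After Installation" part of the `auditing/Lynis Installer/README.md` hunk, the added `clear` between `cd ~/lynis` and `sudo ./lynis audit system` wipes the terminal scrollback, including whatever the installer step just printed, and contributes nothing to the audit; drop it so the documented sequence is only what the audit needs. The rewritten closing sentence also loses precision: "understanding the system's role and access requirements" told the reader what to weigh findings against, while "understanding your system's security posture" is circular, since the audit is what assesses posture. Keep the original wording. Minor style point that applies to every README this patch touches: "OR from the script directory:" in capitals reads as shouting; "Or, from the script directory:" is enough.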
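Review bot: in the first `hardening/Nginx WAF/README.md` hunk, the removed line "This script builds software from source, installs packages, writes Nginx configuration, enables ModSecurity, tests the Nginx configuration, and restarts Nginx." is the only sentence in the visible context that tells an operator the script restarts Nginx and rewrites its configuration, which is exactly the information needed to decide whether to run it on a given host; keep it here or move it to an execution summary like the one the UFW README has. The new requirement "Nginx 1.24.0 or newer" is introduced with no reason given; state why that version is the floor, and preferably have the script itself check the installed version instead of relying on a README line.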
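Review bot: removing "- Run this in a test environment before using it on a production web server." from the Safety Notes of `hardening/Nginx WAF/README.md` contradicts the bullet kept directly below it, "The OWASP Core Rule Set can block legitimate traffic until tuned for the application." Testing first is the mitigation for that bullet, and for a script that enables a WAF and restarts Nginx it should stay.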
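Review bot: the new description in `hardening/Root Locker/README.md`, "Locks the root account password to prevent password-based root logins.", is the accurate one, but it narrows the claim without updating the NOTE under it, which only covers users with sudo. Add that non-password root logins, such as an SSH key installed for root, are not affected by a password lock and have to be handled separately.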
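Review bot: the second `hardening/Root Locker/README.md` hunk deletes the whole "## Safety Notes" section, including "Confirm that at least one non-root user has working sudo access before running this script." and "Do not run this on a system where direct root login is the only available administrative access path." Those two lines are the lockout guard for a script whose entire effect is to disable root password login; the "OR from the script directory" block added in their place is not a substitute. Restore the section between Usage and Verify.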
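Review bot: the added explanation of `sudo passwd -S root` in `hardening/Root Locker/README.md` lists only `L`; the second field can also be `NP` (no password set) or `P` (usable password), and a reader who sees `NP` should not take it for locked. Suggest: "The second field shows the password status: `L` locked, `NP` no password, `P` usable password. Expect `L` after running the script."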
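Review bot: deleting "- Make sure you have console, provider, or other recovery access before running this on a remote system." from the Safety Notes of `hardening/SSHD Hardening/README.md` undoes the point of the NOTE-to-CAUTION upgrade earlier in this same patch, which warns that an overly restrictive configuration "can lock you out". The remaining bullet, "Keep your current SSH session open while testing a new login.", covers the case where sshd comes back and rejects the new login; out-of-band recovery access is what covers a daemon that does not come back at all. Keep the line.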
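Review bot: the same regression as in the SSHD and Root Locker READMEs: "- Make sure you have recovery access before running it on a remote system." is removed from the Safety Notes of `hardening/UFW Cloudflare/README.md`, leaving only the bullet about other open ports. A script that changes the UFW rule set on a remote host can cut off the operator's own SSH session if the resulting rules are more restrictive than intended; keep the recovery-access bullet.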