hardening.md

opensource-hardening

A collection of open source hardening tools

Collections

3rd-party guides

• unassassinable/PAW - Privileged Access Workstation
• PaulSec/awesome-windows-domain-hardening - A curated list of awesome Security Hardening techniques for Windows
• ernw/hardening - Repository of Hardening Guides

Windows

• A-mIn3/WINspect - Powershell-based Windows Security Auditing Toolbox
• securitywithoutborders/hardentools - a utility that disables a number of risky Windows features
• zodiacon/DriverMon - Monitor activity of any driver
• EyeOfRa/WinConMon - a demonstration version of how to monitoring Windows console (starting from Windows 8)
• ubeeri/Invoke-PWAudit - A PowerShell tool which provides an easy way to check for shared passwords between Windows Active Directory accounts
• gist: reclaimWindows10.ps1 - This Windows 10 Setup Script turns off a bunch of unnecessary Windows 10 telemetery, bloatware, & privacy things
• jephthai/OpenPasswordFilter - An open source custom password filter DLL and userspace service to better protect / control Active Directory domain passwords
• gist: mackwage/windows_hardening.cmd - Script to perform some hardening of Windows OS

Windows AD

• clr2of8/DPAT - Domain Password Audit Tool for Pentesters
• canix1/ADACLScanner - Your number one script for ACL's in Active Directory - 找ACL配置缺陷
• NotSoSecure/AD_delegation_hunting - An attempt to automated hunting for delegation access across the domain
• cyberark/ACLight - A script for advanced discovery of Privileged Accounts - includes Shadow Admins
• ANSSI-FR/AD-permissions - Active Directory permissions (ACL/ACE) auditing tools
• Group policy
  • gpoguy/GetVulnerableGPO - PowerShell script to find 'vulnerable' security-related GPOs that should be hardended

Linux

• openwall: LKRG - Linux Kernel Runtime Guard
• trimstray/otseca - Open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats
• a13xp0p0v/kconfig-hardened-check - A script for checking the hardening options in the Linux kernel config
• CISOfy/lynis - Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems
• dev-sec/ansible-os-hardening - This Ansible role provides numerous security-related configurations, providing all-round base protection
• uber/pam-ussh - uber's ssh certificate pam module

MacOS

• drduh/macOS-Security-and-Privacy-Guide - Guide to securing and improving privacy on macOS

SQLServer

• sqlcollaborative/dbachecks - a framework created by and for SQL Server pros who need to validate their environments

Firefox

• pyllyukko/user.js - Firefox configuration hardening

Sandbox

• kkamagui/shadow-box-for-x86 - Lightweight and Practical Kernel Protector for x86
• adtac/fssb - A filesystem sandbox for Linux using syscall intercepts
• google/gvisor - Container Runtime Sandbox
• google/nsjail - A light-weight process isolation tool, making use of Linux namespaces and seccomp-bpf syscall filters
  • Tutorial: Sandboxing ImageMagick with nsjail
• netblue30/firejail - Linux namespaces and seccomp-bpf sandbox
• genuinetools/binctr - Create fully static, including rootfs embedded, binaries that pop you directly into a container

Deception

• bhdresh/Dejavu - DejaVU - Open Source Deception Framework
• samratashok/Deploy-Deception - A PowerShell module to deploy active directory decoy objects

Uncategorized

• gist: a list of DNS over HTTP service providers

Tutorials

• Hardening Microsoft Windows 10 version 1709 Workstations