{"id":1136,"date":"2025-03-19T13:52:24","date_gmt":"2025-03-19T13:52:24","guid":{"rendered":"https:\/\/virtualall.sk\/?p=1136"},"modified":"2026-05-08T07:32:25","modified_gmt":"2026-05-08T07:32:25","slug":"cis-benchmark-standard-pre-posilnenie-kybernetickej-bezpecnosti-ubuntu-server","status":"publish","type":"post","link":"https:\/\/virtualall.sk\/en\/2025\/03\/cis-benchmark-standard-pre-posilnenie-kybernetickej-bezpecnosti-ubuntu-server\/","title":{"rendered":"CIS Benchmark: \u0160tandard pre posilnenie kybernetickej bezpe\u010dnosti 2CIS Benchmark: Cybersecurity Hardening Standard Part 2"},"content":{"rendered":"\n

V digit\u00e1lnej \u00e9re je kybernetick\u00e1 bezpe\u010dnos\u0165<\/strong> k\u013e\u00fa\u010dov\u00fdm aspektom pre organiz\u00e1cie v\u0161etk\u00fdch ve\u013ekost\u00ed. Spr\u00e1vna konfigur\u00e1cia serverov<\/strong> je nevyhnutn\u00e1 na ochranu pred r\u00f4znymi hrozbami. Center for Internet Security (CIS)<\/strong> poskytuje CIS Benchmarks<\/strong>, \u010do s\u00fa osved\u010den\u00e9 postupy na bezpe\u010dn\u00fa konfigur\u00e1ciu IT syst\u00e9mov, vr\u00e1tane Ubuntu Linux serverov<\/strong>.<\/p>\n\n\n\n

\u010co je CIS Benchmark?<\/strong><\/h2>\n\n\n\n

CIS Benchmarks<\/strong> s\u00fa odpor\u00fa\u010dan\u00e9 bezpe\u010dnostn\u00e9 konfigur\u00e1cie<\/strong> vyvinut\u00e9 komunitou odborn\u00edkov na kybernetick\u00fa bezpe\u010dnos\u0165. Tieto odpor\u00fa\u010dania pokr\u00fdvaj\u00fa r\u00f4zne technol\u00f3gie a pom\u00e1haj\u00fa organiz\u00e1ci\u00e1m zabezpe\u010di\u0165 ich syst\u00e9my<\/strong> pod\u013ea najlep\u0161\u00edch prakt\u00edk. Pre Ubuntu Linux<\/strong> s\u00fa dostupn\u00e9 \u0161pecifick\u00e9 benchmarky, ktor\u00e9 poskytuj\u00fa podrobn\u00fd n\u00e1vod na bezpe\u010dn\u00fa konfigur\u00e1ciu syst\u00e9mu.<\/p>\n\n\n\n

Implement\u00e1cia CIS Benchmarku na Ubuntu Serveroch<\/strong><\/h2>\n\n\n\n

Ubuntu<\/strong> poskytuje n\u00e1stroje na automatiz\u00e1ciu s\u00faladu a auditu<\/strong> s CIS benchmarkmi. Ubuntu Security Guide (USG)<\/strong> je n\u00e1stroj, ktor\u00fd umo\u017e\u0148uje jednoduch\u00fa implement\u00e1ciu t\u00fdchto odpor\u00fa\u010dan\u00ed na Ubuntu 20.04 LTS a nov\u0161\u00edch verzi\u00e1ch. USG umo\u017e\u0148uje:<\/p>\n\n\n\n

    \n
  • Auditova\u0165 aktu\u00e1lny stav syst\u00e9mu<\/strong> vo\u010di CIS benchmarkom.<\/li>\n\n\n\n
  • Implementova\u0165 odpor\u00fa\u010dan\u00e9 nastavenia<\/strong> na dosiahnutie s\u00faladu.<\/li>\n\n\n\n
  • Prisp\u00f4sobi\u0165 nastavenia<\/strong> pod\u013ea \u0161pecifick\u00fdch potrieb organiz\u00e1cie.<\/li>\n<\/ul>\n\n\n\n

    Pre star\u0161ie verzie, ako s\u00fa Ubuntu 16.04 a 18.04 LTS, s\u00fa dostupn\u00e9 n\u00e1stroje na dosiahnutie s\u00faladu s CIS benchmarkmi.<\/p>\n\n\n\n

    Konfigur\u00e1cia SSH pod\u013ea CIS Benchmarku<\/strong><\/h2>\n\n\n\n

    Tento Bash skript<\/strong> sl\u00fa\u017ei na bezpe\u010dn\u00e9 nastavenie OpenSSH servera<\/strong> na Linuxe v s\u00falade s odpor\u00fa\u010daniami CIS Benchmarku<\/strong>. CIS (Center for Internet Security) poskytuje osved\u010den\u00e9 bezpe\u010dnostn\u00e9 postupy na zabezpe\u010denie serverov<\/strong>, vr\u00e1tane bezpe\u010dnej konfigur\u00e1cie SSH<\/strong> (Secure Shell), \u010do je kritick\u00fd komponent vzdialen\u00e9ho pr\u00edstupu.<\/p>\n\n\n\n

    \u010co tento skript rob\u00ed?<\/strong><\/h4>\n\n\n\n
      \n
    1. Logovanie a z\u00e1loha konfigur\u00e1cie:<\/strong>\n
        \n
      • Vytv\u00e1ra logovac\u00ed s\u00fabor<\/strong> \/var\/log\/hardening_script.log<\/code>.<\/li>\n\n\n\n
      • Pred zmenami vykon\u00e1va z\u00e1lohu<\/strong> s\u00faboru \/etc\/ssh\/sshd_config<\/code> (prid\u00e1va .bak<\/code> na koniec).<\/li>\n<\/ul>\n<\/li>\n\n\n\n
      • Aplik\u00e1cia bezpe\u010dnostn\u00fdch nastaven\u00ed pre SSH:<\/strong>\n
          \n
        • Zakazuje priame prihl\u00e1senie root pou\u017e\u00edvate\u013ea<\/strong>: PermitRootLogin no<\/code><\/li>\n\n\n\n
        • Obmedzuje po\u010det pokusov o autentifik\u00e1ciu<\/strong>: MaxAuthTries 3<\/code><\/li>\n\n\n\n
        • Zakazuje pr\u00e1zdne hesl\u00e1<\/strong>: PermitEmptyPasswords no<\/code><\/li>\n\n\n\n
        • Zakazuje forwarding a interakt\u00edvne autentifik\u00e1cie<\/strong>:\n
            \n
          • AllowAgentForwarding no<\/code><\/li>\n\n\n\n
          • AllowTcpForwarding no<\/code><\/li>\n\n\n\n
          • KbdInteractiveAuthentication no<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n
          • Zakazuje X11 forwarding<\/strong>: X11Forwarding no<\/code><\/li>\n\n\n\n
          • Obmedzuje po\u010det paraleln\u00fdch session<\/strong>: MaxSessions 2<\/code><\/li>\n\n\n\n
          • Definuje maxim\u00e1lny po\u010det ne\u00faspe\u0161n\u00fdch spojen\u00ed pred blokovan\u00edm<\/strong>: MaxStartups 10:30:60<\/code><\/li>\n\n\n\n
          • Nastavuje \u0161ifrovacie algoritmy a MACs<\/strong>:\n
              \n
            • Odstra\u0148uje zastaran\u00e9 algoritmy (napr. 3DES, MD5, SHA1)<\/strong><\/li>\n\n\n\n
            • Ponech\u00e1va modern\u00e9 bezpe\u010dn\u00e9 algoritmy (napr. chacha20-poly1305)<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
              #!\/bin\/bash\n# Module: SSH Configuration\n# Description: Configures SSH for secure operations\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nBACKUP_SUFFIX=\".bak\"\n\necho \"Starting SSH Configuration...\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}${BACKUP_SUFFIX}\" && log \"Backup created for $file\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\n# Configure SSH\nSSHD_CONFIG=\"\/etc\/ssh\/sshd_config\"\n\nbackup_file \"$SSHD_CONFIG\"\n\ncat > \"$SSHD_CONFIG\" <<\/pre>\n\n\n\n
              Hardening slu\u017eieb pod\u013ea CIS Benchmarku<\/h2>\n\n\n\n
              Tento Bash skript<\/strong> vykon\u00e1va hardening syst\u00e9mu odstr\u00e1nen\u00edm nepotrebn\u00fdch slu\u017eieb<\/strong> na Ubuntu\/Linux serveroch<\/strong>. Jeho cie\u013eom je minimalizova\u0165 mo\u017en\u00e9 \u00fatokov\u00e9 vektory<\/strong> t\u00fdm, \u017ee zak\u00e1\u017ee a odstr\u00e1ni slu\u017eby, ktor\u00e9 nie s\u00fa nevyhnutn\u00e9 pre bezpe\u010dn\u00fa prev\u00e1dzku servera.<\/p>\n\n\n\n
              CIS (Center for Internet Security) Benchmark<\/strong> odpor\u00fa\u010da odstr\u00e1nenie alebo zak\u00e1zanie v\u0161etk\u00fdch nepou\u017e\u00edvan\u00fdch slu\u017eieb<\/strong>, aby sa zn\u00ed\u017eilo riziko exploit\u00e1cie. Skript implementuje CIS odpor\u00fa\u010dania pre minimaliz\u00e1ciu povrchovej plochy \u00fatoku<\/strong> t\u00fdm, \u017ee:<\/p>\n\n\n\n
                \n
              • Zakazuje nepotrebn\u00e9 slu\u017eby<\/strong> (systemctl disable<\/code>)<\/li>\n\n\n\n
              • Zastavuje slu\u017eby, ktor\u00e9 be\u017eia<\/strong> (systemctl stop<\/code>)<\/li>\n\n\n\n
              • Odstra\u0148uje slu\u017eby, ak s\u00fa nain\u0161talovan\u00e9<\/strong> (apt-get purge -y<\/code>)<\/li>\n<\/ul>\n\n\n\n
                \u010co tento skript rob\u00ed?<\/strong><\/h4>\n\n\n\n
                1\ufe0f\u20e3 Definuje logovac\u00ed mechanizmus a funkciu z\u00e1lohovania konfigur\u00e1cie.<\/strong>
                2\ufe0f\u20e3 Obsahuje funkciu na zak\u00e1zanie, zastavenie a odstr\u00e1nenie slu\u017eieb.<\/strong>
                3\ufe0f\u20e3 Iteruje cez zoznam potenci\u00e1lne nebezpe\u010dn\u00fdch slu\u017eieb a odstra\u0148uje ich.<\/strong>
                4\ufe0f\u20e3 Zapisuje v\u0161etky akcie do logovacieho s\u00faboru \/var\/log\/hardening_script.log<\/code>.<\/strong><\/p>\n\n\n\n
                #!\/bin\/bash\n# Module: Service Hardening\n# Description: Disables and removes unnecessary services for enhanced security\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nBACKUP_SUFFIX=\".bak\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}${BACKUP_SUFFIX}\" && log \"Backup created for $file\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\nremove_service() {\n  local service=\"$1\"\n  log \"Disabling and removing service: $service\"\n\n  # Stop the service if active\n  if systemctl is-active --quiet \"$service\"; then\n    validate_change \"systemctl stop \\\"$service\\\"\" \\\n      \"$service stopped successfully.\" \\\n      \"Failed to stop $service.\"\n  fi\n\n  # Disable the service if enabled\n  if systemctl is-enabled --quiet \"$service\"; then\n    validate_change \"systemctl disable \\\"$service\\\"\" \\\n      \"$service disabled successfully.\" \\\n      \"Failed to disable $service.\"\n  fi\n\n  # Remove the service package if installed\n  if dpkg -l | grep -q \"^ii.*$service\"; then\n    validate_change \"apt-get purge -y \\\"$service\\\"\" \\\n      \"$service removed successfully.\" \\\n      \"Failed to remove $service.\"\n  else\n    log \"$service is not installed. Skipping removal.\"\n  fi\n}\n\nvalidate_change() {\n  local cmd=\"$1\"\n  local success_msg=\"$2\"\n  local failure_msg=\"$3\"\n\n  if eval \"$cmd\" &>> \"$LOG_FILE\"; then\n    log \"$success_msg\"\n  else\n    log \"$failure_msg\"\n  fi\n}\n\nSERVICES_TO_REMOVE=(\n  \"autofs\" \"avahi-daemon\" \"isc-dhcp-server\" \"bind9\" \"dnsmasq\" \"slapd\"\n  \"dovecot-imapd\" \"dovecot-pop3d\" \"nfs-kernel-server\" \"ypserv\" \"cups\"\n  \"rpcbind\" \"rsync\" \"samba\" \"snmpd\" \"tftpd-hpa\" \"squid\" \"apache2\"\n  \"nginx\" \"xinetd\" \"xserver-common\" \"postfix\" \"nis\" \"rsh-client\"\n  \"talk\" \"telnet\" \"inetutils-telnet\" \"ldap-utils\" \"ftp\" \"tnftp\" \"lp\"\n  \"bluez\" \"gdm3\" \"whoopsie\" \"snapd\"\n)\n\nfor service in \"${SERVICES_TO_REMOVE[@]}\"; do\n  remove_service \"$service\"\ndone\n\nlog \"Service hardening completed.\"\n<\/code><\/pre>\n\n\n\n
                Hardening auditu a logovania pod\u013ea CIS Benchmarku<\/h2>\n\n\n\n
                Tento Bash skript konfiguruje auditovac\u00ed syst\u00e9m auditd na Linuxe v s\u00falade s odpor\u00fa\u010daniami CIS Benchmarku. Jeho cie\u013eom je zabezpe\u010di\u0165 monitorovanie kritick\u00fdch oper\u00e1ci\u00ed v syst\u00e9me, \u010d\u00edm umo\u017e\u0148uje detekciu podozrivej aktivity, neautorizovan\u00fdch zmien a potenci\u00e1lnych bezpe\u010dnostn\u00fdch incidentov.<\/p>\n\n\n\n
                CIS Benchmark d\u00f4razne odpor\u00fa\u010da akt\u00edvne monitorovanie a logovanie v\u0161etk\u00fdch d\u00f4le\u017eit\u00fdch akci\u00ed v syst\u00e9me. Tento skript implementuje CIS Level 1 a Level 2 pravidl\u00e1, ktor\u00e9:<\/p>\n\n\n\n
                \u2714 Zvy\u0161uj\u00fa vidite\u013enos\u0165 aktiv\u00edt v syst\u00e9me \u2013 detekcia podozriv\u00fdch oper\u00e1ci\u00ed.
                \u2714 Zabra\u0148uj\u00fa neautorizovan\u00fdm zmen\u00e1m \u2013 sleduj\u00fa d\u00f4le\u017eit\u00e9 konfigura\u010dn\u00e9 s\u00fabory.
                \u2714 Chr\u00e1n\u00ed pred eskal\u00e1ciou privil\u00e9gi\u00ed \u2013 monitorovanie sudo, passwd, usermod.
                \u2714 Zabezpe\u010duj\u00fa audit trail \u2013 v pr\u00edpade incidentu je mo\u017en\u00e9 sp\u00e4tne analyzova\u0165 udalosti.<\/p>\n\n\n\n
                \u010co tento skript rob\u00ed?<\/h4>\n\n\n\n
                Logovanie a z\u00e1loha konfigur\u00e1cie<\/strong><\/p>\n\n\n\n
                Zapisuje v\u0161etky zmeny do logovacieho s\u00faboru \/var\/log\/hardening_script.log\nPred \u00fapravami vytv\u00e1ra z\u00e1lohy d\u00f4le\u017eit\u00fdch s\u00faborov:\n    \/etc\/audit\/audit.rules (pravidl\u00e1 auditu)\n    \/etc\/audit\/auditd.conf (konfigur\u00e1cia auditd)<\/p>\n\n\n\n
                In\u0161tal\u00e1cia a konfigur\u00e1cia auditd<\/strong><\/p>\n\n\n\n
                In\u0161taluje auditovac\u00ed syst\u00e9m auditd (apt-get install -y auditd)\nAplikuje odpor\u00fa\u010dan\u00e9 pravidl\u00e1 auditu, aby sa sledovali d\u00f4le\u017eit\u00e9 akcie v syst\u00e9me<\/p>\n\n\n\n
                Monitorovanie kritick\u00fdch s\u00faborov a oper\u00e1ci\u00ed<\/strong><\/p>\n\n\n\n
                Sleduje d\u00f4le\u017eit\u00e9 konfigura\u010dn\u00e9 s\u00fabory (\/etc\/passwd, \/etc\/shadow, \/etc\/ssh\/sshd_config, at\u010f.)\nMonitoruje prihl\u00e1senia, ne\u00faspe\u0161n\u00e9 pokusy o pr\u00edstup, zmeny v sudoers\nDetekuje pokusy o \u00fapravu sie\u0165ov\u00fdch nastaven\u00ed, hostname, kernel parametrov\nSleduje zmeny v audite samotnom (zabr\u00e1nime vypnutiu monitorovania)<\/p>\n\n\n\n
                Konfigur\u00e1cia auditd.conf pre lep\u0161ie logovanie<\/strong><\/p>\n\n\n\n
                Zvy\u0161uje po\u010det uchov\u00e1van\u00fdch audit logov (num_logs = 10)\nZv\u00e4\u010d\u0161uje maxim\u00e1lnu ve\u013ekos\u0165 log s\u00faborov (max_log_file = 20MB)\nZabra\u0148uje automatick\u00e9mu prepisovaniu audit logov (max_log_file_action = keep_logs)<\/p>\n\n\n\n
                #!\/bin\/bash\n# Module: Audit Hardening\n# Description: Configures auditing and logging settings for enhanced security\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nBACKUP_SUFFIX=\".bak\"\nAUDIT_RULES_FILE=\"\/etc\/audit\/audit.rules\"\nAUDITD_CONF=\"\/etc\/audit\/auditd.conf\"\n\necho \"Starting Audit Hardening...\" >> \"$LOG_FILE\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}${BACKUP_SUFFIX}\" && log \"Backup created for $file\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\n# Install and configure auditd\nlog \"Installing auditd and setting up audit rules.\"\nif apt-get install -y auditd &>> \"$LOG_FILE\"; then\n  log \"auditd installed successfully.\"\nelse\n  log \"Failed to install auditd. Check the logs for details.\"\n  exit 1\nfi\n\n# Backup existing configuration files\nbackup_file \"$AUDIT_RULES_FILE\"\nbackup_file \"$AUDITD_CONF\"\n\n# Configure audit rules\ncat > \"$AUDIT_RULES_FILE\" <> \"$LOG_FILE\"; then\n  log \"auditd restarted successfully.\"\nelse\n  log \"Failed to restart auditd. Check the logs for details.\"\nfi\n\nlog \"Audit Hardening completed.\"\n<\/code><\/pre>\n\n\n\n
                Hardening procesov<\/h2>\n\n\n\n
                Tento Bash skript<\/strong> vykon\u00e1va hardening procesov a kernelov\u00fdch parametrov<\/strong>, \u010d\u00edm zvy\u0161uje bezpe\u010dnos\u0165 syst\u00e9mu v s\u00falade s odpor\u00fa\u010daniami CIS Benchmarku<\/strong>. Cie\u013eom je minimalizova\u0165 riziko exploit\u00e1cie procesov, pam\u00e4\u0165ov\u00fdch zranite\u013enost\u00ed a neopr\u00e1vnen\u00e9ho pr\u00edstupu k procesom<\/strong>.<\/p>\n\n\n\n
                CIS Benchmark odpor\u00fa\u010da aplikova\u0165 bezpe\u010dnostn\u00e9 nastavenia procesov a kernelu, preto\u017ee:<\/strong> \u2714 Zvy\u0161uje ochranu pred exploitmi<\/strong> \u2013 ASLR a ptrace scope chr\u00e1nia pred \u00fatokmi na procesy.
                \u2714 Zni\u017euje riziko \u00faniku citliv\u00fdch d\u00e1t<\/strong> \u2013 zak\u00e1zanie core dump s\u00faborov.
                \u2714 Odstra\u0148uje nepotrebn\u00e9 slu\u017eby<\/strong> \u2013 ktor\u00e9 m\u00f4\u017eu obsahova\u0165 zranite\u013enosti.
                \u2714 Minimalizuje zbyto\u010dn\u00e9 procesy<\/strong> \u2013 \u010d\u00edm zlep\u0161uje v\u00fdkon a stabilitu syst\u00e9mu.<\/p>\n\n\n\n
                \u010co tento skript rob\u00ed?<\/h4>\n\n\n\n
                Zabezpe\u010duje logovanie a z\u00e1lohu konfigur\u00e1cie<\/strong><\/p>\n\n\n\n
                  \n
                • Zapisuje v\u0161etky zmeny do log s\u00faboru<\/strong> \/var\/log\/hardening_script.log<\/code><\/li>\n\n\n\n
                • Pred \u00fapravami vytv\u00e1ra z\u00e1lohu<\/strong> \/etc\/sysctl.conf<\/code><\/li>\n<\/ul>\n\n\n\n
                  Aplikuje bezpe\u010dnostn\u00e9 kernelov\u00e9 parametre<\/strong><\/p>\n\n\n\n
                    \n
                  • Zap\u00edna randomiz\u00e1ciu pam\u00e4te ASLR<\/strong> (kernel.randomize_va_space=2<\/code>)<\/li>\n\n\n\n
                  • Zabra\u0148uje procesu sledova\u0165 in\u00e9 procesy<\/strong> (kernel.yama.ptrace_scope=2<\/code>)<\/li>\n\n\n\n
                  • Zakazuje vytv\u00e1ranie core dump s\u00faborov pre SUID bin\u00e1rky<\/strong> (fs.suid_dumpable=0<\/code>)<\/li>\n<\/ul>\n\n\n\n
                    Odstra\u0148uje nepotrebn\u00e9 a nebezpe\u010dn\u00e9 bal\u00edky<\/strong><\/p>\n\n\n\n
                      \n
                    • prelink<\/code><\/strong> (predvolen\u00e1 bin\u00e1rna optimaliz\u00e1cia, ktor\u00e1 zni\u017euje bezpe\u010dnos\u0165)<\/li>\n\n\n\n
                    • apport<\/code><\/strong> (automatick\u00e9 nahlasovanie ch\u00fdb m\u00f4\u017ee odhali\u0165 citliv\u00e9 inform\u00e1cie)<\/li>\n<\/ul>\n\n\n\n
                      Zakazuje nepotrebn\u00e9 slu\u017eby<\/strong><\/p>\n\n\n\n
                        \n
                      • Zastavuje a zakazuje apport<\/code><\/strong>, aby sa predi\u0161lo \u00faniku inform\u00e1ci\u00ed pri crash reporte<\/li>\n<\/ul>\n\n\n\n
                        #!\/bin\/bash\n# Module: Process Hardening\n# Description: Configures kernel parameters and removes unnecessary packages for process-level hardening\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nBACKUP_SUFFIX=\".bak\"\nSYSCTL_CONF=\"\/etc\/sysctl.conf\"\n\necho \"Starting Process Hardening...\" >> \"$LOG_FILE\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}${BACKUP_SUFFIX}\" && log \"Backup created for $file\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\napply_sysctl_param() {\n  local key=\"$1\"\n  local value=\"$2\"\n  if ! grep -q \"^$key\" \"$SYSCTL_CONF\"; then\n    echo \"$key = $value\" >> \"$SYSCTL_CONF\"\n  else\n    sed -i \"s\/^$key.*\/$key = $value\/\" \"$SYSCTL_CONF\"\n  fi\n  if sysctl -w \"$key=$value\" &>> \"$LOG_FILE\"; then\n    log \"Applied sysctl parameter: $key = $value\"\n  else\n    log \"Failed to apply sysctl parameter: $key = $value\"\n  fi\n}\n\n# Backup sysctl configuration\nbackup_file \"$SYSCTL_CONF\"\n\n# Kernel Parameters for Process Hardening\nparams=(\n  \"kernel.randomize_va_space=2\"\n  \"kernel.yama.ptrace_scope=2\"\n  \"fs.suid_dumpable=0\"\n)\n\nfor param in \"${params[@]}\"; do\n  IFS=\"=\" read -r key value <<< \"$param\"\n  apply_sysctl_param \"$key\" \"$value\"\ndone\n\n# Uninstall unnecessary packages\nPACKAGES_TO_REMOVE=(\"prelink\" \"apport\")\nfor package in \"${PACKAGES_TO_REMOVE[@]}\"; do\n  if dpkg-query -s \"$package\" &>> \"$LOG_FILE\"; then\n    apt-get purge -y \"$package\" &>> \"$LOG_FILE\" && log \"Removed $package successfully.\"\n  else\n    log \"$package is not installed, skipping removal.\"\n  fi\ndone\n\n# Disable unnecessary services\nSERVICES_TO_DISABLE=(\"apport\")\nfor service in \"${SERVICES_TO_DISABLE[@]}\"; do\n  if systemctl is-active --quiet \"$service\"; then\n    systemctl stop \"$service\" &>> \"$LOG_FILE\" && log \"Stopped $service.\"\n  fi\n  if systemctl is-enabled --quiet \"$service\"; then\n    systemctl disable \"$service\" &>> \"$LOG_FILE\" && log \"Disabled $service.\"\n  fi\ndone\n\nlog \"Process Hardening completed.\"\n<\/code><\/pre>\n\n\n\n
                        Synchroniz\u00e1cia \u010dasu<\/h2>\n\n\n\n
                        Tento Bash skript<\/strong> vykon\u00e1va hardening synchroniz\u00e1cie \u010dasu<\/strong>, aby zabezpe\u010dil presn\u00e9 a bezpe\u010dn\u00e9 NTP nastavenia<\/strong> v s\u00falade s odpor\u00fa\u010daniami CIS Benchmarku<\/strong>. Cie\u013eom je minimalizova\u0165 riziko \u010dasov\u00fdch \u00fatokov (napr. replay \u00fatokov), zabr\u00e1ni\u0165 neautorizovan\u00fdm zmen\u00e1m \u010dasu a zabezpe\u010di\u0165 presn\u00fa synchroniz\u00e1ciu pre auditovanie a forenzn\u00fa anal\u00fdzu<\/strong>.<\/p>\n\n\n\n
                        CIS Benchmark odpor\u00fa\u010da zabezpe\u010denie synchroniz\u00e1cie \u010dasu<\/strong>, preto\u017ee:
                        \u2714 Presn\u00fd \u010das je nevyhnutn\u00fd pre auditovanie a forenzn\u00fa anal\u00fdzu.<\/strong>
                        \u2714 Zabra\u0148uje \u00fato\u010dn\u00edkom manipulova\u0165 s \u010dasov\u00fdmi pe\u010diatkami (napr. pri \u00fatokoch na logy).<\/strong>
                        \u2714 Zabezpe\u010duje, \u017ee v\u0161etky syst\u00e9my v sieti pou\u017e\u00edvaj\u00fa rovnak\u00fd synchronizovan\u00fd \u010das.<\/strong>
                        \u2714 Minimalizuje riziko replay \u00fatokov a neautorizovan\u00fdch zmien \u010dasu.<\/strong><\/p>\n\n\n\n
                        \n\n\n\n
                        \u010co tento skript rob\u00ed?<\/strong><\/h4>\n\n\n\n
                        Zabezpe\u010duje logovanie a z\u00e1lohu konfigur\u00e1cie<\/strong><\/p>\n\n\n\n
                          \n
                        • Zapisuje v\u0161etky zmeny<\/strong> do log s\u00faboru<\/strong> \/var\/log\/hardening_script.log<\/code>.<\/li>\n\n\n\n
                        • Pred \u00fapravami vytv\u00e1ra z\u00e1lohu<\/strong> \/etc\/chrony\/chrony.conf<\/code>.<\/li>\n<\/ul>\n\n\n\n
                          In\u0161taluje a konfiguruje Chrony ako NTP klienta<\/strong><\/p>\n\n\n\n
                            \n
                          • In\u0161taluje chrony<\/code><\/strong>, ktor\u00fd je bezpe\u010dnej\u0161\u00ed a odpor\u00fa\u010dan\u00fd oproti star\u0161\u00edm NTP rie\u0161eniam.<\/li>\n\n\n\n
                          • Konfiguruje ho na synchroniz\u00e1ciu s d\u00f4veryhodn\u00fdmi NTP servermi<\/strong> (napr. pool.ntp.org<\/code>).<\/li>\n\n\n\n
                          • Obmedzuje pr\u00edstup na NTP len pre localhost<\/strong> (zabra\u0148uje neautorizovan\u00e9mu pr\u00edstupu).<\/li>\n\n\n\n
                          • Povol\u00ed logovanie synchroniz\u00e1cie<\/strong> pre auditn\u00e9 \u00fa\u010dely.<\/li>\n<\/ul>\n\n\n\n
                            Zakazuje systemd-timesyncd<\/code><\/strong>, aby sa predi\u0161lo konfliktom so chrony<\/code>.<\/p>\n\n\n\n
                            #!\/bin\/bash\n# Module: Time Synchronization Hardening\n# Description: Configures secure and accurate time synchronization settings\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nBACKUP_SUFFIX=\".bak\"\nCHRONY_CONF=\"\/etc\/chrony\/chrony.conf\"\nTIMESYNC_SERVICE=\"systemd-timesyncd\"\n\necho \"Starting Time Synchronization Hardening...\" >> \"$LOG_FILE\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}${BACKUP_SUFFIX}\" && log \"Backup created for $file\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\n# Install and configure chrony\nlog \"Installing chrony for time synchronization.\"\nif apt-get install -y chrony &>> \"$LOG_FILE\"; then\n  log \"chrony installed successfully.\"\nelse\n  log \"Failed to install chrony. Check the logs for details.\"\n  exit 1\nfi\n\n# Backup chrony configuration file\nbackup_file \"$CHRONY_CONF\"\n\n# Configure chrony with secure settings\ncat > \"$CHRONY_CONF\" <> \"$LOG_FILE\"; then\n  log \"chrony restarted successfully.\"\nelse\n  log \"Failed to restart chrony. Check the logs for details.\"\n  exit 1\nfi\n\n# Disable systemd-timesyncd if active\nif systemctl is-active --quiet \"$TIMESYNC_SERVICE\"; then\n  systemctl stop \"$TIMESYNC_SERVICE\" &>> \"$LOG_FILE\" && log \"Stopped $TIMESYNC_SERVICE.\"\nfi\nif systemctl is-enabled --quiet \"$TIMESYNC_SERVICE\"; then\n  systemctl disable \"$TIMESYNC_SERVICE\" &>> \"$LOG_FILE\" && log \"Disabled $TIMESYNC_SERVICE.\"\nfi\n\nlog \"Time Synchronization Hardening completed.\"<\/code><\/pre>\n\n\n\n
                            Hardening jadra syst\u00e9mu<\/h2>\n\n\n\n
                            Tento Bash skript<\/strong> vykon\u00e1va hardening jadra opera\u010dn\u00e9ho syst\u00e9mu<\/strong> pomocou sysctl parametrov<\/strong>, ktor\u00e9 zabezpe\u010duj\u00fa ochranu pred sie\u0165ov\u00fdmi \u00fatokmi, \u00fanikom citliv\u00fdch inform\u00e1ci\u00ed a posilnenie bezpe\u010dnosti procesov<\/strong>. Skript je v s\u00falade s CIS Benchmark odpor\u00fa\u010daniami<\/strong>, ktor\u00e9 s\u00fa \u0161tandardom pre bezpe\u010dn\u00e9 konfigur\u00e1cie Linux syst\u00e9mov.<\/p>\n\n\n\n
                            CIS Benchmark odpor\u00fa\u010da zabezpe\u010denie jadra<\/strong> pomocou sysctl<\/code> parametrov, aby:
                            \u2714 Zabr\u00e1nil \u00fanikom citliv\u00fdch inform\u00e1ci\u00ed o syst\u00e9me<\/strong> (kernel.kptr_restrict<\/code>, kernel.dmesg_restrict<\/code>)
                            \u2714 Zablokoval \u0161kodliv\u00e9 sie\u0165ov\u00e9 \u00fatoky<\/strong> (IP source routing, ICMP \u00fatoky, spoofing)
                            \u2714 Minimalizoval riziko buffer overflow exploitov<\/strong> (ASLR, fs.protected_hardlinks<\/code>, fs.protected_symlinks<\/code>)
                            \u2714 Zak\u00e1zal IPv6, ak nie je potrebn\u00e9<\/strong> (net.ipv6.conf.all.disable_ipv6<\/code>)
                            \u2714 Zabezpe\u010dil lep\u0161iu ochranu TCP spojen\u00ed<\/strong> (net.ipv4.tcp_syncookies=1<\/code>)<\/p>\n\n\n\n
                            \n\n\n\n
                            \u010co tento skript rob\u00ed?<\/strong><\/h4>\n\n\n\n
                            Zabezpe\u010duje logovanie a z\u00e1lohovanie aktu\u00e1lnej konfigur\u00e1cie<\/strong><\/p>\n\n\n\n
                              \n
                            • Zmeny sa loguj\u00fa do s\u00faboru \/var\/log\/hardening_script.log<\/code>.<\/li>\n\n\n\n
                            • Pred aplikovan\u00edm \u00faprav sa vytvor\u00ed z\u00e1loha s\u00faboru<\/strong> \/etc\/sysctl.conf<\/code>.<\/li>\n<\/ul>\n\n\n\n
                              Aplikuje bezpe\u010dnostn\u00e9 sysctl<\/code> parametre pre ochranu jadra a sie\u0165ovej komunik\u00e1cie<\/strong><\/p>\n\n\n\n
                                \n
                              • Nastavuje ochranu pam\u00e4te<\/strong> (ASLR, prevencia exploitov).<\/li>\n\n\n\n
                              • Blokuje nebezpe\u010dn\u00e9 sie\u0165ov\u00e9 protokoly a \u00fatoky<\/strong> (IP forwarding, source routing, ICMP).<\/li>\n\n\n\n
                              • Chr\u00e1ni pred zneu\u017eit\u00edm symbolick\u00fdch odkazov a tvrd\u00fdch odkazov<\/strong>.<\/li>\n<\/ul>\n\n\n\n
                                Aplikuje sysctl<\/code> parametre dynamicky a uklad\u00e1 ich do konfigur\u00e1cie<\/strong><\/p>\n\n\n\n
                                  \n
                                • V\u0161etky parametre sa zapisuj\u00fa do \/etc\/sysctl.conf<\/code> a okam\u017eite aplikuj\u00fa cez sysctl -w<\/code>.<\/li>\n<\/ul>\n\n\n\n
                                  #!\/bin\/bash\n# Module: Kernel Hardening\n# Description: Applies kernel-level hardening using sysctl parameters\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nBACKUP_SUFFIX=\".bak\"\nSYSCTL_CONF=\"\/etc\/sysctl.conf\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}${BACKUP_SUFFIX}\" && log \"Backup created for $file\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\napply_sysctl_param() {\n  local key=\"$1\"\n  local value=\"$2\"\n  if ! grep -q \"^$key\" \"$SYSCTL_CONF\"; then\n    echo \"$key = $value\" >> \"$SYSCTL_CONF\"\n  else\n    sed -i \"s\/^$key.*\/$key = $value\/\" \"$SYSCTL_CONF\"\n  fi\n  if sysctl -w \"$key=$value\"; then\n    log \"Applied sysctl parameter: $key=$value\"\n  else\n    log \"Failed to apply sysctl parameter: $key=$value\"\n  fi\n}\n\n# Backup sysctl configuration\nbackup_file \"$SYSCTL_CONF\"\n\n# Kernel Hardening Parameters\nparams=(\n  \"kernel.randomize_va_space=2\"\n  \"kernel.yama.ptrace_scope=2\"\n  \"fs.suid_dumpable=0\"\n  \"net.ipv4.ip_forward=0\"\n  \"net.ipv4.conf.all.send_redirects=0\"\n  \"net.ipv4.conf.default.send_redirects=0\"\n  \"net.ipv4.conf.all.accept_redirects=0\"\n  \"net.ipv4.conf.default.accept_redirects=0\"\n  \"net.ipv4.conf.all.secure_redirects=0\"\n  \"net.ipv4.conf.default.secure_redirects=0\"\n  \"net.ipv4.conf.all.log_martians=1\"\n  \"net.ipv4.conf.default.log_martians=1\"\n  \"net.ipv4.tcp_syncookies=1\"\n  \"net.ipv6.conf.all.disable_ipv6=1\"\n  \"net.ipv6.conf.default.disable_ipv6=1\"\n  \"net.ipv6.conf.all.forwarding=0\"\n  \"net.ipv6.conf.default.forwarding=0\"\n  \"net.ipv4.icmp_echo_ignore_broadcasts=1\"\n  \"net.ipv4.icmp_ignore_bogus_error_responses=1\"\n  \"net.ipv4.conf.all.rp_filter=1\"\n  \"net.ipv4.conf.default.rp_filter=1\"\n  \"net.ipv6.conf.all.accept_ra=0\"\n  \"net.ipv6.conf.default.accept_ra=0\"\n  \"net.ipv4.conf.all.accept_source_route=0\"\n  \"net.ipv4.conf.default.accept_source_route=0\"\n  \"net.ipv6.conf.all.accept_source_route=0\"\n  \"net.ipv6.conf.default.accept_source_route=0\"\n  \"fs.protected_hardlinks=1\"\n  \"fs.protected_symlinks=1\"\n  \"kernel.kptr_restrict=2\"\n  \"kernel.dmesg_restrict=1\"\n  \"net.ipv4.tcp_timestamps=0\"\n  \"net.ipv4.tcp_syncookies=1\"\n  \"net.ipv4.conf.all.rp_filter=1\"\n  \"net.ipv4.conf.default.rp_filter=1\"\n  \"net.ipv4.conf.all.log_martians=1\"\n  \"net.ipv4.conf.default.log_martians=1\"\n  \"net.ipv4.icmp_echo_ignore_broadcasts=1\"\n  \"net.ipv4.icmp_ignore_bogus_error_responses=1\"\n  \"net.ipv4.conf.all.accept_source_route=0\"\n  \"net.ipv4.conf.default.accept_source_route=0\"\n)\n\nfor param in \"${params[@]}\"; do\n  IFS=\"=\" read -r key value <<< \"$param\"\n  apply_sysctl_param \"$key\" \"$value\"\ndone\n\nlog \"Kernel hardening parameters applied.\"\n\necho \"Kernel Hardening Completed.\"\n<\/code><\/pre>\n\n\n\n
                                  Filesystem Configuration Hardening<\/h2>\n\n\n\n
                                  Tento Bash skript<\/strong> vykon\u00e1va hardening s\u00faborov\u00e9ho syst\u00e9mu<\/strong> t\u00fdm, \u017ee zak\u00e1\u017ee a zablokuje nepou\u017e\u00edvan\u00e9 s\u00faborov\u00e9 syst\u00e9my<\/strong> v Linuxe. Je v s\u00falade s CIS Benchmark odpor\u00fa\u010daniami<\/strong>, ktor\u00e9 odpor\u00fa\u010daj\u00fa zak\u00e1za\u0165 zbyto\u010dn\u00e9 s\u00faborov\u00e9 syst\u00e9my, aby sa minimalizoval povrch \u00fatoku<\/strong> a zv\u00fd\u0161ila bezpe\u010dnos\u0165 servera<\/strong>.<\/p>\n\n\n\n
                                  CIS Benchmark odpor\u00fa\u010da zak\u00e1za\u0165 nepou\u017e\u00edvan\u00e9 s\u00faborov\u00e9 syst\u00e9my<\/strong> z t\u00fdchto d\u00f4vodov:<\/p>\n\n\n\n
                                  \u2714 Zni\u017euje riziko exploitov a privilege escalation \u00fatokov<\/strong> (napr. overlayfs<\/code> sa v minulosti pou\u017e\u00edval na exploitovanie root pr\u00e1v).
                                  \u2714 Minimalizuje mo\u017enosti pre \u0161kodliv\u00fd k\u00f3d alebo rootkity<\/strong>, ktor\u00e9 m\u00f4\u017eu vyu\u017e\u00edva\u0165 alternat\u00edvne s\u00faborov\u00e9 syst\u00e9my.
                                  \u2714 Blokuje USB storage (usb-storage<\/code>)<\/strong>, \u010d\u00edm zabra\u0148uje neautorizovan\u00e9mu prenosu d\u00e1t cez USB zariadenia.
                                  \u2714 Zabra\u0148uje nahr\u00e1vaniu star\u00fdch a nepodporovan\u00fdch s\u00faborov\u00fdch syst\u00e9mov<\/strong> (hfs<\/code>, jffs2<\/code>, cramfs<\/code>).<\/p>\n\n\n\n
                                  \u010co tento skript rob\u00ed?<\/strong><\/h2>\n\n\n\n
                                  Vytv\u00e1ra logovac\u00ed mechanizmus a z\u00e1lohuje existuj\u00face konfigura\u010dn\u00e9 s\u00fabory<\/strong><\/p>\n\n\n\n
                                    \n
                                  • Loguje akcie do \/var\/log\/hardening_script.log<\/code>.<\/li>\n\n\n\n
                                  • Z\u00e1lohuje konfigura\u010dn\u00e9 s\u00fabory pred aplikovan\u00edm zmien<\/strong>.<\/li>\n<\/ul>\n\n\n\n
                                    Zakazuje nepou\u017e\u00edvan\u00e9 s\u00faborov\u00e9 syst\u00e9my \u00fapravou modprobe.d<\/code> konfigur\u00e1cie<\/strong><\/p>\n\n\n\n
                                      \n
                                    • Pou\u017e\u00edva install $FS \/bin\/false<\/code> na zak\u00e1zanie ich na\u010d\u00edtania.<\/li>\n\n\n\n
                                    • Prid\u00e1va blacklist $FS<\/code>, aby sa zabr\u00e1nilo ich zav\u00e1dzaniu.<\/li>\n<\/ul>\n\n\n\n
                                      Odstra\u0148uje nepou\u017e\u00edvan\u00e9 s\u00faborov\u00e9 syst\u00e9my z jadra<\/strong><\/p>\n\n\n\n
                                        \n
                                      • Ak s\u00fa nahran\u00e9, odstr\u00e1ni ich pomocou modprobe -r<\/code><\/strong>.<\/li>\n<\/ul>\n\n\n\n
                                        Zabezpe\u010duje, \u017ee v\u0161etky zmeny s\u00fa ulo\u017een\u00e9 a aplikovan\u00e9 pri re\u0161tarte syst\u00e9mu<\/strong>.<\/p>\n\n\n\n
                                        #!\/bin\/bash\n# Module: Filesystem Configuration\n# Description: Disables unnecessary filesystems for enhanced security\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nBACKUP_SUFFIX=\".bak\"\nDISABLED_FS_CONF=\"\/etc\/modprobe.d\/disabled-fs.conf\"\nMODPROBE_CONF=\"\/etc\/modprobe.d\/modprobe.conf\"\nFILESYSTEMS=(\"cramfs\" \"freevxfs\" \"hfs\" \"hfsplus\" \"overlayfs\" \"squashfs\" \"udf\" \"jffs2\" \"usb-storage\")\n\necho \"Starting Filesystem Configuration...\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}${BACKUP_SUFFIX}\" && log \"Backup created for $file\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\n# Ensure configuration files exist\nbackup_file \"$DISABLED_FS_CONF\"\nbackup_file \"$MODPROBE_CONF\"\n\ntouch \"$DISABLED_FS_CONF\"\ntouch \"$MODPROBE_CONF\"\n\n# Disable and blacklist filesystems\nfor FS in \"${FILESYSTEMS[@]}\"; do\n  echo \"install $FS \/bin\/false\" >> \"$DISABLED_FS_CONF\"\n  echo \"blacklist $FS\" >> \"$MODPROBE_CONF\"\n  log \"Disabled and blacklisted filesystem: $FS\"\ndone\n\n# Unload filesystem modules from the kernel\nfor FS in \"${FILESYSTEMS[@]}\"; do\n  if lsmod | grep -q \"^$FS\"; then\n    if modprobe -r \"$FS\"; then\n      log \"Unloaded filesystem module: $FS\"\n    else\n      log \"Failed to unload filesystem module: $FS\"\n    fi\n  else\n    log \"Filesystem module $FS is not loaded.\"\n  fi\ndone\n\n# Notify user of completion\necho \"Filesystem Configuration Completed.\"<\/code><\/pre>\n\n\n\n
                                        Audit Hardening<\/h2>\n\n\n\n
                                        Tento Bash skript<\/strong> vykon\u00e1va hardening auditu a logovania<\/strong> v Linuxe pomocou auditd<\/strong>. Je v s\u00falade s CIS Benchmark odpor\u00fa\u010daniami<\/strong>, ktor\u00e9 definuj\u00fa spr\u00e1vne konfigur\u00e1cie auditd<\/strong> a audit.rules<\/strong> na zabezpe\u010denie sledovania podstatn\u00fdch syst\u00e9mov\u00fdch udalost\u00ed.<\/p>\n\n\n\n
                                        CIS Benchmark odpor\u00fa\u010da aktivova\u0165 auditd<\/strong> a sledova\u0165 d\u00f4le\u017eit\u00e9 udalosti v syst\u00e9me:<\/p>\n\n\n\n
                                        \u2714 Monitoruje \u00fapravy syst\u00e9mov\u00fdch s\u00faborov (\/etc\/passwd<\/code>, \/etc\/shadow<\/code>)<\/strong>
                                        \u2714 Sleduje pr\u00edkazy vykonan\u00e9 s root opr\u00e1vneniami<\/strong>
                                        \u2714 Zaznamen\u00e1va sudo pr\u00edkazy a prihl\u00e1senia pou\u017e\u00edvate\u013eov<\/strong>
                                        \u2714 Monitoruje kritick\u00e9 bezpe\u010dnostn\u00e9 nastavenia (sysctl<\/code>, network config<\/code>)<\/strong>
                                        \u2714 Zabezpe\u010duje ukladanie logov a br\u00e1ni ich neopr\u00e1vnenej zmene<\/strong><\/p>\n\n\n\n
                                        \n\n\n\n
                                        \u010co tento skript rob\u00ed?<\/strong><\/h2>\n\n\n\n
                                        Logovanie a z\u00e1lohovanie auditd konfigur\u00e1cie<\/strong><\/p>\n\n\n\n
                                          \n
                                        • Loguje akcie do \/var\/log\/hardening_script.log<\/code><\/li>\n\n\n\n
                                        • Z\u00e1lohuje auditd konfigur\u00e1cie pred aplikovan\u00edm zmien<\/li>\n<\/ul>\n\n\n\n
                                          In\u0161tal\u00e1cia a konfigur\u00e1cia auditd<\/strong><\/p>\n\n\n\n
                                            \n
                                          • Skontroluje a nain\u0161taluje auditd<\/strong>, ak nie je pr\u00edtomn\u00fd<\/li>\n\n\n\n
                                          • Konfiguruje audit.rules<\/strong> na sledovanie podstatn\u00fdch aktiv\u00edt<\/li>\n<\/ul>\n\n\n\n
                                            Nastavenie audit pravidiel na sledovanie<\/strong><\/p>\n\n\n\n
                                              \n
                                            • \u00daprav auditu, zmien v \/etc\/passwd<\/strong>, sudo pr\u00edkazov, a podozriv\u00fdch aktiv\u00edt<\/li>\n\n\n\n
                                            • Zaznamen\u00e1va v\u0161etky pokusy o neopr\u00e1vnen\u00fd pr\u00edstup k syst\u00e9mov\u00fdm s\u00faborom<\/strong><\/li>\n\n\n\n
                                            • Sledovanie zmeny konfigur\u00e1cie syst\u00e9mu, procesov, a sie\u0165ov\u00fdch nastaven\u00ed<\/li>\n<\/ul>\n\n\n\n
                                              #!\/bin\/bash\n# Module: Audit Hardening\n# Description: Configures auditing and logging settings for enhanced security\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nBACKUP_SUFFIX=\".bak\"\nAUDIT_RULES_FILE=\"\/etc\/audit\/audit.rules\"\nAUDITD_CONF=\"\/etc\/audit\/auditd.conf\"\n\necho \"Starting Audit Hardening...\" >> \"$LOG_FILE\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}${BACKUP_SUFFIX}\" && log \"Backup created for $file\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\n# Install and configure auditd\nlog \"Installing auditd and setting up audit rules.\"\nif apt-get install -y auditd &>> \"$LOG_FILE\"; then\n  log \"auditd installed successfully.\"\nelse\n  log \"Failed to install auditd. Check the logs for details.\"\n  exit 1\nfi\n\n# Backup existing configuration files\nbackup_file \"$AUDIT_RULES_FILE\"\nbackup_file \"$AUDITD_CONF\"\n\n# Configure audit rules\ncat > \"$AUDIT_RULES_FILE\" <> \"$LOG_FILE\"; then\n  log \"auditd restarted successfully.\"\nelse\n  log \"Failed to restart auditd. Check the logs for details.\"\nfi\n\nlog \"Audit Hardening completed.\"\n<\/code><\/pre>\n\n\n\n
                                              Nastavenie AppArmor<\/h2>\n\n\n\n
                                              Tento Bash skript<\/strong> vykon\u00e1va in\u0161tal\u00e1ciu a konfigur\u00e1ciu AppArmor<\/strong> \u2013 bezpe\u010dnostn\u00e9ho roz\u0161\u00edrenia pre Linux Mandatory Access Control (MAC)<\/strong>. Je v s\u00falade s CIS Benchmark odpor\u00fa\u010daniami<\/strong>, ktor\u00e9 stanovuj\u00fa spr\u00e1vne nastavenie AppArmor<\/strong> na ochranu syst\u00e9mov\u00fdch aplik\u00e1ci\u00ed.<\/p>\n\n\n\n
                                              Pod\u013ea CIS Ubuntu Server Benchmark<\/strong> by mal by\u0165 AppArmor akt\u00edvny a nakonfigurovan\u00fd<\/strong> na ochranu syst\u00e9mov\u00fdch aplik\u00e1ci\u00ed. Tento skript zabezpe\u010duje:<\/p>\n\n\n\n
                                              \u2714 In\u0161tal\u00e1ciu AppArmor a jeho n\u00e1strojov<\/strong>
                                              \u2714 Aktiv\u00e1ciu AppArmor v GRUB konfigur\u00e1cii<\/strong>
                                              \u2714 Povolenie AppArmor pri \u0161tarte syst\u00e9mu<\/strong>
                                              \u2714 Zmenu re\u017eimu profilov na \"complain\" pre bezpe\u010dn\u00e9 ladenie pravidiel<\/strong><\/p>\n\n\n\n
                                              D\u00f4le\u017eit\u00e9: Po testovan\u00ed v re\u017eime \"complain\" by sa mali profily nastavi\u0165 do re\u017eimu \"enforce\" pre pln\u00fa ochranu.<\/strong><\/p>\n\n\n\n
                                              #!\/bin\/bash\n# Module: AppArmor Setup\n# Description: Installs and configures AppArmor for Mandatory Access Control\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nBACKUP_SUFFIX=\".bak\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}${BACKUP_SUFFIX}\" && log \"Backup created for $file\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\nvalidate_change() {\n  local cmd=\"$1\"\n  local success_msg=\"$2\"\n  local failure_msg=\"$3\"\n\n  if eval \"$cmd\" &>> \"$LOG_FILE\"; then\n    log \"$success_msg\"\n  else\n    log \"$failure_msg\"\n  fi\n}\n\ninstall_apparmor() {\n  log \"Installing AppArmor and utilities...\"\n  validate_change \"apt-get update -y && apt-get install -y apparmor apparmor-utils\" \\\n    \"AppArmor installed successfully.\" \\\n    \"Failed to install AppArmor. Check log for details.\"\n}\n\nconfigure_grub_for_apparmor() {\n  local grub_file=\"\/etc\/default\/grub\"\n  backup_file \"$grub_file\"\n\n  if ! grep -q \"apparmor=1 security=apparmor\" \"$grub_file\"; then\n    validate_change \"sed -i '\/^GRUB_CMDLINE_LINUX=\/ s\/\\\"$\/ apparmor=1 security=apparmor\\\"\/' \\\"$grub_file\\\" && update-grub\" \\\n      \"AppArmor configuration added to GRUB and GRUB updated successfully.\" \\\n      \"Failed to configure GRUB for AppArmor.\"\n  else\n    log \"AppArmor is already configured in GRUB.\"\n  fi\n}\n\nset_profiles_to_complain_mode() {\n  log \"Setting AppArmor profiles to complain mode...\"\n  local profiles\n  profiles=$(apparmor_status | awk '\/profiles are loaded\/{print $1}' 2>> \"$LOG_FILE\")\n\n  if [[ -z \"$profiles\" ]]; then\n    log \"No active AppArmor profiles found.\"\n  else\n    for profile in $(apparmor_status | awk '\/enforce\/{print $NF}' 2>> \"$LOG_FILE\"); do\n      validate_change \"aa-complain \\\"$profile\\\"\" \\\n        \"Set $profile to complain mode.\" \\\n        \"Failed to set $profile to complain mode.\"\n    done\n  fi\n}\n\n# Main Execution\ninstall_apparmor\nconfigure_grub_for_apparmor\nset_profiles_to_complain_mode\n\nlog \"AppArmor setup completed.\"\n<\/code><\/pre>\n\n\n\n
                                              Zabezpe\u010denie pou\u017e\u00edvate\u013esk\u00fdch \u00fa\u010dtov<\/h2>\n\n\n\n
                                              Tento Bash skript<\/strong> zabezpe\u010duje pou\u017e\u00edvate\u013esk\u00e9 \u00fa\u010dty<\/strong> v Linuxe pod\u013ea CIS Benchmark odpor\u00fa\u010dan\u00ed<\/strong>. Cie\u013eom je minimalizova\u0165 riziko neopr\u00e1vnen\u00e9ho pr\u00edstupu<\/strong>, implementova\u0165 siln\u00e9 heslov\u00e9 politiky<\/strong> a uzamkn\u00fa\u0165 neakt\u00edvne \u00fa\u010dty<\/strong>.<\/p>\n\n\n\n
                                              Pod\u013ea CIS Ubuntu Server Benchmark<\/strong> musia by\u0165 zabezpe\u010den\u00e9 v\u0161etky pou\u017e\u00edvate\u013esk\u00e9 \u00fa\u010dty:<\/p>\n\n\n\n
                                              \u2714 Zak\u00e1zanie nepou\u017e\u00edvan\u00fdch syst\u00e9mov\u00fdch \u00fa\u010dtov<\/strong>
                                              \u2714 Z\u00e1kaz pr\u00e1zdnych hesiel<\/strong>
                                              \u2714 Siln\u00e1 heslov\u00e1 politika<\/strong>
                                              \u2714 Expir\u00e1cia hesiel pre neakt\u00edvnych pou\u017e\u00edvate\u013eov<\/strong>
                                              \u2714 Pou\u017eitie SHA-512 na bezpe\u010dn\u00e9 hashovanie hesiel<\/strong><\/p>\n\n\n\n
                                              \u010co tento skript rob\u00ed?<\/strong><\/h4>\n\n\n\n
                                              1\ufe0f\u20e3 Z\u00e1lohuje d\u00f4le\u017eit\u00e9 konfigura\u010dn\u00e9 s\u00fabory<\/strong>
                                              2\ufe0f\u20e3 Uzamyk\u00e1 syst\u00e9mov\u00e9 \u00fa\u010dty, ktor\u00e9 nie s\u00fa potrebn\u00e9<\/strong>
                                              3\ufe0f\u20e3 Zabezpe\u010duje, aby \u017eiadny \u00fa\u010det nemal pr\u00e1zdne heslo<\/strong>
                                              4\ufe0f\u20e3 Konfiguruje politiky pre hesl\u00e1 v \/etc\/login.defs<\/code><\/strong>
                                              5\ufe0f\u20e3 Nastavuje expir\u00e1cie hesiel pre neakt\u00edvne \u00fa\u010dty<\/strong><\/p>\n\n\n\n
                                              #!\/bin\/bash\n# Module: Account Security Hardening\n# Description: Configures user accounts for enhanced security\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nBACKUP_SUFFIX=\".bak\"\n\necho \"Starting Account Security Hardening...\" >> \"$LOG_FILE\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}${BACKUP_SUFFIX}\" && log \"Backup created for $file\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\n# Lock unnecessary system accounts\nlog \"Locking unnecessary system accounts.\"\nfor account in $(awk -F: '($3 < 1000 && $1 != \"root\") {print $1}' \/etc\/passwd); do\n  usermod -L \"$account\" &>> \"$LOG_FILE\" && log \"Locked account: $account.\"\ndone\n\n# Ensure no accounts have empty passwords\nlog \"Checking for accounts with empty passwords.\"\nfor user in $(awk -F: '($2 == \"\" && $3 >= 1000) {print $1}' \/etc\/shadow); do\n  passwd -l \"$user\" &>> \"$LOG_FILE\" && log \"Locked user with empty password: $user.\"\ndone\n\n# Enforce strong password policies in \/etc\/login.defs\nLOGIN_DEFS=\"\/etc\/login.defs\"\nbackup_file \"$LOGIN_DEFS\"\nsed -i 's\/^PASS_MAX_DAYS.*\/PASS_MAX_DAYS   90\/' \"$LOGIN_DEFS\"\nsed -i 's\/^PASS_MIN_DAYS.*\/PASS_MIN_DAYS   7\/' \"$LOGIN_DEFS\"\nsed -i 's\/^PASS_WARN_AGE.*\/PASS_WARN_AGE   14\/' \"$LOGIN_DEFS\"\nif ! grep -q \"^ENCRYPT_METHOD\" \"$LOGIN_DEFS\"; then\n  echo \"ENCRYPT_METHOD SHA512\" >> \"$LOGIN_DEFS\"\nelse\n  sed -i 's\/^ENCRYPT_METHOD.*\/ENCRYPT_METHOD SHA512\/' \"$LOGIN_DEFS\"\nfi\nlog \"Updated $LOGIN_DEFS with secure password policies.\"\n\n# Expire passwords for inactive accounts\nlog \"Expiring passwords for inactive accounts.\"\nfor user in $(awk -F: '($3 >= 1000) {print $1}' \/etc\/passwd); do\n  chage --inactive 30 \"$user\" &>> \"$LOG_FILE\" && log \"Set password expiration for $user.\"\ndone\n\nlog \"Account Security Hardening completed.\"<\/code><\/pre>\n\n\n\n
                                              Hardening syst\u00e9mov\u00fdch logov<\/h2>\n\n\n\n
                                              Tento Bash skript zabezpe\u010duje syst\u00e9mov\u00e9 logovanie v Linuxe pod\u013ea CIS Benchmark odpor\u00fa\u010dan\u00ed. Cie\u013eom je zlep\u0161i\u0165 bezpe\u010dnos\u0165 logov, zabra\u0165 pr\u00edstup nepovolen\u00fdm pou\u017e\u00edvate\u013eom a zabezpe\u010di\u0165 spo\u013eahliv\u00e9 uchov\u00e1vanie logov.<\/p>\n\n\n\n
                                              Pod\u013ea CIS Ubuntu Server Benchmark<\/strong> mus\u00ed by\u0165 syst\u00e9mov\u00e9 logovanie zabezpe\u010den\u00e9<\/strong>:<\/p>\n\n\n\n
                                              \u2714 In\u0161tal\u00e1cia a konfigur\u00e1cia rsyslog<\/code> pre bezpe\u010dn\u00e9 logovanie<\/strong>
                                              \u2714 Obmedzenie pr\u00edstupu k log s\u00faborom len pre root pou\u017e\u00edvate\u013ea<\/strong>
                                              \u2714 Z\u00e1lohovanie a ochrana konfigura\u010dn\u00fdch s\u00faborov logovania<\/strong>
                                              \u2714 Ulo\u017eenie d\u00f4le\u017eit\u00fdch logov do ur\u010den\u00fdch s\u00faborov pre jednoduch\u00fa kontrolu<\/strong><\/p>\n\n\n\n
                                              \u010co tento skript rob\u00ed?<\/strong><\/h2>\n\n\n\n
                                              1\ufe0f\u20e3 Z\u00e1lohuje existuj\u00face konfigura\u010dn\u00e9 s\u00fabory logovania<\/strong>
                                              2\ufe0f\u20e3 In\u0161taluje a konfiguruje rsyslog<\/code> pre bezpe\u010dn\u00e9 logovanie<\/strong>
                                              3\ufe0f\u20e3 Obmedzuje pr\u00edstup k log s\u00faborom (zabra\u0148uje \u010d\u00edtaniu neautorizovan\u00fdmi pou\u017e\u00edvate\u013emi)<\/strong><\/p>\n\n\n\n
                                              #!\/bin\/bash\n# Module: System Log Hardening\n# Description: Configures logging settings to ensure secure and reliable system logging\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nRSYSLOG_CONF=\"\/etc\/rsyslog.conf\"\nRSYSLOG_D_DIR=\"\/etc\/rsyslog.d\"\n\necho \"Starting System Log Hardening...\" >> \"$LOG_FILE\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}.bak\" && log \"Backup created for $file.\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\n# Ensure rsyslog is installed\nlog \"Installing rsyslog if not already installed.\"\nif apt-get install -y rsyslog &>> \"$LOG_FILE\"; then\n  log \"rsyslog installed successfully.\"\nelse\n  log \"Failed to install rsyslog. Check the logs for details.\"\n  exit 1\nfi\n\n# Backup existing rsyslog configuration\nbackup_file \"$RSYSLOG_CONF\"\n\n# Update rsyslog configuration for secure logging\ncat > \"$RSYSLOG_CONF\" <> \"$LOG_FILE\"; then\n  log \"rsyslog restarted successfully.\"\nelse\n  log \"Failed to restart rsyslog. Check the logs for details.\"\nfi\n\nlog \"System Log Hardening completed.\"\n<\/code><\/pre>\n\n\n\n
                                              Hardening PAM<\/h2>\n\n\n\n
                                              Tento Bash skript<\/strong> implementuje hardening PAM (Pluggable Authentication Modules)<\/strong> pod\u013ea CIS Benchmark odpor\u00fa\u010dan\u00ed<\/strong>. Jeho cie\u013eom je zabezpe\u010di\u0165 siln\u00e9 hesl\u00e1, kontrolu ne\u00faspe\u0161n\u00fdch prihl\u00e1sen\u00ed a testova\u0165 politiku overovania<\/strong>.<\/p>\n\n\n\n
                                              Pod\u013ea CIS Ubuntu Server Benchmark mus\u00ed by\u0165 PAM nastaven\u00fd tak, aby zabezpe\u010dil:<\/p>\n\n\n\n
                                              \u2714 Pou\u017eitie siln\u00fdch hesiel
                                              \u2714 Minim\u00e1lnu d\u013a\u017eku hesla a po\u017eiadavky na \u0161peci\u00e1lne znaky
                                              \u2714 Zablokovanie \u00fa\u010dtov po ne\u00faspe\u0161n\u00fdch pokusoch o prihl\u00e1senie
                                              \u2714 Automatick\u00e9 testovanie politiky hesiel a zamykania \u00fa\u010dtov<\/p>\n\n\n\n
                                              \u010co tento skript rob\u00ed?<\/p>\n\n\n\n
                                              1\ufe0f\u20e3 Z\u00e1lohuje existuj\u00face PAM konfigur\u00e1cie
                                              2\ufe0f\u20e3 In\u0161taluje kni\u017enicu libpam-pwquality na zabezpe\u010denie siln\u00fdch hesiel
                                              3\ufe0f\u20e3 Konfiguruje PAM, aby vy\u017eadoval siln\u00e9 hesl\u00e1 (minim\u00e1lna d\u013a\u017eka, ve\u013ek\u00e9\/mal\u00e9 p\u00edsmen\u00e1, \u010d\u00edsla, \u0161peci\u00e1lne znaky)
                                              4\ufe0f\u20e3 Testuje politiku hesiel a zamykania \u00fa\u010dtu po viacer\u00fdch ne\u00faspe\u0161n\u00fdch pokusoch<\/p>\n\n\n\n
                                              #!\/bin\/bash\n# Module: PAM Hardening\n# Description: Configures Pluggable Authentication Modules (PAM) for enhanced security\n\nLOG_FILE=\"\/var\/log\/hardening_script.log\"\nPAM_COMMON_AUTH=\"\/etc\/pam.d\/common-auth\"\nPAM_COMMON_PASSWORD=\"\/etc\/pam.d\/common-password\"\n\nlog() {\n  echo \"[$(date +%Y-%m-%dT%H:%M:%S)] $1\" | tee -a \"$LOG_FILE\"\n}\n\nbackup_file() {\n  local file=\"$1\"\n  if [[ -f \"$file\" ]]; then\n    cp \"$file\" \"${file}.bak\" && log \"Backup created for $file.\"\n  else\n    log \"File $file not found, skipping backup.\"\n  fi\n}\n\n# Ensure required packages are installed\nlog \"Installing required PAM packages.\"\nif apt-get install -y libpam-pwquality &>> \"$LOG_FILE\"; then\n  log \"Required PAM packages installed successfully.\"\nelse\n  log \"Failed to install required PAM packages. Check logs for details.\"\n  exit 1\nfi\n\nlog \"Starting PAM Hardening...\"\n\n# Backup PAM configuration files\nbackup_file \"$PAM_COMMON_AUTH\"\nbackup_file \"$PAM_COMMON_PASSWORD\"\n\n# Configure PAM to enforce strong password policies\nlog \"Configuring strong password policies in PAM.\"\nsed -i '\/pam_pwquality.so\/d' \"$PAM_COMMON_PASSWORD\"\necho \"password requisite pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1\" >> \"$PAM_COMMON_PASSWORD\"\nlog \"Updated $PAM_COMMON_PASSWORD to enforce strong passwords.\"\n\n# # Configure lockout policy for failed login attempts\n# log \"Configuring lockout policy for failed logins.\"\n# sed -i '\/pam_tally2.so\/d' \"$PAM_COMMON_AUTH\"\n# echo \"auth required pam_tally2.so deny=5 unlock_time=600 onerr=fail audit\" >> \"$PAM_COMMON_AUTH\"\n# log \"Updated $PAM_COMMON_AUTH to lock accounts after 5 failed attempts.\"\n\n# Test PAM configuration\nlog \"Testing PAM configuration for password policies.\"\necho \"Testing password policy: Expect rejection for weak passwords.\"\necho \"weakpassword\" | passwd --stdin testuser 2>> \"$LOG_FILE\"\nif [[ $? -ne 0 ]]; then\n  log \"Password policy test passed: Weak password rejected.\"\nelse\n  log \"Password policy test failed: Weak password accepted.\"\n  exit 1\nfi\n\nlog \"Testing lockout policy: Expect lockout after 5 failed attempts.\"\nfor i in {1..5}; do\n  su -c \"echo wrongpassword | su testuser\" 2>> \"$LOG_FILE\"\ndone\nif faillog -u testuser | grep -q \"FAILURES\"; then\n  log \"Lockout policy test passed: User locked out after repeated failures.\"\nelse\n  log \"Lockout policy test failed: User not locked out.\"\n  exit 1\nfi\n\nlog \"PAM Hardening completed successfully.\"\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
                                              Tento pr\u00edspevok sa venuje CIS Benchmarku a jeho aplik\u00e1cii na Ubuntu Server. CIS Benchmark je s\u00fabor odpor\u00fa\u010dan\u00ed pre zabezpe\u010denie syst\u00e9mov pod\u013ea best practices v kybernetickej bezpe\u010dnosti. Pr\u00edspevok sa s\u00fastred\u00ed na PAM hardening, ktor\u00fd zabezpe\u010duje siln\u00e9 hesl\u00e1 s minim\u00e1lnou d\u013a\u017ekou a \u0161peci\u00e1lnymi znakmi, zamykanie \u00fa\u010dtov po ne\u00faspe\u0161n\u00fdch pokusoch o prihl\u00e1senie a overovanie konfigur\u00e1cie cez automatizovan\u00e9 testy. Implement\u00e1cia t\u00fdchto nastaven\u00ed zvy\u0161uje bezpe\u010dnos\u0165 servera a chr\u00e1ni ho pred neopr\u00e1vnen\u00fdm pr\u00edstupom.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[53],"tags":[112],"class_list":["post-1136","post","type-post","status-publish","format-standard","hentry","category-linux","tag-bezpecnost"],"_links":{"self":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts\/1136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/comments?post=1136"}],"version-history":[{"count":4,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts\/1136\/revisions"}],"predecessor-version":[{"id":2078,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts\/1136\/revisions\/2078"}],"wp:attachment":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/media?parent=1136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/categories?post=1136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/tags?post=1136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}