{"id":1136,"date":"2025-03-19T13:52:24","date_gmt":"2025-03-19T13:52:24","guid":{"rendered":"https:\/\/virtualall.sk\/?p=1136"},"modified":"2026-01-11T08:45:53","modified_gmt":"2026-01-11T08:45:53","slug":"cis-benchmark-standard-pre-posilnenie-kybernetickej-bezpecnosti-ubuntu-server","status":"publish","type":"post","link":"https:\/\/virtualall.sk\/en\/2025\/03\/cis-benchmark-standard-pre-posilnenie-kybernetickej-bezpecnosti-ubuntu-server\/","title":{"rendered":"<!--:sk-->CIS Benchmark: \u0160tandard pre posilnenie kybernetickej bezpe\u010dnosti 2<!--:--><!--:en-->CIS Benchmark: Cybersecurity Hardening Standard Part 2<!--:-->"},"content":{"rendered":"<div style=\"background-color: #e7f3ff; border-left: 4px solid #2196F3; padding: 15px; margin: 20px 0;\">\n<strong>TL;DR &#8211; Quick summary:<\/strong> The CIS Benchmark for Ubuntu is a standard for secure server configuration. Ubuntu Security Guide (USG) automates auditing and implementation. Key points: disable root SSH login, limit MaxAuthTries to 3, disable empty passwords, disable X11 forwarding.\n<\/div>\n<div style=\"background-color: #f0f0f0; padding: 15px; margin: 20px 0; border-radius: 5px;\">\n<strong>Quick facts about the CIS Benchmark for Ubuntu:<\/strong><\/p>\n<ul>\n<li><strong>Organization:<\/strong> Center for Internet Security (CIS)<\/li>\n<li><strong>Tool:<\/strong> Ubuntu Security Guide (USG)<\/li>\n<li><strong>Levels:<\/strong> Level 1 (basic), Level 2 (advanced)<\/li>\n<li><strong>Versions:<\/strong> Ubuntu 20.04 LTS and later<\/li>\n<li><strong>Areas:<\/strong> SSH, firewall, audit, permissions, encryption<\/li>\n<li><strong>Purpose:<\/strong> Hardening, compliance, NIS2<\/li>\n<\/ul>\n<\/div>\n<p>In the digital era, <strong>cybersecurity<\/strong> is crucial. 
<strong>CIS Benchmarks<\/strong> are proven practices for securely configuring Ubuntu Linux servers.<\/p>\n<h2>What is the CIS Benchmark?<\/h2>\n<p><strong>CIS Benchmarks<\/strong> are recommended security configurations developed by a community of experts. For Ubuntu Linux they provide detailed guidance on securing the system.<\/p>\n<h2>Ubuntu Security Guide (USG)<\/h2>\n<p>Ubuntu provides the <strong>USG<\/strong> tool to automate:<\/p>\n<ul>\n<li>Auditing the current state of the system<\/li>\n<li>Implementing the recommended settings<\/li>\n<li>Customization to the needs of the organization<\/li>\n<\/ul>\n<h2>SSH configuration according to the CIS Benchmark<\/h2>\n<h3>SSH security settings:<\/h3>\n<ul>\n<li><strong>PermitRootLogin no<\/strong> &#8211; disable root login<\/li>\n<li><strong>MaxAuthTries 3<\/strong> &#8211; at most 3 authentication attempts<\/li>\n<li><strong>PermitEmptyPasswords no<\/strong> &#8211; disable empty passwords<\/li>\n<li><strong>AllowAgentForwarding no<\/strong><\/li>\n<li><strong>AllowTcpForwarding no<\/strong><\/li>\n<li><strong>X11Forwarding no<\/strong> &#8211; disable X11 forwarding<\/li>\n<li><strong>MaxSessions 2<\/strong> &#8211; at most 2 parallel sessions<\/li>\n<\/ul>\n<h3>Logging and backup<\/h3>\n<p>Before making changes, always:<\/p>\n<ul>\n<li>Create a backup of \/etc\/ssh\/sshd_config<\/li>\n<li>Log to \/var\/log\/hardening_script.log<\/li>\n<\/ul>\n<h2>Summary<\/h2>\n<p>The <strong>CIS Benchmark for Ubuntu<\/strong> improves security:<\/p>\n<ul>\n<li>USG automates auditing and implementation<\/li>\n<li>SSH hardening is critical<\/li>\n<li>Backups before every change<\/li>\n<li>Compliance with NIS2 and ISO 27001<\/li>\n<\/ul>\n<h2>Frequently asked questions (FAQ)<\/h2>\n<h3>What is the CIS 
Benchmark?<\/h3>\n<p>The <strong>CIS Benchmark<\/strong> is a set of security recommendations from the Center for Internet Security. It contains specific configuration settings for operating systems, applications and networks to minimize security risks.<\/p>\n<h3>What is the difference between Level 1 and Level 2?<\/h3>\n<p><strong>Level 1<\/strong> contains basic recommendations with minimal impact on functionality. <strong>Level 2<\/strong> consists of advanced settings for high-security environments, which may require changes in IT management.<\/p>\n<h3>What is Ubuntu Security Guide (USG)?<\/h3>\n<p><strong>USG<\/strong> is a tool from Canonical for Ubuntu 20.04+. It automates auditing the system against the CIS benchmarks and makes it easy to apply security settings.<\/p>\n<h3>Why disable root SSH login?<\/h3>\n<p>The root account is a target of brute-force attacks. With <strong>PermitRootLogin no<\/strong> set, attackers cannot gain root access directly. Users log in with a regular account and use sudo.<\/p>\n<h3>What is MaxAuthTries and why limit it?<\/h3>\n<p><strong>MaxAuthTries<\/strong> defines the number of authentication attempts before disconnection. Setting it to 3 slows down brute-force attacks and protects against automated scripts.<\/p>\n<h3>How do you apply the CIS Benchmark to an existing server?<\/h3>\n<p>First <strong>back up the configurations<\/strong>. Then use USG to audit the current state. Apply the recommendations gradually and test functionality after every change. 
Never apply everything at once.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post covers the CIS Benchmark and its application to Ubuntu Server. The CIS Benchmark is a set of recommendations for securing systems according to cybersecurity best practices. The post focuses on PAM hardening, which enforces strong passwords with a minimum length and special characters, account lockout after failed login attempts, and verification of the configuration through automated tests. Implementing these settings improves the security of the server and protects it against unauthorized access.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[53],"tags":[112],"class_list":["post-1136","post","type-post","status-publish","format-standard","hentry","category-linux","tag-bezpecnost"],"_links":{"self":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts\/1136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/comments?post=1136"}],"version-history":[{"count":3,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts\/1136\/revisions"}],"predecessor-version":[{"id":1909,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts\/1136\/revisions\/1909"}],"wp:attachment":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/media?parent=1136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/virtua
lall.sk\/en\/wp-json\/wp\/v2\/categories?post=1136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/tags?post=1136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}