From 3aa6e343fd819a38fa07eabb97c404c03d3ba6ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <stephane.lesimple@corp.ovh.com>
Date: Thu, 21 Jan 2021 10:56:26 +0000
Subject: [PATCH] doc: add pointers to the-bastion-ansible-wrapper & debian-cis

---
 README.md                         | 4 +++-
 doc/sphinx/installation/basic.rst | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index c6e08c9..dcd680c 100644
--- a/README.md
+++ b/README.md
@@ -162,8 +162,10 @@ Even with the most conservative, precautionous and paranoid coding process, code
 
 ### Optional tools
 
-- [yubico-piv-checker](https://github.com/ovh/yubico-piv-checker) - a self-contained go binary to check the validity of PIV keys and certificates. Optional, to enable The Bastion PIV-aware functionalities.
+- [yubico-piv-checker](https://github.com/ovh/yubico-piv-checker) - a self-contained go binary to check the validity of PIV keys and certificates. Optional, to enable The Bastion PIV-aware functionalities
 - [puppet-thebastion](https://forge.puppet.com/modules/goldenkiwi/thebastion) ([GitHub](https://github.com/ovh/puppet-thebastion)) - a Puppet module to automate and maintain the configuration of The Bastion machines
+- [the-bastion-ansible-wrapper](https://github.com/ovh/the-bastion-ansible-wrapper) - a wrapper to make it possible to run Ansible playbooks through The Bastion
+- [debian-cis](https://github.com/ovh/debian-cis) - a script to apply and monitor the hardening of Debian hosts as per the [CIS](https://www.cisecurity.org/benchmark/debian_linux/) recommendations
 
 ## License
 
diff --git a/doc/sphinx/installation/basic.rst b/doc/sphinx/installation/basic.rst
index 540ab9f..a181e73 100644
--- a/doc/sphinx/installation/basic.rst
+++ b/doc/sphinx/installation/basic.rst
@@ -47,7 +47,7 @@ Other BSD variants partially work but are unsupported and discouraged as they ha
 - OpenBSD 5.4+
 - NetBSD 7+
 
-In any case, you are expected to install this on a properly secured machine (including, but not limited to: ``iptables``/``pf``, reduced-set of installed software and daemons, general system hardening, etc.). If you use Debian, following the CIS Hardening guidelines is a good start.
+In any case, you are expected to install this on a properly secured machine (including, but not limited to: ``iptables``/``pf``, reduced-set of installed software and daemons, general system hardening, etc.). If you use Debian, following the `CIS Hardening guidelines <https://www.cisecurity.org/benchmark/debian_linux/>`_ is a good start. We have a `tool <https://github.com/ovh/debian-cis`_ to check for compliance against these guidelines. If you use Debian and don't yet have your own hardened template, this script should help you getting up to speed, and ensuring your hardened host stays hardened over time, through a daily audit you might want to setup through cron.
 
 Great care has been taken to write secure, tested code, but of course this is worthless if your machine is a hacker highway. Ensuring that all the layers below the bastion code (the operating system and the hardware it's running on) is your job.