From 04457e7df26cea610e65d991e0ef4aad2b5118a7 Mon Sep 17 00:00:00 2001 
From: GoldenKiwi Date: Tue, 2 May 2023 14:16:19 +0200 Subject: [PATCH] feat: official Debian 11 compatibility (#176) Introduce Debian 11 compatibility Based on CIS_Debian_Linux_11_Benchmark_v1.0.0 After review, here are the notable changes : - Harden /var/log more (noexec,nodev,nosuid) - Harden /var/log/audit more (noexec,nodev,nosuid) - Harden /home more (nosuid) - Disable cramfs - Fix 5.3.4_acc_pam_sha512.sh - Deprecate Debian 9 and remove useless docker images NB : more audit log rules have been introduced and will be inserted in the checks later Fix #158 --- .github/workflows/functionnal-tests.yml | 7 -- README.md | 9 +- bin/hardening/1.1.1.8_disable_cramfs.sh | 76 +++++++++++++++ bin/hardening/1.1.11.1_var_log_noexec.sh | 92 +++++++++++++++++++ bin/hardening/1.1.11.2_var_log_nosuid.sh | 92 +++++++++++++++++++ bin/hardening/1.1.11.3_var_log_nodev.sh | 92 +++++++++++++++++++ .../1.1.12.1_var_log_audit_noexec.sh | 92 +++++++++++++++++++ .../1.1.12.2_var_log_audit_nosuid.sh | 92 +++++++++++++++++++ bin/hardening/1.1.12.3_var_log_audit_nodev.sh | 92 +++++++++++++++++++ bin/hardening/1.1.14.1_home_nosuid.sh | 92 +++++++++++++++++++ bin/hardening/1.1.6.1_var_nodev.sh | 92 +++++++++++++++++++ bin/hardening/1.1.6.2_var_nosuid.sh | 92 +++++++++++++++++++ bin/hardening/1.6.3.1_disable_apport.sh | 69 ++++++++++++++ bin/hardening/5.3.4_acc_pam_sha512.sh | 11 ++- lib/constants.sh | 4 +- tests/docker/Dockerfile.debian8 | 22 ----- tests/docker/Dockerfile.debian9 | 22 ----- tests/hardening/1.1.1.8_disable_cramfs.sh | 20 ++++ tests/hardening/1.1.11.1_var_log_noexec.sh | 16 ++++ tests/hardening/1.1.11.2_var_log_nosuid.sh | 16 ++++ tests/hardening/1.1.11.3_var_log_nodev.sh | 16 ++++ .../1.1.12.1_var_log_audit_noexec.sh | 16 ++++ .../1.1.12.2_var_log_audit_nosuid.sh | 16 ++++ .../hardening/1.1.12.3_var_log_audit_nodev.sh | 16 ++++ tests/hardening/1.1.14.1_home_nosuid.sh | 16 ++++ tests/hardening/1.1.6.1_var_nodev.sh | 16 ++++ tests/hardening/1.1.6.2_var_nosuid.sh | 16 ++++ 
tests/hardening/1.6.3.1_disable_apport.sh | 16 ++++ tests/hardening/5.3.4_acc_pam_sha512.sh | 2 +- 29 files changed, 1168 insertions(+), 62 deletions(-) create mode 100755 bin/hardening/1.1.1.8_disable_cramfs.sh create mode 100755 bin/hardening/1.1.11.1_var_log_noexec.sh create mode 100755 bin/hardening/1.1.11.2_var_log_nosuid.sh create mode 100755 bin/hardening/1.1.11.3_var_log_nodev.sh create mode 100755 bin/hardening/1.1.12.1_var_log_audit_noexec.sh create mode 100755 bin/hardening/1.1.12.2_var_log_audit_nosuid.sh create mode 100755 bin/hardening/1.1.12.3_var_log_audit_nodev.sh create mode 100755 bin/hardening/1.1.14.1_home_nosuid.sh create mode 100755 bin/hardening/1.1.6.1_var_nodev.sh create mode 100755 bin/hardening/1.1.6.2_var_nosuid.sh create mode 100755 bin/hardening/1.6.3.1_disable_apport.sh delete mode 100644 tests/docker/Dockerfile.debian8 delete mode 100644 tests/docker/Dockerfile.debian9 create mode 100644 tests/hardening/1.1.1.8_disable_cramfs.sh create mode 100644 tests/hardening/1.1.11.1_var_log_noexec.sh create mode 100644 tests/hardening/1.1.11.2_var_log_nosuid.sh create mode 100644 tests/hardening/1.1.11.3_var_log_nodev.sh create mode 100644 tests/hardening/1.1.12.1_var_log_audit_noexec.sh create mode 100644 tests/hardening/1.1.12.2_var_log_audit_nosuid.sh create mode 100644 tests/hardening/1.1.12.3_var_log_audit_nodev.sh create mode 100644 tests/hardening/1.1.14.1_home_nosuid.sh create mode 100644 tests/hardening/1.1.6.1_var_nodev.sh create mode 100644 tests/hardening/1.1.6.2_var_nosuid.sh create mode 100644 tests/hardening/1.6.3.1_disable_apport.sh diff --git a/.github/workflows/functionnal-tests.yml b/.github/workflows/functionnal-tests.yml index 93d6f66..69c4ae1 100644 --- a/.github/workflows/functionnal-tests.yml +++ b/.github/workflows/functionnal-tests.yml 
@@ -4,13 +4,6 @@ on: - pull_request - push jobs: - functionnal-tests-docker-debian9: - runs-on: ubuntu-latest - steps: - - name: Checkout repo - uses: actions/checkout@v3 - - name: Run the tests debian9 - run: ./tests/docker_build_and_run_tests.sh debian9 functionnal-tests-docker-debian10: runs-on: ubuntu-latest steps: diff --git a/README.md b/README.md index f05a918..379d60c 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,4 @@ -# :lock: CIS Debian 9/10 Hardening - -:tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to -report issues if you find any! +# :lock: CIS Debian 10/11 Hardening

@@ -16,7 +13,7 @@ report issues if you find any! ![License](https://img.shields.io/github/license/ovh/debian-cis) --- -Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) +Modular Debian 10/11 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure. ```console @@ -172,7 +169,7 @@ Functional tests are available. They are to be run in a Docker environment. $ ./tests/docker_build_and_run_tests.sh [name of test script...] ``` -With `target` being like `debian9` or `debian10`. +With `target` being like `debian10` or `debian11`. Running without script arguments will run all tests in `./tests/hardening/` directory. Or you can specify one or several test script to be run. diff --git a/bin/hardening/1.1.1.8_disable_cramfs.sh b/bin/hardening/1.1.1.8_disable_cramfs.sh new file mode 100755 index 0000000..6821561 --- /dev/null +++ b/bin/hardening/1.1.1.8_disable_cramfs.sh 
@@ -0,0 +1,76 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="Disable mounting of cramfs filesystems." + +KERNEL_OPTION="CONFIG_CRAMFS" +MODULE_NAME="cramfs" + +# This function will be called if the script status is on enabled / audit mode +audit() { + if [ "$IS_CONTAINER" -eq 1 ]; then + # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it + ok "Container detected, consider host enforcing or disable this check!" + else + is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated + crit "$MODULE_NAME is enabled!" + else + ok "$MODULE_NAME is disabled" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$IS_CONTAINER" -eq 1 ]; then + # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it + ok "Container detected, consider host enforcing!" + else + is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" + if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" + else + ok "$MODULE_NAME is disabled" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . /etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." 
+ echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/1.1.11.1_var_log_noexec.sh b/bin/hardening/1.1.11.1_var_log_noexec.sh new file mode 100755 index 0000000..cbc4d03 --- /dev/null +++ b/bin/hardening/1.1.11.1_var_log_noexec.sh 
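Review bot: The header comment of the new 1.1.1.8_disable_cramfs.sh reads `# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)`, which is the number of a different check; the file name and DESCRIPTION identify this as 1.1.1.8, so it should read `# 1.1.1.8 Ensure mounting of cramfs filesystems is disabled (Scored)`. Separately, `set -u` is in effect when `if [ -z "$CIS_ROOT_DIR" ]; then` runs, so when /etc/default/cis-hardening is absent and the variable is not exported, bash aborts with an unbound-variable error before the explanatory echo is reached; `if [ -z "${CIS_ROOT_DIR:-}" ]; then` keeps that diagnostic reachable. The same bootstrap block appears in every other script created by this commit (1.1.6.1, 1.1.6.2, 1.1.11.1–3, 1.1.12.1–3, 1.1.14.1, and presumably 1.6.3.1 whose body is outside this view) and looks inherited from the existing template, so it is probably best corrected once in the template rather than per file.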
@@ -0,0 +1,92 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# 1.1.11.1 Ensure noexec option set on /var/log partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=3 +# shellcheck disable=2034 +DESCRIPTION="/var/log partition with noexec option." + +# Quick factoring as many script use the same logic +PARTITION="/var/log" +OPTION="noexec" + +# This function will be called if the script status is on enabled / audit mode +audit() { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION has no option $OPTION in fstab!" + FNRET=1 + else + ok "$PARTITION has $OPTION in fstab" + has_mounted_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$FNRET" = 0 ]; then + ok "$PARTITION is correctly set" + elif [ "$FNRET" = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ "$FNRET" = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab "$PARTITION" "$OPTION" + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . 
/etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/1.1.11.2_var_log_nosuid.sh b/bin/hardening/1.1.11.2_var_log_nosuid.sh new file mode 100755 index 0000000..126f596 --- /dev/null +++ b/bin/hardening/1.1.11.2_var_log_nosuid.sh 
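Review bot: audit() in the new 1.1.11.1_var_log_noexec.sh hands its verdict to apply() through the global FNRET, but the meaning of the four values is only implied by the nesting of the branches, so the hand-off deserves a comment above audit(), e.g. `# FNRET after audit(): 0 = compliant, 1 = option missing from fstab, 2 = not a separate partition, 3 = in fstab but not active at runtime`. The factoring comment also reads `# Quick factoring as many script use the same logic`; `scripts` is meant. Both points apply verbatim to the identical templates in 1.1.11.2, 1.1.11.3, 1.1.12.1, 1.1.12.2, 1.1.12.3, 1.1.14.1, 1.1.6.1 and 1.1.6.2 further down this diff. audit() also relies on FNRET as set by the library helpers is_a_partition, has_mount_option and has_mounted_option, whose return-code contract is outside this diff, so the comment should say it documents this script's own encoding only.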
@@ -0,0 +1,92 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# 1.1.11.2 Ensure nosuid option set on /var/log partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="/var/log partition with nosuid option." + +# Quick factoring as many script use the same logic +PARTITION="/var/log" +OPTION="nosuid" + +# This function will be called if the script status is on enabled / audit mode +audit() { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION has no option $OPTION in fstab!" + FNRET=1 + else + ok "$PARTITION has $OPTION in fstab" + has_mounted_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$FNRET" = 0 ]; then + ok "$PARTITION is correctly set" + elif [ "$FNRET" = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ "$FNRET" = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab "$PARTITION" "$OPTION" + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . 
/etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/1.1.11.3_var_log_nodev.sh b/bin/hardening/1.1.11.3_var_log_nodev.sh new file mode 100755 index 0000000..09eb3be --- /dev/null +++ b/bin/hardening/1.1.11.3_var_log_nodev.sh 
@@ -0,0 +1,92 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# 1.1.11.3 ensure nodev option set on /var/log partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="/var/log partition with nodev option." + +# Quick factoring as many script use the same logic +PARTITION="/var/log" +OPTION="nodev" + +# This function will be called if the script status is on enabled / audit mode +audit() { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION has no option $OPTION in fstab!" + FNRET=1 + else + ok "$PARTITION has $OPTION in fstab" + has_mounted_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$FNRET" = 0 ]; then + ok "$PARTITION is correctly set" + elif [ "$FNRET" = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ "$FNRET" = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab "$PARTITION" "$OPTION" + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . 
/etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/1.1.12.1_var_log_audit_noexec.sh b/bin/hardening/1.1.12.1_var_log_audit_noexec.sh new file mode 100755 index 0000000..0e1666d --- /dev/null +++ b/bin/hardening/1.1.12.1_var_log_audit_noexec.sh 
@@ -0,0 +1,92 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# 1.1.12.1 Ensure noexec option set on /var/log/audit partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=3 +# shellcheck disable=2034 +DESCRIPTION="/var/log/audit partition with noexec option." + +# Quick factoring as many script use the same logic +PARTITION="/var/log/audit" +OPTION="noexec" + +# This function will be called if the script status is on enabled / audit mode +audit() { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION has no option $OPTION in fstab!" + FNRET=1 + else + ok "$PARTITION has $OPTION in fstab" + has_mounted_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$FNRET" = 0 ]; then + ok "$PARTITION is correctly set" + elif [ "$FNRET" = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ "$FNRET" = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab "$PARTITION" "$OPTION" + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . 
/etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/1.1.12.2_var_log_audit_nosuid.sh b/bin/hardening/1.1.12.2_var_log_audit_nosuid.sh new file mode 100755 index 0000000..0970a0f --- /dev/null +++ b/bin/hardening/1.1.12.2_var_log_audit_nosuid.sh 
@@ -0,0 +1,92 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# 1.1.12.2 Ensure nosuid option set on /var/log/audit partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="/var/log/audit partition with nosuid option." + +# Quick factoring as many script use the same logic +PARTITION="/var/log/audit" +OPTION="nosuid" + +# This function will be called if the script status is on enabled / audit mode +audit() { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION has no option $OPTION in fstab!" + FNRET=1 + else + ok "$PARTITION has $OPTION in fstab" + has_mounted_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$FNRET" = 0 ]; then + ok "$PARTITION is correctly set" + elif [ "$FNRET" = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ "$FNRET" = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab "$PARTITION" "$OPTION" + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . 
/etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/1.1.12.3_var_log_audit_nodev.sh b/bin/hardening/1.1.12.3_var_log_audit_nodev.sh new file mode 100755 index 0000000..bb6cd17 --- /dev/null +++ b/bin/hardening/1.1.12.3_var_log_audit_nodev.sh 
@@ -0,0 +1,92 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# 1.1.12.3 Ensure nodev option set on /var/log/audit partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="/var/log/audit partition with nodev option." + +# Quick factoring as many script use the same logic +PARTITION="/var/log/audit" +OPTION="nodev" + +# This function will be called if the script status is on enabled / audit mode +audit() { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION has no option $OPTION in fstab!" + FNRET=1 + else + ok "$PARTITION has $OPTION in fstab" + has_mounted_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$FNRET" = 0 ]; then + ok "$PARTITION is correctly set" + elif [ "$FNRET" = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ "$FNRET" = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab "$PARTITION" "$OPTION" + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . 
/etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/1.1.14.1_home_nosuid.sh b/bin/hardening/1.1.14.1_home_nosuid.sh new file mode 100755 index 0000000..5fc1b6c --- /dev/null +++ b/bin/hardening/1.1.14.1_home_nosuid.sh 
@@ -0,0 +1,92 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# 1.1.14.1 Ensure nosuid option set on /home partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="/home partition with nosuid option." + +# Quick factoring as many script use the same logic +PARTITION="/home" +OPTION="nosuid" + +# This function will be called if the script status is on enabled / audit mode +audit() { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION has no option $OPTION in fstab!" + FNRET=1 + else + ok "$PARTITION has $OPTION in fstab" + has_mounted_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$FNRET" = 0 ]; then + ok "$PARTITION is correctly set" + elif [ "$FNRET" = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ "$FNRET" = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab "$PARTITION" "$OPTION" + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . 
/etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/1.1.6.1_var_nodev.sh b/bin/hardening/1.1.6.1_var_nodev.sh new file mode 100755 index 0000000..a84b642 --- /dev/null +++ b/bin/hardening/1.1.6.1_var_nodev.sh 
@@ -0,0 +1,92 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# 1.1.6.1 Ensure nodev option set for /var Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="/var partition with nodev option." + +# Quick factoring as many script use the same logic +PARTITION="/var" +OPTION="nodev" + +# This function will be called if the script status is on enabled / audit mode +audit() { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + crit "$PARTITION has no option $OPTION in fstab!" + FNRET=1 + else + ok "$PARTITION has $OPTION in fstab" + has_mounted_option "$PARTITION" "$OPTION" + if [ "$FNRET" -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$FNRET" = 0 ]; then + ok "$PARTITION is correctly set" + elif [ "$FNRET" = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ "$FNRET" = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab "$PARTITION" "$OPTION" + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + elif [ "$FNRET" = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition "$PARTITION" + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . 
/etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "$CIS_ROOT_DIR"/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/1.1.6.2_var_nosuid.sh b/bin/hardening/1.1.6.2_var_nosuid.sh new file mode 100755 index 0000000..42a4a0e --- /dev/null +++ b/bin/hardening/1.1.6.2_var_nosuid.sh 
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.6.2 Ensure nosuid option set for /var Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="/var partition with nosuid option."
+
+# Quick factoring as many script use the same logic
+PARTITION="/var"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ "$FNRET" -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ has_mount_option "$PARTITION" "$OPTION"
+ if [ "$FNRET" -gt 0 ]; then
+ crit "$PARTITION has no option $OPTION in fstab!"
+ FNRET=1
+ else
+ ok "$PARTITION has $OPTION in fstab"
+ has_mounted_option "$PARTITION" "$OPTION"
+ if [ "$FNRET" -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=3
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ if [ "$FNRET" = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ "$FNRET" = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ elif [ "$FNRET" = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab "$PARTITION" "$OPTION"
+ info "Remounting $PARTITION from fstab"
+ remount_partition "$PARTITION"
+ elif [ "$FNRET" = 3 ]; then
+ info "Remounting $PARTITION from fstab"
+ remount_partition "$PARTITION"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/1.6.3.1_disable_apport.sh b/bin/hardening/1.6.3.1_disable_apport.sh
new file mode 100755
index 0000000..c64bd8f
--- /dev/null
+++ b/bin/hardening/1.6.3.1_disable_apport.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.6.3.1 Ensure apport is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable apport to avoid confidential data leaks."
+
+PACKAGE='apport'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" = 0 ]; then
+ crit "$PACKAGE is installed!"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge "$PACKAGE" -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/5.3.4_acc_pam_sha512.sh b/bin/hardening/5.3.4_acc_pam_sha512.sh
index 25a40ab..6d449fc 100755
--- a/bin/hardening/5.3.4_acc_pam_sha512.sh
+++ b/bin/hardening/5.3.4_acc_pam_sha512.sh
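Review bot: `apt-get autoremove` in apply() has no `-y`, so in a non-interactive run apt asks for confirmation and, with no TTY on stdin, aborts with a non-zero status that `set -e` turns into a script failure after the purge has already happened. autoremove also removes every auto-installed package the system no longer needs, not only apport's dependencies, which is a broad side effect for a single hardening check. `apt-get purge -y --auto-remove "$PACKAGE"` limits the cleanup to apport's own orphans and needs no prompt; at minimum the second call should be `apt-get -y autoremove`. The trailing `:` in audit() and apply() is a no-op left over from an empty body and can be dropped.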
@@ -15,7 +15,7 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
-DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
+DESCRIPTION="Check that any password that may exist in /etc/shadow is yescrypt (or SHA512 for debian 10) hashed and salted"
 CONF_FILE="/etc/pam.d/common-password"
 CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
 
@@ -26,6 +26,9 @@ audit() {
 if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
 crit "$CONF_FILE is not readable"
 else
+ if [ "$DEB_MAJ_VER" -ge "11" ]; then
+ CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*yescrypt" # https://github.com/ovh/debian-cis/issues/158
+ fi
 # shellcheck disable=SC2001
 does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
 if [ "$FNRET" = 0 ]; then
@@ -47,7 +50,11 @@ apply() {
 ok "$CONF_LINE is present in $CONF_FILE"
 else
 warn "$CONF_LINE is not present in $CONF_FILE"
- add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
+ if [ "$DEB_MAJ_VER" -ge "11" ]; then
+ add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
+ else
+ add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
+ fi
 fi
 fi
 }
diff --git a/lib/constants.sh b/lib/constants.sh
index d9efa64..8a5d86d 100644
--- a/lib/constants.sh
+++ b/lib/constants.sh
@@ -57,6 +57,6 @@ get_distribution get_debian_major_version
 # shellcheck disable=SC2034
-SMALLEST_SUPPORTED_DEBIAN_VERSION=9
+SMALLEST_SUPPORTED_DEBIAN_VERSION=10
 # shellcheck disable=SC2034
-HIGHEST_SUPPORTED_DEBIAN_VERSION=10
+HIGHEST_SUPPORTED_DEBIAN_VERSION=11
diff --git a/tests/docker/Dockerfile.debian8 b/tests/docker/Dockerfile.debian8
deleted file mode 100644
index f09e938..0000000
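Review bot: The Debian-version switch between sha512 and yescrypt is written twice, once overriding the global `CONF_LINE` inside audit() and once inline in apply(), and the `ok`/`warn` messages in apply() interpolate `$CONF_LINE`, so they only show the yescrypt pattern if audit() ran earlier in the same process (which I believe main.sh arranges, but that is not visible here). Choosing both the pattern and the line to add in one place — check_config() would fit if it runs after lib/constants.sh has set `DEB_MAJ_VER` — would let audit() and apply() share a single `CONF_LINE` plus one variable holding the line to insert, instead of repeating `if [ "$DEB_MAJ_VER" -ge "11" ]`. The audit() and apply() bodies both extend outside these hunks, so their unchanged branches were not reviewed.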
--- a/tests/docker/Dockerfile.debian8
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM debian:jessie
-
-LABEL vendor="OVH"
-LABEL project="debian-cis"
-LABEL url="https://github.com/ovh/debian-cis"
-LABEL description="This image is used to run tests"
-
-RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
-
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
-
-COPY --chown=500:500 . /opt/debian-cis/
-
-COPY debian/default /etc/default/cis-hardening
-RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
-
-COPY cisharden.sudoers /etc/sudoers.d/secaudit
-RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
-
-
-ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
-
diff --git a/tests/docker/Dockerfile.debian9 b/tests/docker/Dockerfile.debian9
deleted file mode 100644
index de50a1e..0000000
--- a/tests/docker/Dockerfile.debian9
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM debian:stretch
-
-LABEL vendor="OVH"
-LABEL project="debian-cis"
-LABEL url="https://github.com/ovh/debian-cis"
-LABEL description="This image is used to run tests"
-
-RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
-
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
-
-COPY --chown=500:500 . /opt/debian-cis/
-
-COPY debian/default /etc/default/cis-hardening
-RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
-
-COPY cisharden.sudoers /etc/sudoers.d/secaudit
-RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
-
-
-ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
-
diff --git a/tests/hardening/1.1.1.8_disable_cramfs.sh b/tests/hardening/1.1.1.8_disable_cramfs.sh
new file mode 100644
index 0000000..5195a49
--- /dev/null
+++ b/tests/hardening/1.1.1.8_disable_cramfs.sh
@@ -0,0 +1,20 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ if [ -f "/.dockerenv" ]; then
+ skip "SKIPPED on docker"
+ else
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ fi
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
diff --git a/tests/hardening/1.1.11.1_var_log_noexec.sh b/tests/hardening/1.1.11.1_var_log_noexec.sh
new file mode 100644
index 0000000..a5243cb
--- /dev/null
+++ b/tests/hardening/1.1.11.1_var_log_noexec.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
diff --git a/tests/hardening/1.1.11.2_var_log_nosuid.sh b/tests/hardening/1.1.11.2_var_log_nosuid.sh
new file mode 100644
index 0000000..a5243cb
--- /dev/null
+++ b/tests/hardening/1.1.11.2_var_log_nosuid.sh
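Review bot: These test_audit() stubs assert only `register_test retvalshouldbe 0` after `run blank`, with no `register_test contain` on the expected `[ OK ]` or crit line, so a script that prints nothing useful but exits 0 still passes; the same applies to the 1.1.11.x, 1.1.12.x, 1.1.14.1, 1.1.6.x and 1.6.3.1 test hunks that follow, which are identical copies. On the Docker test image /var, /var/log, /var/log/audit and /home are presumably not separate partitions, so these runs would only ever exercise the `is not a partition` crit path — worth stating in the block comment, which currently describes root/sudo consistency checks the stub does not visibly perform. For 1.1.1.8 a one-line comment on the `skip` explaining why the cramfs check cannot run in a container would help the next reader.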
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
diff --git a/tests/hardening/1.1.11.3_var_log_nodev.sh b/tests/hardening/1.1.11.3_var_log_nodev.sh
new file mode 100644
index 0000000..a5243cb
--- /dev/null
+++ b/tests/hardening/1.1.11.3_var_log_nodev.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
diff --git a/tests/hardening/1.1.12.1_var_log_audit_noexec.sh b/tests/hardening/1.1.12.1_var_log_audit_noexec.sh
new file mode 100644
index 0000000..a5243cb
--- /dev/null
+++ b/tests/hardening/1.1.12.1_var_log_audit_noexec.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
diff --git a/tests/hardening/1.1.12.2_var_log_audit_nosuid.sh b/tests/hardening/1.1.12.2_var_log_audit_nosuid.sh
new file mode 100644
index 0000000..a5243cb
--- /dev/null
+++ b/tests/hardening/1.1.12.2_var_log_audit_nosuid.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
diff --git a/tests/hardening/1.1.12.3_var_log_audit_nodev.sh b/tests/hardening/1.1.12.3_var_log_audit_nodev.sh
new file mode 100644
index 0000000..a5243cb
--- /dev/null
+++ b/tests/hardening/1.1.12.3_var_log_audit_nodev.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
diff --git a/tests/hardening/1.1.14.1_home_nosuid.sh b/tests/hardening/1.1.14.1_home_nosuid.sh
new file mode 100644
index 0000000..a5243cb
--- /dev/null
+++ b/tests/hardening/1.1.14.1_home_nosuid.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
diff --git a/tests/hardening/1.1.6.1_var_nodev.sh b/tests/hardening/1.1.6.1_var_nodev.sh
new file mode 100644
index 0000000..a5243cb
--- /dev/null
+++ b/tests/hardening/1.1.6.1_var_nodev.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
diff --git a/tests/hardening/1.1.6.2_var_nosuid.sh b/tests/hardening/1.1.6.2_var_nosuid.sh
new file mode 100644
index 0000000..a5243cb
--- /dev/null
+++ b/tests/hardening/1.1.6.2_var_nosuid.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
diff --git a/tests/hardening/1.6.3.1_disable_apport.sh b/tests/hardening/1.6.3.1_disable_apport.sh
new file mode 100644
index 0000000..a5243cb
--- /dev/null
+++ b/tests/hardening/1.6.3.1_disable_apport.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
diff --git a/tests/hardening/5.3.4_acc_pam_sha512.sh b/tests/hardening/5.3.4_acc_pam_sha512.sh
index 400226c..e7e167f 100644
--- a/tests/hardening/5.3.4_acc_pam_sha512.sh
+++ b/tests/hardening/5.3.4_acc_pam_sha512.sh
@@ -3,7 +3,7 @@ test_audit() {
 describe Running on blank host
 register_test retvalshouldbe 0
- register_test contain "[ OK ] ^\s*password\s.+\s+pam_unix\.so\s+.*sha512 is present in /etc/pam.d/common-password"
+ register_test contain REGEX "[ OK ] .*(sha512|yescrypt) is present in /etc/pam.d/common-password"
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
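Review bot: `register_test contain REGEX "[ OK ] .*(sha512|yescrypt) is present in /etc/pam.d/common-password"` accepts either algorithm on every Debian release, so a regression in the `DEB_MAJ_VER` branch of 5.3.4_acc_pam_sha512.sh (still reporting sha512 on Debian 11, or yescrypt on 10) would pass this test. If the harness exposes the Debian major version, picking the expected word from it keeps the assertion meaningful, e.g. `register_test contain REGEX "[ OK ] .*yescrypt is present in /etc/pam.d/common-password"` on 11 and the sha512 variant otherwise; if it does not, a comment stating that the alternation is deliberate would at least make the weaker check explicit.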