Add dealing with debian 11

* ADD: add dockerfile for debian11 * FIX: fix crontab file not found on debian11 blank * Add workflow for debian11 * FIX: fix debian version func to manage debian11 * Add dealing with unsupported version and distro * Add 99.99 check that check if distro version is supported * Use global var for debian major and distro fix #26
2025-06-23 02:54:35 +02:00 · 2021-02-08 13:54:24 +01:00
parent 449c695415
commit 6ae05f3fa2
24 changed files with 266 additions and 39 deletions
--- a/bin/hardening/5.1.2_crontab_perm_ownership.sh
+++ b/bin/hardening/5.1.2_crontab_perm_ownership.sh
@ -24,6 +24,10 @@ GROUP='root'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
--- a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
+++ b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
@ -24,6 +24,10 @@ GROUP='root'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
--- a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
+++ b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh
@ -24,6 +24,10 @@ GROUP='root'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
--- a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
+++ b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
@ -24,6 +24,10 @@ GROUP='root'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
--- a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
+++ b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
@ -24,6 +24,10 @@ GROUP='root'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$FILE does not exist"
+    fi
    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
    if [ "$FNRET" = 0 ]; then
        ok "$FILE has correct ownership"
--- a/bin/hardening/5.2.15_ssh_cry_kex.sh
+++ b/bin/hardening/5.2.15_ssh_cry_kex.sh
@ -73,15 +73,12 @@ apply() {
 }

 create_config() {
-    get_debian_major_version
    set +u
    debug "Debian version : $DEB_MAJ_VER "
-    if [[ -z "$DEB_MAJ_VER" ]] || [[ 7 -eq "$DEB_MAJ_VER" ]]; then
+    if [[ 7 -le "$DEB_MAJ_VER" ]]; then
        KEX='diffie-hellman-group-exchange-sha256'
-    elif [[ 8 -eq "$DEB_MAJ_VER" ]] || [[ 9 -eq "$DEB_MAJ_VER" ]]; then
-        KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
    else
-        KEX='diffie-hellman-group-exchange-sha256'
+        KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
    fi
    set -u
    cat <<EOF
@ -89,6 +86,7 @@ status=audit
 # Put your KexAlgorithms
 OPTIONS="KexAlgorithms=$KEX"
 EOF
+
 }

 # This function will check config parameters required
--- a/bin/hardening/99.5.2.2_ssh_cry_rekey.sh
+++ b/bin/hardening/99.5.2.2_ssh_cry_rekey.sh
@ -24,15 +24,14 @@ FILE='/etc/ssh/sshd_config'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    get_debian_major_version
    set +u
    debug "Debian version : $DEB_MAJ_VER "
-    if [[ -z $DEB_MAJ_VER ]]; then
+    if [[ -z "$DEB_MAJ_VER" ]]; then
        set -u
        crit "Cannot get Debian version. Aborting..."
        return
    fi
-    if [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
+    if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
        set -u
        warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
        return
--- a/bin/hardening/99.99_check_distribution.sh
+++ b/bin/hardening/99.99_check_distribution.sh
@ -0,0 +1,65 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# OVH Security audit
+#
+
+#
+# 99.99 Ensure that the distribution version is debian and that the version is 9 or 10
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=1
+# shellcheck disable=2034
+DESCRIPTION="Check the distribution and the distribution version"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    if [ "$DISTRIBUTION" != "debian" ]; then
+        crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
+    else
+        if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+            crit "Your distribution is too recent and is not yet supported."
+        elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
+            crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."
+        else
+            ok "Your distribution is debian and the version is supported"
+
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    echo "Reporting only here, upgrade your debian version to a supported version if you're on debian"
+    echo "If you use another distribution, consider applying rules corresponding with your distribution available at https://www.cisecurity.org/"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi