feat: add new checks for debian12

systemd_timesyncd_is_enabled_and_running.sh	-> 2.3.2.2
rpcbind_is_disabled.sh				-> 2.1.12
ftp_client_not_installed.sh			-> 2.2.6
chrony_with_chrony_user.sh			-> 2.3.3.2
ipv6_is_enabled.sh				-> 3.1.1

bin/hardening/chrony_with_chrony_user.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure chrony is running as user _chrony (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure chrony is running as user _chrony"
+FILE='/etc/chrony/chrony.conf'
+CHRONY_USER="_chrony"
+USER_PATTERN="^user"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    CHRONY_USER_VALID=0
+
+    local running_user=""
+    running_user=$($SUDO_CMD ps -ef | awk '/[c]hronyd/ { print $1 }')
+    if [ -z "$running_user" ]; then
+        CHRONY_USER_VALID=1
+        crit "chrony is not running"
+    elif [[ "$running_user" != "$CHRONY_USER" ]]; then
+        CHRONY_USER_VALID=1
+        crit "chrony is running as root"
+    else
+        ok "chrony is running as $CHRONY_USER"
+    fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    audit
+
+    if [ "$CHRONY_USER_VALID" -ne 0 ]; then
+        does_pattern_exist_in_file "$FILE" "$USER_PATTERN"
+        if [ "$FNRET" -eq 0 ]; then
+            sed -i '/'$USER_PATTERN'/d' "$FILE"
+        fi
+
+        add_end_of_file "$FILE" "user $CHRONY_USER"
+        info "$FILE modified, please restart the service"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/disable_nfs_rpc.sh

@@ -19,7 +19,7 @@ DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
 # shellcheck disable=2034
 HARDENING_EXCEPTION=nfs
 
-PACKAGES='rpcbind nfs-kernel-server'
+PACKAGES='nfs-kernel-server'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {

bin/hardening/ftp_client_not_installed.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure ftp client is not installed (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure ftp client is not installed"
+PACKAGE='ftp'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    # 0 means true in bash
+    PACKAGE_INSTALLED=1
+
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" -eq 0 ]; then
+        # var will be reused in 'apply'
+        PACKAGE_INSTALLED=0
+        crit "$PACKAGE is installed"
+    else
+        ok "$PACKAGE is not installed"
+    fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    audit
+    if [ "$PACKAGE_INSTALLED" -eq 0 ]; then
+        apt remove -y "$PACKAGE"
+        apt purge -y "$PACKAGE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/ipv6_is_enabled.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure IPv6 status is identified (Manual)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure IPv6 status is identified"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_ipv6_enabled
+    if [ "$FNRET" -eq 0 ]; then
+        ok "ipv6 is enabled"
+    else
+        crit "ipv6 is disabled"
+    fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    info "Enable or disable manually IPv6 in accordance with system requirements and local site policy"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/network_services_listening.sh

@@ -24,11 +24,12 @@ EXCEPTIONS=""
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    local is_valid=0
+    # shellcheck disable=2162
     while read i; do
         socket=$(echo "$i" | awk '{print $5}')
         proc=$(echo "$i" | awk '{print $7}' | awk -F ',' '{print $1}' | sed 's/users:((//')
-        [ -n "$socket" ] && info -e "$proc listening on \t$socket"
+        if [ -n "$socket" ]; then
+            info -e "$proc listening on \t$socket"
 
             # output example :
             # "ntpd" listening on 	127.0.0.1:123
@@ -39,6 +40,7 @@ audit() {
             else
                 crit "$socket" is not an exception
             fi
+        fi
 
     done <<<"$($SUDO_CMD ss -plntuH)"
 

bin/hardening/rpcbind_is_disabled.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure rpcbind services are not in use (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure rpcbind services are not in use."
+PACKAGE='rpcbind'
+SERVICE="rpcbind.service"
+SOCKET="rpcbind.socket"
+
+# 2 scenario here:
+# - rcpbind is a dependency for another package -> disable the service, disable the socket
+# - rpcbind is not a dependency for another package -> remove the package
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    # 0 means true in bash
+    PACKAGE_INSTALLED=1
+    PACKAGE_IS_DEPENDENCY=1
+    SERVICE_ENABLED=1
+    SOCKET_ENABLED=1
+
+    is_pkg_installed "$PACKAGE"
+    [ "$FNRET" = 0 ] && PACKAGE_INSTALLED=0 # 0 means true in bash
+
+    is_pkg_a_dependency "$PACKAGE"
+    # dnsmasq is installed with dnsmasq-base, which
+    [ "$FNRET" = 0 ] && PACKAGE_IS_DEPENDENCY=0
+
+    is_service_enabled "$SERVICE"
+    [ "$FNRET" = 0 ] && SERVICE_ENABLED=0
+
+    is_socket_enabled "$SOCKET"
+    [ "$FNRET" = 0 ] && SOCKET_ENABLED=0
+
+    if [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 1 ]; then
+        crit "$PACKAGE is installed and not a dependency"
+
+    elif [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 0 ]; then
+        local active=1
+        [ "$SERVICE_ENABLED" -eq 0 ] && active=0 && crit "$SERVICE is enabled" && active=0
+        [ "$SOCKET_ENABLED" -eq 0 ] && active=0 && crit "$SOCKET_ENABLED is enabled"
+
+        [ "$active" -eq 1 ] && ok "$PACKAGE is not used"
+
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    audit
+    if [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 1 ]; then
+        crit "$PACKAGE is installed and not a dependency, removing it"
+        apt_remove "$PACKAGE" -y
+        apt-get autoremove -y
+    elif [ "$PACKAGE_INSTALLED" -eq 0 ] && [ "$PACKAGE_IS_DEPENDENCY" -eq 0 ]; then
+        if [ "$SERVICE_ENABLED" -eq 0 ]; then
+            info "Stopping and masking $SERVICE"
+            systemctl stop "$SERVICE"
+            systemctl mask "$SERVICE"
+        fi
+
+        if [ "$SOCKET_ENABLED" -eq 0 ]; then
+            info "Stopping and masking $SOCKET"
+            systemctl stop "$SOCKET"
+            systemctl mask "$SOCKET"
+        fi
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/systemd_timesyncd_is_enabled_and_running.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure chrony is enabled and running (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Ensure chrony is enabled and running."
+PACKAGE="systemd-timesyncd"
+SERVICE="systemd-timesyncd.service"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    TIMESYNCD_INSTALLED=0
+    TIMESYNCD_ENABLED=0
+    TIMESYNCD_RUNNING=0
+
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" -ne 0 ]; then
+        TIMESYNCD_INSTALLED=1
+        crit "$PACKAGE is not installed"
+    fi
+    # no package, no need to check further
+    return
+
+    is_service_enabled "$SERVICE"
+    if [ "$FNRET" -ne 0 ]; then
+        TIMESYNCD_ENABLED=1
+        crit "$SERVICE is not enabled"
+    fi
+
+    is_service_active "$SERVICE"
+    if [ "$FNRET" -ne 0 ]; then
+        TIMESYNCD_RUNNING=1
+        crit "$SERVICE is not running"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    audit
+    if [ "$TIMESYNCD_INSTALLED" -eq 1 ]; then
+        warn "Please install $PACKAGE manually to ensure only one time synchronization system is installed"
+    fi
+
+    if [ "$TIMESYNCD_ENABLED" -eq 1 ]; then
+        info "Enabling $SERVICE service"
+        manage_service "enable" "$SERVICE"
+    fi
+
+    if [ "$TIMESYNCD_RUNNING" -eq 1 ]; then
+        info "Starting $SERVICE service"
+        manage_service "start" "$SERVICE"
+    fi
+
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_LIB_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "${CIS_LIB_DIR}"/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+    exit 128
+fi

bin/hardening/use_time_sync.sh

@@ -25,7 +25,7 @@ audit() {
     for PACKAGE in $PACKAGES; do
         is_pkg_installed "$PACKAGE"
         if [ "$FNRET" -eq 0 ]; then
-            let count=$((count + 1))
+            count=$(("$count" + 1))
         fi
     done
     if [ "$count" -eq 0 ]; then

cisharden.sudoers

@@ -25,6 +25,8 @@ Cmnd_Alias SCL_CMD =    /bin/grep ,\
                         /sbin/modprobe,\
                         /usr/sbin/modprobe -n -v*,\
                         /usr/sbin/apparmor_status,\
-                        /usr/bin/ss *
+                        /usr/bin/ss *,\
+                        /bin/ss *,\
+                        /usr/bin/ps *
 
 cisharden ALL = (root) NOPASSWD: SCL_CMD

debian/control

@@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/
 
 Package: cis-hardening
 Architecture: all
-Depends: ${misc:Depends}, patch, coreutils, iproute2
+Depends: ${misc:Depends}, patch, coreutils, iproute2, procps
 Description: Suite of configurable scripts to audit or harden a Debian.
  Modular Debian security hardening scripts based on cisecurity.org
  ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to

lib/utils.sh

@@ -326,6 +326,27 @@ is_service_enabled() {
     fi
 }
 
+is_socket_enabled() {
+    local SOCKET=$1
+
+    # if running in a container, it does not make much sense to test for systemd / service
+    # the var "IS_CONTAINER" defined in lib/constant may not be enough, in case we are using systemd slices
+    # currently, did not find a unified way to manage all cases, so we check this only for systemctl usage
+    is_using_sbin_init
+    if [ "$FNRET" -eq 1 ]; then
+        debug "host was not started using '/sbin/init', systemd should not be available"
+        FNRET=1
+        return
+    fi
+    if $SUDO_CMD systemctl -t socket is-enabled "$SOCKET" >/dev/null; then
+        debug "Socket $SOCKET is enabled"
+        FNRET=0
+    else
+        debug "Socket $SOCKET is disabled"
+        FNRET=1
+    fi
+}
+
 #
 # Kernel Options checks
 #

tests/docker/Dockerfile.debian11

@@ -7,7 +7,7 @@ LABEL description="This image is used to run tests"
 
 RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2 procps
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/docker/Dockerfile.debian12

@@ -7,7 +7,7 @@ LABEL description="This image is used to run tests"
 
 RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd cron iproute2 procps
 
 COPY --chown=500:500 . /opt/debian-cis/
 

tests/hardening/chrony_is_enabled_and_running.sh

@@ -11,6 +11,7 @@ test_audit() {
     # not much to test here, we are running in a container, we wont check service state
     describe Checking blank host
     register_test retvalshouldbe 0
+    # shellcheck disable=2154
     run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
     apt remove -y chrony

tests/hardening/chrony_with_chrony_user.sh

@@ -0,0 +1,29 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe prepare failing test
+    apt install -y chrony
+    echo "user root" >>/etc/chrony/chrony.conf
+    /usr/sbin/chronyd -Ux
+
+    describe On purpose failing test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    pkill chronyd
+    /usr/sbin/chronyd -Ux
+
+    describe resolved test
+    register_test retvalshouldbe 0
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    pkill chronyd
+    apt remove chrony -y
+
+}

tests/hardening/ftp_client_not_installed.sh

@@ -0,0 +1,21 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe Prepare on purpose failed test
+    apt install -y ftp
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}

tests/hardening/ipv6_is_enabled.sh

@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+}

tests/hardening/rpcbind_is_disabled.sh

@@ -0,0 +1,36 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe Prepare on purpose failed test
+    apt install -y rpcbind
+    # running on a container, will can only test the package installation, not the service management
+
+    describe Running on purpose failed test
+    register_test retvalshouldbe 1
+    # shellcheck disable=2154
+    run failed "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
+    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe Prepare test package dependencies
+    # try to install a package that depends on 'rpcbind'
+    apt install -y rstatd
+    # running on a container, we can only test the package installation, not the service management
+
+    describe Running successfull test
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    describe clean installation
+    apt remove -y rpcbind rstatd
+    apt autoremove -y
+
+}

tests/hardening/systemd_timesyncd_is_enabled_and_running.sh

@@ -0,0 +1,20 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+
+    describe Ensure package is installed
+
+    # install dependencies
+    apt update
+    apt install -y systemd-timesyncd
+
+    # not much to test here, we are running in a container, we wont check service state
+    describe Checking blank host
+    register_test retvalshouldbe 0
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    apt remove -y systemd-timesyncd
+    apt autoremove -y
+
+}