chore: drop debian 10 and below support (#264)

Currently, the only LTS Debian are 11 and 12
We only support CIS for LTS debian

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>

.github/workflows/functionnal-tests.yml

@@ -4,13 +4,6 @@ on:
   - pull_request
   - push
 jobs:
-  functionnal-tests-docker-debian10:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v4
-      - name: Run the tests debian10
-        run: ./tests/docker_build_and_run_tests.sh debian10
   functionnal-tests-docker-debian11:
     runs-on: ubuntu-latest
     steps:

MANUAL.md

@@ -4,7 +4,7 @@
 
 # NAME
 
-cis-hardening - CIS Debian 10/11/12 Hardening
+cis-hardening - CIS Debian 11/12 Hardening
 
 # SYNOPSIS
 
@@ -12,7 +12,7 @@ cis-hardening - CIS Debian 10/11/12 Hardening
 
 # DESCRIPTION
 
-Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
+Modular Debian 11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
 
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 

README.md

@@ -1,4 +1,4 @@
-# :lock: CIS Debian 10/11/12 Hardening
+# :lock: CIS Debian 11/12 Hardening
 
 
 <p align="center">
@@ -13,7 +13,7 @@
 ![License](https://img.shields.io/github/license/ovh/debian-cis)
 ---
 
-Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
+Modular Debian 11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
 recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
 
 NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
@@ -174,7 +174,7 @@ Functional tests are available. They are to be run in a Docker environment.
 $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
 ```
 
-With `target` being like `debian10` or `debian11`.
+With `target` being like `debian11` or `debian12`.
 
 Running without script arguments will run all tests in `./tests/hardening/` directory.
 Or you can specify one or several test script to be run.

bin/hardening.sh

@@ -254,7 +254,7 @@ if [ "$DISTRIBUTION" != "debian" ]; then
         echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
     fi
 else
-    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+    if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
         echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
         if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
             echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"

bin/hardening/acc_logindefs_sha512.sh

@@ -59,17 +59,9 @@ check_config() {
     :
 }
 
-# As we use DEB_MAJ_VER, which is set by constants.sh, itself sourced by main.sh below,
-# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
-# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
 _set_vars_jit() {
-    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
-        CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
-        CONF_LINE="ENCRYPT_METHOD YESCRYPT"
-    else
-        CONF_LINE_REGEX="ENCRYPT_METHOD SHA512"
-        CONF_LINE="ENCRYPT_METHOD SHA512"
-    fi
+    CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
+    CONF_LINE="ENCRYPT_METHOD YESCRYPT"
 }
 
 # Source Root Dir Parameter

bin/hardening/acc_pam_sha512.sh

@@ -49,11 +49,7 @@ apply() {
             ok "$CONF_LINE is present in $CONF_FILE"
         else
             warn "$CONF_LINE is not present in $CONF_FILE"
-            if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
-                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
-            else
-                add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
-            fi
+            add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
         fi
     fi
 }
@@ -67,11 +63,7 @@ check_config() {
 # We need to call this in the subs called by main.sh when it is sourced, otherwise it would
 # either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
 _set_vars_jit() {
-    if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
-        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
-    else
-        CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
-    fi
+    CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
 }
 
 # Source Root Dir Parameter

bin/hardening/acc_shadow_sha512.sh

@@ -37,7 +37,7 @@ audit() {
             pw_found+="$user "
             ok "User $user has a disabled password."
         # yescrypt: Check password against $y$<salt>$<base64>
-        elif [ "$DEB_MAJ_VER" -ge "11" ] && [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
+        elif [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
             pw_found+="$user "
             ok "User $user has suitable yescrypt hashed password."
         # sha512: Check password against $6$<salt>$<base64>, see `man 3 crypt`
@@ -46,11 +46,7 @@ audit() {
             ok "User $user has suitable sha512crypt hashed password."
         else
             pw_found+="$user "
-            if [ "$DEB_MAJ_VER" -ge "11" ]; then
-                crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
-            else
-                crit "User $user has a password that is not sha512crypt hashed."
-            fi
+            crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
         fi
     done
     if [[ -z "$users_reviewed" ]]; then

bin/hardening/check_distribution.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure that the distribution version is debian and that the version is 9 or 10
+# Ensure that the distribution version is debian and supported
 #
 
 set -e # One error, it's over
@@ -22,7 +22,7 @@ audit() {
     if [ "$DISTRIBUTION" != "debian" ]; then
         crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
     else
-        if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
+        if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
             crit "Your distribution is too recent and is not yet supported."
         elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
             crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."

bin/hardening/enable_lockout_failed_password.sh

@@ -59,23 +59,14 @@ apply() {
         ok "$PATTERN_AUTH is present in $FILE_AUTH"
     else
         warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
-        if [ 10 -ge "$DEB_MAJ_VER" ]; then
-            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
-        else
-            add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
-        fi
+        add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
     fi
     does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT"
     if [ "$FNRET" = 0 ]; then
         ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
     else
         warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
-        if [ 10 -ge "$DEB_MAJ_VER" ]; then
-            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally2.so" "# pam-auth-update(8) for details."
-        else
-            add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
-        fi
-
+        add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
     fi
 }
 

bin/hardening/ssh_cry_kex.sh

@@ -73,14 +73,7 @@ apply() {
 }
 
 create_config() {
-    set +u
-    debug "Debian version : $DEB_MAJ_VER "
-    if [[ "$DEB_MAJ_VER" -le 7 ]]; then
-        KEX='diffie-hellman-group-exchange-sha256'
-    else
-        KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
-    fi
-    set -u
+    KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
     cat <<EOF
 status=audit
 # Put your KexAlgorithms

bin/hardening/ssh_cry_rekey.sh

@@ -30,11 +30,7 @@ audit() {
         crit "Cannot get Debian version. Aborting..."
         return
     fi
-    if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
-        set -u
-        warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
-        return
-    fi
+
     set -u
     is_pkg_installed "$PACKAGE"
     if [ "$FNRET" != 0 ]; then

debian/changelog

@@ -1,3 +1,12 @@
+cis-hardening (4.1-5) unstable; urgency=medium
+
+  * drop debian10 and below support
+  * fix: ipv6_is_enabled (#251)
+  * fix: record_mac_edit.sh (#195)
+  * add --set-version to manage multiple cis versions in the future
+
+ -- Damien Cavagnini <damien.cavagnini@ovhcloud.com>  Fri, 04 Jul 2025 10:27:18 +0200
+
 cis-hardening (4.1-4) unstable; urgency=medium
 
   * allow multiple users in 5.2.18 (#228)

debian/cis-hardening.8

@@ -4,13 +4,13 @@
 .hy
 .SH NAME
 .PP
-cis-hardening - CIS Debian 10/11/12 Hardening
+cis-hardening - CIS Debian 11/12 Hardening
 .SH SYNOPSIS
 .PP
 \f[B]hardening.sh\f[R] RUN_MODE OPTIONS
 .SH DESCRIPTION
 .PP
-Modular Debian 10/11/12 security hardening scripts based on the CIS
+Modular Debian 11/12 security hardening scripts based on the CIS
 (https://www.cisecurity.org) recommendations.
 .PP
 We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS

lib/constants.sh

@@ -57,6 +57,6 @@ get_distribution
 get_debian_major_version
 
 # shellcheck disable=SC2034
-SMALLEST_SUPPORTED_DEBIAN_VERSION=10
+SMALLEST_SUPPORTED_DEBIAN_VERSION=11
 # shellcheck disable=SC2034
 HIGHEST_SUPPORTED_DEBIAN_VERSION=12

lib/utils.sh

@@ -572,11 +572,7 @@ get_debian_major_version() {
     DEB_MAJ_VER=""
     does_file_exist /etc/debian_version
     if [ "$FNRET" = 0 ]; then
-        if grep -q "sid" /etc/debian_version; then
-            DEB_MAJ_VER="sid"
-        else
-            DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
-        fi
+        DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
     else
         # shellcheck disable=2034
         DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)

tests/docker/Dockerfile.debian10

@@ -1,22 +0,0 @@
-FROM debian:buster
-
-LABEL vendor="OVH"
-LABEL project="debian-cis"
-LABEL url="https://github.com/ovh/debian-cis"
-LABEL description="This image is used to run tests"
-
-RUN groupadd -g 500 secaudit && useradd  -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
-
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
-
-COPY --chown=500:500 . /opt/debian-cis/
-
-COPY debian/default /etc/default/cis-hardening
-RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
-
-COPY cisharden.sudoers /etc/sudoers.d/secaudit
-RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
-
-
-ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
-

tests/hardening/acc_logindefs_sha512.sh

@@ -36,35 +36,4 @@ test_audit() {
     register_test contain "is present in /etc/login.defs"
     run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
-    # DEB_MAJ_VER cannot be overwritten here;
-    # therefore we need to trick get_debian_major_version
-    ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
-    echo "sid" >/etc/debian_version
-
-    describe Running on blank host as sid
-    register_test retvalshouldbe 0
-    register_test contain "(SHA512|yescrypt|YESCRYPT)"
-    # shellcheck disable=2154
-    run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    cp /etc/login.defs /tmp/login.defs.bak
-    sed -ir 's/ENCRYPT_METHOD[[:space:]]\+.*/ENCRYPT_METHOD MD5/' /etc/login.defs
-
-    describe Fail: wrong hash function configuration as sid
-    register_test retvalshouldbe 1
-    register_test contain "(SHA512|yescrypt|YESCRYPT)"
-    run wrongconfsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    describe Correcting situation as sid
-    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
-    "${CIS_CHECKS_DIR}/${script}.sh" || true
-
-    describe Checking resolved state as sid
-    register_test retvalshouldbe 0
-    register_test contain "(SHA512|yescrypt|YESCRYPT)"
-    run sha512passsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    # Cleanup
-    echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
-    unset ORIGINAL_DEB_VER
 }

tests/hardening/acc_pam_sha512.sh

@@ -21,35 +21,6 @@ test_audit() {
     describe Checking resolved state
     register_test retvalshouldbe 0
     register_test contain "is present in /etc/pam.d/common-password"
-    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
-    # DEB_MAJ_VER cannot be overwritten here;
-    # therefore we need to trick get_debian_major_version
-    ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
-    echo "sid" >/etc/debian_version
-
-    describe Running on blank host as sid
-    register_test retvalshouldbe 0
-    register_test contain "(sha512|yescrypt)"
-    run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    describe Tests purposely failing as sid
-    sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password"   # Debian 10
-    sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
-    register_test retvalshouldbe 1
-    register_test contain "is not present"
-    run noncompliantsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    describe correcting situation as sid
-    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
-    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true
-
-    describe Checking resolved state as sid
-    register_test retvalshouldbe 0
-    register_test contain "is present in /etc/pam.d/common-password"
-    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
-    # Cleanup
-    echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
-    unset ORIGINAL_DEB_VER
 }