From ab0dba9f954a9119f17968c8e893a0eb9eefd809 Mon Sep 17 00:00:00 2001 From: damcav35 <51324122+damcav35@users.noreply.github.com> Date: Fri, 4 Jul 2025 14:18:56 +0200 Subject: [PATCH] chore: drop debian 10 and below support (#264) Currently, the only LTS Debian are 11 and 12 We only support CIS for LTS debian Co-authored-by: Damien Cavagnini --- .github/workflows/functionnal-tests.yml | 7 ----- MANUAL.md | 4 +-- README.md | 6 ++-- bin/hardening.sh | 2 +- bin/hardening/acc_logindefs_sha512.sh | 12 ++----- bin/hardening/acc_pam_sha512.sh | 12 ++----- bin/hardening/acc_shadow_sha512.sh | 8 ++--- bin/hardening/check_distribution.sh | 4 +-- .../enable_lockout_failed_password.sh | 13 ++------ bin/hardening/ssh_cry_kex.sh | 9 +----- bin/hardening/ssh_cry_rekey.sh | 6 +--- debian/changelog | 9 ++++++ debian/cis-hardening.8 | 4 +-- lib/constants.sh | 2 +- lib/utils.sh | 6 +--- tests/docker/Dockerfile.debian10 | 22 ------------- tests/hardening/acc_logindefs_sha512.sh | 31 ------------------- tests/hardening/acc_pam_sha512.sh | 31 +------------------ 18 files changed, 32 insertions(+), 156 deletions(-) delete mode 100644 tests/docker/Dockerfile.debian10 diff --git a/.github/workflows/functionnal-tests.yml b/.github/workflows/functionnal-tests.yml index 9b745b3..51f7cd3 100644 --- a/.github/workflows/functionnal-tests.yml +++ b/.github/workflows/functionnal-tests.yml @@ -4,13 +4,6 @@ on: - pull_request - push jobs: - functionnal-tests-docker-debian10: - runs-on: ubuntu-latest - steps: - - name: Checkout repo - uses: actions/checkout@v4 - - name: Run the tests debian10 - run: ./tests/docker_build_and_run_tests.sh debian10 functionnal-tests-docker-debian11: runs-on: ubuntu-latest steps: diff --git a/MANUAL.md b/MANUAL.md index d336a8a..9ef73bb 100644 --- a/MANUAL.md +++ b/MANUAL.md @@ -4,7 +4,7 @@ # NAME -cis-hardening - CIS Debian 10/11/12 Hardening +cis-hardening - CIS Debian 11/12 Hardening # SYNOPSIS 
@@ -12,7 +12,7 @@ cis-hardening - CIS Debian 10/11/12 Hardening # DESCRIPTION -Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations. +Modular Debian 11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations. We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure. diff --git a/README.md b/README.md index 5ea0d3e..8b44bb6 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# :lock: CIS Debian 10/11/12 Hardening +# :lock: CIS Debian 11/12 Hardening

@@ -13,7 +13,7 @@ ![License](https://img.shields.io/github/license/ovh/debian-cis) --- -Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) +Modular Debian 11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure. NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts @@ -174,7 +174,7 @@ Functional tests are available. They are to be run in a Docker environment. $ ./tests/docker_build_and_run_tests.sh [name of test script...] ``` -With `target` being like `debian10` or `debian11`. +With `target` being like `debian11` or `debian12`. Running without script arguments will run all tests in `./tests/hardening/` directory. Or you can specify one or several test script to be run. diff --git a/bin/hardening.sh b/bin/hardening.sh index ce4e257..31d72ea 100755 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -254,7 +254,7 @@ if [ "$DISTRIBUTION" != "debian" ]; then echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg" fi else - if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then + if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet." if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution" diff --git a/bin/hardening/acc_logindefs_sha512.sh b/bin/hardening/acc_logindefs_sha512.sh index 263dccb..8e344ab 100755 --- a/bin/hardening/acc_logindefs_sha512.sh +++ b/bin/hardening/acc_logindefs_sha512.sh 
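Review bot: Dropping the `"$DEB_MAJ_VER" = "sid"` test leaves the new `if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then` in bin/hardening.sh with no handling for a non-numeric DEB_MAJ_VER, while the lib/utils.sh hunk of this same commit removes the only code that mapped `sid` to a sentinel, so `DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)` on testing/unstable yields a `<codename>/sid` string and `[ … -gt … ]` fails with "integer expression expected" (status 2, treated as false), presumably falling through to the supported-version branch outside this hunk instead of refusing the run. The same gap is in the bin/hardening/check_distribution.sh hunk (`@@ -22,7 +22,7 @@`), whose `-lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION"` test would fail the same way. A guard such as `if ! [[ "$DEB_MAJ_VER" =~ ^[0-9]+$ ]] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then` (the `[[ =~ ]]` form acc_shadow_sha512.sh already uses) keeps the "too recent" refusal for sid, or get_debian_major_version could validate that the value is an integer before the callers compare it. The enclosing if/else in hardening.sh starts and ends outside the hunk.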
@@ -59,17 +59,9 @@ check_config() { : } -# As we use DEB_MAJ_VER, which is set by constants.sh, itself sourced by main.sh below, -# We need to call this in the subs called by main.sh when it is sourced, otherwise it would -# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run) _set_vars_jit() { - if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then - CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)" - CONF_LINE="ENCRYPT_METHOD YESCRYPT" - else - CONF_LINE_REGEX="ENCRYPT_METHOD SHA512" - CONF_LINE="ENCRYPT_METHOD SHA512" - fi + CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)" + CONF_LINE="ENCRYPT_METHOD YESCRYPT" } # Source Root Dir Parameter diff --git a/bin/hardening/acc_pam_sha512.sh b/bin/hardening/acc_pam_sha512.sh index e0b788a..99a5cff 100755 --- a/bin/hardening/acc_pam_sha512.sh +++ b/bin/hardening/acc_pam_sha512.sh @@ -49,11 +49,7 @@ apply() { ok "$CONF_LINE is present in $CONF_FILE" else warn "$CONF_LINE is not present in $CONF_FILE" - if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then - add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details." - else - add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details." - fi + add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details." fi fi } 
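Review bot: With the DEB_MAJ_VER branch gone, `_set_vars_jit` in bin/hardening/acc_logindefs_sha512.sh is now two constant assignments, and the comment that explained why they had to be set just-in-time was deleted with it, so the remaining indirection is left unexplained. If main.sh still calls the hook, keep it but say why, e.g. `# Hook called by main.sh before the check runs; kept for that contract even though the values are now constant.`; otherwise `CONF_LINE_REGEX` and `CONF_LINE` could be plain top-level assignments like the other CONF_ variables. The function is fully contained in the hunk.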
@@ -67,11 +63,7 @@ check_config() { # We need to call this in the subs called by main.sh when it is sourced, otherwise it would # either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run) _set_vars_jit() { - if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then - CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158 - else - CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512" - fi + CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158 } # Source Root Dir Parameter diff --git a/bin/hardening/acc_shadow_sha512.sh b/bin/hardening/acc_shadow_sha512.sh index 3519094..0366cc1 100755 --- a/bin/hardening/acc_shadow_sha512.sh +++ b/bin/hardening/acc_shadow_sha512.sh @@ -37,7 +37,7 @@ audit() { pw_found+="$user " ok "User $user has a disabled password." # yescrypt: Check password against $y$$ - elif [ "$DEB_MAJ_VER" -ge "11" ] && [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then + elif [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then pw_found+="$user " ok "User $user has suitable yescrypt hashed password." # sha512: Check password against $6$$, see `man 3 crypt` @@ -46,11 +46,7 @@ audit() { ok "User $user has suitable sha512crypt hashed password." else pw_found+="$user " - if [ "$DEB_MAJ_VER" -ge "11" ]; then - crit "User $user has a password that is not sha512crypt nor yescrypt hashed." - else - crit "User $user has a password that is not sha512crypt hashed." - fi + crit "User $user has a password that is not sha512crypt nor yescrypt hashed." fi done if [[ -z "$users_reviewed" ]]; then diff --git a/bin/hardening/check_distribution.sh b/bin/hardening/check_distribution.sh index d4c7b2f..ada4029 100755 --- a/bin/hardening/check_distribution.sh +++ b/bin/hardening/check_distribution.sh 
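Review bot: The context comment lines above the new `CONF_LINE=` assignment in bin/hardening/acc_pam_sha512.sh still state that the function must run just-in-time because DEB_MAJ_VER would otherwise not be defined yet, but this hunk removes the only read of DEB_MAJ_VER, so the comment now describes a constraint that no longer exists (the acc_logindefs_sha512.sh hunk of this commit deletes its matching comment). Either drop those comment lines or replace them with `# Hook called by main.sh; the value is now constant.` so the two scripts stay consistent. The first line of that comment block is outside the hunk.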
@@ -6,7 +6,7 @@ # # -# Ensure that the distribution version is debian and that the version is 9 or 10 +# Ensure that the distribution version is debian and supported # set -e # One error, it's over @@ -22,7 +22,7 @@ audit() { if [ "$DISTRIBUTION" != "debian" ]; then crit "Your distribution has been identified as $DISTRIBUTION which is not debian" else - if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then + if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then crit "Your distribution is too recent and is not yet supported." elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version." diff --git a/bin/hardening/enable_lockout_failed_password.sh b/bin/hardening/enable_lockout_failed_password.sh index d8dabf5..fb256d4 100755 --- a/bin/hardening/enable_lockout_failed_password.sh +++ b/bin/hardening/enable_lockout_failed_password.sh 
@@ -59,23 +59,14 @@ apply() { ok "$PATTERN_AUTH is present in $FILE_AUTH" else warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it" - if [ 10 -ge "$DEB_MAJ_VER" ]; then - add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details." - else - add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details." - fi + add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details." fi does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT" if [ "$FNRET" = 0 ]; then ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT" else warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it" - if [ 10 -ge "$DEB_MAJ_VER" ]; then - add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally2.so" "# pam-auth-update(8) for details." - else - add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details." - fi - + add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details." fi } diff --git a/bin/hardening/ssh_cry_kex.sh b/bin/hardening/ssh_cry_kex.sh index 272f1b3..01b6f6a 100755 --- a/bin/hardening/ssh_cry_kex.sh +++ b/bin/hardening/ssh_cry_kex.sh 
@@ -73,14 +73,7 @@ apply() { } create_config() { - set +u - debug "Debian version : $DEB_MAJ_VER " - if [[ "$DEB_MAJ_VER" -le 7 ]]; then - KEX='diffie-hellman-group-exchange-sha256' - else - KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' - fi - set -u + KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' cat < Fri, 04 Jul 2025 10:27:18 +0200 + cis-hardening (4.1-4) unstable; urgency=medium * allow multiple users in 5.2.18 (#228) diff --git a/debian/cis-hardening.8 b/debian/cis-hardening.8 index 1fcf7e4..40ecdda 100644 --- a/debian/cis-hardening.8 +++ b/debian/cis-hardening.8 @@ -4,13 +4,13 @@ .hy .SH NAME .PP -cis-hardening - CIS Debian 10/11/12 Hardening +cis-hardening - CIS Debian 11/12 Hardening .SH SYNOPSIS .PP \f[B]hardening.sh\f[R] RUN_MODE OPTIONS .SH DESCRIPTION .PP -Modular Debian 10/11/12 security hardening scripts based on the CIS +Modular Debian 11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations. .PP We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS diff --git a/lib/constants.sh b/lib/constants.sh index 6a77a9d..bd623bb 100644 --- a/lib/constants.sh +++ b/lib/constants.sh @@ -57,6 +57,6 @@ get_distribution get_debian_major_version # shellcheck disable=SC2034 -SMALLEST_SUPPORTED_DEBIAN_VERSION=10 +SMALLEST_SUPPORTED_DEBIAN_VERSION=11 # shellcheck disable=SC2034 HIGHEST_SUPPORTED_DEBIAN_VERSION=12 diff --git a/lib/utils.sh b/lib/utils.sh index b805cd7..8e78d19 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
@@ -572,11 +572,7 @@ get_debian_major_version() { DEB_MAJ_VER="" does_file_exist /etc/debian_version if [ "$FNRET" = 0 ]; then - if grep -q "sid" /etc/debian_version; then - DEB_MAJ_VER="sid" - else - DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version) - fi + DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version) else # shellcheck disable=2034 DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1) diff --git a/tests/docker/Dockerfile.debian10 b/tests/docker/Dockerfile.debian10 deleted file mode 100644 index a0da842..0000000 --- a/tests/docker/Dockerfile.debian10 +++ /dev/null @@ -1,22 +0,0 @@ -FROM debian:buster - -LABEL vendor="OVH" -LABEL project="debian-cis" -LABEL url="https://github.com/ovh/debian-cis" -LABEL description="This image is used to run tests" - -RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit - -RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd - -COPY --chown=500:500 . /opt/debian-cis/ - -COPY debian/default /etc/default/cis-hardening -RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening - -COPY cisharden.sudoers /etc/sudoers.d/secaudit -RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit - - -ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"] - diff --git a/tests/hardening/acc_logindefs_sha512.sh b/tests/hardening/acc_logindefs_sha512.sh index a71b650..f22ed03 100644 --- a/tests/hardening/acc_logindefs_sha512.sh +++ b/tests/hardening/acc_logindefs_sha512.sh 
@@ -36,35 +36,4 @@ test_audit() { register_test contain "is present in /etc/login.defs" run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all - # DEB_MAJ_VER cannot be overwritten here; - # therefore we need to trick get_debian_major_version - ORIGINAL_DEB_VER="$(cat /etc/debian_version)" - echo "sid" >/etc/debian_version - - describe Running on blank host as sid - register_test retvalshouldbe 0 - register_test contain "(SHA512|yescrypt|YESCRYPT)" - # shellcheck disable=2154 - run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all - - cp /etc/login.defs /tmp/login.defs.bak - sed -ir 's/ENCRYPT_METHOD[[:space:]]\+.*/ENCRYPT_METHOD MD5/' /etc/login.defs - - describe Fail: wrong hash function configuration as sid - register_test retvalshouldbe 1 - register_test contain "(SHA512|yescrypt|YESCRYPT)" - run wrongconfsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all - - describe Correcting situation as sid - sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg" - "${CIS_CHECKS_DIR}/${script}.sh" || true - - describe Checking resolved state as sid - register_test retvalshouldbe 0 - register_test contain "(SHA512|yescrypt|YESCRYPT)" - run sha512passsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all - - # Cleanup - echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version - unset ORIGINAL_DEB_VER } diff --git a/tests/hardening/acc_pam_sha512.sh b/tests/hardening/acc_pam_sha512.sh index f2c530e..0f5e392 100644 --- a/tests/hardening/acc_pam_sha512.sh +++ b/tests/hardening/acc_pam_sha512.sh 
@@ -21,35 +21,6 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 register_test contain "is present in /etc/pam.d/common-password" - run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all - # DEB_MAJ_VER cannot be overwritten here; - # therefore we need to trick get_debian_major_version - ORIGINAL_DEB_VER="$(cat /etc/debian_version)" - echo "sid" >/etc/debian_version - - describe Running on blank host as sid - register_test retvalshouldbe 0 - register_test contain "(sha512|yescrypt)" - run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all - - describe Tests purposely failing as sid - sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password" # Debian 10 - sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+ - register_test retvalshouldbe 1 - register_test contain "is not present" - run noncompliantsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all - - describe correcting situation as sid - sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg" - "${CIS_CHECKS_DIR}/${script}.sh" --apply || true - - describe Checking resolved state as sid - register_test retvalshouldbe 0 - register_test contain "is present in /etc/pam.d/common-password" - run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all - - # Cleanup - echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version - unset ORIGINAL_DEB_VER }