elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-14 21:02:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

chore: drop debian 10 and below support (#264)

Browse Source 
Currently, the only LTS Debian are 11 and 12
We only support CIS for LTS debian

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
This commit is contained in:
damcav35
2025-07-04 14:18:56 +02:00
committed by GitHub
parent f2c6f36b94
commit ab0dba9f95
18 changed files with 32 additions and 156 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.github/workflows/functionnal-tests.yml vendored
View File

@ -4,13 +4,6 @@ on:
- pull_request - pull_request
- push - push
jobs: jobs:
functionnal-tests-docker-debian10:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Run the tests debian10
run: ./tests/docker_build_and_run_tests.sh debian10
functionnal-tests-docker-debian11: functionnal-tests-docker-debian11:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:

4
MANUAL.md
View File

@ -4,7 +4,7 @@
# NAME # NAME
cis-hardening - CIS Debian 10/11/12 Hardening cis-hardening - CIS Debian 11/12 Hardening
# SYNOPSIS # SYNOPSIS
@ -12,7 +12,7 @@ cis-hardening - CIS Debian 10/11/12 Hardening
# DESCRIPTION # DESCRIPTION
Modular Debian 10/11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations. Modular Debian 11/12 security hardening scripts based on the CIS (https://www.cisecurity.org) recommendations.
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure. We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.

6
README.md
View File

@ -1,4 +1,4 @@
# :lock: CIS Debian 10/11/12 Hardening # :lock: CIS Debian 11/12 Hardening
<p align="center"> <p align="center">
@ -13,7 +13,7 @@
![License](https://img.shields.io/github/license/ovh/debian-cis) ![License](https://img.shields.io/github/license/ovh/debian-cis)
--- ---
Modular Debian 10/11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org) Modular Debian 11/12 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure. recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts NB : Although Debian 12 CIS Hardening guide is still in development, we do use this set of scripts
@ -174,7 +174,7 @@ Functional tests are available. They are to be run in a Docker environment.
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...] $ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
``` ```
With `target` being like `debian10` or `debian11`. With `target` being like `debian11` or `debian12`.
Running without script arguments will run all tests in `./tests/hardening/` directory. Running without script arguments will run all tests in `./tests/hardening/` directory.
Or you can specify one or several test script to be run. Or you can specify one or several test script to be run.

2
bin/hardening.sh
View File

@ -254,7 +254,7 @@ if [ "$DISTRIBUTION" != "debian" ]; then
echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg" echo "You can deactivate this message by setting the LOGLEVEL variable in /etc/hardening.cfg"
fi fi
else else
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet." echo "Your debian version is too recent and is not supported yet because there is no official CIS PDF for this version yet."
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution" echo "If you want to run it anyway, you can use the flag --allow-unsupported-distribution"

12
bin/hardening/acc_logindefs_sha512.sh
View File

@ -59,17 +59,9 @@ check_config() {
: :
} }
# As we use DEB_MAJ_VER, which is set by constants.sh, itself sourced by main.sh below,
# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
_set_vars_jit() { _set_vars_jit() {
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)" CONF_LINE="ENCRYPT_METHOD YESCRYPT"
CONF_LINE="ENCRYPT_METHOD YESCRYPT"
else
CONF_LINE_REGEX="ENCRYPT_METHOD SHA512"
CONF_LINE="ENCRYPT_METHOD SHA512"
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

12
bin/hardening/acc_pam_sha512.sh
View File

@ -49,11 +49,7 @@ apply() {
ok "$CONF_LINE is present in $CONF_FILE" ok "$CONF_LINE is present in $CONF_FILE"
else else
warn "$CONF_LINE is not present in $CONF_FILE" warn "$CONF_LINE is not present in $CONF_FILE"
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
else
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
fi
fi fi
fi fi
} }
@ -67,11 +63,7 @@ check_config() {
# We need to call this in the subs called by main.sh when it is sourced, otherwise it would # We need to call this in the subs called by main.sh when it is sourced, otherwise it would
# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run) # either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
_set_vars_jit() { _set_vars_jit() {
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
else
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

8
bin/hardening/acc_shadow_sha512.sh
View File

@ -37,7 +37,7 @@ audit() {
pw_found+="$user " pw_found+="$user "
ok "User $user has a disabled password." ok "User $user has a disabled password."
# yescrypt: Check password against $y$<salt>$<base64> # yescrypt: Check password against $y$<salt>$<base64>
elif [ "$DEB_MAJ_VER" -ge "11" ] && [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then elif [[ $passwd =~ ^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43} ]]; then
pw_found+="$user " pw_found+="$user "
ok "User $user has suitable yescrypt hashed password." ok "User $user has suitable yescrypt hashed password."
# sha512: Check password against $6$<salt>$<base64>, see `man 3 crypt` # sha512: Check password against $6$<salt>$<base64>, see `man 3 crypt`
@ -46,11 +46,7 @@ audit() {
ok "User $user has suitable sha512crypt hashed password." ok "User $user has suitable sha512crypt hashed password."
else else
pw_found+="$user " pw_found+="$user "
if [ "$DEB_MAJ_VER" -ge "11" ]; then crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
crit "User $user has a password that is not sha512crypt nor yescrypt hashed."
else
crit "User $user has a password that is not sha512crypt hashed."
fi
fi fi
done done
if [[ -z "$users_reviewed" ]]; then if [[ -z "$users_reviewed" ]]; then

4
bin/hardening/check_distribution.sh
View File

@ -6,7 +6,7 @@
# #
# #
# Ensure that the distribution version is debian and that the version is 9 or 10 # Ensure that the distribution version is debian and supported
# #
set -e # One error, it's over set -e # One error, it's over
@ -22,7 +22,7 @@ audit() {
if [ "$DISTRIBUTION" != "debian" ]; then if [ "$DISTRIBUTION" != "debian" ]; then
crit "Your distribution has been identified as $DISTRIBUTION which is not debian" crit "Your distribution has been identified as $DISTRIBUTION which is not debian"
else else
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then if [ "$DEB_MAJ_VER" -gt "$HIGHEST_SUPPORTED_DEBIAN_VERSION" ]; then
crit "Your distribution is too recent and is not yet supported." crit "Your distribution is too recent and is not yet supported."
elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then elif [ "$DEB_MAJ_VER" -lt "$SMALLEST_SUPPORTED_DEBIAN_VERSION" ]; then
crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version." crit "Your distribution is debian but is deprecated. Consider upgrading to a supported version."

13
bin/hardening/enable_lockout_failed_password.sh
View File

@ -59,23 +59,14 @@ apply() {
ok "$PATTERN_AUTH is present in $FILE_AUTH" ok "$PATTERN_AUTH is present in $FILE_AUTH"
else else
warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it" warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
if [ 10 -ge "$DEB_MAJ_VER" ]; then add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
add_line_file_before_pattern "$FILE_AUTH" "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
else
add_line_file_before_pattern "$FILE_AUTH" "auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
fi
fi fi
does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT" does_pattern_exist_in_file "$FILE_ACCOUNT" "$PATTERN_ACCOUNT"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT" ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
else else
warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it" warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
if [ 10 -ge "$DEB_MAJ_VER" ]; then add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_tally2.so" "# pam-auth-update(8) for details."
else
add_line_file_before_pattern "$FILE_ACCOUNT" "account required pam_faillock.so" "# pam-auth-update(8) for details."
fi
fi fi
} }

9
bin/hardening/ssh_cry_kex.sh
View File

@ -73,14 +73,7 @@ apply() {
} }
create_config() { create_config() {
set +u KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
debug "Debian version : $DEB_MAJ_VER "
if [[ "$DEB_MAJ_VER" -le 7 ]]; then
KEX='diffie-hellman-group-exchange-sha256'
else
KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
fi
set -u
cat <<EOF cat <<EOF
status=audit status=audit
# Put your KexAlgorithms # Put your KexAlgorithms

6
bin/hardening/ssh_cry_rekey.sh
View File

@ -30,11 +30,7 @@ audit() {
crit "Cannot get Debian version. Aborting..." crit "Cannot get Debian version. Aborting..."
return return
fi fi
if [[ "${DEB_MAJ_VER}" != "sid" ]] && [[ "${DEB_MAJ_VER}" -lt "8" ]]; then
set -u
warn "Debian version too old (${DEB_MAJ_VER}), check does not apply, you should disable this check."
return
fi
set -u set -u
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then

9
debian/changelog vendored
View File

@ -1,3 +1,12 @@
cis-hardening (4.1-5) unstable; urgency=medium
* drop debian10 and below support
* fix: ipv6_is_enabled (#251)
* fix: record_mac_edit.sh (#195)
* add --set-version to manage multiple cis versions in the future
-- Damien Cavagnini <damien.cavagnini@ovhcloud.com> Fri, 04 Jul 2025 10:27:18 +0200
cis-hardening (4.1-4) unstable; urgency=medium cis-hardening (4.1-4) unstable; urgency=medium
* allow multiple users in 5.2.18 (#228) * allow multiple users in 5.2.18 (#228)

4
debian/cis-hardening.8 vendored
View File

@ -4,13 +4,13 @@
.hy .hy
.SH NAME .SH NAME
.PP .PP
cis-hardening - CIS Debian 10/11/12 Hardening cis-hardening - CIS Debian 11/12 Hardening
.SH SYNOPSIS .SH SYNOPSIS
.PP .PP
\f[B]hardening.sh\f[R] RUN_MODE OPTIONS \f[B]hardening.sh\f[R] RUN_MODE OPTIONS
.SH DESCRIPTION .SH DESCRIPTION
.PP .PP
Modular Debian 10/11/12 security hardening scripts based on the CIS Modular Debian 11/12 security hardening scripts based on the CIS
(https://www.cisecurity.org) recommendations. (https://www.cisecurity.org) recommendations.
.PP .PP
We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS We use it at OVHcloud (https://www.ovhcloud.com) to harden our PCI-DSS

2
lib/constants.sh
View File

@ -57,6 +57,6 @@ get_distribution
get_debian_major_version get_debian_major_version
# shellcheck disable=SC2034 # shellcheck disable=SC2034
SMALLEST_SUPPORTED_DEBIAN_VERSION=10 SMALLEST_SUPPORTED_DEBIAN_VERSION=11
# shellcheck disable=SC2034 # shellcheck disable=SC2034
HIGHEST_SUPPORTED_DEBIAN_VERSION=12 HIGHEST_SUPPORTED_DEBIAN_VERSION=12

6
lib/utils.sh
View File

@ -572,11 +572,7 @@ get_debian_major_version() {
DEB_MAJ_VER="" DEB_MAJ_VER=""
does_file_exist /etc/debian_version does_file_exist /etc/debian_version
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
if grep -q "sid" /etc/debian_version; then DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
DEB_MAJ_VER="sid"
else
DEB_MAJ_VER=$(cut -d '.' -f1 /etc/debian_version)
fi
else else
# shellcheck disable=2034 # shellcheck disable=2034
DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1) DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1)

22
tests/docker/Dockerfile.debian10
View File

@ -1,22 +0,0 @@
FROM debian:buster
LABEL vendor="OVH"
LABEL project="debian-cis"
LABEL url="https://github.com/ovh/debian-cis"
LABEL description="This image is used to run tests"
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
COPY --chown=500:500 . /opt/debian-cis/
COPY debian/default /etc/default/cis-hardening
RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
COPY cisharden.sudoers /etc/sudoers.d/secaudit
RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]

31
tests/hardening/acc_logindefs_sha512.sh
View File

@ -36,35 +36,4 @@ test_audit() {
register_test contain "is present in /etc/login.defs" register_test contain "is present in /etc/login.defs"
run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# DEB_MAJ_VER cannot be overwritten here;
# therefore we need to trick get_debian_major_version
ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
echo "sid" >/etc/debian_version
describe Running on blank host as sid
register_test retvalshouldbe 0
register_test contain "(SHA512|yescrypt|YESCRYPT)"
# shellcheck disable=2154
run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
cp /etc/login.defs /tmp/login.defs.bak
sed -ir 's/ENCRYPT_METHOD[[:space:]]\+.*/ENCRYPT_METHOD MD5/' /etc/login.defs
describe Fail: wrong hash function configuration as sid
register_test retvalshouldbe 1
register_test contain "(SHA512|yescrypt|YESCRYPT)"
run wrongconfsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correcting situation as sid
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" || true
describe Checking resolved state as sid
register_test retvalshouldbe 0
register_test contain "(SHA512|yescrypt|YESCRYPT)"
run sha512passsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
unset ORIGINAL_DEB_VER
} }

31
tests/hardening/acc_pam_sha512.sh
View File

@ -21,35 +21,6 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "is present in /etc/pam.d/common-password" register_test contain "is present in /etc/pam.d/common-password"
run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# DEB_MAJ_VER cannot be overwritten here;
# therefore we need to trick get_debian_major_version
ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
echo "sid" >/etc/debian_version
describe Running on blank host as sid
register_test retvalshouldbe 0
register_test contain "(sha512|yescrypt)"
run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Tests purposely failing as sid
sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password" # Debian 10
sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
register_test retvalshouldbe 1
register_test contain "is not present"
run noncompliantsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation as sid
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state as sid
register_test retvalshouldbe 0
register_test contain "is present in /etc/pam.d/common-password"
run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
unset ORIGINAL_DEB_VER
} }