* feat: Officialize Debian 12 support
Functional tests now pass
CIS Benchmark PDF for Debian 12 is not out yet, but the hardening points checked
are still relevant in Debian 12.
OVHcloud is now using it in critical production, hence making it officially supported
---------
Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected
Add a supplementary check in case of partition not present in fstab
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0
After review, here are the notable changes:
- Harden /var/log more (noexec,nodev,nosuid)
- Harden /var/log/audit more (noexec,nodev,nosuid)
- Harden /home more (nosuid)
- Disable cramfs
- Fix 5.3.4_acc_pam_sha512.sh
- Deprecate Debian 9 and remove useless docker images
NB: more audit log rules have been introduced and will be inserted in the checks later
Fix #158
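The two preceding commits describe detecting a separate partition either from fstab or, when no fstab entry exists, from the runtime mount table, and then auditing mount options such as noexec, nodev and nosuid. The script below is an added example, not the project's own code: both tables are constructed samples embedded in the script, and the function names are illustrative (the project's lib/utils.sh uses its own).

```shell
#!/bin/sh
# Added example (not the project's own code): deciding whether a path is a
# separate partition, and auditing its mount options, from fstab and the
# runtime mount table. Both tables are constructed samples embedded below.

# Constructed /etc/fstab content.
FSTAB_SAMPLE='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111-aaaa  /          ext4  errors=remount-ro            0 1
UUID=2222-bbbb  /var/log   ext4  defaults,nodev,nosuid,noexec 0 2
UUID=3333-cccc  /home      ext4  defaults,nosuid              0 2
tmpfs           /tmp       tmpfs defaults,nodev,nosuid,noexec 0 0'

# Constructed runtime mount table in /proc/mounts format. /var/log/audit is
# mounted but has no fstab entry (the case the supplementary check covers).
MOUNTS_SAMPLE='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /var/log ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /var/log/audit ext4 rw,relatime 0 0'

# Return 0 if $1 is declared as a mount point in fstab; comment and blank lines
# are ignored so a commented-out entry does not count as a real one.
is_in_fstab() {
    printf '%s\n' "$FSTAB_SAMPLE" | awk -v mp="$1" '
        $1 !~ /^#/ && NF >= 2 && $2 == mp { found = 1 }
        END { exit !found }'
}

# Return 0 if $1 is currently mounted according to the runtime mount table.
is_mounted() {
    printf '%s\n' "$MOUNTS_SAMPLE" | awk -v mp="$1" '
        $2 == mp { found = 1 }
        END { exit !found }'
}

# A path is treated as a separate partition when fstab declares it or, failing
# that, when it is mounted at runtime.
is_a_partition() {
    is_in_fstab "$1" || is_mounted "$1"
}

# Return 0 if mount point $1 currently carries option $2. Options are compared
# as whole comma-separated tokens, so "nodev" does not match "nodevfoo".
has_mount_option() {
    printf '%s\n' "$MOUNTS_SAMPLE" | awk -v mp="$1" -v opt="$2" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit !found }'
}

# Report each expected option for a mount point; return 1 if any is missing.
audit_mount_options() {
    mp="$1"; shift
    rc=0
    for opt in "$@"; do
        if has_mount_option "$mp" "$opt"; then
            echo "OK   $mp has $opt"
        else
            echo "FAIL $mp is missing $opt"
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration run.
for mp in /var/log /var/log/audit /home /opt; do
    if is_a_partition "$mp"; then
        echo "$mp is a separate partition"
    else
        echo "$mp is NOT a separate partition"
    fi
done
audit_mount_options /var/log nodev nosuid noexec || true
audit_mount_options /home nodev nosuid noexec || true
```

On a real host the two sample variables would be replaced by the contents of /etc/fstab and /proc/mounts; the option comparison deliberately splits on commas so that a substring such as "dev" inside another option never produces a false pass.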
* fix: add filter to hfs
* fix is_kernel_option_enabled check
As the module in question could have dependencies which have been blacklisted as well, we need to make sure that the comparison only checks for the module in question: the last line in the output.
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
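To make the point of the fix above concrete, here is an added example (not the project's is_kernel_option_enabled code) that compares the old "any line" test with the corrected "last line only" test on constructed dry-run output. It assumes that `modprobe -n -v MOD` lists what it would do for each dependency first and for MOD itself last, and that a blacklisted module shows up as an `install /bin/true` (or `/bin/false`) line; module and path names are made up.

```shell
#!/bin/sh
# Added example (not the project's own code) of why only the LAST line of the
# dry-run modprobe output may be compared. Assumed format: `modprobe -n -v MOD`
# prints, one per line, what it would run for each dependency first and for MOD
# itself last, where a blacklisted module shows as "install /bin/true" (or
# /bin/false) instead of an "insmod ..." line. Module and path names are made up.

# Constructed output: the dependency is blacklisted, the requested module is not.
OUT_DEP_BLACKLISTED='install /bin/true
insmod /lib/modules/6.1.0-example/kernel/fs/examplefs/examplefs.ko'

# Constructed output: the requested module itself is blacklisted.
OUT_MODULE_BLACKLISTED='insmod /lib/modules/6.1.0-example/kernel/lib/exampledep.ko
install /bin/true'

# Constructed output: nothing blacklisted at all.
OUT_ENABLED='insmod /lib/modules/6.1.0-example/kernel/lib/exampledep.ko
insmod /lib/modules/6.1.0-example/kernel/fs/examplefs/examplefs.ko'

# Previous behaviour (kept for comparison): any "install /bin/true" line counts.
# This reports the module as disabled as soon as one dependency is blacklisted.
is_disabled_anywhere() {
    printf '%s\n' "$1" | grep -Eq '^install /bin/(true|false)'
}

# Fixed behaviour: only the last line describes the requested module.
is_disabled_last_line() {
    printf '%s\n' "$1" | tail -n 1 | grep -Eq '^install /bin/(true|false)'
}

# Print a verdict for a module name and its captured dry-run output.
report_module() {
    name="$1"; output="$2"
    if is_disabled_last_line "$output"; then
        echo "$name: disabled (install rule on the module itself)"
    else
        echo "$name: loadable"
    fi
}

report_module examplefs "$OUT_DEP_BLACKLISTED"
report_module examplefs "$OUT_MODULE_BLACKLISTED"
report_module examplefs "$OUT_ENABLED"
```

The first sample is the case the commit fixes: the old test reports examplefs as disabled although only its dependency carries an install rule, while the last-line test correctly reports it as loadable.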
Modify some checks to make it pass when ipv6 is disabled
fix #50
modified: bin/hardening/3.1.1_disable_ipv6.sh
modified: bin/hardening/3.3.1_disable_source_routed_packets.sh
modified: bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
modified: lib/utils.sh
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
* ADD: add dockerfile for debian11
* FIX: fix crontab file not found on debian11 blank
* Add workflow for debian11
* FIX: fix debian version func to manage debian11
* Add dealing with unsupported version and distro
* Add 99.99 check that checks if distro version is supported
* Use global var for debian major and distro
fix #26
* add new kernel module detection (enable & listing) with detection of monolithic kernel
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
Renamed some checks, added new checks that check permissions and ownership on /etc/passwd, /etc/shadow, ...
Add new function in utils that checks that the file ownership is one of the authorized ownerships.
renamed: bin/hardening/6.1.5_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh
new file: bin/hardening/6.1.3_etc_gshadow-_permissions.sh
renamed: bin/hardening/6.1.6_etc_shadow_permissions.sh -> bin/hardening/6.1.4_etc_shadow_permissions.sh
renamed: bin/hardening/6.1.7_etc_group_permissions.sh -> bin/hardening/6.1.5_etc_group_permissions.sh
new file: bin/hardening/6.1.6_etc_passwd-_permissions.sh
new file: bin/hardening/6.1.7_etc_shadow-_permissions.sh
new file: bin/hardening/6.1.8_etc_group-_permissions.sh
new file: bin/hardening/6.1.9_etc_gshadow_permissions.sh
modified: lib/utils.sh
renamed: tests/hardening/6.1.5_etc_passwd_permissions.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh
new file: tests/hardening/6.1.3_etc_gshadow-_permissions.sh
renamed: tests/hardening/6.1.6_etc_shadow_permissions.sh -> tests/hardening/6.1.4_etc_shadow_permissions.sh
renamed: tests/hardening/6.1.7_etc_group_permissions.sh -> tests/hardening/6.1.5_etc_group_permissions.sh
new file: tests/hardening/6.1.6_etc_passwd-_permissions.sh
new file: tests/hardening/6.1.7_etc_shadow-_permissions.sh
new file: tests/hardening/6.1.8_etc_group-_permissions.sh
new file: tests/hardening/6.1.9_etc_gshadow_permissions.sh
Shellcheck recommends to replace sed by shell expansions in 'simple' cases.
However, the replacement here is likely to lead to errors, so we disable this rule.
Moreover, it doesn't really add readability.
First one as root to create conf files with good owner and permissions, and then with secaudit.
Now first run with --create-config-files-only and then normally with --audit.
I added two functions in utils that check perms and ownership for files
resulting from a certain find. They take parameters to filter the results
if needed.
Add func to find pattern in file that spreads over multiple lines
The func will remove commented lines (that begin with '#')
and consider the file as one long line.
Thus, it is not possible to look for a pattern at the beginning or end of a line
with this func ('^' and '$')
Improved pattern in 8.2.5
Add syslog-ng to installed dependencies in Dockerfiles
Fixed multifile arguments when looking for pattern that got broken
in d2bbf754 due to "nocase" and _does_pattern_exist_in_file wrapper
Please note that you can only look for pattern in ONE FILE at once
Fixed 8.2.5 and 8.3.2 with for loop on files and 'FOUND' flag
You now need to specify each and every file to look for or embed a
'find' command as follows:
`FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find $SYSLOG_BASEDIR/conf.d/)"`
Improved test files
Applied shellcheck recommendations
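The two commits above describe the same pair of mechanisms: a single-file search that drops commented lines and treats the rest of the file as one long line (so '^' and '$' no longer anchor to a line), and a caller that loops over an explicit file list, built with an embedded find, keeping a FOUND flag. The script below is an added example, not the project's _does_pattern_exist_in_file or the 8.2.5/8.3.2 checks: it writes constructed syslog-ng style fragments to a temporary directory and the function names and paths are illustrative.

```shell
#!/bin/sh
# Added example (not project code): single-file multi-line pattern search, and a
# FOUND-flag loop over a file list built with an embedded find.

# Constructed syslog-ng style config fragments written to a temp dir so the
# functions operate on real files. Paths are examples only.
WORK=$(mktemp -d)
mkdir -p "$WORK/conf.d"
printf '%s\n' '@version: 3.38
# destination d_remote { tcp("commented.example" port(514)); };
source s_src {
    system();
    internal();
};' > "$WORK/syslog-ng.conf"
printf '%s\n' 'destination d_remote {
    tcp("logs.example.internal"
        port(514));
};
log { source(s_src); destination(d_remote); };' > "$WORK/conf.d/remote.conf"

# Look for an extended regex in ONE file. Commented lines (starting with '#',
# optionally indented) are dropped and the remainder is joined into a single
# line, so a directive split across lines still matches. Consequence: '^' and
# '$' only anchor to the start/end of the whole file, not of a line.
# Optional third argument "nocase" makes the match case-insensitive.
does_pattern_exist_in_file() {
    file="$1"; pattern="$2"; nocase="${3:-}"
    [ -f "$file" ] || return 1
    flags='-Eq'
    [ "$nocase" = "nocase" ] && flags='-Eqi'
    grep -v '^[[:space:]]*#' "$file" | tr '\n' ' ' | grep $flags -- "$pattern"
}

# Loop the single-file function over every file given as argument, keeping a
# FOUND flag so the result reflects all files rather than only the last one.
pattern_found_in_any() {
    pattern="$1"; shift
    FOUND=1
    for f in "$@"; do
        if does_pattern_exist_in_file "$f" "$pattern"; then
            FOUND=0
            echo "found in $f: $pattern"
        fi
    done
    return "$FOUND"
}

# File list: the main config plus everything under conf.d/, as the commit describes.
FILES="$WORK/syslog-ng.conf $(find "$WORK/conf.d/" -type f)"

# Demonstration run (word splitting of $FILES is intentional here).
pattern_found_in_any 'destination d_remote \{.*port\(514\)' $FILES \
    || echo "remote destination not configured"
```

Note that the commented-out destination in the main file is ignored, that the multi-line destination in conf.d/ matches as one string, and that a directory passed by mistake is rejected by the `-f` test instead of producing a grep error.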
Add function to retrieve actual partition from symlink in lib/utils.sh
Using this func in all 3 audit scripts
Improved tests to test this func
Apply shellcheck recommendations
Trim trailing spaces