- configure_systemd-timesync.sh: use "is_service_enabled" instead of calling systemctl
- disable_automounting.sh: use "manage_service" instead of "update-rc.d"
- enable_auditd.sh: use "manage_service" instead of "update-rc.d"
- enable_cron.sh: use "manage_service" instead of "update-rc.d"
- enable_syslog-ng.sh: use "manage_service" instead of "update-rc.d"
Current "is_kernel_option_enabled" function is doing many things, like checking for a kernel option AND checking a kernel module state AND checking if it is disabled
We split it in different functions:
- is_kernel_monolithic
- is_kernel_option_enabled -> check for a kernel configuration in the running kernel
- is_kernel_module_loaded -> check if a module is currently loaded
- is_kernel_module_available -> check if a module is configured in all available kernel configs
- is_kernel_module_disabled -> check if a kernel module is disabled in the modprobe configuration
Also:
- update its behaviour to debian 12 CIS recommendation, to check if a module is "available in ANY installed kernel"
- fix "disable_usb_storage" to look for correct module name once loaded : issue #249
- the associated checks now check separately if the module is loaded, and if it is configured
- for checks about kernel module presence, the "apply" function now manages to disable the module in the modprobe configuration (if kernel not monolithic) (but still wont unload it)
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
Update record_mac_edit.sh to be compliant with debian11 and debian12 CIS recommendations.
fix issue #195
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
"--only" was broken, it did not match correctly a script passed in only
Previously we were checking the numerotation number, we now are using the full script name.
Ex: 1.1.1.1_disable_freevxfs.sh
Previously: (broken) look up for 1\.1\.1\.1, which could also match 1.1.1.1.1.1.1.1_foo.sh
Now: look up for 1.1.1.1_disable_freevxfs.sh
Usage example:
previously:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
Total Available Checks : 0
Total Runned Checks : 0
Total Passed Checks : [ 0/0 ]
Total Failed Checks : [ 0/0 ]
Enabled Checks Percentage : 0 %
Conformity Percentage : N.A %
```
now:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.10_var_tmp_noexec.sh
1.1.10_var_tmp_noexec [INFO] Working on 1.1.10_var_tmp_noexec
1.1.10_var_tmp_noexec [INFO] [DESCRIPTION] /var/tmp partition with noexec option.
1.1.10_var_tmp_noexec [INFO] Checking Configuration
1.1.10_var_tmp_noexec [INFO] Performing audit
1.1.10_var_tmp_noexec [INFO] Verifying that /var/tmp is a partition
1.1.10_var_tmp_noexec [ OK ] /var/tmp is a partition
1.1.10_var_tmp_noexec [ OK ] /var/tmp has noexec in fstab
1.1.10_var_tmp_noexec [ OK ] /var/tmp mounted with noexec
1.1.10_var_tmp_noexec [ OK ] Check Passed
hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.11.1_var_log_noexec.sh
1.1.11.1_var_log_noexec [INFO] Working on 1.1.11.1_var_log_noexec
1.1.11.1_var_log_noexec [INFO] [DESCRIPTION] /var/log partition with noexec option.
1.1.11.1_var_log_noexec [INFO] Checking Configuration
1.1.11.1_var_log_noexec [INFO] Performing audit
1.1.11.1_var_log_noexec [INFO] Verifying that /var/log is a partition
1.1.11.1_var_log_noexec [ OK ] /var/log is a partition
1.1.11.1_var_log_noexec [ KO ] /var/log has no option noexec in fstab!
1.1.11.1_var_log_noexec [ KO ] Check Failed
Total Available Checks : 2
Total Runned Checks : 2
Total Passed Checks : [ 1/2 ]
Total Failed Checks : [ 1/2 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 50.00 %
```
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
* feat: add "--set-version" option
This feature will allow to chose a specific cis version to run, like debian 11 or debian 12
* chore: configure current repository as a version
And use it as default version.
To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number.
Only impact is if you are used to execute scripts directly from bin/hardening.
In this case, please use the "bin/hardening.sh" wrapper as intended.
I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh
Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept
* chore: remove CIS recommendation numbers from bin/hardening scripts
* fix: some tests are failing
find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times:
- test repository is not cleaned
- configuration is updated multiple times
Those tests are also failing, because:
- the sed to change the status in the configuration was also changing the test folder path.
- missing /proc in EXCLUDED paths
- the EXCLUDED configuration doesn't have the correct format for egrep
---------
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
* chore: make linter happy for existing code
* fix: add missing test 2.1.2_disable_bsd_intetd.sh
* feat: add basic pre commit
Ensure a check has a corresponding test
---------
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
* allow multiple exception users for 99.5.2.4
* move clean up part of previous commit
* split clean up part of previous commit
* add tests for multiple allowed and denied ssh users
* fix script to correctly set multiple allowed and denied ssh users
* add cleanup resolved check to 5.2.18
* apply shellfmt to 5.2.18
---------
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)"
This reverts commit 670c8c62f5.
We still want to verify the preexisting hashes in /etc/shadow,
even if the PAM configuration is correct for new passwords (5.3.4).
* Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exists first.
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0
After review, here are the notable changes :
- Harden /var/log more (noexec,nodev,nosuid)
- Harden /var/log/audit more (noexec,nodev,nosuid)
- Harden /home more (nosuid)
- Disable cramfs
- Fix 5.3.4_acc_pam_sha512.sh
- Deprecate Debian 9 and remove useless docker images
NB : more audit log rules have been introduced and will be inserted in the checks later
Fix#158
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.
Closes#167.
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes#163
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
When the tested server has its iptables heavily manipulated (e.g Kubernetes)
The lock aquirement can sometimes fail, hence generating false positives
The command will retry 10 times with a 1 second interval
* fix: add filter to hfs
* fix is_kernel_option_enabled check
as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output.
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
