6079b16611
fix: invalid behavior on sid/alternative in 5.3.4/99.5.4.5.1 ( #237 )
2024-04-09 17:12:31 +02:00
f7cdf438d4
build(deps): bump metcalfc/changelog-generator from 4.2.0 to 4.3.1 ( #234 )
...
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator ) from 4.2.0 to 4.3.1.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases )
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png )
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v4.2.0...v4.3.1 )
---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2024-03-05 09:33:10 +01:00
43fc23ee40
fix: catch cidr network in ssh keys ( #236 )
...
Co-authored-by: Ismaël Tanguy <ismael.tanguy@ovhcloud.com>
2024-02-22 17:55:03 +01:00
3bd4078e70
fix: allow set-hardening-level option usage ( #232 )
...
Was broken since 2020, fixes #230
2024-02-01 17:09:35 +01:00
a45aa40ce4
bump to 4.1.4
2024-01-18 09:16:00 +00:00
730ab47437
allow multiple users in 5.2.18 ( #228 )
...
* allow multiple exception users for 99.5.2.4
* move clean up part of previous commit
* split clean up part of previous commit
* add tests for multiple allowed and denied ssh users
* fix script to correctly set multiple allowed and denied ssh users
* add cleanup resolved check to 5.2.18
* apply shellfmt to 5.2.18
---------
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2024-01-10 17:07:02 +01:00
5313799193
Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from ( #221 )
...
* allow multiple exception users for 99.5.2.4
2023-12-27 13:42:10 +01:00
73616af4eb
Syslog-ng fixes and enhancements ( #226 )
...
* syslog-ng : fix remote host test and enhance Regex
fixes #124
* enh: add test for 4.2.1.6
2023-12-27 10:27:06 +01:00
c391723fe5
fix: Allow --only option to be called multiple times ( #225 )
...
--only option was affected with a grep bug since 2017.
the regex was not able to parse more than the first passed argument.
fixes #224
2023-12-26 17:08:53 +01:00
71019a5512
fix: update Readme to clarify project usage ( #223 )
...
fixes : #219
2023-12-26 09:57:15 +01:00
fb4df82fc4
fix: typo in README. Update example of --audit usage ( #222 )
...
fixes #220
fixes #217
2023-12-26 09:19:55 +01:00
c75244e3b2
bump to 4.1.3
2023-11-28 10:34:12 +00:00
de295b3a77
Adapt all scripts to yescrypt ( #216 )
...
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215 )"
This reverts commit 670c8c62f5
2023-11-21 17:43:31 +01:00
693487c3a5
build(deps): bump metcalfc/changelog-generator from 4.1.0 to 4.2.0 ( #214 )
...
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator ) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases )
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png )
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v4.1.0...v4.2.0 )
---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-11-14 15:44:50 +01:00
670c8c62f5
fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 ( #215 )
...
Fixes #209
2023-11-14 12:03:58 +01:00
0eb2e2ffde
enh: remove ssh system sandbox check ( #213 )
...
UsePrivilegeSeparation option is deprecated.
Since the oldest supported Debian distribution is Buster (10), we can safely remove this check
Fixes #212
2023-11-13 08:53:12 +01:00
d6c334182e
build(deps): bump luizm/action-sh-checker from 0.7.0 to 0.8.0 ( #210 )
...
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker ) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases )
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.7.0...v0.8.0 )
---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-10 15:05:25 +01:00
2188577fc9
feat: advertise Debian 12 compatibility in readme
2023-10-02 13:34:09 +00:00
0f59f73297
bump to 4.1.2
2023-10-02 13:17:31 +00:00
f888ce0d39
fix: root_dir is still /opt/cis-hardening for the moment ( #208 )
2023-10-02 14:50:52 +02:00
f6aa306127
bump to 4.1.1
2023-09-29 14:38:52 +00:00
ceea343ad9
fix: debian12 functional test pass is now mandatory ( #207 )
2023-09-29 16:34:25 +02:00
2e53dfb573
feat: Officialize Debian 12 support ( #206 )
...
* feat: Officialize Debian 12 support
Functional tests now pass
CIS Benchmark PDF for Debian 12 is not out yet, but the hardening points checked
are still relevant in Debian 12.
OVHcloud is now using it in critical production, hence making it officially supported
---------
Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
2023-09-29 16:20:34 +02:00
08aff5d3fc
Update the README to reflect on changes made in PR#204 ( #205 )
2023-09-29 09:21:40 +02:00
32886d3a3d
Replace CIS_ROOT_DIR by a more flexible system ( #204 )
...
* Replace CIS_ROOT_DIR by a more flexible system
* Try to adapt the logic change to the functional tests
2023-09-25 14:24:01 +02:00
5370ec2ef6
feat: add nftables to firewall software allow list ( #203 )
...
* feat: add nftables to firewall software allow list
fixes #191
* fix: enhance 3.5.4.1.1_net_fw_default_policy_drop.sh iptables output check, disable associated test
2023-09-07 14:36:08 +02:00
9d3fb18e6b
build(deps): bump actions/checkout from 3 to 4 ( #202 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-05 17:07:12 +02:00
6e79fcd00a
fix: correct debian version check on 5.2.15 configuration generation ( #199 )
...
fixes #196
2023-09-01 08:34:28 +02:00
27edec6d5f
fix: chore, debug logs print correctly now ( #197 )
2023-08-31 14:40:27 +02:00
f2cc14c383
fix: chore debian manual update ( #198 )
...
* fix: chore debian manual update
fixes #182
* Regenerate man pages (Github action)
---------
Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
2023-08-31 14:34:59 +02:00
46377fc255
build(deps): bump dev-drprasad/delete-tag-and-release ( #184 )
...
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release ) from 0.2.1 to 1.0.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases )
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.1...v1.0.1 )
---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-08-30 10:32:29 +02:00
a468b29036
fix: added `systemd-timesyncd` to use_time_sync script ( #189 ) ( #190 )
...
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-08-30 10:28:03 +02:00
db9ff8a7fd
Update warn messages on 2.2.15_mta_localhost.sh ( #193 )
...
warn messages had typo netsat as it should be netstat
2023-08-30 10:23:27 +02:00
6135c3d0e5
fix: enhance test 99.1.3 speed for large /etc/sudoers.d folders ( #188 )
...
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2023-07-18 17:28:35 +02:00
a6ad528087
feat: Add experimental debian12 functionnal tests ( #187 )
...
Signed-off-by: Tarik Megzari <tarik.megzari@ovhcloud.com>
Co-authored-by: Tarik Megzari <tarik.megzari@ovhcloud.com>
2023-07-10 10:52:17 +02:00
bc98bedf73
bump to 4.0-1
2023-07-10 07:21:13 +00:00
873ef8827d
fix: 99.1.3_acc_sudoers_no_all: fix a race condition ( #186 )
...
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exists first.
2023-07-03 17:05:45 +02:00
bd27cd0dae
fix: change auditd file rule remediation ( #179 )
...
Fixes #165
2023-05-05 12:32:22 +02:00
f28ffc244c
fix: correct debian package compression override ( #181 )
2023-05-02 18:06:59 +02:00
19ce790a27
fix: ensure mountpoints are properly detected ( #177 )
...
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected
Add a supplementary check in case of partition not present in fstab
2023-05-02 18:01:53 +02:00
47cf86237b
fix: correct search in 5.4.5_default_timeout in apply mode ( #178 )
...
fixes #116
2023-05-02 17:57:35 +02:00
ccd9c1a7aa
fix: force xz compression during .deb build ( #180 )
...
zst compression is only available on Debian 12, since the release is built on Ubuntu latest, this was breaking release.
Fixes #175
2023-05-02 15:24:32 +02:00
04457e7df2
feat: official Debian 11 compatibility ( #176 )
...
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0
After review, here are the notable changes :
- Harden /var/log more (noexec,nodev,nosuid)
- Harden /var/log/audit more (noexec,nodev,nosuid)
- Harden /home more (nosuid)
- Disable cramfs
- Fix 5.3.4_acc_pam_sha512.sh
- Deprecate Debian 9 and remove useless docker images
NB : more audit log rules have been introduced and will be inserted in the checks later
Fix #158
2023-05-02 14:16:19 +02:00
05521d5961
Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 ( #171 )
...
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker ) from 0.5.0 to 0.7.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases )
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.5.0...v0.7.0 )
---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-26 10:20:11 +02:00
06525f06f9
bump to 3.8-1
2023-03-23 10:03:37 +00:00
d5c1c63971
Bump luizm/action-sh-checker from 0.4.0 to 0.5.0 ( #161 )
...
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker ) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases )
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0 )
---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-03-23 10:56:12 +01:00
7d93ddeb86
Bump metcalfc/changelog-generator from 3.0.0 to 4.1.0 ( #169 )
...
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator ) from 3.0.0 to 4.1.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases )
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png )
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v3.0.0...v4.1.0 )
---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-03-23 10:50:46 +01:00
a35ecab377
Bump dev-drprasad/delete-tag-and-release from 0.2.0 to 0.2.1 ( #170 )
...
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release ) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases )
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.0...v0.2.1 )
---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-23 10:47:09 +01:00
dc952b90df
fix: timeout of 99.1.3 ( #168 )
...
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.
Closes #167 .
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2022-12-22 09:47:35 +01:00
82a217032d
fix(6.2.9): Start from UID 1000 for home ownership check ( #164 )
...
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes #163
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-09-30 10:28:48 +02:00
Hugo COURTIAL
