The current "is_kernel_option_enabled" function does many things, like checking for a kernel option AND checking a kernel module state AND checking if it is disabled.
We split it into different functions:
- is_kernel_monolithic
- is_kernel_option_enabled -> check for a kernel configuration in the running kernel
- is_kernel_module_loaded -> check if a module is currently loaded
- is_kernel_module_available -> check if a module is configured in all available kernel configs
- is_kernel_module_disabled -> check if a kernel module is disabled in the modprobe configuration
Also:
- update its behaviour to the Debian 12 CIS recommendation, to check if a module is "available in ANY installed kernel"
- fix "disable_usb_storage" to look for the correct module name once loaded: issue #249
- the associated checks now check separately if the module is loaded and if it is configured
- for checks about kernel module presence, the "apply" function now manages to disable the module in the modprobe configuration (if the kernel is not monolithic) (but still won't unload it)
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
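An added example (not debian-cis's own code) of the split described above: one helper per question, each taking an optional path so it can be exercised against a constructed tree instead of the live system. The "no /proc/modules means monolithic" heuristic, the accepted modprobe.d syntax and the sample files are assumptions of this example.

```bash
# Added example, not debian-cis code. Default paths point at the live system; pass paths to test offline.

is_kernel_monolithic() {
  # Heuristic assumed here: a kernel built without module support exposes no /proc/modules.
  local proc_modules="${1:-/proc/modules}"
  [ ! -e "$proc_modules" ]
}

is_kernel_option_enabled() {
  # $1: CONFIG_* symbol, $2: kernel config file (default: the running kernel's).
  local option="$1" config="${2:-/boot/config-$(uname -r)}"
  grep -qE "^${option}=(y|m)$" "$config" 2>/dev/null
}

is_kernel_module_loaded() {
  # $1: module name as the kernel reports it (underscores, e.g. usb_storage); $2: /proc/modules-style file.
  local module="$1" modules_file="${2:-/proc/modules}"
  awk -v m="$module" '$1 == m { found = 1 } END { exit !found }' "$modules_file" 2>/dev/null
}

is_kernel_module_available() {
  # Debian 12 CIS wording: the module counts as available if ANY installed kernel builds it,
  # so every /boot/config-* is consulted, not only the running kernel's.
  local option="$1" boot_dir="${2:-/boot}" cfg
  for cfg in "$boot_dir"/config-*; do
    [ -f "$cfg" ] && is_kernel_option_enabled "$option" "$cfg" && return 0
  done
  return 1
}

is_kernel_module_disabled() {
  # Disabled in modprobe configuration: "install <mod> /bin/true|/bin/false" or "blacklist <mod>".
  local module="$1" dir="${2:-/etc/modprobe.d}"
  grep -qsE "^[[:space:]]*(install[[:space:]]+${module}[[:space:]]+/bin/(true|false)|blacklist[[:space:]]+${module})[[:space:]]*$" "$dir"/*.conf
}

make_sample_env() {
  # Constructed sample tree (not a real system) for offline checks; prints its path.
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/boot" "$root/modprobe.d"
  # Two installed kernels: only the first one builds usb-storage; both build cramfs.
  printf 'CONFIG_USB_STORAGE=m\nCONFIG_CRAMFS=m\n' > "$root/boot/config-6.1.0-a"
  printf '# CONFIG_USB_STORAGE is not set\nCONFIG_CRAMFS=m\n' > "$root/boot/config-6.1.0-b"
  # /proc/modules-style listing; note the loaded name is usb_storage, not CONFIG_USB_STORAGE.
  printf 'usb_storage 81920 0 - Live 0x0\nxfs 2228224 1 - Live 0x0\n' > "$root/modules"
  printf 'install cramfs /bin/false\n' > "$root/modprobe.d/cis.conf"
  echo "$root"
}
```

With the constructed tree, usb-storage is "available" (kernel a builds it) and loaded, but not disabled; cramfs is available and disabled but not loaded, which is exactly the distinction the split helpers make visible.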
fix issue #251: https://github.com/ovh/debian-cis/issues/251
The 'is_ipv6_enabled' function was doing some 'crit' actions, which is not the expected behaviour: we don't want to fail if IPv6 is enabled, it is just an info that the checks are going to use.
Also, it was overriding the SYSCTL_PARAMS that could have been defined in the checks.
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
Update record_mac_edit.sh to be compliant with the Debian 11 and Debian 12 CIS recommendations.
fix issue #195
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
"--only" was broken: it did not correctly match a script passed to it.
Previously we were checking the numbering; we now use the full script name.
Ex: 1.1.1.1_disable_freevxfs.sh
Previously (broken): look up 1\.1\.1\.1, which could also match 1.1.1.1.1.1.1.1_foo.sh
Now: look up 1.1.1.1_disable_freevxfs.sh
Usage example:
previously:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
Total Available Checks : 0
Total Runned Checks : 0
Total Passed Checks : [ 0/0 ]
Total Failed Checks : [ 0/0 ]
Enabled Checks Percentage : 0 %
Conformity Percentage : N.A %
```
now:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.10_var_tmp_noexec.sh
1.1.10_var_tmp_noexec [INFO] Working on 1.1.10_var_tmp_noexec
1.1.10_var_tmp_noexec [INFO] [DESCRIPTION] /var/tmp partition with noexec option.
1.1.10_var_tmp_noexec [INFO] Checking Configuration
1.1.10_var_tmp_noexec [INFO] Performing audit
1.1.10_var_tmp_noexec [INFO] Verifying that /var/tmp is a partition
1.1.10_var_tmp_noexec [ OK ] /var/tmp is a partition
1.1.10_var_tmp_noexec [ OK ] /var/tmp has noexec in fstab
1.1.10_var_tmp_noexec [ OK ] /var/tmp mounted with noexec
1.1.10_var_tmp_noexec [ OK ] Check Passed
hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.11.1_var_log_noexec.sh
1.1.11.1_var_log_noexec [INFO] Working on 1.1.11.1_var_log_noexec
1.1.11.1_var_log_noexec [INFO] [DESCRIPTION] /var/log partition with noexec option.
1.1.11.1_var_log_noexec [INFO] Checking Configuration
1.1.11.1_var_log_noexec [INFO] Performing audit
1.1.11.1_var_log_noexec [INFO] Verifying that /var/log is a partition
1.1.11.1_var_log_noexec [ OK ] /var/log is a partition
1.1.11.1_var_log_noexec [ KO ] /var/log has no option noexec in fstab!
1.1.11.1_var_log_noexec [ KO ] Check Failed
Total Available Checks : 2
Total Runned Checks : 2
Total Passed Checks : [ 1/2 ]
Total Failed Checks : [ 1/2 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 50.00 %
```
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
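An added example (not debian-cis's own code) contrasting the two matching strategies from the message above, against a constructed list of script names standing in for bin/hardening:

```bash
# Added example, not debian-cis code. Constructed script list (not a real directory listing).
SCRIPTS="1.1.1.1_disable_freevxfs.sh
1.1.1.1.1.1.1.1_foo.sh
1.1.10_var_tmp_noexec.sh
1.1.11.1_var_log_noexec.sh"

# Broken behaviour: derive the number from the --only argument, escape its dots and grep for it
# as a prefix, so 1\.1\.1\.1 also selects 1.1.1.1.1.1.1.1_foo.sh.
select_by_number() {
  local wanted="$1" number
  number="$(printf '%s' "${wanted%%_*}" | sed 's/\./\\./g')"
  printf '%s\n' "$SCRIPTS" | grep -E "^${number}"
}

# Fixed behaviour: compare the whole script name as a fixed string, so exactly one script matches.
select_by_name() {
  local wanted="$1"
  printf '%s\n' "$SCRIPTS" | grep -Fx -- "$wanted"
}
```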
* feat: add "--set-version" option
This feature allows choosing a specific CIS version to run, like Debian 11 or Debian 12.
* chore: configure current repository as a version
And use it as default version.
To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number.
The only impact is if you are used to executing scripts directly from bin/hardening.
In this case, please use the "bin/hardening.sh" wrapper as intended.
I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh
Also, there was a duplicate between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh; the former was kept.
* chore: remove CIS recommendation numbers from bin/hardening scripts
* fix: some tests are failing
find_ungrouped_files.sh and find_unowned_files.sh tests cannot be executed multiple times:
- test repository is not cleaned
- configuration is updated multiple times
Those tests are also failing, because:
- the sed to change the status in the configuration was also changing the test folder path.
- missing /proc in EXCLUDED paths
- the EXCLUDED configuration doesn't have the correct format for egrep
---------
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
* chore: make linter happy for existing code
* fix: add missing test 2.1.2_disable_bsd_intetd.sh
* feat: add basic pre commit
Ensure a check has a corresponding test
---------
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
* allow multiple exception users for 99.5.2.4
* move clean up part of previous commit
* split clean up part of previous commit
* add tests for multiple allowed and denied ssh users
* fix script to correctly set multiple allowed and denied ssh users
* add cleanup resolved check to 5.2.18
* apply shellfmt to 5.2.18
---------
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)"
This reverts commit 670c8c62f5.
We still want to verify the preexisting hashes in /etc/shadow,
even if the PAM configuration is correct for new passwords (5.3.4).
* Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
* feat: Officialize Debian 12 support
Functional tests now pass
CIS Benchmark PDF for Debian 12 is not out yet, but the hardening points checked
are still relevant in Debian 12.
OVHcloud is now using it in critical production, hence making it officially supported
---------
Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exist first.
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected
Add a supplementary check in case of a partition not present in fstab