582 Commits

Author SHA1 Message Date
damcav35
f0075600e1 feat: add debian12 scripts (#293)
- nftables_is_enabled.sh 		-> 4.2.9
- nftables_has_table.sh 		-> 4.2.4
- nftables_has_base_chains.sh 		-> 4.2.5
- nftables_rules_permanent.sh		-> 4.2.10
- nftables_default_deniy_policy.sh	-> 4.2.8

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
latest
2025-08-22 13:38:23 +02:00
damcav35
fde8d2beeb feat: add debian12 scripts (#292)
- auditd_logs_full_halt.sh			-> 6.3.2.3
- systemd_journal_upload_remote_auth.sh		-> 6.2.1.2.2
- sudo_auth_timeout.sh 				-> 5.2.6
- libpam_modules_is_installed.sh 		-> 5.3.1.2
- ufw_not_installed_with_nftables.sh 		-> 4.2.2
- ufw_not_installed_with_iptables.sh 		-> 4.3.1.3

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
2025-08-19 12:01:34 +02:00
damcav35
b89e608575 feat: add debian12 scripts (#291)
- aide_daliy_check				-> 6.1.2
- journald_is_enabled.sh 			-> 6.2.1.1.1
- systemd_journald_remote_is_installed.sh 	-> 6.2.1.2.1
- systemd_journal_upload_is_enabled.sh -	-> 6.2.1.2.3
- systemd_journal_remote_is_disabled.sh 	-> 6.2.1.2.4

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
2025-08-18 16:11:37 +02:00
damcav35
605963dc3e feat: add debian12 scripts (#290)
- at_is_restricted.sh			-> 2.4.2.1
- wireless_interfaces_disabled.sh	-> 3.1.2
- bluetooth_is_disabled.sh 		-> 3.1.3
- sudo_no_nopasswd.sh 			-> 5.2.4
- aide_is_installed.sh 			-> 6.1.1

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
2025-08-14 14:41:04 +02:00
damcav35
8aeb22fb60 Damcava35/deb12 scripts 5 (#289)
* refacto: systemd is-active / is-enabled

Manage different object types (service, socket, timer...) in a generic way.

* feat: add debian12 scripts

ufw_is_installed.sh				-> 4.1.1
iptables_persistent_is_not_installed.sh		-> 4.1.2
ufw_is_enabled					-> 4.1.3
nftables_not_installed_with_iptables.sh		-> 4.3.1.2
libpam_runtime_is_version 			-> 5.3.1.1

---------

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
2025-08-14 12:25:25 +02:00
damcav35
94f110d9b3 Damcava35/deb12 scripts 4 (#287)
* fix: ipv6 may be enabled on a single interface

* feat: add new checks for debian12

systemd_timesyncd_is_enabled_and_running.sh	-> 2.3.2.2
rpcbind_is_disabled.sh				-> 2.1.12
ftp_client_not_installed.sh			-> 2.2.6
chrony_with_chrony_user.sh			-> 2.3.3.2
ipv6_is_enabled.sh				-> 3.1.1

---------

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2025-08-12 14:42:37 +02:00
dependabot[bot]
f85f1f25e7 build(deps): bump actions/checkout from 4 to 5 (#288)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-12 14:02:48 +02:00
damcav35
8e89f79b8c fix: quickstart README (#286)
issue #270

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
2025-08-08 08:36:05 +02:00
damcav35
1926758707 fix: --set-hardening-level is messing with configuration files (#285)
fix issue #275

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
2025-08-07 17:03:09 +02:00
Edmund Lodewijks
4b4faf62b3 Fix typo 'paswword' to 'password' in password_last_change_past.sh (#280)
Fix typo 'paswword' to 'password' in password_last_change_past.sh

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2025-08-07 16:10:08 +02:00
damcav35
6b1ce6787d fix: issue #283 (#284)
Use a more simple and generic way to ensure systemctl is present

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
2025-08-07 16:08:51 +02:00
dependabot[bot]
fe8f0bd0b4 build(deps): bump metcalfc/changelog-generator from 4.3.1 to 4.6.2 (#281)
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 4.3.1 to 4.6.2.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v4.3.1...v4.6.2)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-version: 4.6.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-07 10:54:32 +02:00
damcav35
b0e46dd658 Damcava35/deb12 scripts 3 (#279)
* add "apt_remove" in lib/utils.sh

in order to manage DEBIAN_FRONTEND

* feat: add new scripts for debian 12

- tftp_is_disabled              ->      2.1.16
- network_services_listening    ->      2.1.22
- use_time_sync                 ->      2.3.1.1
Update the existing script to check there is only one installed

- chrony_is_enabled_and_running ->      2.3.3.3

---------

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
2025-08-06 16:50:52 +02:00
damcav35
4b9e7d0b33 chore: add new scripts for debian 12 (#278)
- package_manager_is_configured         -> 1.2.1.2
- ptrace_scope_is_restricted            -> 1.5.2
- gdm_is_removed.sh                     -> 1.7.1
- dnsmasq_is_disabled.sh                -> 2.1.5

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-08-06 15:03:51 +02:00
dependabot[bot]
28d38e5f82 build(deps): bump luizm/action-sh-checker from 0.8.0 to 0.9.0 (#243)
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.8.0 to 0.9.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2025-08-06 11:42:38 +02:00
damcav35
a9d2e76cdb Damcava35/update lib (#277)
* update lib/utils.sh

- add 'is_pkg_a_dependency', to ensure a package is not needed by some others before removing it
-> will be used in debian 12 CIS by at least the 2.1.5 recommendation

- update 'is_service_enabled' to use 'systemd' instead of 'rc.d', as we are now only supporting debian LTS using systemd
- add 'is_using_sbin_init' to ensure we can use systemctl, in case of running on non detected container
- add 'manage_service' to enable / disable service using systemctl

* chore: update script related to systemctl / service

- configure_systemd-timesync.sh:        use "is_service_enabled" instead of calling systemctl
- disable_automounting.sh:              use "manage_service" instead of "update-rc.d"
- enable_auditd.sh:                     use "manage_service" instead of "update-rc.d"
- enable_cron.sh:                       use "manage_service" instead of "update-rc.d"
- enable_syslog-ng.sh:                  use "manage_service" instead of "update-rc.d"

---------

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-08-06 11:13:49 +02:00
damcav35
80b73b73b9 Damcava35/new scripts (#265)
* adding new scripts for debian12

- "users_homedir_is_configured.sh" is a concatenation of different existing scripts:
        - [users_homedir_exist.sh](https://github.com/ovh/debian-cis/blob/master/bin/hardening/users_homedir_exist.sh)
        - [users_homedir_ownership.sh](https://github.com/ovh/debian-cis/blob/master/bin/hardening/users_homedir_ownership.sh)
        - [check_user_dir_perm.sh](https://github.com/ovh/debian-cis/blob/master/bin/hardening/check_user_dir_perm.sh)
And so is its test
It will be mapped as 7.2.9 for debian 12

- The following scripts are a split from [5.3.1_enable_pwquality.sh](https://github.com/ovh/debian-cis/blob/master/bin/hardening/enable_pwquality.sh):
        - enable_libpam_pwquality.sh    -> will be mapped as 5.3.2.3
        - install_libpam_pwquality.sh   -> will be mapped as 5.3.1.3
        - password_complexity.sh        -> will be mapped as 5.3.3.2.3
        - password_min_length.sh        -> will be mapped as 5.3.3.2.2

The others are scripts are new.
They will be mapped as follow for debian 12 CIS :

- apt_gpg_is_configured.sh                      -> 1.2.1.1
- dev_shm_separate_partition.sh                 -> 1.2.2.1
- install_iptables.sh                           -> 4.3.1.1
- install_nftables.sh                           -> 4.2.1
- password_consecutive_characters.sh            -> 5.3.3.2.4
- password_max_sequential_characters.sh         -> 5.3.3.2.5

* chore: rename some scripts

- password configuration related scripts : ensure they start as "password_" like others checks

---------

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-08-06 10:49:21 +02:00
damcav35
fbeac63e34 fix: shellcheck precommit (#276)
Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-30 15:03:29 +02:00
damcav35
c9f9137e59 feat: add some precommit (#274)
- ensure correct formatting with shfmt
- ensure correct syntax with shellcheck

Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-22 11:14:41 +02:00
damcav35
51bc5825d6 refactor: is_kernel_option_enabled (#267)
Current "is_kernel_option_enabled" function is doing many things, like checking for a kernel option AND checking a kernel module state AND checking if it is disabled
We split it in different functions:
        - is_kernel_monolithic
        - is_kernel_option_enabled -> check for a kernel configuration in the running kernel
        - is_kernel_module_loaded -> check if a module is currently loaded
        - is_kernel_module_available -> check if a module is configured in all available kernel configs
        - is_kernel_module_disabled   -> check if a kernel module is disabled in the modprobe configuration

Also:

- update its behaviour to debian 12 CIS recommendation, to check if a module is "available in ANY installed kernel"
- fix "disable_usb_storage" to look for correct module name once loaded : issue #249
- the associated checks now check separately if the module is loaded, and if it is configured
- for checks about kernel module presence, the "apply" function now manages to disable the module in the modprobe configuration (if kernel not monolithic) (but still wont unload it)

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-11 11:20:59 +02:00
damcav35
ab0dba9f95 chore: drop debian 10 and below support (#264)
Currently, the only LTS Debian are 11 and 12
We only support CIS for LTS debian

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
v4.1-5
2025-07-04 14:18:56 +02:00
damcav35
f2c6f36b94 fix: ipv6_is_enabled related checks (#263)
fix issue #251 : https://github.com/ovh/debian-cis/issues/251

the 'is_ipv6_enabled' function was doing some 'crit' actions, which is not the expected behaviour: we don't want to fail if ipv6 is enabled, it is just an infor that checks are going to use.

Also, it was overriding the SYSCTL_PARAMS that could have been defined in the checks.

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-04 09:08:50 +02:00
damcav35
6123a56653 fix: update record_mac_edit.sh to use apparmor instead of selinux (#262)
Update record_mac_edit.sh to be compliant with debian11 and debian12 CIS recommendations.

fix issue #195

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-03 09:27:09 +02:00
damcav35
99e6694261 fix: "--only" option in "hardening.sh" (#261)
"--only" was broken, it did not match correctly a script passed in only

Previously we were checking the numerotation number, we now are using the full script name.

Ex: 1.1.1.1_disable_freevxfs.sh

Previously: (broken) look up for 1\.1\.1\.1, which could also match 1.1.1.1.1.1.1.1_foo.sh
Now: look up for 1.1.1.1_disable_freevxfs.sh

Usage example:
previously:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
      Total Available Checks : 0
         Total Runned Checks : 0
         Total Passed Checks : [     0/0 ]
         Total Failed Checks : [     0/0 ]
   Enabled Checks Percentage : 0 %
       Conformity Percentage : N.A %
```

now:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
hardening                 [INFO] Treating /opt/debian-cis/versions/default/1.1.10_var_tmp_noexec.sh
1.1.10_var_tmp_noexec     [INFO] Working on 1.1.10_var_tmp_noexec
1.1.10_var_tmp_noexec     [INFO] [DESCRIPTION] /var/tmp partition with noexec option.
1.1.10_var_tmp_noexec     [INFO] Checking Configuration
1.1.10_var_tmp_noexec     [INFO] Performing audit
1.1.10_var_tmp_noexec     [INFO] Verifying that /var/tmp is a partition
1.1.10_var_tmp_noexec     [ OK ] /var/tmp is a partition
1.1.10_var_tmp_noexec     [ OK ] /var/tmp has noexec in fstab
1.1.10_var_tmp_noexec     [ OK ] /var/tmp mounted with noexec
1.1.10_var_tmp_noexec     [ OK ] Check Passed
hardening                 [INFO] Treating /opt/debian-cis/versions/default/1.1.11.1_var_log_noexec.sh
1.1.11.1_var_log_noexec   [INFO] Working on 1.1.11.1_var_log_noexec
1.1.11.1_var_log_noexec   [INFO] [DESCRIPTION] /var/log partition with noexec option.
1.1.11.1_var_log_noexec   [INFO] Checking Configuration
1.1.11.1_var_log_noexec   [INFO] Performing audit
1.1.11.1_var_log_noexec   [INFO] Verifying that /var/log is a partition
1.1.11.1_var_log_noexec   [ OK ] /var/log is a partition
1.1.11.1_var_log_noexec   [ KO ] /var/log has no option noexec in fstab!
1.1.11.1_var_log_noexec   [ KO ] Check Failed
      Total Available Checks : 2
         Total Runned Checks : 2
         Total Passed Checks : [     1/2 ]
         Total Failed Checks : [     1/2 ]
   Enabled Checks Percentage : 100.00 %
       Conformity Percentage : 50.00 %
```

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-02 14:22:20 +02:00
damcav35
231db2bf93 fix: debian package does not include "versions" (#260)
Related to #259: https://github.com/ovh/debian-cis/issues/259

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-01 13:55:26 +02:00
damcav35
be33848d81 Damcava35/set version (#257)
* feat: add "--set-version" option

This feature will allow to chose a specific cis version to run, like debian 11 or debian 12

* chore: configure current repository as a version

And use it as default version.

To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number.
Only impact is if you are used to execute scripts directly from bin/hardening.
In this case, please use the "bin/hardening.sh" wrapper as intended.

I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh

Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept

* chore: remove CIS recommendation numbers from bin/hardening scripts

* fix: some tests are failing

find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times:
- test repository is not cleaned
- configuration is updated multiple times

Those tests are also failing, because:
- the sed to change the status in the configuration was also changing the test folder path.
- missing /proc in EXCLUDED paths
- the EXCLUDED configuration doesn't have the correct format for egrep

---------

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-01 08:41:55 +02:00
damcav35
99bc575714 Damcava35/test pre commit (#256)
* chore: make linter happy for existing code

* fix: add missing test 2.1.2_disable_bsd_intetd.sh

* feat: add basic pre commit

Ensure a check has a corresponding test

---------

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-06-23 10:23:43 +02:00
dependabot[bot]
9a225c6157 build(deps): bump dev-drprasad/delete-tag-and-release from 1.0.1 to 1.1 (#238)
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 1.0.1 to 1.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v1.0.1...v1.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-10 17:47:36 +02:00
Hugo COURTIAL
6079b16611 fix: invalid behavior on sid/alternative in 5.3.4/99.5.4.5.1 (#237) 2024-04-09 17:12:31 +02:00
dependabot[bot]
f7cdf438d4 build(deps): bump metcalfc/changelog-generator from 4.2.0 to 4.3.1 (#234)
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 4.2.0 to 4.3.1.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v4.2.0...v4.3.1)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2024-03-05 09:33:10 +01:00
Isma399
43fc23ee40 fix: catch cidr network in ssh keys (#236)
Co-authored-by: Ismaël Tanguy <ismael.tanguy@ovhcloud.com>
2024-02-22 17:55:03 +01:00
GoldenKiwi
3bd4078e70 fix: allow set-hardening-level option usage (#232)
Was broken since 2020, fixes #230
2024-02-01 17:09:35 +01:00
thibault.dewailly
a45aa40ce4 bump to 4.1.4 v4.1-4 2024-01-18 09:16:00 +00:00
lgaida
730ab47437 allow multiple users in 5.2.18 (#228)
* allow multiple exception users for 99.5.2.4

* move clean up part of previous commit

* split clean up part of previous commit

* add tests for multiple allowed and denied ssh users

* fix script to correctly set multiple allowed and denied ssh users

* add cleanup resolved check to 5.2.18

* apply shellfmt to 5.2.18

---------

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2024-01-10 17:07:02 +01:00
lgaida
5313799193 Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221)
* allow multiple exception users for 99.5.2.4
2023-12-27 13:42:10 +01:00
GoldenKiwi
73616af4eb Syslog-ng fixes and enhancements (#226)
* syslog-ng : fix remote host test and enhance Regex

fixes #124

* enh: add test for 4.2.1.6
2023-12-27 10:27:06 +01:00
GoldenKiwi
c391723fe5 fix: Allow --only option to be called multiple times (#225)
--only option was affected with a grep bug since 2017.
the regex was not able to parse more than the first passed argument.

fixes #224
2023-12-26 17:08:53 +01:00
GoldenKiwi
71019a5512 fix: update Readme to clarify project usage (#223)
fixes: #219
2023-12-26 09:57:15 +01:00
GoldenKiwi
fb4df82fc4 fix: typo in README. Update example of --audit usage (#222)
fixes #220
fixes #217
2023-12-26 09:19:55 +01:00
thibault.dewailly
c75244e3b2 bump to 4.1.3 v4.1-3 2023-11-28 10:34:12 +00:00
Stéphane Lesimple
de295b3a77 Adapt all scripts to yescrypt (#216)
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)"

This reverts commit 670c8c62f5.

We still want to verify the preexisting hashes in /etc/shadow,
even if the PAM configuration is correct for new passwords (5.3.4).

* Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
2023-11-21 17:43:31 +01:00
dependabot[bot]
693487c3a5 build(deps): bump metcalfc/changelog-generator from 4.1.0 to 4.2.0 (#214)
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v4.1.0...v4.2.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-11-14 15:44:50 +01:00
GoldenKiwi
670c8c62f5 fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)
Fixes #209
2023-11-14 12:03:58 +01:00
GoldenKiwi
0eb2e2ffde enh: remove ssh system sandbox check (#213)
UsePrivilegeSeparation option is deprecated.
Since the oldest supported Debian distribution is Buster (10), we can safely remove this check

Fixes #212
2023-11-13 08:53:12 +01:00
dependabot[bot]
d6c334182e build(deps): bump luizm/action-sh-checker from 0.7.0 to 0.8.0 (#210)
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-10 15:05:25 +01:00
thibault.dewailly
2188577fc9 feat: advertise Debian 12 compatibility in readme 2023-10-02 13:34:09 +00:00
thibault.dewailly
0f59f73297 bump to 4.1.2 v4.1-2 2023-10-02 13:17:31 +00:00
GoldenKiwi
f888ce0d39 fix: root_dir is still /opt/cis-hardening for the moment (#208) 2023-10-02 14:50:52 +02:00
thibault.dewailly
f6aa306127 bump to 4.1.1 v4.1-1 2023-09-29 14:38:52 +00:00
GoldenKiwi
ceea343ad9 fix: debian12 functional test pass is now mandatory (#207) 2023-09-29 16:34:25 +02:00