* add "apt_remove" in lib/utils.sh
in order to manage DEBIAN_FRONTEND
* feat: add new scripts for debian 12
- tftp_is_disabled -> 2.1.16
- network_services_listening -> 2.1.22
- use_time_sync -> 2.3.1.1
Update the existing script to check there is only one installed
- chrony_is_enabled_and_running -> 2.3.3.3
---------
Co-authored-by: damien cavagnini <damien.cavagnini@corp.ovh.com>
* update lib/utils.sh
- add 'is_pkg_a_dependency', to ensure a package is not needed by some others before removing it
-> will be used in debian 12 CIS by at least the 2.1.5 recommendation
- update 'is_service_enabled' to use 'systemd' instead of 'rc.d', as we are now only supporting debian LTS using systemd
- add 'is_using_sbin_init' to ensure we can use systemctl, in case of running on a non-detected container
- add 'manage_service' to enable / disable service using systemctl
* chore: update script related to systemctl / service
- configure_systemd-timesync.sh: use "is_service_enabled" instead of calling systemctl
- disable_automounting.sh: use "manage_service" instead of "update-rc.d"
- enable_auditd.sh: use "manage_service" instead of "update-rc.d"
- enable_cron.sh: use "manage_service" instead of "update-rc.d"
- enable_syslog-ng.sh: use "manage_service" instead of "update-rc.d"
---------
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
Current "is_kernel_option_enabled" function is doing many things, like checking for a kernel option AND checking a kernel module state AND checking if it is disabled
We split it in different functions:
- is_kernel_monolithic
- is_kernel_option_enabled -> check for a kernel configuration in the running kernel
- is_kernel_module_loaded -> check if a module is currently loaded
- is_kernel_module_available -> check if a module is configured in all available kernel configs
- is_kernel_module_disabled -> check if a kernel module is disabled in the modprobe configuration
Also:
- update its behaviour to debian 12 CIS recommendation, to check if a module is "available in ANY installed kernel"
- fix "disable_usb_storage" to look for the correct module name once loaded: issue #249
- the associated checks now check separately if the module is loaded, and if it is configured
- for checks about kernel module presence, the "apply" function now manages to disable the module in the modprobe configuration (if kernel not monolithic) (but still won't unload it)
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
Update record_mac_edit.sh to be compliant with debian11 and debian12 CIS recommendations.
fix issue #195
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
"--only" was broken: it did not correctly match a script passed in --only.
Previously we were checking the numbering; we are now using the full script name.
Ex: 1.1.1.1_disable_freevxfs.sh
Previously: (broken) look up for 1\.1\.1\.1, which could also match 1.1.1.1.1.1.1.1_foo.sh
Now: look up for 1.1.1.1_disable_freevxfs.sh
Usage example:
previously:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
Total Available Checks : 0
Total Runned Checks : 0
Total Passed Checks : [ 0/0 ]
Total Failed Checks : [ 0/0 ]
Enabled Checks Percentage : 0 %
Conformity Percentage : N.A %
```
now:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.10_var_tmp_noexec.sh
1.1.10_var_tmp_noexec [INFO] Working on 1.1.10_var_tmp_noexec
1.1.10_var_tmp_noexec [INFO] [DESCRIPTION] /var/tmp partition with noexec option.
1.1.10_var_tmp_noexec [INFO] Checking Configuration
1.1.10_var_tmp_noexec [INFO] Performing audit
1.1.10_var_tmp_noexec [INFO] Verifying that /var/tmp is a partition
1.1.10_var_tmp_noexec [ OK ] /var/tmp is a partition
1.1.10_var_tmp_noexec [ OK ] /var/tmp has noexec in fstab
1.1.10_var_tmp_noexec [ OK ] /var/tmp mounted with noexec
1.1.10_var_tmp_noexec [ OK ] Check Passed
hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.11.1_var_log_noexec.sh
1.1.11.1_var_log_noexec [INFO] Working on 1.1.11.1_var_log_noexec
1.1.11.1_var_log_noexec [INFO] [DESCRIPTION] /var/log partition with noexec option.
1.1.11.1_var_log_noexec [INFO] Checking Configuration
1.1.11.1_var_log_noexec [INFO] Performing audit
1.1.11.1_var_log_noexec [INFO] Verifying that /var/log is a partition
1.1.11.1_var_log_noexec [ OK ] /var/log is a partition
1.1.11.1_var_log_noexec [ KO ] /var/log has no option noexec in fstab!
1.1.11.1_var_log_noexec [ KO ] Check Failed
Total Available Checks : 2
Total Runned Checks : 2
Total Passed Checks : [ 1/2 ]
Total Failed Checks : [ 1/2 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 50.00 %
```
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
* feat: add "--set-version" option
This feature will allow choosing a specific CIS version to run, like debian 11 or debian 12
* chore: configure current repository as a version
And use it as default version.
To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number.
The only impact is if you are used to executing scripts directly from bin/hardening.
In this case, please use the "bin/hardening.sh" wrapper as intended.
I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh
Also, there was a duplicate between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh; the former was kept
* chore: remove CIS recommendation numbers from bin/hardening scripts
* fix: some tests are failing
find_ungrouped_files.sh and find_unowned_files.sh tests cannot be executed multiple times:
- test repository is not cleaned
- configuration is updated multiple times
Those tests are also failing, because:
- the sed to change the status in the configuration was also changing the test folder path.
- missing /proc in EXCLUDED paths
- the EXCLUDED configuration doesn't have the correct format for egrep
---------
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
* chore: make linter happy for existing code
* fix: add missing test 2.1.2_disable_bsd_intetd.sh
* feat: add basic pre commit
Ensure a check has a corresponding test
---------
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
* allow multiple exception users for 99.5.2.4
* move clean up part of previous commit
* split clean up part of previous commit
* add tests for multiple allowed and denied ssh users
* fix script to correctly set multiple allowed and denied ssh users
* add cleanup resolved check to 5.2.18
* apply shellfmt to 5.2.18
---------
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)"
This reverts commit 670c8c62f5.
We still want to verify the preexisting hashes in /etc/shadow,
even if the PAM configuration is correct for new passwords (5.3.4).
* Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exist first.
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0
After review, here are the notable changes:
- Harden /var/log more (noexec,nodev,nosuid)
- Harden /var/log/audit more (noexec,nodev,nosuid)
- Harden /home more (nosuid)
- Disable cramfs
- Fix 5.3.4_acc_pam_sha512.sh
- Deprecate Debian 9 and remove useless docker images
NB: more audit log rules have been introduced and will be inserted in the checks later
Fix #158
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.
Closes #167.
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes #163
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
When the tested server has its iptables heavily manipulated (e.g. Kubernetes),
the lock acquirement can sometimes fail, hence generating false positives.
The command will retry 10 times with a 1 second interval.