Commit Graph

96 Commits

Author SHA1 Message Date
Charles Herlin
d014405e1f FIX: add becho to send batch output to syslog too
becho stands for batch echo
formats the log line for syslog

Also logs audit summary into syslog (in batch mode only)
2019-02-06 17:25:16 +01:00
Charles Herlin
6cea326921 Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00
Charles Herlin
71b70a2b8c FEAT: Add sudo_wrapper to catch unauthorized sudo commands
As for now, if a sudo command was not allowed, check might sometimes
pass, resulting in a compliant state even if it actually is not.
Sudo wrapper first checks whether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant

Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command

Fixed quotes and curly braces with shellcheck report
2018-03-16 12:06:56 +01:00
Charles Herlin
67df4da781 Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh

Change summary to make it oneliner when batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
2017-10-31 17:44:15 +01:00
Charles Herlin
b1f85d3f99 Add sudo management in main and utils
* perform readonly checks as a regular user
    * sudo -n is used for checks requiring root privileges
    * increase accountability by providing log of individual access to sensitive files
2017-11-09 15:45:42 +01:00
Stéphane Lesimple
676b17c54f add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
Thibault Dewailly
2ef500298b Merge pull request #11 from speed47/dev/fix_does_pattern_exist_in_file
handle ENOENT properly in does_pattern_exist_in_file()
2017-05-19 18:30:21 +02:00
Stéphane Lesimple
3e0187094a handle ENOENT properly in does_pattern_exist_in_file() 2017-05-18 18:31:24 +02:00
Stéphane Lesimple
cca0310d64 set a fixed-size prefix for logger 2017-05-18 18:27:02 +02:00
jeremydenoun
53626bd926 Remove test on _logger() function
the original line contains a test that can hide echo if we launch the script with a pipe or IO redirection
2016-05-14 20:39:32 +02:00
thibault.dewailly
e902c9b4c8 Fixed replace in file function with proper substitution 2016-05-03 11:25:37 +02:00
kevin.tanguy
1479332870 debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00
Frank Denis
ed410747df Rephrase confusing messages 2016-04-21 18:32:36 +02:00
thibault.dewailly
3ece442743 Added exit code to CIS_ROOT_DIR test def, optimized sed and sort 2016-04-20 11:29:44 +02:00
Stéphane Lesimple
8d84f38c97 add --audit-all option 2016-04-19 19:26:04 +02:00
thibault.dewailly
b2d3ed937e Corrected script names, added License, Completed README and corrected bug with too long logger messages 2016-04-19 09:31:01 +02:00
thibault.dewailly
b1b96cf4e3 log format correction, loglevel defaults to info 2016-04-18 14:01:03 +02:00
thibault.dewailly
e79a03095c All configuration defaults to disabled README updated 2016-04-18 13:19:46 +02:00
thibault.dewailly
628fe96666 Fixed disabled features, headers and preparing main script 2016-04-17 23:19:41 +02:00
thibault.dewailly
fa98efc32b Added argument parsing and test checks 2016-04-17 23:10:47 +02:00
thibault.dewailly
fb9bf542a1 13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh 2016-04-16 17:25:48 +02:00
thibault.dewailly
82a7b05a05 10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh 2016-04-15 23:38:48 +02:00
thibault.dewailly
823cd217a0 9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00
thibault.dewailly
d373b6f937 8.2.5_syslog-ng_remote_host.sh 8.2.6_remote_syslog-ng_acl.sh 8.3.1_install_tripwire.sh 2016-04-14 22:47:34 +02:00
thibault.dewailly
f0bff32503 8.2.1_install_syslog-ng.sh 8.2.2_enable_syslog-ng.sh 8.2.3_configure_syslog-ng.sh 8.2.4_set_logfile_perm.sh 2016-04-14 17:55:14 +02:00
thibault.dewailly
0ce0b23dc8 8.1.4_record_date_time_edit.sh 8.1.5_record_user_group_edit.sh 2016-04-14 14:07:00 +02:00
thibault.dewailly
127d3e9124 8.1.1.3_keep_all_audit_logs.sh 8.1.3_audit_bootloader.sh 2016-04-14 13:11:56 +02:00
thibault.dewailly
df51ac5bcb 7.3.1_disable_ipv6_router_advertisement.sh 2016-04-13 17:41:10 +02:00
thibault.dewailly
1843d1a67b 7.1.1_disable_ip_forwarding.sh 7.1.2_disable_send_packet_redirects.sh 2016-04-13 14:54:35 +02:00
thibault.dewailly
bec4ccd7da 6.16_disable_rsync.sh 2016-04-13 14:12:57 +02:00
thibault.dewailly
4d5ccf1f58 6.2_disable_avahi_server.sh 6.3_disable_print_server.sh 6.4_disable_dhcp.sh 6.5_configure_ntp.sh 6.6_diable_ldap.sh 6.7_disable_nfs_rpc.sh 6.8_disable_dns_server.sh 2016-04-12 11:21:36 +02:00
thibault.dewailly
db7b85ceed 4.2_enable_nx_support.sh 4.3_enable_randomized_vm_placement.sh 4.4_disable_prelink.sh 4.5_enable_apparmor.sh 5.1.1_disable_nis.sh 2016-04-11 16:53:57 +02:00
thibault.dewailly
1bacb6c2ff 4.1_restrict_core_dumps.sh 2016-04-11 14:55:42 +02:00
thibault.dewailly
f2a979e24c 3.2_bootloader_permissions.sh 3.3_bootloader_password.sh 2016-04-11 11:38:50 +02:00
thibault.dewailly
d44a8eb440 3.1_bootloader_ownership.sh fix 2016-04-11 08:55:44 +02:00
thibault.dewailly
91d6ba3fdd 3.1_bootloader_ownership.sh 2016-04-07 08:43:37 +02:00
thibault.dewailly
31454e394d 2.25_disable_automounting.sh 2016-04-07 07:46:44 +02:00
thibault.dewailly
a22c47c97d 2.19_disable_freevxfs.sh 2.20_disable_jffs2.sh 2.21_disable_hfs.sh 2.22_disable_hfsplus.sh 2.23_disable_squashfs.sh 2.24_disable_udf.sh 2016-04-07 07:22:04 +02:00
thibault.dewailly
b87e9a6f14 2.18_disable_cramfs.sh 2016-04-07 06:56:14 +02:00
thibault.dewailly
b079798e62 2.2_tmp_nodev.sh 2016-04-04 15:05:10 +02:00
thibault.dewailly
5effa3335e 2.1 Tmp Partition 2016-04-04 13:32:58 +02:00
thibault.dewailly
6aa74d6188 1.1 Install updates 2016-04-04 11:23:03 +02:00
thibault.dewailly
1a41e2f592 skeleton 2016-04-01 16:48:31 +02:00
thibault.dewailly
08da17be24 hardening : building basic configuration 2016-04-01 09:52:39 +02:00
thibault.dewailly
9a5e962cd4 Added basic Configuration files and skeleton scripts 2016-04-01 09:32:17 +02:00
thibault.dewailly
754cf6fd1d Initial Commit Basic folders 2016-04-01 07:50:08 +02:00