P-EB
08aff5d3fc
Update the README to reflect the changes made in PR #204 ( #205 )
2023-09-29 09:21:40 +02:00
P-EB
32886d3a3d
Replace CIS_ROOT_DIR by a more flexible system ( #204 )
...
* Replace CIS_ROOT_DIR by a more flexible system
* Try to adapt the logic change to the functional tests
2023-09-25 14:24:01 +02:00
GoldenKiwi
5370ec2ef6
feat: add nftables to firewall software allow list ( #203 )
...
* feat: add nftables to firewall software allow list
fixes #191
* fix: enhance 3.5.4.1.1_net_fw_default_policy_drop.sh iptables output check, disable associated test
2023-09-07 14:36:08 +02:00
dependabot[bot]
9d3fb18e6b
build(deps): bump actions/checkout from 3 to 4 ( #202 )
...
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-05 17:07:12 +02:00
GoldenKiwi
6e79fcd00a
fix: correct debian version check on 5.2.15 configuration generation ( #199 )
...
fixes #196
2023-09-01 08:34:28 +02:00
GoldenKiwi
27edec6d5f
fix: chore, debug logs print correctly now ( #197 )
2023-08-31 14:40:27 +02:00
GoldenKiwi
f2cc14c383
fix: chore debian manual update ( #198 )
...
* fix: chore debian manual update
fixes #182
* Regenerate man pages (Github action)
---------
Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
2023-08-31 14:34:59 +02:00
dependabot[bot]
46377fc255
build(deps): bump dev-drprasad/delete-tag-and-release ( #184 )
...
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.1 to 1.0.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.1...v1.0.1)
---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-08-30 10:32:29 +02:00
Joseph
a468b29036
fix: added systemd-timesyncd to use_time_sync script ( #189 ) ( #190 )
...
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-08-30 10:28:03 +02:00
JugeHuge
db9ff8a7fd
Update warn messages on 2.2.15_mta_localhost.sh ( #193 )
...
warn messages had the typo netsat; it should be netstat
2023-08-30 10:23:27 +02:00
Stéphane Lesimple
6135c3d0e5
fix: enhance test 99.1.3 speed for large /etc/sudoers.d folders ( #188 )
...
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2023-07-18 17:28:35 +02:00
Tarik Megzari
a6ad528087
feat: Add experimental debian12 functional tests ( #187 )
...
Signed-off-by: Tarik Megzari <tarik.megzari@ovhcloud.com>
Co-authored-by: Tarik Megzari <tarik.megzari@ovhcloud.com>
2023-07-10 10:52:17 +02:00
thibault.dewailly
bc98bedf73
bump to 4.0-1
2023-07-10 07:21:13 +00:00
Stéphane Lesimple
873ef8827d
fix: 99.1.3_acc_sudoers_no_all: fix a race condition ( #186 )
...
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exist first.
2023-07-03 17:05:45 +02:00
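The re-check described in this commit is a time-of-check/time-of-use guard: a listing taken a moment ago is not proof that a file still exists when it is read. The script below is an added illustration written for this page, not debian-cis code; the function names (scan_sudoers_snapshot, demo), the simplified "grants ALL" pattern and the sample sudoers files are all constructed for the example. It takes a snapshot of a temporary sudoers.d, deletes one entry before reading, and shows that the vanished file is reported as informational rather than critical, while a genuine finding still fails the scan.

```shell
#!/bin/sh
# Added example (not debian-cis project code). Demonstrates re-checking that a
# file still exists before treating a failed read as a critical finding, which
# avoids a false alarm when /etc/sudoers.d is rewritten between listing and reading.

# scan_sudoers_snapshot FILE...
# FILE... is the listing taken earlier (the "ls" in the commit message).
# Prints one line per finding; returns 1 if a real finding exists, 0 otherwise.
# A file that disappeared after the listing is skipped instead of being critical.
scan_sudoers_snapshot() {
    rc=0
    for f in "$@"; do
        if ! content=$(cat -- "$f" 2>/dev/null); then
            if [ -e "$f" ]; then
                echo "CRIT: unreadable $f"      # still there, so a real problem
                rc=1
            else
                echo "INFO: $f vanished between listing and reading, skipped"
            fi
            continue
        fi
        # Hypothetical, simplified pattern for "user ALL=(...) ALL" grants;
        # the real check in the project is not reproduced here.
        if printf '%s\n' "$content" | grep -Eq '^[^#]*[[:space:]]ALL[[:space:]]*=.*[[:space:]]ALL$'; then
            echo "CRIT: $f grants ALL"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demo: build a temporary sudoers.d, take the listing, then remove
# one file before the scan reads it, which is exactly the race described above.
demo() {
    d=$(mktemp -d)
    printf 'alice ALL=(root) /usr/bin/systemctl\n' > "$d/10-alice"
    printf 'bob ALL=(ALL) ALL\n'                   > "$d/20-bob"
    printf '# placeholder, removed before reading\n' > "$d/30-ephemeral"
    set -- "$d"/*                 # the snapshot (listing) taken before reading
    rm -- "$d/30-ephemeral"       # automation rewrites the directory
    scan_sudoers_snapshot "$@" && rc=0 || rc=$?
    rm -rf -- "$d"
    return "$rc"
}

demo || echo "scan finished with findings (status $?)"
```

Only the explicit `[ -e "$f" ]` after the failed read separates "deleted meanwhile" from "present but unreadable"; without it both cases look identical to the script and the first one becomes a spurious critical on busy hosts.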
GoldenKiwi
bd27cd0dae
fix: change auditd file rule remediation ( #179 )
...
Fixes #165
2023-05-05 12:32:22 +02:00
GoldenKiwi
f28ffc244c
fix: correct debian package compression override ( #181 )
2023-05-02 18:06:59 +02:00
GoldenKiwi
19ce790a27
fix: ensure mountpoints are properly detected ( #177 )
...
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected.
Add a supplementary check in case of a partition not present in fstab.
2023-05-02 18:01:53 +02:00
GoldenKiwi
47cf86237b
fix: correct search in 5.4.5_default_timeout in apply mode ( #178 )
...
fixes #116
2023-05-02 17:57:35 +02:00
GoldenKiwi
ccd9c1a7aa
fix: force xz compression during .deb build ( #180 )
...
zst compression is only available on Debian 12; since the release is built on Ubuntu latest, this was breaking the release.
Fixes #175
2023-05-02 15:24:32 +02:00
GoldenKiwi
04457e7df2
feat: official Debian 11 compatibility ( #176 )
...
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0
After review, here are the notable changes:
- Harden /var/log more (noexec,nodev,nosuid)
- Harden /var/log/audit more (noexec,nodev,nosuid)
- Harden /home more (nosuid)
- Disable cramfs
- Fix 5.3.4_acc_pam_sha512.sh
- Deprecate Debian 9 and remove useless docker images
NB: more audit log rules have been introduced and will be inserted in the checks later
Fix #158
2023-05-02 14:16:19 +02:00
dependabot[bot]
05521d5961
Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 ( #171 )
...
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.5.0 to 0.7.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.5.0...v0.7.0)
---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-26 10:20:11 +02:00
thibault.dewailly
06525f06f9
bump to 3.8-1
2023-03-23 10:03:37 +00:00
dependabot[bot]
d5c1c63971
Bump luizm/action-sh-checker from 0.4.0 to 0.5.0 ( #161 )
...
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0)
---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-03-23 10:56:12 +01:00
dependabot[bot]
7d93ddeb86
Bump metcalfc/changelog-generator from 3.0.0 to 4.1.0 ( #169 )
...
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 3.0.0 to 4.1.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v3.0.0...v4.1.0)
---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-03-23 10:50:46 +01:00
dependabot[bot]
a35ecab377
Bump dev-drprasad/delete-tag-and-release from 0.2.0 to 0.2.1 ( #170 )
...
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.0...v0.2.1)
---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-23 10:47:09 +01:00
Stéphane Lesimple
dc952b90df
fix: timeout of 99.1.3 ( #168 )
...
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.
Closes #167.
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2022-12-22 09:47:35 +01:00
Tarik Megzari
82a217032d
fix(6.2.9): Start from UID 1000 for home ownership check ( #164 )
...
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes #163
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-09-30 10:28:48 +02:00
ymartin-ovh
e478a89bad
bump to 3.7-1 ( #160 )
2022-07-04 15:37:08 +02:00
ymartin-ovh
371c23cd52
feat: add FIND_IGNORE_NOSUCHFILE_ERR flag ( #159 )
...
This flag can be used to prevent find-related checks from failing because one part of the filesystem disappears (i.e. ephemeral directories or files)
2022-07-04 14:29:25 +02:00
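The behaviour this flag enables, as an added example written for this page rather than the project's own implementation: a wrapper around find that keeps its normal output, drops only the "No such file or directory" errors caused by paths that vanished during the walk, and still fails on any other error so that, for instance, a permission problem is not silently swallowed. The names safe_find and demo_safe_find, the IGNORE argument standing in for the flag, and the temporary directory layout are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not debian-cis project code). Mirrors the idea behind
# FIND_IGNORE_NOSUCHFILE_ERR: tolerate ENOENT from a live filesystem without
# masking every other find error.

# safe_find IGNORE FIND_ARGS...
# IGNORE=1 drops "No such file or directory" errors; anything else that find
# wrote to stderr is re-emitted and the function returns 1.
safe_find() {
    ignore="$1"; shift
    errfile=$(mktemp)
    # LC_ALL=C so the error message is matched in a known language.
    LC_ALL=C find "$@" 2>"$errfile" || true
    if [ "$ignore" = "1" ]; then
        grep -v 'No such file or directory' "$errfile" > "$errfile.rest" || true
    else
        cp "$errfile" "$errfile.rest"
    fi
    rc=0
    if [ -s "$errfile.rest" ]; then
        cat "$errfile.rest" >&2
        rc=1
    fi
    rm -f "$errfile" "$errfile.rest"
    return "$rc"
}

# Constructed demo: one starting point exists, the other is a directory that
# "disappeared" before find reached it (it is simply never created).
# usage: demo_safe_find IGNORE
demo_safe_find() {
    d=$(mktemp -d)
    touch "$d/present"
    safe_find "$1" "$d/present" "$d/gone" -type f && rc=0 || rc=$?
    rm -rf -- "$d"
    return "$rc"
}

echo "with the flag:";    demo_safe_find 1 || echo "status $?"
echo "without the flag:"; demo_safe_find 0 || echo "status $?"
```

The filter is deliberately narrow: a check that hides all of find's stderr would also hide unreadable directories, which is precisely the kind of condition a hardening audit is supposed to notice.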
Tarik Megzari
ea8334d516
bump to 3.6-1 ( #157 )
...
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-06-27 12:13:01 +02:00
dependabot[bot]
987bb9c975
Bump luizm/action-sh-checker from 0.3.0 to 0.4.0 ( #154 )
...
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.3.0...v0.4.0)
---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-26 16:58:46 +02:00
dependabot[bot]
3031bb55d1
Bump actions-ecosystem/action-get-latest-tag from 1.5.0 to 1.6.0 ( #153 )
...
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.5.0...v1.6.0)
---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-06-24 17:55:26 +02:00
ymartin-ovh
66ccc6316a
feat: Filter the filesystem to check when the list is built. ( #156 )
...
* feat: Attempt to filter out filesystems that match the exclusion regex.
2022-06-24 17:45:47 +02:00
Tarik Megzari
7a3145d7f1
bump to 3.5-1 ( #152 )
...
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-03-23 18:40:25 +01:00
GoldenKiwi
5c072668d5
fix: add 10s wait timeout on iptables command ( #151 )
...
When the tested server has its iptables heavily manipulated (e.g. Kubernetes),
the lock acquirement can sometimes fail, hence generating false positives.
The command will retry 10 times with a 1 second interval.
2022-03-23 16:56:38 +01:00
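An added example of the retry pattern this commit describes, written for this page and not taken from the project: a wrapper that re-runs a command only when it failed because a lock was busy, and returns any other failure immediately so that a genuinely broken firewall query is not hidden behind retries. iptables exits with status 4 ("resource problem") when another process holds the xtables lock, and recent versions can wait for it themselves with `iptables -w <seconds>`; the example uses a constructed stand-in command instead of iptables so it runs without root, and the names run_with_retry, fake_iptables, demo_lock_retry and LOCK_EXIT_CODE are assumptions of the example.

```shell
#!/bin/sh
# Added example (not debian-cis project code). Bounded retry on a "lock busy"
# exit status; every other status is passed straight through.

LOCK_EXIT_CODE=4   # iptables' status when it cannot take the xtables lock

# run_with_retry MAX_TRIES INTERVAL_SECONDS COMMAND [ARGS...]
# Returns the command's final status. Only LOCK_EXIT_CODE triggers a retry.
run_with_retry() {
    max="$1"; interval="$2"; shift 2
    try=1
    while :; do
        "$@" && rc=0 || rc=$?
        if [ "$rc" -ne "$LOCK_EXIT_CODE" ]; then
            return "$rc"            # success, or an error retrying cannot fix
        fi
        if [ "$try" -ge "$max" ]; then
            return "$rc"            # give up, report the lock failure honestly
        fi
        try=$((try + 1))
        sleep "$interval"
    done
}

# Constructed stand-in for "iptables -L": reports the lock as busy until the
# attempt counter (kept in a temp file) reaches FAKE_BUSY_UNTIL.
FAKE_COUNTER=$(mktemp)
trap 'rm -f "$FAKE_COUNTER"' EXIT
fake_iptables() {
    n=$(cat "$FAKE_COUNTER" 2>/dev/null || echo 0)
    n=$((n + 1)); printf '%s' "$n" > "$FAKE_COUNTER"
    if [ "$n" -ge "$FAKE_BUSY_UNTIL" ]; then
        echo "Chain INPUT (policy DROP)"
        return 0
    fi
    echo "Another app is currently holding the xtables lock." >&2
    return 4
}

# demo_lock_retry BUSY_UNTIL MAX_TRIES
# Resets the counter and runs the stand-in through the wrapper (0 s interval
# so the demo is quick; a real check would use something like 1 s).
demo_lock_retry() {
    printf '0' > "$FAKE_COUNTER"
    FAKE_BUSY_UNTIL="$1"
    run_with_retry "$2" 0 fake_iptables
}

demo_lock_retry 3 10 || echo "gave up with status $?"
```

Retrying every non-zero status would be the wrong fix: a syntax error or a missing binary also fails, and those should surface on the first attempt rather than after ten identical ones.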
GoldenKiwi
d1bd1eb2e7
bump to 3.4-1 ( #150 )
2022-03-18 16:49:25 +01:00
GoldenKiwi
ad5c71c3ce
fix: allow passwd-, group- and shadow- debian default permissions ( #149 )
2022-03-18 16:41:49 +01:00
dependabot[bot]
33964c0a3d
Bump EndBug/add-and-commit from 8.0.2 to 9 ( #148 )
...
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 8.0.2 to 9.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v8.0.2...v9)
---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-14 15:36:48 +01:00
Tarik Megzari
8320d0eecc
CI: Fix release action ( #147 )
...
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-03-03 12:02:12 +01:00
Tarik Megzari
a0d33ab158
Update changelog for release 3.3-1 ( #146 )
...
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-03-03 10:26:42 +01:00
Jan Schmidle
a6a22084e1
missing shadowtools backup files are ok ( #132 )
...
* missing shadowtools backup files are ok
* update corresponding test cases
2022-03-02 18:05:37 +01:00
Tarik Megzari
b962155a3c
fix: Avoid find failures on too many files ( #144 )
...
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2022-03-02 17:49:28 +01:00
dependabot[bot]
20bf51f65b
Bump actions/checkout from 2 to 3 ( #145 )
...
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-02 00:14:50 +01:00
dependabot[bot]
adfe28470a
Bump metcalfc/changelog-generator from 1.0.0 to 3.0.0 ( #133 )
...
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 1.0.0 to 3.0.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v1.0.0...v3.0.0)
---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-01 23:48:57 +01:00
dependabot[bot]
c94ee10afe
Bump EndBug/add-and-commit from 7 to 8.0.2 ( #142 )
...
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 7 to 8.0.2.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v7...v8.0.2)
---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-01 20:39:39 +01:00
dependabot[bot]
453a72b8c8
Bump actions-ecosystem/action-get-latest-tag from 1.4.1 to 1.5.0 ( #143 )
...
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.4.1 to 1.5.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.4.1...v1.5.0)
---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-01 20:28:33 +01:00
Tarik Megzari
bb03764918
fix: Catch unexpected failures ( #140 )
...
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-01-31 15:38:38 +01:00
Tarik Megzari
17d272420a
feat: Dissociate iptables pkg name from command ( #137 )
...
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2021-12-27 15:40:55 +01:00
Tarik Megzari
f1c1517bd2
Update changelog for release 3.2-2 ( #135 )
...
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2021-12-13 16:06:57 +01:00
tdenof
1341622335
Fix empty fstab test ( #134 )
...
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: Thibault Dewailly <thibault.dewailly@corp.ovh.com>
2021-12-08 08:42:22 +01:00