Commit Graph

120 Commits

Author SHA1 Message Date
Charles Herlin
0d3c8ec654 IMP(9.3.2): Add custom configuration management
Add create_config to allow user to customize their conf

Improve tests
Apply shellcheck recommendations
2019-02-22 17:29:56 +01:00
Charles Herlin
3d0b49a4f9 IMP(13.13): Add exceptions for home directories not owned by owner
Fill tests

Apply shellcheck recommendations
2019-02-22 17:29:56 +01:00
Charles Herlin
da6acb0b0c IMP(8.2.5): find multiline pattern in files (syslog)
Add func to find pattern in file that spreads over multiple lines
The func will remove commented lines (that begin with '#')
and consider the file as one long line.
Thus, this is not possible to look for pattern at beginning of line
with this func ('^' and '$')

Improved pattern in 8.2.5

Add syslog-ng to installed dependencies in Dockerfiles

Fixed multifile arguments when looking for pattern that got broken
in d2bbf754 due to "nocase" and _does_pattern_exist_in_file wrapper
Please note that you can only look for pattern in ONE FILE at once
Fixed 8.2.5 and 8.3.2 with for loop on files and 'FOUND' flag
You now need to specify each and every file to look for or embed a
'find' command as follow :
`FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find $SYSLOG_BASEDIR/conf.d/)"`

Improved test files
Applied shellcheck recommendations
2019-02-22 17:29:56 +01:00
Charles Herlin
4e1d897a64 IMP(2.1x): Retrieve actual partition when symlink
Add function to retrieve actual partition from symlink in lib/utils.sh
Using this func in all 3 audit scripts

Improved tests to test this func

Apply shellcheck recommendations
Trim trailing spaces
2019-02-22 17:29:56 +01:00
kevin.tanguy
52ad81a981 FIX CONFIG_AUDIT test 2019-02-21 14:27:38 +01:00
Charles Herlin
f2ae6cc24a FIX(99.2): add missing $SUDO_CMD 2019-02-15 16:56:54 +01:00
Charles Herlin
5f2803693e Change default status to audit for file with custom create_config 2019-02-14 14:33:21 +01:00
Charles Herlin
7ad0df963c IMP: enhance scripts that check duplicate UID
Add exception handling in 13.14_check_duplicate_uid
Clarifies output message and explicitly displays found exceptions
Add tests
Apply shellcheck recommendation

modified:   bin/hardening/13.14_check_duplicate_uid.sh
modified:   bin/hardening/13.5_find_0_uid_non_root_account.sh
new file:   tests/hardening/13.14_check_duplicate_uid.sh
new file:   tests/hardening/13.5_find_0_uid_non_root_account.sh
2019-02-14 12:21:10 +01:00
Charles Herlin
7e3ee2eb93 FIX: usage if no RUN_MODE, fix only that used to run too many checks
If no RUN_MODE passed as arguments, display usage and exits

Fix --only option to run only specific check
Found bug that used to run 2.2 and 2.24 when launching --only 2.24
2019-02-13 17:17:06 +01:00
Charles Herlin
d2bbf754ac Migrate generic checks from secaudit to cis-hardening
new file:   99.3.1_acc_shadow_sha512.sh
new file:   99.3.2_acc_sudoers_no_all.sh
new file:   99.4_net_fw_default_policy_drop.sh
new file:   99.5.1_ssh_auth_pubk_only.sh
new file:   99.5.2.1_ssh_cry_kex.sh
new file:   99.5.2.2_ssh_cry_mac.sh
new file:   99.5.2.3_ssh_cry_rekey.sh
new file:   99.5.3_ssh_disable_features.sh
new file:   99.5.4_ssh_keys_from.sh
new file:   99.5.5_ssh_strict_modes.sh
new file:   99.5.6_ssh_sys_accept_env.sh
new file:   99.5.7_ssh_sys_no_legacy.sh
new file:   99.5.8_ssh_sys_sandbox.sh
new file:   99.5.9_ssh_log_level.sh

Fix descriptions in comment section for 99.* secaudit checks

Remove duplicated legacy services that are already taken care of by vanilla cis

Enable custom configuration of checks in config-file, no more hard coded conf
Add test to disable check if debian version is too old
Add excused IPs while checking "from" field of authorized_keys
Escaping dots in IPs
Manage Kex for different debian versions
Add tests for generic checks and add apply for ssh config
Apply shellcheck recommendations on audit/hardening scripts
Update script to check for allowed IPs only, remove bastion related
Fill `apply` func for ssh config related scripts
Add and update tests scenarii

Disable shellcheck test for external source 1091

As of today, the entire project is not shellcheck compliant, I prefer
disabling the test that warns about not finding external source (that
arent compliant). I will enable it again when the project library will
be shellchecked
https://github.com/koalaman/shellcheck/wiki/SC1091

Refactor password policy check with one check by feature

Previous file will now only look for bad passwords in /etc/shadow
I added two checks that look for the compliant configuration lines in
conf files /etc/logins.defs and /etc/pam.d/common-passwords

FIX: merge chained sed and fix regex

FIX: update regex to capture more output
FIX: fix pattern to ignore commented lines, add apply

Also add tests to ensure that commented lines are not detected as valid
configuration

CHORE: cleanup test situation with file and users removal
IMP: add case insensitive option when looking for patterns in files
CHORE: removed duplicated line in test file
2019-02-11 18:05:03 +01:00
Charles Herlin
7690b57ea9 FIX: add becho to send batch output to syslog too
becho stands for batch echo
formats the log line for syslog

Also logs audit summary into syslog (in batch mode only)
2019-02-07 11:41:12 +01:00
Charles Herlin
25eb91c411 Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00
Charles Herlin
bfbd410b19 FIX: quotes in find command, misinterpreted shellcheck advice 2019-01-23 16:55:48 +01:00
Charles Herlin
ec6b79e3c7 FEAT: Add sudo_wrapper to catch unauthorized sudo commands
As for now, if a sudo command was not allowed, check might sometimes
pass, resulting compliant state even if it actually is not.
Sudo wrapper first checks wether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant

Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command

Fixed quotes and curly braces with shellcheck report
2019-01-23 15:56:27 +01:00
Charles Herlin
001323f448 FIX: sed that was too greedy
Used to sed 's!/usr/bin/su!!' /usr/bin/sudo leaving only "do"
that lead to misinterpreting result

Change algorithm to avoid partial sed in the result list
Now the not compliant list is built out of the find results
instead of items being removed from them.
Allow better control of grep inside this list.

Chore: apply shellcheck recommendations
2019-01-23 13:49:29 +01:00
Charles Herlin
ed0c07d319 Add missing /usr/bin/su 2019-01-21 17:27:09 +01:00
Charles Herlin
03b6f1857a FIX: add /usr/bin/* path for suid/guid allowed binaries
Debian is still migrating /bin to /usr/bin so I added both path to the
allowed ones

 * mount
 * umount
 * ping
 * ping6
 * unix_chkpwd
2019-01-21 17:27:09 +01:00
Charles Herlin
106412149d Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh

Change summary to make it oneliner when batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
2019-01-21 17:20:18 +01:00
Charles Herlin
91642474f7 Change from CIS reco and only warn (no crit) if logfile does not exist 2019-01-21 17:20:00 +01:00
Charles Herlin
843ce3efc3 Improve --only option to perform only specified test and no other lookalike test number
Before modification "--only 8.2.1" performed tests 8.2.1 and 2.1
2018-03-28 14:36:17 +02:00
Charles Herlin
d60922ab9d Redirect stderr to avoid printing "no such file" error 2018-03-19 18:06:47 +01:00
Charles Herlin
39246bc175 resolve #SOC-30 Also check /etc/security/limits.d/ for core dump limit 2018-03-15 09:50:05 +01:00
Charles Herlin
47857774b4 Fix SOC-28, add test if file exist, if not issue error 2018-03-14 14:04:02 +01:00
Charles Herlin
b41df080cf Add sudo management in main and utils
* perform readonly checks as a regular user
    * sudo -n is used for checks requiring root privileges
    * increase accountability by providing log of individual access to sensitive files
2018-03-13 10:38:25 +01:00
Thibault Dewailly
321063fe7c Merge pull request #31 in IAAS/cis-hardening from dev/cherlin/update-cis-scripts to master
* commit 'f97fbb47f701fd81a6dcdabb1d2e961943386eb5':
  Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
2017-12-05 11:38:15 +01:00
Charles Herlin
5b11b1628a Expand tabs to 4 spaces and trim trailing spaces 2017-11-17 15:13:27 +01:00
Charles Herlin
f97fbb47f7 Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers 2017-11-10 14:48:51 +01:00
Charles Herlin
725aaa39e5 Remove unnecessary CIS_ROOT_DIR empty assignation 2017-10-25 17:44:56 +02:00
Charles Herlin
cbfd04272b Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00
Charles Herlin
c70d6120f8 Changing CIS_ROOT_DIR management in env in bin/hardening.sh 2017-10-25 14:48:54 +02:00
Thibault Dewailly
b6aba4cc88 Merge pull request #12 from speed47/dev/enhancements
Hardening Classification
subs enhancements as well as bug fixes
2017-09-28 13:22:59 +02:00
Stéphane Lesimple
dfaf4c2093 add hardening templating and several enhancements 2017-06-13 18:30:29 +02:00
thibault.dewailly
a4dc5bdaf5 No more wildcards in file list to be more resilient 2017-06-13 15:36:06 +02:00
Jérôme Le Gal
4c2107cbea [10.1.3] set the good value for $OPTIONS 2017-05-03 23:08:48 +02:00
thibault.dewailly
0f11b08ffb [Debian 8] Fixed comments for debian 8 compliance 2017-03-14 15:42:08 +01:00
thibault.dewailly
717a794e45 [10.2] Fixed result parsing in case of spaces in passwd list 2017-03-10 17:26:55 +01:00
Matthieu Destrez
1e47226bd4
fixed option name in 9.3.9_disable_sshd_permitemptypasswords.sh, was PermitRootLogin instead of PermitEmptyPassword 2016-06-29 15:12:21 +02:00
thibault.dewailly
3b9718239d tripwire : fixed typo on postinstall helper 2016-05-02 11:11:07 +02:00
thibault.dewailly
59e3008b4c fix 99.1 Apply TMOUT Variable 2016-05-02 10:45:32 +02:00
kevin.tanguy
8bbac84f7b debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-26 14:02:17 +02:00
thibault.dewailly
c1a45d1df1 Fixed 6.15 netstat analysis 2016-04-22 17:23:21 +02:00
Thibault Dewailly
50a502dd32 Merge pull request #4 from jedisct1/valuemsg
Rephrase confusing messages
2016-04-22 08:40:14 +02:00
thibault.dewailly
7e951c020a Fixed default file error handling and quickstart 2016-04-22 08:34:28 +02:00
thibault.dewailly
516b4dc7f9 Fixed point 9.1.8 cron rights as a chmod 600 disabled the cron.allow features (file must be world readable) 2016-04-21 18:56:10 +02:00
Frank Denis
ccd40f4369 Rephrase confusing messages 2016-04-21 18:32:36 +02:00
thibault.dewailly
799b3b5145 Fixed 8.2.4 check file exists before testing rights 2016-04-20 18:06:08 +02:00
thibault.dewailly
c5b4aa220d Added exit code to CIS_ROOT_DIR test def, optimized sed and sort 2016-04-20 18:06:08 +02:00
Stéphane Lesimple
55f9cae65c add --audit-all-enable-passed, add info in README and help 2016-04-20 18:06:08 +02:00
Stéphane Lesimple
76811c8a7f add --audit-all option 2016-04-20 18:06:08 +02:00
thibault.dewailly
a7f418d8a2 Corrected script names, added License, Completed README and corrected bug with too long logger messages 2016-04-19 13:51:28 +02:00