debian-cis

mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 05:27:01 +01:00

Author	SHA1	Message	Date
thibault.dewailly	0f59f73297	bump to 4.1.2	2023-10-02 13:17:31 +00:00
GoldenKiwi	f888ce0d39	fix: root_dir is still /opt/cis-hardening for the moment (#208 )	2023-10-02 14:50:52 +02:00
thibault.dewailly	f6aa306127	bump to 4.1.1	2023-09-29 14:38:52 +00:00
GoldenKiwi	ceea343ad9	fix: debian12 functional test pass is now mandatory (#207 )	2023-09-29 16:34:25 +02:00
GoldenKiwi	2e53dfb573	feat: Officialize Debian 12 support (#206 ) * feat: Officialize Debian 12 support Functional tests now pass CIS Benchmark PDF for Debian 12 is not out yet, but the hardening points checked are still relevant in Debian 12. OVHcloud is now using it in critical production, hence making it officially supported --------- Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>	2023-09-29 16:20:34 +02:00
P-EB	08aff5d3fc	Update the README to reflect on changes made in PR#204 (#205 )	2023-09-29 09:21:40 +02:00
P-EB	32886d3a3d	Replace CIS_ROOT_DIR by a more flexible system (#204 ) * Replace CIS_ROOT_DIR by a more flexible system * Try to adapt the logic change to the functional tests	2023-09-25 14:24:01 +02:00
GoldenKiwi	5370ec2ef6	feat: add nftables to firewall software allow list (#203 ) * feat: add nftables to firewall software allow list fixes #191 * fix: enhance 3.5.4.1.1_net_fw_default_policy_drop.sh iptables output check, disable associated test	2023-09-07 14:36:08 +02:00
dependabot[bot]	9d3fb18e6b	build(deps): bump actions/checkout from 3 to 4 (#202 ) Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-09-05 17:07:12 +02:00
GoldenKiwi	6e79fcd00a	fix: correct debian version check on 5.2.15 configuration generation (#199 ) fixes #196	2023-09-01 08:34:28 +02:00
GoldenKiwi	27edec6d5f	fix: chore, debug logs print correctly now (#197 )	2023-08-31 14:40:27 +02:00
GoldenKiwi	f2cc14c383	fix: chore debian manual update (#198 ) * fix: chore debian manual update fixes #182 * Regenerate man pages (Github action) --------- Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>	2023-08-31 14:34:59 +02:00
dependabot[bot]	46377fc255	build(deps): bump dev-drprasad/delete-tag-and-release (#184 ) Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.1 to 1.0.1. - [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases) - [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.1...v1.0.1) --- updated-dependencies: - dependency-name: dev-drprasad/delete-tag-and-release dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2023-08-30 10:32:29 +02:00
Joseph	a468b29036	fix: added `systemd-timesyncd` to use_time_sync script (#189 ) (#190 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2023-08-30 10:28:03 +02:00
JugeHuge	db9ff8a7fd	Update warn messages on 2.2.15_mta_localhost.sh (#193 ) warn messages had typo netsat as it should be netstat	2023-08-30 10:23:27 +02:00
Stéphane Lesimple	6135c3d0e5	fix: enhance test 99.1.3 speed for large /etc/sudoers.d folders (#188 ) Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>	2023-07-18 17:28:35 +02:00
Tarik Megzari	a6ad528087	feat: Add experimental debian12 functionnal tests (#187 ) Signed-off-by: Tarik Megzari <tarik.megzari@ovhcloud.com> Co-authored-by: Tarik Megzari <tarik.megzari@ovhcloud.com>	2023-07-10 10:52:17 +02:00
thibault.dewailly	bc98bedf73	bump to 4.0-1	2023-07-10 07:21:13 +00:00
Stéphane Lesimple	873ef8827d	fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186 ) On systems where /etc/sudoers.d might be updated often by some automated means, this check might raise a critical when a previously present file (during the ls) is no longer present (during its attempted read), so before raising a critical, re-check that it does exists first.	2023-07-03 17:05:45 +02:00
GoldenKiwi	bd27cd0dae	fix: change auditd file rule remediation (#179 ) Fixes #165	2023-05-05 12:32:22 +02:00
GoldenKiwi	f28ffc244c	fix: correct debian package compression override (#181 )	2023-05-02 18:06:59 +02:00
GoldenKiwi	19ce790a27	fix: ensure mountpoints are properly detected (#177 ) Fixes #155 When real entries are present in fstab, system startup or runtime mountpoints are now properly detected Add a supplementary check in case of partition not present in fstab	2023-05-02 18:01:53 +02:00
GoldenKiwi	47cf86237b	fix: correct search in 5.4.5_default_timeout in apply mode (#178 ) fixes #116	2023-05-02 17:57:35 +02:00
GoldenKiwi	ccd9c1a7aa	fix: force xz compression during .deb build (#180 ) zst compression is only available on Debian 12, since the release is built on Ubuntu latest, this was breaking release. Fixes #175	2023-05-02 15:24:32 +02:00
GoldenKiwi	04457e7df2	feat: official Debian 11 compatibility (#176 ) Introduce Debian 11 compatibility Based on CIS_Debian_Linux_11_Benchmark_v1.0.0 After review, here are the notable changes : - Harden /var/log more (noexec,nodev,nosuid) - Harden /var/log/audit more (noexec,nodev,nosuid) - Harden /home more (nosuid) - Disable cramfs - Fix 5.3.4_acc_pam_sha512.sh - Deprecate Debian 9 and remove useless docker images NB : more audit log rules have been introduced and will be inserted in the checks later Fix #158	2023-05-02 14:16:19 +02:00
dependabot[bot]	05521d5961	Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.5.0 to 0.7.0. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.5.0...v0.7.0) --- updated-dependencies: - dependency-name: luizm/action-sh-checker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-04-26 10:20:11 +02:00
thibault.dewailly	06525f06f9	bump to 3.8-1	2023-03-23 10:03:37 +00:00
dependabot[bot]	d5c1c63971	Bump luizm/action-sh-checker from 0.4.0 to 0.5.0 (#161 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: luizm/action-sh-checker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2023-03-23 10:56:12 +01:00
dependabot[bot]	7d93ddeb86	Bump metcalfc/changelog-generator from 3.0.0 to 4.1.0 (#169 ) Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 3.0.0 to 4.1.0. - [Release notes](https://github.com/metcalfc/changelog-generator/releases) - [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png) - [Commits](https://github.com/metcalfc/changelog-generator/compare/v3.0.0...v4.1.0) --- updated-dependencies: - dependency-name: metcalfc/changelog-generator dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2023-03-23 10:50:46 +01:00
dependabot[bot]	a35ecab377	Bump dev-drprasad/delete-tag-and-release from 0.2.0 to 0.2.1 (#170 ) Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases) - [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.0...v0.2.1) --- updated-dependencies: - dependency-name: dev-drprasad/delete-tag-and-release dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-03-23 10:47:09 +01:00
Stéphane Lesimple	dc952b90df	fix: timeout of 99.1.3 (#168 ) The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout on servers where /etc/sudoers.d/ has thousands of files. This patch makes it run roughly 5x faster, as tested on a server with 1500 files in sudoers.d/. Closes #167. Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com> Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>	2022-12-22 09:47:35 +01:00
Tarik Megzari	82a217032d	fix(6.2.9): Start from UID 1000 for home ownership check (#164 ) Rename 6.2.3 and 6.2.9 checks to be more accurate Remove home existence check from 6.2.9 as it's handled by 6.2.3 Update tests accordingly Fixes #163 Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-09-30 10:28:48 +02:00
ymartin-ovh	e478a89bad	bump to 3.7-1 (#160 )	2022-07-04 15:37:08 +02:00
ymartin-ovh	371c23cd52	feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159 ) This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)	2022-07-04 14:29:25 +02:00
Tarik Megzari	ea8334d516	bump to 3.6-1 (#157 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-06-27 12:13:01 +02:00
dependabot[bot]	987bb9c975	Bump luizm/action-sh-checker from 0.3.0 to 0.4.0 (#154 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.3.0 to 0.4.0. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.3.0...v0.4.0) --- updated-dependencies: - dependency-name: luizm/action-sh-checker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-06-26 16:58:46 +02:00
dependabot[bot]	3031bb55d1	Bump actions-ecosystem/action-get-latest-tag from 1.5.0 to 1.6.0 (#153 ) Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases) - [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: actions-ecosystem/action-get-latest-tag dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-06-24 17:55:26 +02:00
ymartin-ovh	66ccc6316a	feat: Filter the filesystem to check when the list is built. (#156 ) * feat: Attempt to filter-out filesystem that match exclusion regex.	2022-06-24 17:45:47 +02:00
Tarik Megzari	7a3145d7f1	bump to 3.5-1 (#152 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-03-23 18:40:25 +01:00
GoldenKiwi	5c072668d5	fix: add 10s wait timeout on iptables command (#151 ) When the tested server has its iptables heavily manipulated (e.g Kubernetes) The lock aquirement can sometimes fail, hence generating false positives The command will retry 10 times with a 1 second interval	2022-03-23 16:56:38 +01:00
GoldenKiwi	d1bd1eb2e7	bump to 3.4-1 (#150 )	2022-03-18 16:49:25 +01:00
GoldenKiwi	ad5c71c3ce	fix: allow passwd-, group- and shadow- debian default permissions (#149 )	2022-03-18 16:41:49 +01:00
dependabot[bot]	33964c0a3d	Bump EndBug/add-and-commit from 8.0.2 to 9 (#148 ) Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 8.0.2 to 9. - [Release notes](https://github.com/EndBug/add-and-commit/releases) - [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md) - [Commits](https://github.com/EndBug/add-and-commit/compare/v8.0.2...v9) --- updated-dependencies: - dependency-name: EndBug/add-and-commit dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-14 15:36:48 +01:00
Tarik Megzari	8320d0eecc	CI: Fix release action (#147 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-03-03 12:02:12 +01:00
Tarik Megzari	a0d33ab158	Update changelog for release 3.3-1 (#146 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-03-03 10:26:42 +01:00
Jan Schmidle	a6a22084e1	missing shadowtools backup files is ok (#132 ) * missing shadowtools backup files is ok * update corresponding test cases	2022-03-02 18:05:37 +01:00
Tarik Megzari	b962155a3c	fix: Avoid find failures on too many files (#144 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2022-03-02 17:49:28 +01:00
dependabot[bot]	20bf51f65b	Bump actions/checkout from 2 to 3 (#145 ) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-02 00:14:50 +01:00
dependabot[bot]	adfe28470a	Bump metcalfc/changelog-generator from 1.0.0 to 3.0.0 (#133 ) Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 1.0.0 to 3.0.0. - [Release notes](https://github.com/metcalfc/changelog-generator/releases) - [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png) - [Commits](https://github.com/metcalfc/changelog-generator/compare/v1.0.0...v3.0.0) --- updated-dependencies: - dependency-name: metcalfc/changelog-generator dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-01 23:48:57 +01:00
dependabot[bot]	c94ee10afe	Bump EndBug/add-and-commit from 7 to 8.0.2 (#142 ) Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 7 to 8.0.2. - [Release notes](https://github.com/EndBug/add-and-commit/releases) - [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md) - [Commits](https://github.com/EndBug/add-and-commit/compare/v7...v8.0.2) --- updated-dependencies: - dependency-name: EndBug/add-and-commit dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-01 20:39:39 +01:00

1 2 3 4 5 ...

536 Commits