Commit Graph

96 Commits

Author SHA1 Message Date
Charles Herlin
106412149d Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh

Change summary to make it oneliner when batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
2019-01-21 17:20:18 +01:00
Charles Herlin
91642474f7 Change from CIS reco and only warn (no crit) if logfile does not exist 2019-01-21 17:20:00 +01:00
Charles Herlin
d60922ab9d Redirect stderr to avoid printing "no such file" error 2018-03-19 18:06:47 +01:00
Charles Herlin
39246bc175 resolve #SOC-30 Also check /etc/security/limits.d/ for core dump limit 2018-03-15 09:50:05 +01:00
Charles Herlin
47857774b4 Fix SOC-28, add test if file exists, if not issue error 2018-03-14 14:04:02 +01:00
Charles Herlin
b41df080cf Add sudo management in main and utils
    * perform readonly checks as a regular user
    * sudo -n is used for checks requiring root privileges
    * increase accountability by providing log of individual access to sensitive files
2018-03-13 10:38:25 +01:00
Thibault Dewailly
321063fe7c Merge pull request #31 in IAAS/cis-hardening from dev/cherlin/update-cis-scripts to master
* commit 'f97fbb47f701fd81a6dcdabb1d2e961943386eb5':
  Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
2017-12-05 11:38:15 +01:00
Charles Herlin
5b11b1628a Expand tabs to 4 spaces and trim trailing spaces 2017-11-17 15:13:27 +01:00
Charles Herlin
f97fbb47f7 Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers 2017-11-10 14:48:51 +01:00
Charles Herlin
cbfd04272b Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00
Thibault Dewailly
b6aba4cc88 Merge pull request #12 from speed47/dev/enhancements
Hardening Classification
subs enhancements as well as bug fixes
2017-09-28 13:22:59 +02:00
Stéphane Lesimple
dfaf4c2093 add hardening templating and several enhancements 2017-06-13 18:30:29 +02:00
thibault.dewailly
a4dc5bdaf5 No more wildcards in file list to be more resilient 2017-06-13 15:36:06 +02:00
Jérôme Le Gal
4c2107cbea [10.1.3] set the good value for $OPTIONS 2017-05-03 23:08:48 +02:00
thibault.dewailly
0f11b08ffb [Debian 8] Fixed comments for debian 8 compliance 2017-03-14 15:42:08 +01:00
thibault.dewailly
717a794e45 [10.2] Fixed result parsing in case of spaces in passwd list 2017-03-10 17:26:55 +01:00
Matthieu Destrez
1e47226bd4 fixed option name in 9.3.9_disable_sshd_permitemptypasswords.sh, was PermitRootLogin instead of PermitEmptyPassword 2016-06-29 15:12:21 +02:00
thibault.dewailly
59e3008b4c fix 99.1 Apply TMOUT Variable 2016-05-02 10:45:32 +02:00
kevin.tanguy
8bbac84f7b debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-26 14:02:17 +02:00
thibault.dewailly
c1a45d1df1 Fixed 6.15 netstat analysis 2016-04-22 17:23:21 +02:00
Thibault Dewailly
50a502dd32 Merge pull request #4 from jedisct1/valuemsg
Rephrase confusing messages
2016-04-22 08:40:14 +02:00
thibault.dewailly
7e951c020a Fixed default file error handling and quickstart 2016-04-22 08:34:28 +02:00
thibault.dewailly
516b4dc7f9 Fixed point 9.1.8 cron rights as a chmod 600 disabled the cron.allow features (file must be world readable) 2016-04-21 18:56:10 +02:00
Frank Denis
ccd40f4369 Rephrase confusing messages 2016-04-21 18:32:36 +02:00
thibault.dewailly
799b3b5145 Fixed 8.2.4 check file exists before testing rights 2016-04-20 18:06:08 +02:00
thibault.dewailly
c5b4aa220d Added exit code to CIS_ROOT_DIR test def, optimized sed and sort 2016-04-20 18:06:08 +02:00
thibault.dewailly
a7f418d8a2 Corrected script names, added License, Completed README and corrected bug with too long logger messages 2016-04-19 13:51:28 +02:00
thibault.dewailly
e9487bfb04 Corrected default file path 2016-04-18 17:39:14 +02:00
thibault.dewailly
091eec57ee All configuration defaults to disabled README updated 2016-04-18 13:25:09 +02:00
thibault.dewailly
57121f116c 99.1_timeout_tty.sh 99.2_disable_usb_devices.sh 2016-04-18 11:16:05 +02:00
thibault.dewailly
756fce8c2e Fixed disabled features, headers and preparing main script 2016-04-17 23:19:41 +02:00
thibault.dewailly
ef14c475fe Added argument parsing and test checks 2016-04-17 23:10:47 +02:00
thibault.dewailly
e1337d76df 13.16_check_duplicate_username.sh 13.17_check_duplicate_groupname.sh 13.18_find_user_netrc_files.sh 13.19_find_user_forward_files.sh 13.20_shadow_group_empty.sh 2016-04-17 22:30:20 +02:00
thibault.dewailly
aad764bb1b 13.14_check_duplicate_uid.sh 13.15_check_duplicate_gid.sh^C 2016-04-17 19:53:47 +02:00
thibault.dewailly
a38aa6f039 13.12_users_valid_homedir.sh 13.11_find_passwd_group_inconsistencies.sh 13.13_check_user_homedir_ownership.sh 2016-04-17 18:58:25 +02:00
thibault.dewailly
fbba59cc67 13.10_find_user_rhosts_files.sh 2016-04-16 18:55:44 +02:00
thibault.dewailly
83cd95756d 13.8_check_user_dot_file_perm.sh 13.9_set_perm_on_user_netrc.sh 2016-04-16 18:32:09 +02:00
thibault.dewailly
f82a438246 13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00
thibault.dewailly
b24a415dce 13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh 2016-04-16 17:25:48 +02:00
thibault.dewailly
dbc24bb8d7 13.1_remove_empry_password_field.sh 2016-04-16 15:10:14 +02:00
thibault.dewailly
fffd9842d6 12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00
thibault.dewailly
d241ae57f9 12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00
thibault.dewailly
da30fa0b48 10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh 2016-04-15 23:38:48 +02:00
thibault.dewailly
dd9fac10d9 10.1.1_set_password_exp_days.sh 10.1.2_set_password_min_days_change.sh 10.1.3_set_password_exp_warning_days.sh 10.2_disable_system_accounts.sh 10.3_default_root_group.sh 10.4_default_umask.sh 9.4_secure_tty.sh 9.5_restrict_su.sh 2016-04-15 19:29:26 +02:00
thibault.dewailly
9451842e84 9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00
thibault.dewailly
682d94bf9c 9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh 2016-04-15 10:18:23 +02:00
thibault.dewailly
9007ffdad1 9.1.1_enable_cron.sh 9.1.2_crontab_perm_ownership.sh 2016-04-14 23:26:37 +02:00
thibault.dewailly
6c9b2bbdd3 8.4_configure_logrotate.sh 2016-04-14 23:11:09 +02:00
thibault.dewailly
c8b01f7a23 8.4_conifgure_logrotate.sh 2016-04-14 23:08:52 +02:00
thibault.dewailly
f4927c2ebb 8.3.2_tripwire_cron.sh 2016-04-14 23:05:58 +02:00