In test cases, changed in sed command "disabled" to "audit" to enable
apply part, following this commit
d6172ad Change default status disabled -> audit when no conf file
5f28036 - Change default status to audit for file with custom
`create_config` (Charles Herlin Thu Feb 14 14:33:21 2019 +0100)
If no RUN_MODE passed as arguments, display usage and exits
Fix --only option to run only specific check
Found bug that used to run 2.2 and 2.24 when launching --only 2.24
new file: 99.3.1_acc_shadow_sha512.sh
new file: 99.3.2_acc_sudoers_no_all.sh
new file: 99.4_net_fw_default_policy_drop.sh
new file: 99.5.1_ssh_auth_pubk_only.sh
new file: 99.5.2.1_ssh_cry_kex.sh
new file: 99.5.2.2_ssh_cry_mac.sh
new file: 99.5.2.3_ssh_cry_rekey.sh
new file: 99.5.3_ssh_disable_features.sh
new file: 99.5.4_ssh_keys_from.sh
new file: 99.5.5_ssh_strict_modes.sh
new file: 99.5.6_ssh_sys_accept_env.sh
new file: 99.5.7_ssh_sys_no_legacy.sh
new file: 99.5.8_ssh_sys_sandbox.sh
new file: 99.5.9_ssh_log_level.sh
Fix descriptions in comment section for 99.* secaudit checks
Remove duplicated legacy services that are already taken care of by vanilla cis
Enable custom configuration of checks in config-file, no more hard coded conf
Add test to disable check if debian version is too old
Add excused IPs while checking "from" field of authorized_keys
Escaping dots in IPs
Manage Kex for different debian versions
Add tests for generic checks and add apply for ssh config
Apply shellcheck recommendations on audit/hardening scripts
Update script to check for allowed IPs only, remove bastion related
Fill `apply` func for ssh config related scripts
Add and update tests scenarii
Disable shellcheck test for external source 1091
As of today, the entire project is not shellcheck compliant, I prefer
disabling the test that warns about not finding external source (that
arent compliant). I will enable it again when the project library will
be shellchecked
https://github.com/koalaman/shellcheck/wiki/SC1091
Refactor password policy check with one check by feature
Previous file will now only look for bad passwords in /etc/shadow
I added two checks that look for the compliant configuration lines in
conf files /etc/logins.defs and /etc/pam.d/common-passwords
FIX: merge chained sed and fix regex
FIX: update regex to capture more output
FIX: fix pattern to ignore commented lines, add apply
Also add tests to ensure that commented lines are not detected as valid
configuration
CHORE: cleanup test situation with file and users removal
IMP: add case insensitive option when looking for patterns in files
CHORE: removed duplicated line in test file
Tests are stored in a bash indexed array.
Bash on debian8 does not support arrays declaration and if there was no
registered tests, the array variable was seen as undefined.
With this way of completely dismissing the test suite, the problem is
fixed
Change describe display to add underline in order to make it more
noticeable in a stream of logs
Add a `fatal` message when catching a runtime error (until
`$totalerrors` has not been modified yet)
As for now, if a sudo command was not allowed, check might sometimes
pass, resulting compliant state even if it actually is not.
Sudo wrapper first checks wether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant
Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command
Fixed quotes and curly braces with shellcheck report
IMP: search for all .sh files to shellcheck
If no file is passed as argument, shellchek will be run on all
.sh files
Fix dockerfile location and expand full shellcheck options
Used to sed 's!/usr/bin/su!!' /usr/bin/sudo leaving only "do"
that lead to misinterpreting result
Change algorithm to avoid partial sed in the result list
Now the not compliant list is built out of the find results
instead of items being removed from them.
Allow better control of grep inside this list.
Chore: apply shellcheck recommendations
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh
Change summary to make it oneliner when batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
Add usecase in basename
Add test files for checks with find command
Always show logs
FIX: run void script to generate config and avoid sed failure
Update README with functional test description
Add skeleton for functional test
Add argument to launch only specific test suite
Add support for debian8 and compulsory mention of debian version at
launch
Improve README
Simplify test file syntax to avoid copy/paste mistake
Add script that runs tests on all debian targets
Improve run_all_target script with nowait and nodel options
Add dockerfile for Buster pre-version
Chore: Use getopt for options and reviewed code by shellcheck
Add trap to ensure cleanup on exit/interrupt
Remove quotes that lead to `less` misinterpretation of the filenames
Set `local` for variables inside `test_audit` func
Move functional assertion functions to dedicated file
Add cleanup for logs and containers
Improve cleanup, and now exits
Apply shellcheck recommendations
FIX: allow script to be run from anywhere (dirname $0)
Changes to be committed:
modified: README.md
new file: src/skel.test
new file: tests/docker/Dockerfile.debian10_20181226
new file: tests/docker/Dockerfile.debian8
new file: tests/docker/Dockerfile.debian9
new file: tests/docker_build_and_run_tests.sh
new file: tests/hardening/12.10_find_suid_files.sh
new file: tests/hardening/12.11_find_sgid_files.sh
new file: tests/hardening/12.7_find_world_writable_file.sh
new file: tests/hardening/12.8_find_unowned_files.sh
new file: tests/hardening/12.9_find_ungrouped_files.sh
new file: tests/hardening/2.17_sticky_bit_world_writable_folder.sh
new file: tests/launch_tests.sh
new file: tests/lib.sh
new file: tests/run_all_targets.sh
* perform readonly checks as a regular user
* sudo -n is used for checks requiring root privileges
* increase accountability by providing log of individual access to sensitive files
- Add hardening templating and several enhancements
- CIS_ROOT_DIR management
- Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
- Debian packaging clean up
Signed-off-by: Julien Delayen <julien.delayen@corp.ovh.com>
This fixes the following issue:
Depends field of package cis-hardening:
unknown substitution variable ${shlibs:Depends}
Signed-off-by: Julien Delayen <julien.delayen@corp.ovh.com>
