* feat: add "--set-version" option
This feature will allow to chose a specific cis version to run, like debian 11 or debian 12
* chore: configure current repository as a version
And use it as default version.
To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number.
Only impact is if you are used to execute scripts directly from bin/hardening.
In this case, please use the "bin/hardening.sh" wrapper as intended.
I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh
Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept
* chore: remove CIS recommendation numbers from bin/hardening scripts
* fix: some tests are failing
find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times:
- test repository is not cleaned
- configuration is updated multiple times
Those tests are also failing, because:
- the sed to change the status in the configuration was also changing the test folder path.
- missing /proc in EXCLUDED paths
- the EXCLUDED configuration doesn't have the correct format for egrep
---------
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
* feat: Officialize Debian 12 support
Functional tests now pass
CIS Benchmark PDF for Debian 12 is not out yet, but the hardening points checked
are still relevant in Debian 12.
OVHcloud is now using it in critical production, hence making it officially supported
---------
Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
* ADD: add dockerfile for debian11
* FIX: fix crontab file not found on debian11 blank
* Add workflow for debian11
* FIX: fix debian version func to manage debian11
* Add dealing with unsupported version and distro
* Add 99.99 check that check if distro version is supported
* Use global var for debian major and distro
fix#26
* add new kernel module detection (enable & listing) with detection of monolithic kernel
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
First one as root to create conf files with good owner and permissions, and then with secaudit.
Now first run with --create-config-files-only and the normally with --audit.
