Charles Herlin
f7f2f614aa
IMP(9.3.2): Add custom configuration management
...
Add create_config to allow user to customize their conf
Improve tests
Apply shellcheck recommendations
2019-02-22 15:40:01 +01:00
Charles Herlin
605a768fe1
IMP(13.13): Add exceptions for home directories not owned by owner
...
Fill tests
Apply shellcheck recommendations
2019-02-22 15:22:58 +01:00
Charles Herlin
80a1146af7
IMP(8.2.5): find multiline pattern in files (syslog)
...
Add func to find pattern in file that spreads over multiple lines
The func will remove commented lines (that begin with '#')
and consider the file as one long line.
Thus, this is not possible to look for pattern at beginning of line
with this func ('^' and '$')
Improved pattern in 8.2.5
Add syslog-ng to installed dependencies in Dockerfiles
Fixed multifile arguments when looking for pattern that got broken
in d2bbf754
due to "nocase" and _does_pattern_exist_in_file wrapper
Please note that you can only look for pattern in ONE FILE at once
Fixed 8.2.5 and 8.3.2 with for loop on files and 'FOUND' flag
You now need to specify each and every file to look for or embed a
'find' command as follow :
`FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find $SYSLOG_BASEDIR/conf.d/)"`
Improved test files
Applied shellcheck recommendations
2019-02-22 12:39:41 +01:00
Charles Herlin
7408216957
IMP(2.1x): Retrieve actual partition when symlink
...
Add function to retrieve actual partition from symlink in lib/utils.sh
Using this func in all 3 audit scripts
Improved tests to test this func
Apply shellcheck recommendations
Trim trailing spaces
2019-02-22 12:22:14 +01:00
kevin.tanguy
bc5809f92e
FIX CONFIG_AUDIT test
2019-02-21 11:15:48 +01:00
Charles Herlin
d18f5edfba
FIX(99.2): add missing $SUDO_CMD
2019-02-15 16:56:54 +01:00
Charles Herlin
2b2a91a564
Change default status to audit for file with custom create_config
2019-02-14 14:33:21 +01:00
Charles Herlin
1281860401
IMP: enhance scripts that check duplicate UID
...
Add exception handling in 13.14_check_duplicate_uid
Clarifies output message and explicitly displays found exceptions
Add tests
Apply shellcheck recommendation
modified: bin/hardening/13.14_check_duplicate_uid.sh
modified: bin/hardening/13.5_find_0_uid_non_root_account.sh
new file: tests/hardening/13.14_check_duplicate_uid.sh
new file: tests/hardening/13.5_find_0_uid_non_root_account.sh
2019-02-13 16:07:06 +01:00
Charles Herlin
09ae131de9
FIX: usage if no RUN_MODE, fix only that used to run too many checks
...
If no RUN_MODE passed as arguments, display usage and exits
Fix --only option to run only specific check
Found bug that used to run 2.2 and 2.24 when launching --only 2.24
2019-02-13 17:11:28 +01:00
Charles Herlin
810fee4c8f
Migrate generic checks from secaudit to cis-hardening
...
new file: 99.3.1_acc_shadow_sha512.sh
new file: 99.3.2_acc_sudoers_no_all.sh
new file: 99.4_net_fw_default_policy_drop.sh
new file: 99.5.1_ssh_auth_pubk_only.sh
new file: 99.5.2.1_ssh_cry_kex.sh
new file: 99.5.2.2_ssh_cry_mac.sh
new file: 99.5.2.3_ssh_cry_rekey.sh
new file: 99.5.3_ssh_disable_features.sh
new file: 99.5.4_ssh_keys_from.sh
new file: 99.5.5_ssh_strict_modes.sh
new file: 99.5.6_ssh_sys_accept_env.sh
new file: 99.5.7_ssh_sys_no_legacy.sh
new file: 99.5.8_ssh_sys_sandbox.sh
new file: 99.5.9_ssh_log_level.sh
Fix descriptions in comment section for 99.* secaudit checks
Remove duplicated legacy services that are already taken care of by vanilla cis
Enable custom configuration of checks in config-file, no more hard coded conf
Add test to disable check if debian version is too old
Add excused IPs while checking "from" field of authorized_keys
Escaping dots in IPs
Manage Kex for different debian versions
Add tests for generic checks and add apply for ssh config
Apply shellcheck recommendations on audit/hardening scripts
Update script to check for allowed IPs only, remove bastion related
Fill `apply` func for ssh config related scripts
Add and update tests scenarii
Disable shellcheck test for external source 1091
As of today, the entire project is not shellcheck compliant, I prefer
disabling the test that warns about not finding external source (that
arent compliant). I will enable it again when the project library will
be shellchecked
https://github.com/koalaman/shellcheck/wiki/SC1091
Refactor password policy check with one check by feature
Previous file will now only look for bad passwords in /etc/shadow
I added two checks that look for the compliant configuration lines in
conf files /etc/logins.defs and /etc/pam.d/common-passwords
FIX: merge chained sed and fix regex
FIX: update regex to capture more output
FIX: fix pattern to ignore commented lines, add apply
Also add tests to ensure that commented lines are not detected as valid
configuration
CHORE: cleanup test situation with file and users removal
IMP: add case insensitive option when looking for patterns in files
CHORE: removed duplicated line in test file
2017-12-20 15:14:30 +01:00
Charles Herlin
d014405e1f
FIX: add becho to send batch output to syslog too
...
becho stands for batch echo
formats the log line for syslog
Also logs audit summary into syslog (in batch mode only)
2019-02-06 17:25:16 +01:00
Charles Herlin
6cea326921
Update debian 7/8/9 in help files and remove in generic scripts
2019-02-06 15:19:14 +01:00
Charles Herlin
9ba0361be0
FIX: quotes in find command, misinterpreted shellcheck advice
2019-01-23 16:55:48 +01:00
Charles Herlin
71b70a2b8c
FEAT: Add sudo_wrapper to catch unauthorized sudo commands
...
As for now, if a sudo command was not allowed, check might sometimes
pass, resulting compliant state even if it actually is not.
Sudo wrapper first checks wether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant
Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command
Fixed quotes and curly braces with shellcheck report
2018-03-16 12:06:56 +01:00
Charles Herlin
c51a8ee9b8
FIX: sed that was too greedy
...
Used to sed 's!/usr/bin/su!!' /usr/bin/sudo leaving only "do"
that lead to misinterpreting result
Change algorithm to avoid partial sed in the result list
Now the not compliant list is built out of the find results
instead of items being removed from them.
Allow better control of grep inside this list.
Chore: apply shellcheck recommendations
2019-01-02 13:02:02 +01:00
Charles Herlin
e72c7aae15
Add missing /usr/bin/su
2019-01-03 11:21:51 +01:00
Charles Herlin
8e6618eedf
FIX: add /usr/bin/* path for suid/guid allowed binaries
...
Debian is still migrating /bin to /usr/bin so I added both path to the
allowed ones
* mount
* umount
* ping
* ping6
* unix_chkpwd
2019-01-02 17:03:29 +01:00
Charles Herlin
67df4da781
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools
...
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh
Change summary to make it oneliner when batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
2017-10-31 17:44:15 +01:00
Charles Herlin
8a7f9ddad5
Change from CIS reco and only warn (no crit) if logfile does not exist
2018-03-22 18:17:17 +01:00
Charles Herlin
4fc79c133f
Improve --only option to perform only specified test and no other lookalike test number
...
Before modification "--only 8.2.1" performed tests 8.2.1 and 2.1
2018-03-15 12:03:10 +01:00
Charles Herlin
7077554bca
Redirect stderr to avoid printing "no such file" error
2018-03-19 18:06:47 +01:00
Charles Herlin
76abf8da36
resolve #SOC-30 Also check /etc/security/limits.d/ for core dump limit
2018-02-12 15:37:12 +01:00
Charles Herlin
51f589923d
Fix SOC-28, add test if file exist, if not issue error
2018-02-09 13:49:38 +01:00
Charles Herlin
b1f85d3f99
Add sudo management in main and utils
...
* perform readonly checks as a regular user
* sudo -n is used for checks requiring root privileges
* increase accountability by providing log of individual access to sensitive files
2017-11-09 15:45:42 +01:00
Thibault Dewailly
6977eb5064
Merge pull request #31 in IAAS/cis-hardening from dev/cherlin/update-cis-scripts to master
...
* commit 'f97fbb47f701fd81a6dcdabb1d2e961943386eb5':
Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
2017-12-05 11:38:15 +01:00
Charles Herlin
02f0e30df1
Expand tabs to 4 spaces and trim trailing spaces
2017-11-17 15:13:27 +01:00
Charles Herlin
ae6fbf2d86
Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
2017-11-10 14:48:51 +01:00
Charles Herlin
d2a8b2cb28
Remove unnecessary CIS_ROOT_DIR empty assignation
2017-10-25 17:44:56 +02:00
Charles Herlin
5b2404dab8
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management
2017-10-25 14:50:39 +02:00
Charles Herlin
119d532a7f
Changing CIS_ROOT_DIR management in env in bin/hardening.sh
2017-10-25 14:48:54 +02:00
Thibault Dewailly
3b7a2b8216
Merge pull request #12 from speed47/dev/enhancements
...
Hardening Classification
subs enhancements as well as bug fixes
2017-09-28 13:22:59 +02:00
thibault.dewailly
481485a0d7
No more wildcards in file list to be more resilient
2017-06-13 15:36:06 +02:00
Stéphane Lesimple
676b17c54f
add hardening templating and several enhancements
2017-05-18 18:40:09 +02:00
Jérôme Le Gal
46dbe8a6bc
[10.1.3] set the good value for $OPTIONS
2017-05-03 23:08:48 +02:00
thibault.dewailly
3e1df0cdf9
[Debian 8] Fixed comments for debian 8 compliance
2017-03-10 17:46:39 +01:00
thibault.dewailly
0c053eef56
[10.2] Fixed result parsing in case of spaces in passwd list
2017-03-10 17:26:55 +01:00
Matthieu Destrez
f5cb5ddf97
fixed option name in 9.3.9_disable_sshd_permitemptypasswords.sh, was PermitRootLogin instead of PermitEmptyPassword
2016-06-29 15:12:21 +02:00
thibault.dewailly
612e28b16f
tripwire : fixed typo on postinstall helper
2016-05-02 11:11:07 +02:00
thibault.dewailly
4867538c22
fix 99.1 Apply TMOUT Variable
2016-05-02 10:45:32 +02:00
kevin.tanguy
1479332870
debian dependencies fix, rephrasing, revision bump 1.0-8.
2016-04-25 15:15:49 +02:00
thibault.dewailly
6e366172f8
Fixed 6.15 netstat analysis
2016-04-22 16:59:52 +02:00
Thibault Dewailly
98eff3174b
Merge pull request #4 from jedisct1/valuemsg
...
Rephrase confusing messages
2016-04-22 08:40:14 +02:00
thibault.dewailly
cb3077e268
Fixed default file error handling and quickstart
2016-04-21 23:19:50 +02:00
Frank Denis
ed410747df
Rephrase confusing messages
2016-04-21 18:32:36 +02:00
thibault.dewailly
08fd72786c
Fixed point 9.1.8 cron rights as a chmod 600 disabled the cron.allow features (file must be world readable)
2016-04-21 18:15:22 +02:00
thibault.dewailly
5048099df8
Fixed 8.2.4 check file exists before testing rights
2016-04-20 14:36:55 +02:00
thibault.dewailly
3ece442743
Added exit code to CIS_ROOT_DIR test def, optimized sed and sort
2016-04-20 11:29:44 +02:00
Stéphane Lesimple
1d7865dd68
add --audit-all-enable-passed, add info in README and help
2016-04-19 20:16:47 +02:00
Stéphane Lesimple
8d84f38c97
add --audit-all option
2016-04-19 19:26:04 +02:00
thibault.dewailly
b2d3ed937e
Corrected script names, added License, Completed README and corrected bug with too long logger messages
2016-04-19 09:31:01 +02:00
thibault.dewailly
6019dd9078
Corrected default file path
2016-04-18 17:39:14 +02:00
thibault.dewailly
b1b96cf4e3
log format correction, loglevel defaults to info
2016-04-18 14:01:03 +02:00
thibault.dewailly
e79a03095c
All configuration defaults to disabled README updated
2016-04-18 13:19:46 +02:00
thibault.dewailly
7eaf124fc0
99.1_timeout_tty.sh 99.2_disable_usb_devices.sh
2016-04-18 11:16:05 +02:00
thibault.dewailly
628fe96666
Fixed disabled features, headers and preparing main script
2016-04-17 23:19:41 +02:00
thibault.dewailly
fa98efc32b
Added argument parsing and test checks
2016-04-17 23:10:47 +02:00
thibault.dewailly
f829cdacf2
13.16_check_duplicate_username.sh 13.17_check_duplicate_groupname.sh 13.18_find_user_netrc_files.sh 13.19_find_user_forward_files.sh 13.20_shadow_group_empty.sh
2016-04-17 22:30:20 +02:00
thibault.dewailly
dbeca2fba3
13.14_check_duplicate_uid.sh 13.15_check_duplicate_gid.sh^C
2016-04-17 19:53:47 +02:00
thibault.dewailly
4894b6d402
13.12_users_valid_homedir.sh 13.11_find_passwd_group_inconsistencies.sh 13.13_check_user_homedir_ownership.sh
2016-04-17 18:58:25 +02:00
thibault.dewailly
39e9c794e4
13.10_find_user_rhosts_files.sh
2016-04-16 18:55:44 +02:00
thibault.dewailly
77f01d2709
13.8_check_user_dot_file_perm.sh 13.9_set_perm_on_user_netrc.sh
2016-04-16 18:32:09 +02:00
thibault.dewailly
db91df2296
13.7_check_user_dir_perm.sh
2016-04-16 18:11:53 +02:00
thibault.dewailly
fb9bf542a1
13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh
2016-04-16 17:25:48 +02:00
thibault.dewailly
8c94214120
13.1_remove_empry_password_field.sh
2016-04-16 15:10:14 +02:00
thibault.dewailly
c193bd49f5
12.11_find_sgid_files.sh
2016-04-16 12:57:24 +02:00
thibault.dewailly
ac2b994306
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh
2016-04-16 00:26:19 +02:00
thibault.dewailly
82a7b05a05
10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh
2016-04-15 23:38:48 +02:00
thibault.dewailly
6c72eb0a8b
10.1.1_set_password_exp_days.sh 10.1.2_set_password_min_days_change.sh 10.1.3_set_password_exp_warning_days.sh 10.2_disable_system_accounts.sh 10.3_default_root_group.sh 10.4_default_umask.sh 9.4_secure_tty.sh 9.5_restrict_su.sh
2016-04-15 19:29:26 +02:00
thibault.dewailly
823cd217a0
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh
2016-04-15 14:24:45 +02:00
thibault.dewailly
0407ebe362
9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh
2016-04-15 10:18:23 +02:00
thibault.dewailly
95d4936fbc
9.1.1_enable_cron.sh 9.1.2_crontab_perm_ownership.sh
2016-04-14 23:26:37 +02:00
thibault.dewailly
1a0be2e5b0
8.4_configure_logrotate.sh
2016-04-14 23:11:09 +02:00
thibault.dewailly
a93c6174e3
8.4_conifgure_logrotate.sh
2016-04-14 23:08:52 +02:00
thibault.dewailly
909dde9f18
8.3.2_tripwire_cron.sh
2016-04-14 23:05:58 +02:00
thibault.dewailly
d373b6f937
8.2.5_syslog-ng_remote_host.sh 8.2.6_remote_syslog-ng_acl.sh 8.3.1_install_tripwire.sh
2016-04-14 22:47:34 +02:00
thibault.dewailly
f0bff32503
8.2.1_install_syslog-ng.sh 8.2.2_enable_syslog-ng.sh 8.2.3_configure_syslog-ng.sh 8.2.4_set_logfile_perm.sh
2016-04-14 17:55:14 +02:00
thibault.dewailly
488886305f
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh
2016-04-14 16:44:14 +02:00
thibault.dewailly
2ad4260ffb
8.1.10_record_dac_edit.sh 8.1.6_record_network_edit.sh 8.1.7_record_mac_edit.sh 8.1.8_record_login_logout.sh 8.1.9_record_session_init.sh
2016-04-14 14:43:26 +02:00
thibault.dewailly
0ce0b23dc8
8.1.4_record_date_time_edit.sh 8.1.5_record_user_group_edit.sh
2016-04-14 14:07:00 +02:00
thibault.dewailly
127d3e9124
8.1.1.3_keep_all_audit_logs.sh 8.1.3_audit_bootloader.sh
2016-04-14 13:11:56 +02:00
thibault.dewailly
9c229574d1
8.0_enable_auditd_kernel.sh 8.1.1.2_halt_when_audit_log_full.sh 8.1.2_enable_auditd.sh
2016-04-14 10:40:31 +02:00
thibault.dewailly
1f873a14f6
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh
2016-04-13 22:51:18 +02:00
thibault.dewailly
9b3cd3e31d
7.3.3_disable_ipv6.sh
2016-04-13 21:19:26 +02:00
thibault.dewailly
11817e8c05
7.3.2_disable_ipv6_redirect.sh
2016-04-13 17:47:25 +02:00
thibault.dewailly
df51ac5bcb
7.3.1_disable_ipv6_router_advertisement.sh
2016-04-13 17:41:10 +02:00
thibault.dewailly
e81778e615
7.2.5_ignore_broadcast_requests.sh 7.2.6_enable_bad_error_message_protection.sh 7.2.7_enable_source_route_validation.sh 7.2.8_enable_tcp_syn_cookies.sh
2016-04-13 16:07:16 +02:00
thibault.dewailly
c466ae4855
7.2.1_disable_source_routed_packets.sh 7.2.2_disable_icmp_redirect.sh 7.2.3_disable_secure_icmp_redirect.sh 7.2.4_log_martian_packets.sh
2016-04-13 15:48:03 +02:00
thibault.dewailly
1843d1a67b
7.1.1_disable_ip_forwarding.sh 7.1.2_disable_send_packet_redirects.sh
2016-04-13 14:54:35 +02:00
thibault.dewailly
bec4ccd7da
6.16_disable_rsync.sh
2016-04-13 14:12:57 +02:00
thibault.dewailly
c32c985bb7
6.10_disable_http_server.sh 6.11_disable_imap_pop.sh 6.12_disable_samba.sh 6.13_diable_http_proxy.sh 6.14_disable_snmp_server.sh 6.15_mta_localhost.sh 6.9_disable_ftp.sh
2016-04-12 17:59:17 +02:00
thibault.dewailly
4d5ccf1f58
6.2_disable_avahi_server.sh 6.3_disable_print_server.sh 6.4_disable_dhcp.sh 6.5_configure_ntp.sh 6.6_diable_ldap.sh 6.7_disable_nfs_rpc.sh 6.8_disable_dns_server.sh
2016-04-12 11:21:36 +02:00
thibault.dewailly
9ee7b646bf
5.1.5_disable_talk_client.sh 5.1.6_disable_telnet_server.sh 5.1.7_disable_tftp_server.sh 5.1.8_disable_inetd.sh 5.2_disable_chargen.sh 5.3_disable_daytime.sh 5.4_disable_echo.sh 5.5_disable_discard.sh 5.6_disable_time.sh 6.1_disable_xwindow_system.sh
2016-04-12 08:31:41 +02:00
thibault.dewailly
1e8d90198d
5.1.4_disable_talk.sh
2016-04-11 17:50:06 +02:00
thibault.dewailly
a60ed7fc45
5.1.2_disable_rsh.sh 5.1.3_disable_rsh_client.sh
2016-04-11 17:42:31 +02:00
thibault.dewailly
db7b85ceed
4.2_enable_nx_support.sh 4.3_enable_randomized_vm_placement.sh 4.4_disable_prelink.sh 4.5_enable_apparmor.sh 5.1.1_disable_nis.sh
2016-04-11 16:53:57 +02:00
thibault.dewailly
1bacb6c2ff
4.1_restrict_core_dumps.sh
2016-04-11 14:55:42 +02:00
thibault.dewailly
90e4c32138
3.4_root_password.sh
2016-04-11 13:51:54 +02:00
thibault.dewailly
f2a979e24c
3.2_bootloader_permissions.sh 3.3_bootloader_password.sh
2016-04-11 11:38:50 +02:00
thibault.dewailly
d44a8eb440
3.1_bootloader_ownership.sh fix
2016-04-11 08:55:44 +02:00
thibault.dewailly
91d6ba3fdd
3.1_bootloader_ownership.sh
2016-04-07 08:43:37 +02:00