532 Commits

Author SHA1 Message Date
2e53dfb573 feat: Officialize Debian 12 support (#206)
* feat: Officialize Debian 12 support

Functional tests now pass
CIS Benchmark PDF for Debian 12 is not out yet, but the hardening points checked
are still relevant in Debian 12.
OVHcloud is now using it in critical production, hence making it officially supported

---------

Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
2023-09-29 16:20:34 +02:00
08aff5d3fc Update the README to reflect on changes made in PR#204 (#205) 2023-09-29 09:21:40 +02:00
32886d3a3d Replace CIS_ROOT_DIR by a more flexible system (#204)
* Replace CIS_ROOT_DIR by a more flexible system

* Try to adapt the logic change to the functional tests
2023-09-25 14:24:01 +02:00
5370ec2ef6 feat: add nftables to firewall software allow list (#203)
* feat: add nftables to firewall software allow list

fixes #191

* fix: enhance 3.5.4.1.1_net_fw_default_policy_drop.sh iptables output check, disable associated test
2023-09-07 14:36:08 +02:00
9d3fb18e6b build(deps): bump actions/checkout from 3 to 4 (#202)
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-05 17:07:12 +02:00
6e79fcd00a fix: correct debian version check on 5.2.15 configuration generation (#199)
fixes #196
2023-09-01 08:34:28 +02:00
27edec6d5f fix: chore, debug logs print correctly now (#197) 2023-08-31 14:40:27 +02:00
f2cc14c383 fix: chore debian manual update (#198)
* fix: chore debian manual update

fixes #182

* Regenerate man pages (Github action)

---------

Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
2023-08-31 14:34:59 +02:00
46377fc255 build(deps): bump dev-drprasad/delete-tag-and-release (#184)
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.1 to 1.0.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.1...v1.0.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-08-30 10:32:29 +02:00
a468b29036 fix: added systemd-timesyncd to use_time_sync script (#189) (#190)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-08-30 10:28:03 +02:00
db9ff8a7fd Update warn messages on 2.2.15_mta_localhost.sh (#193)
warn messages had typo netsat as it should be netstat
2023-08-30 10:23:27 +02:00
6135c3d0e5 fix: enhance test 99.1.3 speed for large /etc/sudoers.d folders (#188)
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2023-07-18 17:28:35 +02:00
a6ad528087 feat: Add experimental debian12 functional tests (#187)
Signed-off-by: Tarik Megzari <tarik.megzari@ovhcloud.com>
Co-authored-by: Tarik Megzari <tarik.megzari@ovhcloud.com>
2023-07-10 10:52:17 +02:00
bc98bedf73 bump to 4.0-1 v4.0-1 2023-07-10 07:21:13 +00:00
873ef8827d fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186)
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exist first.
2023-07-03 17:05:45 +02:00
bd27cd0dae fix: change auditd file rule remediation (#179)
Fixes #165
2023-05-05 12:32:22 +02:00
f28ffc244c fix: correct debian package compression override (#181) 2023-05-02 18:06:59 +02:00
19ce790a27 fix: ensure mountpoints are properly detected (#177)
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected
Add a supplementary check in case of partition not present in fstab
2023-05-02 18:01:53 +02:00
47cf86237b fix: correct search in 5.4.5_default_timeout in apply mode (#178)
fixes #116
2023-05-02 17:57:35 +02:00
ccd9c1a7aa fix: force xz compression during .deb build (#180)
zst compression is only available on Debian 12, since the release is built on Ubuntu latest, this was breaking release.
Fixes #175
2023-05-02 15:24:32 +02:00
04457e7df2 feat: official Debian 11 compatibility (#176)
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0

After review, here are the notable changes :
 - Harden /var/log more (noexec,nodev,nosuid)
 - Harden /var/log/audit more (noexec,nodev,nosuid)
 - Harden /home more (nosuid)
 - Disable cramfs
 - Fix 5.3.4_acc_pam_sha512.sh
 - Deprecate Debian 9 and remove useless docker images

NB : more audit log rules have been introduced and will be inserted in the checks later
Fix #158
2023-05-02 14:16:19 +02:00
05521d5961 Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171)
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.5.0 to 0.7.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.5.0...v0.7.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-26 10:20:11 +02:00
06525f06f9 bump to 3.8-1 v3.8-1 2023-03-23 10:03:37 +00:00
d5c1c63971 Bump luizm/action-sh-checker from 0.4.0 to 0.5.0 (#161)
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-03-23 10:56:12 +01:00
7d93ddeb86 Bump metcalfc/changelog-generator from 3.0.0 to 4.1.0 (#169)
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 3.0.0 to 4.1.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v3.0.0...v4.1.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-03-23 10:50:46 +01:00
a35ecab377 Bump dev-drprasad/delete-tag-and-release from 0.2.0 to 0.2.1 (#170)
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.0...v0.2.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-23 10:47:09 +01:00
dc952b90df fix: timeout of 99.1.3 (#168)
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.

Closes #167.

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2022-12-22 09:47:35 +01:00
82a217032d fix(6.2.9): Start from UID 1000 for home ownership check (#164)
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes #163

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-09-30 10:28:48 +02:00
e478a89bad bump to 3.7-1 (#160) v3.7-1 2022-07-04 15:37:08 +02:00
371c23cd52 feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
This flag can be used to prevent find-related checks from failing because one part of the filesystem disappears (i.e. ephemeral directories or files)
2022-07-04 14:29:25 +02:00
ea8334d516 bump to 3.6-1 (#157)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
v3.6-1
2022-06-27 12:13:01 +02:00
987bb9c975 Bump luizm/action-sh-checker from 0.3.0 to 0.4.0 (#154)
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-26 16:58:46 +02:00
3031bb55d1 Bump actions-ecosystem/action-get-latest-tag from 1.5.0 to 1.6.0 (#153)
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-06-24 17:55:26 +02:00
66ccc6316a feat: Filter the filesystem to check when the list is built. (#156)
* feat: Attempt to filter-out filesystem that match exclusion regex.
2022-06-24 17:45:47 +02:00
7a3145d7f1 bump to 3.5-1 (#152)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
v3.5-1
2022-03-23 18:40:25 +01:00
5c072668d5 fix: add 10s wait timeout on iptables command (#151)
When the tested server has its iptables heavily manipulated (e.g. Kubernetes)
The lock acquirement can sometimes fail, hence generating false positives
The command will retry 10 times with a 1 second interval
2022-03-23 16:56:38 +01:00
d1bd1eb2e7 bump to 3.4-1 (#150) v3.4-1 2022-03-18 16:49:25 +01:00
ad5c71c3ce fix: allow passwd-, group- and shadow- debian default permissions (#149) 2022-03-18 16:41:49 +01:00
33964c0a3d Bump EndBug/add-and-commit from 8.0.2 to 9 (#148)
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 8.0.2 to 9.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v8.0.2...v9)

---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-14 15:36:48 +01:00
8320d0eecc CI: Fix release action (#147)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
v3.3-1
2022-03-03 12:02:12 +01:00
a0d33ab158 Update changelog for release 3.3-1 (#146)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-03-03 10:26:42 +01:00
a6a22084e1 missing shadowtools backup files is ok (#132)
* missing shadowtools backup files is ok

* update corresponding test cases
2022-03-02 18:05:37 +01:00
b962155a3c fix: Avoid find failures on too many files (#144)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2022-03-02 17:49:28 +01:00
20bf51f65b Bump actions/checkout from 2 to 3 (#145)
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-02 00:14:50 +01:00
adfe28470a Bump metcalfc/changelog-generator from 1.0.0 to 3.0.0 (#133)
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 1.0.0 to 3.0.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v1.0.0...v3.0.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-01 23:48:57 +01:00
c94ee10afe Bump EndBug/add-and-commit from 7 to 8.0.2 (#142)
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 7 to 8.0.2.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v7...v8.0.2)

---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-01 20:39:39 +01:00
453a72b8c8 Bump actions-ecosystem/action-get-latest-tag from 1.4.1 to 1.5.0 (#143)
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.4.1 to 1.5.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.4.1...v1.5.0)

---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-01 20:28:33 +01:00
bb03764918 fix: Catch unexpected failures (#140)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-01-31 15:38:38 +01:00
17d272420a feat: Dissociate iptables pkg name from command (#137)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2021-12-27 15:40:55 +01:00
f1c1517bd2 Update changelog for release 3.2-2 (#135)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
v3.2-2
2021-12-13 16:06:57 +01:00