371c23cd52
feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
This flag can be used to prevent find-related checks from failing because one part of the filesystem disappears (i.e. ephemeral directories or files).
2022-07-04 14:29:25 +02:00
66ccc6316a
feat: Filter the filesystem to check when the list is built. (#156)
* feat: Attempt to filter out filesystems that match the exclusion regex.
2022-06-24 17:45:47 +02:00
5c072668d5
fix: add 10s wait timeout on iptables command (#151)
When the tested server has its iptables heavily manipulated (e.g. Kubernetes),
the lock acquirement can sometimes fail, hence generating false positives.
The command will retry 10 times with a 1 second interval.
2022-03-23 16:56:38 +01:00
ad5c71c3ce
fix: allow passwd-, group- and shadow- debian default permissions (#149)
2022-03-18 16:41:49 +01:00
a6a22084e1
missing shadowtools backup files is ok (#132)
* missing shadowtools backup files is ok
* update corresponding test cases
2022-03-02 18:05:37 +01:00
b962155a3c
fix: Avoid find failures on too many files (#144)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2022-03-02 17:49:28 +01:00
17d272420a
feat: Dissociate iptables pkg name from command (#137)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2021-12-27 15:40:55 +01:00
97914976c8
Skip NTP and Chrony config check if they are not installed (#120)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-12-01 10:49:08 +01:00
66c8ccf495
Fix 3.4.2 audit rule (#123)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-12-01 10:23:11 +01:00
b53bf1795c
Fix grub detection (#119)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-12-01 08:58:32 +01:00
1a874b2b35
Allow grub.cfg permission to be 600 (#121)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-11-30 18:47:19 +01:00
7266ec7cb4
Honor --set-log-level parameter (#127)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-11-30 18:42:33 +01:00
8f855ac159
fix: kernel module detection (#129)
* fix: add filter to hfs
* fix is_kernel_option_enabled check
As the module in question could have dependencies which have been blacklisted as well, we need to make sure that the comparison only checks for the module in question: the last line in the output.
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-10-20 14:51:29 +02:00
ad192c9457
Add silent mode and json summary (#128)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-10-20 13:22:59 +02:00
3d2d97a727
FIX(1.7.1.4): don't abort script in case of unconfined processes (#130)
2021-10-20 13:14:36 +02:00
6e2fb1570c
FIX(2.2.1.4): Validate debian default ntp config (#118)
2021-10-15 16:19:51 +02:00
afed5a9dce
99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112)
2021-08-10 10:30:35 +02:00
9a2e3a0e0d
Fix 5.4.5 pattern search (#108)
fix #107
2021-08-09 10:49:56 +02:00
334d743125
fix EXCEPTIONS management (#104)
* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14
2021-06-02 13:47:19 +02:00
f4328deeb2
Fix unbound variable (#102)
2021-05-28 15:00:58 +02:00
9e6c9a0d8a
Accept lower values (#95)
* IMP(5.2.23): accept lower value as valid
* IMP(5.2.7): accept lower value as valid
2021-04-27 16:04:13 +02:00
1cade2e375
FIX(2.2.1.2): custom func not working for systemd (#90)
fix #87
2021-04-27 13:49:05 +02:00
cadc25c28c
Dir exceptions (#96)
* IMP(1.1.21): add EXCEPTIONS
* IMP(6.1.10): add EXCEPTIONS
2021-04-26 17:05:22 +02:00
f6c6e6a0a8
FIX(4.1.11): add SUDO to find suid files
2021-04-13 11:00:29 +02:00
d110a2aa19
Ignore case for sshd conf
fix #85
2021-04-02 09:25:41 +02:00
1c51e4cec4
Check that packages are installed before launching check (#69)
* FIX(1.6.1,1.7.1.x): check if apparmor and grub are installed
* FIX(2.2.15): check package install
* FIX(4.2.x): check package install
* FIX(5.1.x): check crontab files exist
* FIX(5.2.1): check package install
* FIX(99.3.3.x): check conf file exists
* Remove useless SUDO_CMD
* Deal with non-existent /run/shm
* Replace exit code 128 with exit code 2
fix #65
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-03-25 14:01:57 +01:00
f8ac58700d
FIX(4.1.1.4): bad pattern (#67)
fix #61
2021-03-25 13:50:08 +01:00
b44fb47c3a
add log details to be more comprehensive (#49)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-02-17 12:04:11 +01:00
84ac4db90f
fix incorrect path from ls (#45)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-02-17 12:00:13 +01:00
40fb536d4e
Add missing HARDENING_LEVEL (#44)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:51:51 +01:00
d1b371f410
Add is_ipv6_disabled (#57)
Modify some checks to make them pass when ipv6 is disabled
fix #50
modified: bin/hardening/3.1.1_disable_ipv6.sh
modified: bin/hardening/3.3.1_disable_source_routed_packets.sh
modified: bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
modified: lib/utils.sh
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:45:20 +01:00
6ab1cab3ce
IMP(5.1.8): allow more restrictive permissions (#59)
fix #52
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:40:31 +01:00
1a7dd5893a
Use pam_faillock instead of pam_tally for bullseye (#56)
Fix #55
See https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0
pam_tally is deprecated and replaced by pam_faillock.
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:36:58 +01:00
fa111bc0d0
Update mac and kex to match debian10 CIS (#60)
fix #53
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:31:22 +01:00
460843ffb3
Fix #51 (#58)
2021-02-17 11:19:38 +01:00
6ae05f3fa2
Add dealing with debian 11
* ADD: add dockerfile for debian11
* FIX: fix crontab file not found on blank debian11
* Add workflow for debian11
* FIX: fix debian version func to manage debian11
* Add dealing with unsupported version and distro
* Add 99.99 check that checks if distro version is supported
* Use global var for debian major and distro
fix #26
2021-02-08 13:54:24 +01:00
0b6ea0d97e
IMP: add multiple Improvements
* add new kernel module detection (enable & listing) with detection of monolithic kernel
* change the way to detect if a file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
2021-02-04 16:21:49 +01:00
ed1baa724e
IMP: mark some checks as useless
2021-01-25 13:02:52 +01:00
bd4ddfc398
ADD(3.4.x): add checks and tests
2021-01-25 13:02:52 +01:00
6127f2fe67
IMP(4.2.2.x): improve dealing with default conf
The default for journald is Compress=yes and ForwardToSyslog=yes,
so we check that Compress=no and ForwardToSyslog=no are not in the conf file.
2021-01-25 13:02:52 +01:00
6efefa07ac
Update shellcheck workflow
fix #34
2021-01-22 14:45:01 +01:00
0edb837f80
Remove bc dependency
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-01-22 09:31:53 +01:00
1c2e171655
Fix ovh/debian-cis:#25 (#28)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-01-21 16:01:34 +01:00
624aba950d
ADD(4.2.1.6): add new syslog-ng check
2021-01-04 14:24:35 +01:00
0ca73899d3
ADD(4.2.2.x): add journald checks
2021-01-04 10:10:47 +01:00
a5e1cb90cd
ADD(4.1.1.4): add new check
2021-01-04 09:03:44 +01:00
b6fff5b8b6
ADD(2.2.1.2): add systemd-timesyncd
2020-12-24 16:20:12 +01:00
e0c6692ff2
ADD(4.1.1.1): add auditd install
2020-12-24 16:20:02 +01:00
e2ad0a5dcc
ADD(4.4): add logrotate permissions checking
2020-12-24 10:31:47 +01:00
d0ab72dd26
ADD(5.2.20-23): add new sshd checks
2020-12-23 11:41:53 +01:00