Commit Graph

311 Commits

Author SHA1 Message Date
Isma399
43fc23ee40
fix: catch cidr network in ssh keys (#236)
Co-authored-by: Ismaël Tanguy <ismael.tanguy@ovhcloud.com>
2024-02-22 17:55:03 +01:00
lgaida
730ab47437
allow multiple users in 5.2.18 (#228)
* allow multiple exception users for 99.5.2.4

* move clean up part of previous commit

* split clean up part of previous commit

* add tests for multiple allowed and denied ssh users

* fix script to correctly set multiple allowed and denied ssh users

* add cleanup resolved check to 5.2.18

* apply shellfmt to 5.2.18

---------

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2024-01-10 17:07:02 +01:00
lgaida
5313799193
Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221)
* allow multiple exception users for 99.5.2.4
2023-12-27 13:42:10 +01:00
GoldenKiwi
73616af4eb
Syslog-ng fixes and enhancements (#226)
* syslog-ng : fix remote host test and enhance Regex

fixes #124

* enh: add test for 4.2.1.6
2023-12-27 10:27:06 +01:00
Stéphane Lesimple
de295b3a77
Adapt all scripts to yescrypt (#216)
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)"

This reverts commit 670c8c62f5.

We still want to verify the preexisting hashes in /etc/shadow,
even if the PAM configuration is correct for new passwords (5.3.4).

* Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
2023-11-21 17:43:31 +01:00
GoldenKiwi
670c8c62f5
fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)
Fixes #209
2023-11-14 12:03:58 +01:00
GoldenKiwi
0eb2e2ffde
enh: remove ssh system sandbox check (#213)
UsePrivilegeSeparation option is deprecated.
Since the oldest supported Debian distribution is Buster (10), we can safely remove this check

Fixes #212
2023-11-13 08:53:12 +01:00
P-EB
32886d3a3d
Replace CIS_ROOT_DIR by a more flexible system (#204)
* Replace CIS_ROOT_DIR by a more flexible system

* Try to adapt the logic change to the functional tests
2023-09-25 14:24:01 +02:00
GoldenKiwi
5370ec2ef6
feat: add nftables to firewall software allow list (#203)
* feat: add nftables to firewall software allow list

fixes #191

* fix: enhance 3.5.4.1.1_net_fw_default_policy_drop.sh iptables output check, disable associated test
2023-09-07 14:36:08 +02:00
GoldenKiwi
6e79fcd00a
fix: correct debian version check on 5.2.15 configuration generation (#199)
fixes #196
2023-09-01 08:34:28 +02:00
Joseph
a468b29036
fix: added systemd-timesyncd to use_time_sync script (#189) (#190)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-08-30 10:28:03 +02:00
JugeHuge
db9ff8a7fd
Update warn messages on 2.2.15_mta_localhost.sh (#193)
warn messages had typo netsat as it should be netstat
2023-08-30 10:23:27 +02:00
Stéphane Lesimple
6135c3d0e5
fix: enhance test 99.1.3 speed for large /etc/sudoers.d folders (#188)
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2023-07-18 17:28:35 +02:00
Stéphane Lesimple
873ef8827d
fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186)
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exists first.
2023-07-03 17:05:45 +02:00
GoldenKiwi
bd27cd0dae
fix: change auditd file rule remediation (#179)
Fixes #165
2023-05-05 12:32:22 +02:00
GoldenKiwi
47cf86237b
fix: correct search in 5.4.5_default_timeout in apply mode (#178)
fixes #116
2023-05-02 17:57:35 +02:00
GoldenKiwi
04457e7df2
feat: official Debian 11 compatibility (#176)
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0

After review, here are the notable changes :
 - Harden /var/log more (noexec,nodev,nosuid)
 - Harden /var/log/audit more (noexec,nodev,nosuid)
 - Harden /home more (nosuid)
 - Disable cramfs
 - Fix 5.3.4_acc_pam_sha512.sh
 - Deprecate Debian 9 and remove useless docker images

NB : more audit log rules have been introduced and will be inserted in the checks later
Fix #158
2023-05-02 14:16:19 +02:00
Stéphane Lesimple
dc952b90df
fix: timeout of 99.1.3 (#168)
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.

Closes #167.

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2022-12-22 09:47:35 +01:00
Tarik Megzari
82a217032d
fix(6.2.9): Start from UID 1000 for home ownership check (#164)
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes #163

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-09-30 10:28:48 +02:00
ymartin-ovh
371c23cd52
feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)
2022-07-04 14:29:25 +02:00
ymartin-ovh
66ccc6316a
feat: Filter the filesystem to check when the list is built. (#156)
* feat: Attempt to filter-out filesystem that match exclusion regex.
2022-06-24 17:45:47 +02:00
GoldenKiwi
5c072668d5
fix: add 10s wait timeout on iptables command (#151)
When the tested server has its iptables heavily manipulated (e.g Kubernetes)
The lock aquirement can sometimes fail, hence generating false positives
The command will retry 10 times with a 1 second interval
2022-03-23 16:56:38 +01:00
GoldenKiwi
ad5c71c3ce
fix: allow passwd-, group- and shadow- debian default permissions (#149) 2022-03-18 16:41:49 +01:00
Jan Schmidle
a6a22084e1
missing shadowtools backup files is ok (#132)
* missing shadowtools backup files is ok

* update corresponding test cases
2022-03-02 18:05:37 +01:00
Tarik Megzari
b962155a3c
fix: Avoid find failures on too many files (#144)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2022-03-02 17:49:28 +01:00
Tarik Megzari
17d272420a
feat: Dissociate iptables pkg name from command (#137)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2021-12-27 15:40:55 +01:00
Sebastien BLAISOT
97914976c8
Skip NTP and Chrony config check if they are not installed (#120)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-12-01 10:49:08 +01:00
Sebastien BLAISOT
66c8ccf495
Fix 3.4.2 audit rule (#123)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-12-01 10:23:11 +01:00
Sebastien BLAISOT
b53bf1795c
Fix grub detection (#119)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-12-01 08:58:32 +01:00
Sebastien BLAISOT
1a874b2b35
Allow grub.cfg permission to be 600 (#121)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-11-30 18:47:19 +01:00
Jan Schmidle
8f855ac159
fix: kernel module detection (#129)
* fix: add filter to hfs

* fix is_kernel_option_enabled check

as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output.

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-10-20 14:51:29 +02:00
Sebastien BLAISOT
3d2d97a727
FIX(1.7.1.4): don't abort script in case of unconfined processes (#130) 2021-10-20 13:14:36 +02:00
Sebastien BLAISOT
6e2fb1570c
FIX(2.2.1.4): Validate debian default ntp config (#118) 2021-10-15 16:19:51 +02:00
Thibault Ayanides
afed5a9dce
99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112) 2021-08-10 10:30:35 +02:00
Thibault Ayanides
9a2e3a0e0d
Fix 5.4.5 pattern search (#108)
fix #107
2021-08-09 10:49:56 +02:00
Thibault Ayanides
334d743125
fix EXCEPTIONS management (#104)
* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14
2021-06-02 13:47:19 +02:00
Thibault Ayanides
f4328deeb2
Fix unbound variable (#102) 2021-05-28 15:00:58 +02:00
Thibault Ayanides
9e6c9a0d8a
Accept lower values (#95)
* IMP(5.2.23): accept lower value as valid

* IMP(5.2.7): accept lower value as valid
2021-04-27 16:04:13 +02:00
Thibault Ayanides
1cade2e375
FIX(2.2.1.2): custom func not working for systemd (#90)
fix #87
2021-04-27 13:49:05 +02:00
Thibault Ayanides
cadc25c28c
Dir exceptions (#96)
* IMP(1.1.21): add EXCEPTIONS
* IMP(6.1.10): add EXCEPTIONS
2021-04-26 17:05:22 +02:00
Thibault Ayanides
f6c6e6a0a8 FIX(4.1.11): add SUDO to find suid files 2021-04-13 11:00:29 +02:00
Thibault Ayanides
d110a2aa19 Ignore case for sshd conf
fix #85
2021-04-02 09:25:41 +02:00
Thibault Ayanides
1c51e4cec4
Check that package are installed before launching check (#69)
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed

* FIX(2.2.15): check package install

* FIX(4.2.x): check package install

* FIX(5.1.x): check crontab files exist

* FIX(5.2.1): check package install

* FIX(99.3.3.x): check conf file exist

* Remove useless SUDO_CMD

* Deal with non existant /run/shm

* Replace exit code 128 by exit code 2

fix #65

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-03-25 14:01:57 +01:00
Thibault Ayanides
f8ac58700d
FIX(4.1.1.4): bad pattern (#67)
fix #61
2021-03-25 13:50:08 +01:00
jeremydenoun
b44fb47c3a
add log details to be more comprehensive (#49)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-02-17 12:04:11 +01:00
jeremydenoun
84ac4db90f
fix incorrect path from ls (#45)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-02-17 12:00:13 +01:00
Thibault Ayanides
40fb536d4e
Add missing HARDENING_LEVEL (#44)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:51:51 +01:00
Thibault Ayanides
d1b371f410
Add is_ipv6_disabled (#57)
Modify some checks to make it pass when ipv6 is diabled

fix #50

	modified:   bin/hardening/3.1.1_disable_ipv6.sh
	modified:   bin/hardening/3.3.1_disable_source_routed_packets.sh
	modified:   bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
	modified:   lib/utils.sh

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:45:20 +01:00
Thibault Ayanides
6ab1cab3ce
IMP(5.1.8): allow more restrictive permissions (#59)
fix #52

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:40:31 +01:00
Thibault Ayanides
1a7dd5893a
Use pam_faillock instead of pam_tally for bullseye (#56)
Fix #55
See https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0
pam_tally is deprecated and replaced by pam_faillock

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:36:58 +01:00