Commit Graph

162 Commits

Author SHA1 Message Date
Isma399
43fc23ee40
fix: catch cidr network in ssh keys (#236)
Co-authored-by: Ismaël Tanguy <ismael.tanguy@ovhcloud.com>
2024-02-22 17:55:03 +01:00
lgaida
730ab47437
allow multiple users in 5.2.18 (#228)
* allow multiple exception users for 99.5.2.4

* move clean up part of previous commit

* split clean up part of previous commit

* add tests for multiple allowed and denied ssh users

* fix script to correctly set multiple allowed and denied ssh users

* add cleanup resolved check to 5.2.18

* apply shellfmt to 5.2.18

---------

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2024-01-10 17:07:02 +01:00
lgaida
5313799193
Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221)
* allow multiple exception users for 99.5.2.4
2023-12-27 13:42:10 +01:00
GoldenKiwi
73616af4eb
Syslog-ng fixes and enhancements (#226)
* syslog-ng : fix remote host test and enhance Regex

fixes #124

* enh: add test for 4.2.1.6
2023-12-27 10:27:06 +01:00
Stéphane Lesimple
de295b3a77
Adapt all scripts to yescrypt (#216)
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)"

This reverts commit 670c8c62f5.

We still want to verify the preexisting hashes in /etc/shadow,
even if the PAM configuration is correct for new passwords (5.3.4).

* Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
2023-11-21 17:43:31 +01:00
GoldenKiwi
670c8c62f5
fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)
Fixes #209
2023-11-14 12:03:58 +01:00
GoldenKiwi
0eb2e2ffde
enh: remove ssh system sandbox check (#213)
UsePrivilegeSeparation option is deprecated.
Since the oldest supported Debian distribution is Buster (10), we can safely remove this check

Fixes #212
2023-11-13 08:53:12 +01:00
P-EB
32886d3a3d
Replace CIS_ROOT_DIR by a more flexible system (#204)
* Replace CIS_ROOT_DIR by a more flexible system

* Try to adapt the logic change to the functional tests
2023-09-25 14:24:01 +02:00
GoldenKiwi
5370ec2ef6
feat: add nftables to firewall software allow list (#203)
* feat: add nftables to firewall software allow list

fixes #191

* fix: enhance 3.5.4.1.1_net_fw_default_policy_drop.sh iptables output check, disable associated test
2023-09-07 14:36:08 +02:00
Stéphane Lesimple
6135c3d0e5
fix: enhance test 99.1.3 speed for large /etc/sudoers.d folders (#188)
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2023-07-18 17:28:35 +02:00
GoldenKiwi
bd27cd0dae
fix: change auditd file rule remediation (#179)
Fixes #165
2023-05-05 12:32:22 +02:00
GoldenKiwi
19ce790a27
fix: ensure mountpoints are properly detected (#177)
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected
Add a supplementary check in case of partition not present in fstab
2023-05-02 18:01:53 +02:00
GoldenKiwi
04457e7df2
feat: official Debian 11 compatibility (#176)
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0

After review, here are the notable changes :
 - Harden /var/log more (noexec,nodev,nosuid)
 - Harden /var/log/audit more (noexec,nodev,nosuid)
 - Harden /home more (nosuid)
 - Disable cramfs
 - Fix 5.3.4_acc_pam_sha512.sh
 - Deprecate Debian 9 and remove useless docker images

NB : more audit log rules have been introduced and will be inserted in the checks later
Fix #158
2023-05-02 14:16:19 +02:00
Stéphane Lesimple
dc952b90df
fix: timeout of 99.1.3 (#168)
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.

Closes #167.

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2022-12-22 09:47:35 +01:00
Tarik Megzari
82a217032d
fix(6.2.9): Start from UID 1000 for home ownership check (#164)
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes #163

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-09-30 10:28:48 +02:00
ymartin-ovh
371c23cd52
feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)
2022-07-04 14:29:25 +02:00
ymartin-ovh
66ccc6316a
feat: Filter the filesystem to check when the list is built. (#156)
* feat: Attempt to filter-out filesystem that match exclusion regex.
2022-06-24 17:45:47 +02:00
GoldenKiwi
ad5c71c3ce
fix: allow passwd-, group- and shadow- debian default permissions (#149) 2022-03-18 16:41:49 +01:00
Jan Schmidle
a6a22084e1
missing shadowtools backup files is ok (#132)
* missing shadowtools backup files is ok

* update corresponding test cases
2022-03-02 18:05:37 +01:00
tdenof
1341622335
Fix empty fstab test (#134)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Thibault Dewailly <thibault.dewailly@corp.ovh.com>
2021-12-08 08:42:22 +01:00
Thibault Ayanides
afed5a9dce
99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112) 2021-08-10 10:30:35 +02:00
Thibault Ayanides
334d743125
fix EXCEPTIONS management (#104)
* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14
2021-06-02 13:47:19 +02:00
Thibault Ayanides
9e6c9a0d8a
Accept lower values (#95)
* IMP(5.2.23): accept lower value as valid

* IMP(5.2.7): accept lower value as valid
2021-04-27 16:04:13 +02:00
Thibault Ayanides
c50f200c5c FIX(5.4.5.2): explicit sha512
fix #74
2021-03-22 15:22:50 +01:00
Thibault Ayanides
1a7dd5893a
Use pam_faillock instead of pam_tally for bullseye (#56)
Fix #55
See https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0
pam_tally is deprecated and replaced by pam_faillock

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:36:58 +01:00
Thibault Ayanides
fa111bc0d0
Update mac and kex to match debian10 CIS (#60)
fix #53

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:31:22 +01:00
Thibault Ayanides
6ae05f3fa2
Add dealing with debian 11
* ADD: add dockerfile for debian11
* FIX: fix crontab file not found on debian11 blank
* Add workflow for debian11
* FIX: fix debian version func to manage debian11
* Add dealing with unsupported version and distro
* Add 99.99 check that check if distro version is supported
* Use global var for debian major and distro

fix #26
2021-02-08 13:54:24 +01:00
jeremydenoun
0b6ea0d97e
IMP: add multiple Improvements
* add new kernel module detection (enable & listing)  with detection of monolithic kernel
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
2021-02-04 16:21:49 +01:00
Thibault Ayanides
ed1baa724e IMP: mark some checks as useless 2021-01-25 13:02:52 +01:00
Thibault Ayanides
bd4ddfc398 ADD(3.4.x): add checks and tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
5a72d986ea IMP(3.1-3.x): add comprehensive tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
c51513e083 IMP(1.8.1.4-6): add comprehensive tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
6127f2fe67 IMP(4.2.2.x): improve dealing with default conf
The default for journald is Compress=yes and ForwardToSyslog=yes
So we check that Compress=no and ForwardToSyslog=no are not in the conf file.
2021-01-25 13:02:52 +01:00
Thibault Ayanides
0ca73899d3 ADD(4.2.2.x): add journald checks 2021-01-04 10:10:47 +01:00
Thibault Ayanides
a5e1cb90cd ADD(4.1.1.4): add new check 2021-01-04 09:03:44 +01:00
Thibault Ayanides
e0c6692ff2 ADD(4.1.1.1): add auditd install 2020-12-24 16:20:02 +01:00
Thibault Ayanides
e2ad0a5dcc ADD(4.4): add logrotate permissions checking 2020-12-24 10:31:47 +01:00
Thibault Ayanides
d0ab72dd26 ADD(5.2.20-23): add new sshd checks 2020-12-23 11:41:53 +01:00
Thibault Ayanides
8da1107532 ADD(1.7.x): add apparmor checks 2020-12-23 10:46:51 +01:00
Thibault Ayanides
9cbc3f85a9 Renum 99.x files to comply with debian10 CIS 2020-12-22 16:36:35 +01:00
Thibault Ayanides
87e242a42d Add commentaries, renum scripts 2020-12-22 15:58:10 +01:00
Thibault Ayanides
7f990b5e53 Add new checks (blank for now) 2020-12-22 14:42:45 +01:00
Thibault Ayanides
7d87619744 Renum 6.x files to comply with debian10 CIS
renamed:    bin/hardening/6.2.7_users_valid_homedir.sh -> bin/hardening/6.2.3_users_valid_homedir.sh
	renamed:    bin/hardening/6.2.3_remove_legacy_shadow_entries.sh -> bin/hardening/6.2.4_remove_legacy_shadow_entries.sh
	renamed:    bin/hardening/6.2.4_remove_legacy_group_entries.sh -> bin/hardening/6.2.5_remove_legacy_group_entries.sh
	renamed:    bin/hardening/6.2.5_find_0_uid_non_root_account.sh -> bin/hardening/6.2.6_find_0_uid_non_root_account.sh
	renamed:    bin/hardening/6.2.6_sanitize_root_path.sh -> bin/hardening/6.2.7_sanitize_root_path.sh
	renamed:    tests/hardening/6.2.7_users_valid_homedir.sh -> tests/hardening/6.2.3_users_valid_homedir.sh
	renamed:    tests/hardening/6.2.3_remove_legacy_shadow_entries.sh -> tests/hardening/6.2.4_remove_legacy_shadow_entries.sh
	renamed:    tests/hardening/6.2.4_remove_legacy_group_entries.sh -> tests/hardening/6.2.5_remove_legacy_group_entries.sh
	renamed:    tests/hardening/6.2.5_find_0_uid_non_root_account.sh -> tests/hardening/6.2.6_find_0_uid_non_root_account.sh
	renamed:    tests/hardening/6.2.6_sanitize_root_path.sh -> tests/hardening/6.2.7_sanitize_root_path.sh
2020-12-22 11:43:53 +01:00
Thibault Ayanides
c9e19b51e6 Renum 4.x files to comply with debian10 CIS
renamed:    bin/hardening/4.1.2_enable_auditd.sh -> bin/hardening/4.1.1.2_enable_auditd.sh
	renamed:    bin/hardening/4.1.3_audit_bootloader.sh -> bin/hardening/4.1.1.3_audit_bootloader.sh
	renamed:    bin/hardening/4.1.11_record_failed_access_file.sh -> bin/hardening/4.1.10_record_failed_access_file.sh
	renamed:    bin/hardening/4.1.12_record_privileged_commands.sh -> bin/hardening/4.1.11_record_privileged_commands.sh
	renamed:    bin/hardening/4.1.13_record_successful_mount.sh -> bin/hardening/4.1.12_record_successful_mount.sh
	renamed:    bin/hardening/4.1.14_record_file_deletions.sh -> bin/hardening/4.1.13_record_file_deletions.sh
	renamed:    bin/hardening/4.1.15_record_sudoers_edit.sh -> bin/hardening/4.1.14_record_sudoers_edit.sh
	renamed:    bin/hardening/4.1.16_record_sudo_usage.sh -> bin/hardening/4.1.15_record_sudo_usage.sh
	renamed:    bin/hardening/4.1.17_record_kernel_modules.sh -> bin/hardening/4.1.16_record_kernel_modules.sh
	renamed:    bin/hardening/4.1.18_freeze_auditd_conf.sh -> bin/hardening/4.1.17_freeze_auditd_conf.sh
	renamed:    bin/hardening/4.1.1.1_audit_log_storage.sh -> bin/hardening/4.1.2.1_audit_log_storage.sh
	renamed:    bin/hardening/4.1.1.2_halt_when_audit_log_full.sh -> bin/hardening/4.1.2.2_halt_when_audit_log_full.sh
	renamed:    bin/hardening/4.1.1.3_keep_all_audit_logs.sh -> bin/hardening/4.1.2.3_keep_all_audit_logs.sh
	renamed:    bin/hardening/4.1.4_record_date_time_edit.sh -> bin/hardening/4.1.3_record_date_time_edit.sh
	renamed:    bin/hardening/4.1.5_record_user_group_edit.sh -> bin/hardening/4.1.4_record_user_group_edit.sh
	renamed:    bin/hardening/4.1.6_record_network_edit.sh -> bin/hardening/4.1.5_record_network_edit.sh
	renamed:    bin/hardening/4.1.7_record_mac_edit.sh -> bin/hardening/4.1.6_record_mac_edit.sh
	renamed:    bin/hardening/4.1.8_record_login_logout.sh -> bin/hardening/4.1.7_record_login_logout.sh
	renamed:    bin/hardening/4.1.9_record_session_init.sh -> bin/hardening/4.1.8_record_session_init.sh
	renamed:    bin/hardening/4.1.10_record_dac_edit.sh -> bin/hardening/4.1.9_record_dac_edit.sh
	renamed:    bin/hardening/4.2.3_install_syslog-ng.sh -> bin/hardening/4.2.2.1_install_syslog-ng.sh
	renamed:    bin/hardening/4.2.2.1_enable_syslog-ng.sh -> bin/hardening/4.2.2.2_enable_syslog-ng.sh
	renamed:    bin/hardening/4.2.2.2_configure_syslog-ng.sh -> bin/hardening/4.2.2.3_configure_syslog-ng.sh
	renamed:    bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh -> bin/hardening/4.2.2.4_syslog_ng_logfiles_perm.sh
	renamed:    bin/hardening/4.2.2.4_syslog-ng_remote_host.sh -> bin/hardening/4.2.2.5_syslog-ng_remote_host.sh
	renamed:    bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh -> bin/hardening/4.2.2.6_remote_syslog-ng_acl.sh
	renamed:    bin/hardening/4.2.4_logs_permissions.sh -> bin/hardening/4.2.3_logs_permissions.sh
	renamed:    tests/hardening/4.1.2_enable_auditd.sh -> tests/hardening/4.1.1.2_enable_auditd.sh
	renamed:    tests/hardening/4.1.3_audit_bootloader.sh -> tests/hardening/4.1.1.3_audit_bootloader.sh
	renamed:    tests/hardening/4.1.11_record_failed_access_file.sh -> tests/hardening/4.1.10_record_failed_access_file.sh
	renamed:    tests/hardening/4.1.12_record_privileged_commands.sh -> tests/hardening/4.1.11_record_privileged_commands.sh
	renamed:    tests/hardening/4.1.13_record_successful_mount.sh -> tests/hardening/4.1.12_record_successful_mount.sh
	renamed:    tests/hardening/4.1.14_record_file_deletions.sh -> tests/hardening/4.1.13_record_file_deletions.sh
	renamed:    tests/hardening/4.1.15_record_sudoers_edit.sh -> tests/hardening/4.1.14_record_sudoers_edit.sh
	renamed:    tests/hardening/4.1.16_record_sudo_usage.sh -> tests/hardening/4.1.15_record_sudo_usage.sh
	renamed:    tests/hardening/4.1.17_record_kernel_modules.sh -> tests/hardening/4.1.16_record_kernel_modules.sh
	renamed:    tests/hardening/4.1.18_freeze_auditd_conf.sh -> tests/hardening/4.1.17_freeze_auditd_conf.sh
	renamed:    tests/hardening/4.1.1.1_audit_log_storage.sh -> tests/hardening/4.1.2.1_audit_log_storage.sh
	renamed:    tests/hardening/4.1.1.2_halt_when_audit_log_full.sh -> tests/hardening/4.1.2.2_halt_when_audit_log_full.sh
	renamed:    tests/hardening/4.1.1.3_keep_all_audit_logs.sh -> tests/hardening/4.1.2.3_keep_all_audit_logs.sh
	renamed:    tests/hardening/4.1.4_record_date_time_edit.sh -> tests/hardening/4.1.3_record_date_time_edit.sh
	renamed:    tests/hardening/4.1.5_record_user_group_edit.sh -> tests/hardening/4.1.4_record_user_group_edit.sh
	renamed:    tests/hardening/4.1.6_record_network_edit.sh -> tests/hardening/4.1.5_record_network_edit.sh
	renamed:    tests/hardening/4.1.7_record_mac_edit.sh -> tests/hardening/4.1.6_record_mac_edit.sh
	renamed:    tests/hardening/4.1.8_record_login_logout.sh -> tests/hardening/4.1.7_record_login_logout.sh
	renamed:    tests/hardening/4.1.9_record_session_init.sh -> tests/hardening/4.1.8_record_session_init.sh
	renamed:    tests/hardening/4.1.10_record_dac_edit.sh -> tests/hardening/4.1.9_record_dac_edit.sh
	renamed:    tests/hardening/4.2.2.1_enable_syslog-ng.sh -> tests/hardening/4.2.2.1_install_syslog-ng.sh
	renamed:    tests/hardening/4.2.2.2_configure_syslog-ng.sh -> tests/hardening/4.2.2.2_enable_syslog-ng.sh
	renamed:    tests/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh -> tests/hardening/4.2.2.3_configure_syslog-ng.sh
	renamed:    tests/hardening/4.2.2.5_remote_syslog-ng_acl.sh -> tests/hardening/4.2.2.4_syslog_ng_logfiles_perm.sh
	renamed:    tests/hardening/4.2.2.4_syslog-ng_remote_host.sh -> tests/hardening/4.2.2.5_syslog-ng_remote_host.sh
	renamed:    tests/hardening/4.2.3_install_syslog-ng.sh -> tests/hardening/4.2.2.6_remote_syslog-ng_acl.sh
	renamed:    tests/hardening/4.2.4_logs_permissions.sh -> tests/hardening/4.2.3_logs_permissions.sh
2020-12-22 10:51:39 +01:00
Thibault Ayanides
7ce8ec8b89 Renum 2.x and 3.x files to comply with debian10 CIS
renamed:    bin/hardening/3.7_disable_ipv6.sh -> bin/hardening/3.1.1_disable_ipv6.sh
	renamed:    bin/hardening/3.6_disable_wireless.sh -> bin/hardening/3.1.2_disable_wireless.sh
	renamed:    bin/hardening/3.1.2_disable_send_packet_redirects.sh -> bin/hardening/3.2.1_disable_send_packet_redirects.sh
	renamed:    bin/hardening/3.1.1_disable_ip_forwarding.sh -> bin/hardening/3.2.2_disable_ip_forwarding.sh
	renamed:    bin/hardening/3.2.1_disable_source_routed_packets.sh -> bin/hardening/3.3.1_disable_source_routed_packets.sh
	renamed:    bin/hardening/3.2.2_disable_icmp_redirect.sh -> bin/hardening/3.3.2_disable_icmp_redirect.sh
	renamed:    bin/hardening/3.2.3_disable_secure_icmp_redirect.sh -> bin/hardening/3.3.3_disable_secure_icmp_redirect.sh
	renamed:    bin/hardening/3.2.4_log_martian_packets.sh -> bin/hardening/3.3.4_log_martian_packets.sh
	renamed:    bin/hardening/3.2.5_ignore_broadcast_requests.sh -> bin/hardening/3.3.5_ignore_broadcast_requests.sh
	renamed:    bin/hardening/3.2.6_enable_bad_error_message_protection.sh -> bin/hardening/3.3.6_enable_bad_error_message_protection.sh
	renamed:    bin/hardening/3.2.7_enable_source_route_validation.sh -> bin/hardening/3.3.7_enable_source_route_validation.sh
	renamed:    bin/hardening/3.2.8_enable_tcp_syn_cookies.sh -> bin/hardening/3.3.8_enable_tcp_syn_cookies.sh
	renamed:    bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh -> bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
	renamed:    bin/hardening/3.5_enable_firewall.sh -> bin/hardening/3.5.1.1_enable_firewall.sh
	renamed:    bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh -> bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
	renamed:    bin/hardening/3.3.1_install_tcp_wrapper.sh -> bin/hardening/99.3.3.1_install_tcp_wrapper.sh
	renamed:    bin/hardening/3.3.2_hosts_allow.sh -> bin/hardening/99.3.3.2_hosts_allow.sh
	renamed:    bin/hardening/3.3.3_hosts_deny.sh -> bin/hardening/99.3.3.3_hosts_deny.sh
	renamed:    bin/hardening/3.3.4_hosts_allow_permissions.sh -> bin/hardening/99.3.3.4_hosts_allow_permissions.sh
	renamed:    bin/hardening/3.3.5_hosts_deny_permissions.sh -> bin/hardening/99.3.3.5_hosts_deny_permissions.sh
	renamed:    tests/hardening/3.1.2_disable_send_packet_redirects.sh -> tests/hardening/3.1.1_disable_ipv6.sh
	renamed:    tests/hardening/3.2.1_disable_source_routed_packets.sh -> tests/hardening/3.1.2_disable_wireless.sh
	renamed:    tests/hardening/3.2.2_disable_icmp_redirect.sh -> tests/hardening/3.2.1_disable_send_packet_redirects.sh
	renamed:    tests/hardening/3.1.1_disable_ip_forwarding.sh -> tests/hardening/3.2.2_disable_ip_forwarding.sh
	renamed:    tests/hardening/3.2.3_disable_secure_icmp_redirect.sh -> tests/hardening/3.3.1_disable_source_routed_packets.sh
	renamed:    tests/hardening/3.2.4_log_martian_packets.sh -> tests/hardening/3.3.2_disable_icmp_redirect.sh
	renamed:    tests/hardening/3.2.5_ignore_broadcast_requests.sh -> tests/hardening/3.3.3_disable_secure_icmp_redirect.sh
	renamed:    tests/hardening/3.2.6_enable_bad_error_message_protection.sh -> tests/hardening/3.3.4_log_martian_packets.sh
	renamed:    tests/hardening/3.2.7_enable_source_route_validation.sh -> tests/hardening/3.3.5_ignore_broadcast_requests.sh
	renamed:    tests/hardening/3.2.8_enable_tcp_syn_cookies.sh -> tests/hardening/3.3.6_enable_bad_error_message_protection.sh
	renamed:    tests/hardening/3.2.9_disable_ipv6_router_advertisement.sh -> tests/hardening/3.3.7_enable_source_route_validation.sh
	renamed:    tests/hardening/3.3.1_install_tcp_wrapper.sh -> tests/hardening/3.3.8_enable_tcp_syn_cookies.sh
	renamed:    tests/hardening/3.3.2_hosts_allow.sh -> tests/hardening/3.3.9_disable_ipv6_router_advertisement.sh
	renamed:    tests/hardening/3.3.3_hosts_deny.sh -> tests/hardening/3.5.1.1_enable_firewall.sh
	renamed:    tests/hardening/3.3.4_hosts_allow_permissions.sh -> tests/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
	renamed:    tests/hardening/3.3.5_hosts_deny_permissions.sh -> tests/hardening/99.3.3.1_install_tcp_wrapper.sh
	renamed:    tests/hardening/3.5.1.1_net_fw_default_policy_drop.sh -> tests/hardening/99.3.3.2_hosts_allow.sh
	renamed:    tests/hardening/3.5_enable_firewall.sh -> tests/hardening/99.3.3.3_hosts_deny.sh
	renamed:    tests/hardening/3.6_disable_wireless.sh -> tests/hardening/99.3.3.4_hosts_allow_permissions.sh
	renamed:    tests/hardening/3.7_disable_ipv6.sh -> tests/hardening/99.3.3.5_hosts_deny_permissions.sh

	renamed:    bin/hardening/2.2.1.2_configure_ntp.sh -> bin/hardening/2.2.1.4_configure_ntp.sh
	renamed:    tests/hardening/2.2.1.2_configure_ntp.sh -> tests/hardening/2.2.1.4_configure_ntp.sh
2020-12-22 08:52:43 +01:00
Thibault Ayanides
2034aa7b8a Renum 1.x files to comply with debian10 CIS
renamed:    bin/hardening/1.4.1_bootloader_ownership.sh -> bin/hardening/1.5.1_bootloader_ownership.sh
	renamed:    bin/hardening/1.4.2_bootloader_password.sh -> bin/hardening/1.5.2_bootloader_password.sh
	renamed:    bin/hardening/1.4.3_root_password.sh -> bin/hardening/1.5.3_root_password.sh
	renamed:    bin/hardening/1.5.2_enable_nx_support.sh -> bin/hardening/1.6.1_enable_nx_support.sh
	renamed:    bin/hardening/1.5.3_enable_randomized_vm_placement.sh -> bin/hardening/1.6.2_enable_randomized_vm_placement.sh
	renamed:    bin/hardening/1.5.4_disable_prelink.sh -> bin/hardening/1.6.3_disable_prelink.sh
	renamed:    bin/hardening/1.5.1_restrict_core_dumps.sh -> bin/hardening/1.6.4_restrict_core_dumps.sh
	renamed:    bin/hardening/1.6.2.1_enable_apparmor.sh -> bin/hardening/1.7.2.2_enable_apparmor.sh
	renamed:    bin/hardening/1.7.1.1_remove_os_info_motd.sh -> bin/hardening/1.8.1.1_remove_os_info_motd.sh
	renamed:    bin/hardening/1.7.1.2_remove_os_info_issue.sh -> bin/hardening/1.8.1.2_remove_os_info_issue.sh
	renamed:    bin/hardening/1.7.1.3_remove_os_info_issue_net.sh -> bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
	renamed:    bin/hardening/1.7.1.4_motd_perms.sh -> bin/hardening/1.8.1.4_motd_perms.sh
	renamed:    bin/hardening/1.7.1.5_etc_issue_perms.sh -> bin/hardening/1.8.1.5_etc_issue_perms.sh
	renamed:    bin/hardening/1.7.1.6_etc_issue_net_perms.sh -> bin/hardening/1.8.1.6_etc_issue_net_perms.sh
	renamed:    bin/hardening/1.7.2_graphical_warning_banners.sh -> bin/hardening/1.8.2_graphical_warning_banners.sh
	renamed:    bin/hardening/1.8_install_updates.sh -> bin/hardening/1.9_install_updates.sh
	renamed:    tests/hardening/1.4.1_bootloader_ownership.sh -> tests/hardening/1.5.1_bootloader_ownership.sh
	renamed:    tests/hardening/1.4.2_bootloader_password.sh -> tests/hardening/1.5.2_bootloader_password.sh
	renamed:    tests/hardening/1.4.3_root_password.sh -> tests/hardening/1.5.3_root_password.sh
	renamed:    tests/hardening/1.5.2_enable_nx_support.sh -> tests/hardening/1.6.1_enable_nx_support.sh
	renamed:    tests/hardening/1.5.3_enable_randomized_vm_placement.sh -> tests/hardening/1.6.2_enable_randomized_vm_placement.sh
	renamed:    tests/hardening/1.5.4_disable_prelink.sh -> tests/hardening/1.6.3_disable_prelink.sh
	renamed:    tests/hardening/1.5.1_restrict_core_dumps.sh -> tests/hardening/1.6.4_restrict_core_dumps.sh
	renamed:    tests/hardening/1.6.2.1_enable_apparmor.sh -> tests/hardening/1.7.2.2_enable_apparmor.sh
	renamed:    tests/hardening/1.7.1.1_remove_os_info_motd.sh -> tests/hardening/1.8.1.1_remove_os_info_motd.sh
	renamed:    tests/hardening/1.7.1.2_remove_os_info_issue.sh -> tests/hardening/1.8.1.2_remove_os_info_issue.sh
	renamed:    tests/hardening/1.7.1.3_remove_os_info_issue_net.sh -> tests/hardening/1.8.1.3_remove_os_info_issue_net.sh
	renamed:    tests/hardening/1.7.1.4_motd_perms.sh -> tests/hardening/1.8.1.4_motd_perms.sh
	new file:   tests/hardening/1.8.1.5_etc_issue_perms.sh
	new file:   tests/hardening/1.8.1.6_etc_issue_net_perms.sh
	renamed:    tests/hardening/1.7.2_graphical_warning_banners.sh -> tests/hardening/1.8.2_graphical_warning_banners.sh
	renamed:    tests/hardening/1.8_install_updates.sh -> tests/hardening/1.9_install_updates.sh
2020-12-21 16:09:27 +01:00
Thibault Ayanides
87bf29b5fe ADD(1.3.x): add new scripts for debian10 2020-12-21 15:52:47 +01:00
Thibault Ayanides
0204bb0942 IMP(shellcheck): fix docker shellcheck with new options 2020-12-21 11:43:02 +01:00
Thibault Ayanides
6e0b47ab8f Rename files, fix permissions of tests 2020-12-21 11:21:32 +01:00
Thibault Ayanides
a2adf0f15c ADD(6.1.3, 6.1.6-9): add new checks
Renamed some checks, add new checks that check permissions and ownership on /etc/passwd, /etc/shadow, ...
Add new function in utils that checks that check that the file ownership is one of the authrized ownership.

	renamed:    bin/hardening/6.1.5_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh
	new file:   bin/hardening/6.1.3_etc_gshadow-_permissions.sh
	renamed:    bin/hardening/6.1.6_etc_shadow_permissions.sh -> bin/hardening/6.1.4_etc_shadow_permissions.sh
	renamed:    bin/hardening/6.1.7_etc_group_permissions.sh -> bin/hardening/6.1.5_etc_group_permissions.sh
	new file:   bin/hardening/6.1.6_etc_passwd-_permissions.sh
	new file:   bin/hardening/6.1.7_etc_shadow-_permissions.sh
	new file:   bin/hardening/6.1.8_etc_group-_permissions.sh
	new file:   bin/hardening/6.1.9_etc_gshadow_permissions.sh
	modified:   lib/utils.sh
	renamed:    tests/hardening/6.1.5_etc_passwd_permissions.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh
	new file:   tests/hardening/6.1.3_etc_gshadow-_permissions.sh
	renamed:    tests/hardening/6.1.6_etc_shadow_permissions.sh -> tests/hardening/6.1.4_etc_shadow_permissions.sh
	renamed:    tests/hardening/6.1.7_etc_group_permissions.sh -> tests/hardening/6.1.5_etc_group_permissions.sh
	new file:   tests/hardening/6.1.6_etc_passwd-_permissions.sh
	new file:   tests/hardening/6.1.7_etc_shadow-_permissions.sh
	new file:   tests/hardening/6.1.8_etc_group-_permissions.sh
	new file:   tests/hardening/6.1.9_etc_gshadow_permissions.sh
2020-12-21 10:02:52 +01:00