Commit Graph

300 Commits

Author SHA1 Message Date
Sebastien BLAISOT
66c8ccf495
Fix 3.4.2 audit rule (#123)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-12-01 10:23:11 +01:00
Sebastien BLAISOT
b53bf1795c
Fix grub detection (#119)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-12-01 08:58:32 +01:00
Sebastien BLAISOT
1a874b2b35
Allow grub.cfg permission to be 600 (#121)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-11-30 18:47:19 +01:00
Sebastien BLAISOT
7266ec7cb4
Honor --set-log-level parameter (#127)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-11-30 18:42:33 +01:00
Jan Schmidle
8f855ac159
fix: kernel module detection (#129)
* fix: add filter to hfs

* fix is_kernel_option_enabled check

As the module in question could have dependencies which have been blacklisted as well, we need to make sure that the comparison only checks for the module in question: the last line in the output.

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-10-20 14:51:29 +02:00
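The last-line comparison described in the commit above, as an added example (this is not the project's code and does not reproduce its `is_kernel_option_enabled` helper). `modprobe -n -v <module>` prints, in dependency order, the command it would run for each module, so the target module is always the last line. A dependency can carry an `install <dep> /bin/true` rule while the target is still loadable; matching `install /bin/true` anywhere in the output then reports a false "disabled". The sample outputs and module paths below are constructed, not captured from a real system:

```shell
#!/usr/bin/env bash
# Added example: classify a kernel module as disabled from `modprobe -n -v`
# output, comparing only the last line (the module that was actually asked for).

# Naive check: any "install /bin/true|false" line anywhere counts as disabled.
module_disabled_naive() {
    printf '%s\n' "$1" | grep -q -E '^install /bin/(true|false)'
}

# Fixed check: only the last line, i.e. the module in question, is examined.
# Empty output (nothing would be loaded) is reported as "not disabled".
module_disabled_last_line() {
    local last_line
    last_line=$(printf '%s\n' "$1" | tail -n 1)
    case "$last_line" in
        "install /bin/true"*|"install /bin/false"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples (assumed module paths).
# 1) hfs itself is blacklisted: the install rule replaces the whole chain.
SAMPLE_MODULE_BLACKLISTED='install /bin/true '
# 2) only a dependency is blacklisted; hfs itself would still be inserted.
SAMPLE_DEP_BLACKLISTED='install /bin/true 
insmod /lib/modules/5.10.0-9-amd64/kernel/fs/hfs/hfs.ko'
# 3) nothing is blacklisted.
SAMPLE_LOADABLE='insmod /lib/modules/5.10.0-9-amd64/kernel/fs/hfs/hfs.ko'

# Print both verdicts side by side for one sample.
report() {
    local label=$1 sample=$2 naive fixed
    if module_disabled_naive "$sample"; then naive=disabled; else naive=loadable; fi
    if module_disabled_last_line "$sample"; then fixed=disabled; else fixed=loadable; fi
    printf '%-22s naive=%-9s last-line=%s\n' "$label" "$naive" "$fixed"
}

report "module blacklisted" "$SAMPLE_MODULE_BLACKLISTED"
report "dependency blacklisted" "$SAMPLE_DEP_BLACKLISTED"
report "loadable" "$SAMPLE_LOADABLE"
```

On a live host the sample string would be replaced by `$(modprobe -n -v "$module" 2>/dev/null)`; note that a module built into a monolithic kernel produces no `insmod` line at all, which is why the empty-output case is handled explicitly rather than treated as disabled.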
Sebastien BLAISOT
ad192c9457
Add silent mode and json summary (#128)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-10-20 13:22:59 +02:00
Sebastien BLAISOT
3d2d97a727
FIX(1.7.1.4): don't abort script in case of unconfined processes (#130) 2021-10-20 13:14:36 +02:00
Sebastien BLAISOT
6e2fb1570c
FIX(2.2.1.4): Validate debian default ntp config (#118) 2021-10-15 16:19:51 +02:00
Thibault Ayanides
afed5a9dce
99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112) 2021-08-10 10:30:35 +02:00
Thibault Ayanides
9a2e3a0e0d
Fix 5.4.5 pattern search (#108)
fix #107
2021-08-09 10:49:56 +02:00
Thibault Ayanides
334d743125
fix EXCEPTIONS management (#104)
* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14
2021-06-02 13:47:19 +02:00
Thibault Ayanides
f4328deeb2
Fix unbound variable (#102) 2021-05-28 15:00:58 +02:00
Thibault Ayanides
9e6c9a0d8a
Accept lower values (#95)
* IMP(5.2.23): accept lower value as valid

* IMP(5.2.7): accept lower value as valid
2021-04-27 16:04:13 +02:00
Thibault Ayanides
1cade2e375
FIX(2.2.1.2): custom func not working for systemd (#90)
fix #87
2021-04-27 13:49:05 +02:00
Thibault Ayanides
cadc25c28c
Dir exceptions (#96)
* IMP(1.1.21): add EXCEPTIONS
* IMP(6.1.10): add EXCEPTIONS
2021-04-26 17:05:22 +02:00
Thibault Ayanides
f6c6e6a0a8 FIX(4.1.11): add SUDO to find suid files 2021-04-13 11:00:29 +02:00
Thibault Ayanides
d110a2aa19 Ignore case for sshd conf
fix #85
2021-04-02 09:25:41 +02:00
Thibault Ayanides
1c51e4cec4
Check that packages are installed before launching check (#69)
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed

* FIX(2.2.15): check package install

* FIX(4.2.x): check package install

* FIX(5.1.x): check crontab files exist

* FIX(5.2.1): check package install

* FIX(99.3.3.x): check conf file exist

* Remove useless SUDO_CMD

* Deal with non-existent /run/shm

* Replace exit code 128 by exit code 2

fix #65

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-03-25 14:01:57 +01:00
Thibault Ayanides
f8ac58700d
FIX(4.1.1.4): bad pattern (#67)
fix #61
2021-03-25 13:50:08 +01:00
jeremydenoun
b44fb47c3a
add log details to be more comprehensive (#49)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-02-17 12:04:11 +01:00
jeremydenoun
84ac4db90f
fix incorrect path from ls (#45)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-02-17 12:00:13 +01:00
Thibault Ayanides
40fb536d4e
Add missing HARDENING_LEVEL (#44)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:51:51 +01:00
Thibault Ayanides
d1b371f410
Add is_ipv6_disabled (#57)
Modify some checks to make them pass when ipv6 is disabled

fix #50

	modified:   bin/hardening/3.1.1_disable_ipv6.sh
	modified:   bin/hardening/3.3.1_disable_source_routed_packets.sh
	modified:   bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
	modified:   lib/utils.sh

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:45:20 +01:00
Thibault Ayanides
6ab1cab3ce
IMP(5.1.8): allow more restrictive permissions (#59)
fix #52

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:40:31 +01:00
Thibault Ayanides
1a7dd5893a
Use pam_faillock instead of pam_tally for bullseye (#56)
Fix #55
See https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0
pam_tally is deprecated and replaced by pam_faillock

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:36:58 +01:00
Thibault Ayanides
fa111bc0d0
Update mac and kex to match debian10 CIS (#60)
fix #53

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:31:22 +01:00
Thibault Ayanides
460843ffb3
Fix #51 (#58) 2021-02-17 11:19:38 +01:00
Thibault Ayanides
6ae05f3fa2
Add dealing with debian 11
* ADD: add dockerfile for debian11
* FIX: fix crontab file not found on debian11 blank
* Add workflow for debian11
* FIX: fix debian version func to manage debian11
* Add dealing with unsupported version and distro
* Add 99.99 check that checks if distro version is supported
* Use global var for debian major and distro

fix #26
2021-02-08 13:54:24 +01:00
jeremydenoun
0b6ea0d97e
IMP: add multiple Improvements
* add new kernel module detection (enable & listing) with detection of monolithic kernel
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
2021-02-04 16:21:49 +01:00
Thibault Ayanides
ed1baa724e IMP: mark some checks as useless 2021-01-25 13:02:52 +01:00
Thibault Ayanides
bd4ddfc398 ADD(3.4.x): add checks and tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
6127f2fe67 IMP(4.2.2.x): improve dealing with default conf
The default for journald is Compress=yes and ForwardToSyslog=yes
So we check that Compress=no and ForwardToSyslog=no are not in the conf file.
2021-01-25 13:02:52 +01:00
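The default-aware journald check described in the commit above, as an added example (not the project's code). It goes a little beyond the commit: systemd takes the last uncommented assignment of a key, accepts `no`, `false`, `0` and `off` as the same boolean, and ignores `#Compress=yes`-style comments, so a bare `grep Compress=no` both misses `Compress=false` and is fooled by a later override. The config texts below are constructed; the helper names are this example's own:

```shell
#!/usr/bin/env bash
# Added example: evaluate Compress and ForwardToSyslog from a journald.conf
# text, treating the compiled-in default (yes) as the value when the key is
# absent or commented out.

# Print the effective value of key $2 in config text $1, falling back to $3.
# Last uncommented assignment wins; an empty assignment is mapped to the
# default here (a simplification, not a full systemd config parser).
journald_effective_value() {
    local value
    value=$(printf '%s\n' "$1" \
        | sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]#]*).*$/\1/p" \
        | tail -n 1)
    printf '%s\n' "${value:-$3}"
}

# Return 0 when a systemd boolean spelling means "off".
is_false_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        no|false|0|off) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 = compliant (neither option turned off), 1 = non-compliant.
journald_compliant() {
    local compress forward
    compress=$(journald_effective_value "$1" Compress yes)
    forward=$(journald_effective_value "$1" ForwardToSyslog yes)
    if is_false_bool "$compress" || is_false_bool "$forward"; then
        return 1
    fi
    return 0
}

# Constructed config texts.
SAMPLE_DEFAULT='[Journal]
#Compress=yes
#ForwardToSyslog=yes'
SAMPLE_DISABLED='[Journal]
Compress=no
ForwardToSyslog=yes'
SAMPLE_OVERRIDDEN='[Journal]
Compress=no
Compress=yes'
SAMPLE_FALSE_SPELLING='[Journal]
ForwardToSyslog=false'

report() {
    local label=$1 sample=$2 verdict
    if journald_compliant "$sample"; then verdict=OK; else verdict=KO; fi
    printf '%-16s Compress=%-4s ForwardToSyslog=%-5s => %s\n' "$label" \
        "$(journald_effective_value "$sample" Compress yes)" \
        "$(journald_effective_value "$sample" ForwardToSyslog yes)" "$verdict"
}

report "default file" "$SAMPLE_DEFAULT"
report "compress off" "$SAMPLE_DISABLED"
report "overridden" "$SAMPLE_OVERRIDDEN"
report "false spelling" "$SAMPLE_FALSE_SPELLING"
```

On a real host the text would come from `/etc/systemd/journald.conf` concatenated with `/etc/systemd/journald.conf.d/*.conf`, since drop-ins are merged in and a drop-in can turn an option off even when the main file is untouched.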
Thibault Serti
6efefa07ac
Update shellcheck workflow
fix #34
2021-01-22 14:45:01 +01:00
jeremydenoun
0edb837f80
Remove bc dependency
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-01-22 09:31:53 +01:00
jeremydenoun
1c2e171655
Fix ovh/debian-cis:#25 (#28)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-01-21 16:01:34 +01:00
Thibault Ayanides
624aba950d ADD(4.2.1.6): add new syslog-ng check 2021-01-04 14:24:35 +01:00
Thibault Ayanides
0ca73899d3 ADD(4.2.2.x): add journald checks 2021-01-04 10:10:47 +01:00
Thibault Ayanides
a5e1cb90cd ADD(4.1.1.4): add new check 2021-01-04 09:03:44 +01:00
Thibault Ayanides
b6fff5b8b6 ADD(2.2.1.2): add systemd-timesyncd 2020-12-24 16:20:12 +01:00
Thibault Ayanides
e0c6692ff2 ADD(4.1.1.1): add auditd install 2020-12-24 16:20:02 +01:00
Thibault Ayanides
e2ad0a5dcc ADD(4.4): add logrotate permissions checking 2020-12-24 10:31:47 +01:00
Thibault Ayanides
d0ab72dd26 ADD(5.2.20-23): add new sshd checks 2020-12-23 11:41:53 +01:00
Thibault Ayanides
520ab63b29 ADD(1.1.1.7): restrict FAT partitions 2020-12-23 11:05:37 +01:00
Thibault Ayanides
f626201fdd ADD(1.1.23): disable usb storage 2020-12-23 10:57:02 +01:00
Thibault Ayanides
8da1107532 ADD(1.7.x): add apparmor checks 2020-12-23 10:46:51 +01:00
Thibault Ayanides
936b84c0f2 Update documentation 2020-12-22 17:01:41 +01:00
Thibault Ayanides
9cbc3f85a9 Renum 99.x files to comply with debian10 CIS 2020-12-22 16:36:35 +01:00
Thibault Ayanides
87e242a42d Add commentaries, renum scripts 2020-12-22 15:58:10 +01:00
Thibault Ayanides
7f990b5e53 Add new checks (blank for now) 2020-12-22 14:42:45 +01:00
Thibault Ayanides
7d87619744 Renum 6.x files to comply with debian10 CIS
	renamed:    bin/hardening/6.2.7_users_valid_homedir.sh -> bin/hardening/6.2.3_users_valid_homedir.sh
	renamed:    bin/hardening/6.2.3_remove_legacy_shadow_entries.sh -> bin/hardening/6.2.4_remove_legacy_shadow_entries.sh
	renamed:    bin/hardening/6.2.4_remove_legacy_group_entries.sh -> bin/hardening/6.2.5_remove_legacy_group_entries.sh
	renamed:    bin/hardening/6.2.5_find_0_uid_non_root_account.sh -> bin/hardening/6.2.6_find_0_uid_non_root_account.sh
	renamed:    bin/hardening/6.2.6_sanitize_root_path.sh -> bin/hardening/6.2.7_sanitize_root_path.sh
	renamed:    tests/hardening/6.2.7_users_valid_homedir.sh -> tests/hardening/6.2.3_users_valid_homedir.sh
	renamed:    tests/hardening/6.2.3_remove_legacy_shadow_entries.sh -> tests/hardening/6.2.4_remove_legacy_shadow_entries.sh
	renamed:    tests/hardening/6.2.4_remove_legacy_group_entries.sh -> tests/hardening/6.2.5_remove_legacy_group_entries.sh
	renamed:    tests/hardening/6.2.5_find_0_uid_non_root_account.sh -> tests/hardening/6.2.6_find_0_uid_non_root_account.sh
	renamed:    tests/hardening/6.2.6_sanitize_root_path.sh -> tests/hardening/6.2.7_sanitize_root_path.sh
2020-12-22 11:43:53 +01:00