Charles Herlin
68f9f56192
Renumber 7.4.x tcp wrappers
...
renamed: bin/hardening/7.4.1_install_tcp_wrapper.sh -> bin/hardening/3.3.1_install_tcp_wrapper.sh
renamed: bin/hardening/7.4.2_hosts_allow.sh -> bin/hardening/3.3.2_hosts_allow.sh
renamed: bin/hardening/7.4.4_hosts_deny.sh -> bin/hardening/3.3.3_hosts_deny.sh
renamed: bin/hardening/7.4.3_hosts_allow_permissions.sh -> bin/hardening/3.3.4_hosts_allow_permissions.sh
renamed: bin/hardening/7.4.5_hosts_deny_permissions.sh -> bin/hardening/3.3.5_hosts_deny_permissions.sh
renamed: tests/hardening/7.4.5_hosts_deny_permissions.sh -> tests/hardening/3.3.1_install_tcp_wrapper.sh
renamed: tests/hardening/7.4.4_hosts_deny.sh -> tests/hardening/3.3.2_hosts_allow.sh
renamed: tests/hardening/7.4.3_hosts_allow_permissions.sh -> tests/hardening/3.3.3_hosts_deny.sh
renamed: tests/hardening/7.4.2_hosts_allow.sh -> tests/hardening/3.3.4_hosts_allow_permissions.sh
renamed: tests/hardening/7.4.1_install_tcp_wrapper.sh -> tests/hardening/3.3.5_hosts_deny_permissions.sh
2019-08-30 17:11:03 +02:00
Charles Herlin
c5674c3627
Renumber network params 7.1.x, 7.2.x and 7.3
...
renamed: bin/hardening/7.1.1_disable_ip_forwarding.sh -> bin/hardening/3.1.1_disable_ip_forwarding.sh
renamed: bin/hardening/7.1.2_disable_send_packet_redirects.sh -> bin/hardening/3.1.2_disable_send_packet_redirects.sh
renamed: bin/hardening/7.2.1_disable_source_routed_packets.sh -> bin/hardening/3.2.1_disable_source_routed_packets.sh
renamed: bin/hardening/7.2.2_disable_icmp_redirect.sh -> bin/hardening/3.2.2_disable_icmp_redirect.sh
renamed: bin/hardening/7.2.3_disable_secure_icmp_redirect.sh -> bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
renamed: bin/hardening/7.2.4_log_martian_packets.sh -> bin/hardening/3.2.4_log_martian_packets.sh
renamed: bin/hardening/7.2.5_ignore_broadcast_requests.sh -> bin/hardening/3.2.5_ignore_broadcast_requests.sh
renamed: bin/hardening/7.2.8_enable_tcp_syn_cookies.sh -> bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
renamed: bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh -> bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
renamed: bin/hardening/7.3.3_disable_ipv6.sh -> bin/hardening/3.7_disable_ipv6.sh
deleted: bin/hardening/7.2.6_enable_bad_error_message_protection.sh
deleted: bin/hardening/7.2.7_enable_source_route_validation.sh
deleted: bin/hardening/7.3.2_disable_ipv6_redirect.sh
renamed: tests/hardening/7.3.3_disable_ipv6.sh -> tests/hardening/3.1.1_disable_ip_forwarding.sh
renamed: tests/hardening/7.3.2_disable_ipv6_redirect.sh -> tests/hardening/3.1.2_disable_send_packet_redirects.sh
renamed: tests/hardening/7.3.1_disable_ipv6_router_advertisement.sh -> tests/hardening/3.2.1_disable_source_routed_packets.sh
renamed: tests/hardening/7.2.8_enable_tcp_syn_cookies.sh -> tests/hardening/3.2.2_disable_icmp_redirect.sh
renamed: tests/hardening/7.2.7_enable_source_route_validation.sh -> tests/hardening/3.2.3_disable_secure_icmp_redirect.sh
renamed: tests/hardening/7.2.6_enable_bad_error_message_protection.sh -> tests/hardening/3.2.4_log_martian_packets.sh
renamed: tests/hardening/7.2.5_ignore_broadcast_requests.sh -> tests/hardening/3.2.5_ignore_broadcast_requests.sh
renamed: tests/hardening/7.2.4_log_martian_packets.sh -> tests/hardening/3.2.8_enable_tcp_syn_cookies.sh
renamed: tests/hardening/7.2.3_disable_secure_icmp_redirect.sh -> tests/hardening/3.2.9_disable_ipv6_router_advertisement.sh
renamed: tests/hardening/7.2.2_disable_icmp_redirect.sh -> tests/hardening/3.7_disable_ipv6.sh
deleted: tests/hardening/7.1.1_disable_ip_forwarding.sh
deleted: tests/hardening/7.1.2_disable_send_packet_redirects.sh
deleted: tests/hardening/7.2.1_disable_source_routed_packets.sh
2019-08-30 14:14:29 +02:00
Charles Herlin
e205dc7481
Renumber special purpose services 6.x
...
new file: bin/hardening/2.2.1.1_use_time_sync.sh
renamed: bin/hardening/6.5_configure_ntp.sh -> bin/hardening/2.2.1.2_configure_ntp.sh
new file: bin/hardening/2.2.1.3_configure_chrony.sh
renamed: bin/hardening/6.10_disable_http_server.sh -> bin/hardening/2.2.10_disable_http_server.sh
renamed: bin/hardening/6.11_disable_imap_pop.sh -> bin/hardening/2.2.11_disable_imap_pop.sh
renamed: bin/hardening/6.12_disable_samba.sh -> bin/hardening/2.2.12_disable_samba.sh
renamed: bin/hardening/6.13_disable_http_proxy.sh -> bin/hardening/2.2.13_disable_http_proxy.sh
renamed: bin/hardening/6.14_disable_snmp_server.sh -> bin/hardening/2.2.14_disable_snmp_server.sh
renamed: bin/hardening/6.15_mta_localhost.sh -> bin/hardening/2.2.15_mta_localhost.sh
renamed: bin/hardening/6.16_disable_rsync.sh -> bin/hardening/2.2.16_disable_rsync.sh
renamed: bin/hardening/6.1_disable_xwindow_system.sh -> bin/hardening/2.2.2_disable_xwindow_system.sh
renamed: bin/hardening/6.2_disable_avahi_server.sh -> bin/hardening/2.2.3_disable_avahi_server.sh
renamed: bin/hardening/6.4_disable_dhcp.sh -> bin/hardening/2.2.5_disable_dhcp.sh
renamed: bin/hardening/6.6_disable_ldap.sh -> bin/hardening/2.2.6_disable_ldap.sh
renamed: bin/hardening/6.7_disable_nfs_rpc.sh -> bin/hardening/2.2.7_disable_nfs_rpc.sh
renamed: bin/hardening/6.8_disable_dns_server.sh -> bin/hardening/2.2.8_disable_dns_server.sh
renamed: bin/hardening/6.9_disable_ftp.sh -> bin/hardening/2.2.9_disable_ftp.sh
deleted: bin/hardening/6.3_disable_print_server.sh
new file: tests/hardening/2.2.1.1_use_time_sync.sh
renamed: tests/hardening/6.9_disable_ftp.sh -> tests/hardening/2.2.1.2_configure_ntp.sh
renamed: tests/hardening/6.8_disable_dns_server.sh -> tests/hardening/2.2.1.3_configure_chrony.sh
renamed: tests/hardening/6.7_disable_nfs_rpc.sh -> tests/hardening/2.2.10_disable_http_server.sh
renamed: tests/hardening/6.6_disable_ldap.sh -> tests/hardening/2.2.11_disable_imap_pop.sh
renamed: tests/hardening/6.5_configure_ntp.sh -> tests/hardening/2.2.12_disable_samba.sh
renamed: tests/hardening/6.4_disable_dhcp.sh -> tests/hardening/2.2.13_disable_http_proxy.sh
renamed: tests/hardening/6.3_disable_print_server.sh -> tests/hardening/2.2.14_disable_snmp_server.sh
renamed: tests/hardening/6.2_disable_avahi_server.sh -> tests/hardening/2.2.15_mta_localhost.sh
renamed: tests/hardening/6.1_disable_xwindow_system.sh -> tests/hardening/2.2.16_disable_rsync.sh
renamed: tests/hardening/6.16_disable_rsync.sh -> tests/hardening/2.2.2_disable_xwindow_system.sh
renamed: tests/hardening/6.15_mta_localhost.sh -> tests/hardening/2.2.3_disable_avahi_server.sh
renamed: tests/hardening/6.14_disable_snmp_server.sh -> tests/hardening/2.2.5_disable_dhcp.sh
renamed: tests/hardening/6.13_disable_http_proxy.sh -> tests/hardening/2.2.6_disable_ldap.sh
renamed: tests/hardening/6.12_disable_samba.sh -> tests/hardening/2.2.7_disable_nfs_rpc.sh
renamed: tests/hardening/6.11_disable_imap_pop.sh -> tests/hardening/2.2.8_disable_dns_server.sh
renamed: tests/hardening/6.10_disable_http_server.sh -> tests/hardening/2.2.9_disable_ftp.sh
2019-08-29 16:02:39 +02:00
Charles Herlin
fbdf3b72ed
Renumbering OS services checks and removing obsolete ones
...
new file: bin/hardening/2.1.1_disable_xinetd.sh
renamed: bin/hardening/5.1.8_disable_inetd.sh -> bin/hardening/2.1.2_disable_bsd_inetd.sh
renamed: bin/hardening/5.1.1_disable_nis.sh -> bin/hardening/2.3.1_disable_nis.sh
renamed: bin/hardening/5.1.3_disable_rsh_client.sh -> bin/hardening/2.3.2_disable_rsh_client.sh
renamed: bin/hardening/5.1.5_disable_talk_client.sh -> bin/hardening/2.3.3_disable_talk_client.sh
deleted: bin/hardening/5.1.2_disable_rsh.sh
deleted: bin/hardening/5.1.4_disable_talk.sh
deleted: bin/hardening/5.1.6_disable_telnet_server.sh
deleted: bin/hardening/5.1.7_disable_tftp_server.sh
deleted: bin/hardening/5.2_disable_chargen.sh
deleted: bin/hardening/5.3_disable_daytime.sh
deleted: bin/hardening/5.4_disable_echo.sh
deleted: bin/hardening/5.5_disable_discard.sh
deleted: bin/hardening/5.6_disable_time.sh
renamed: tests/hardening/5.6_disable_time.sh -> tests/hardening/2.1.1_disable_xinetd.sh
renamed: tests/hardening/5.5_disable_discard.sh -> tests/hardening/2.3.1_disable_nis.sh
renamed: tests/hardening/5.4_disable_echo.sh -> tests/hardening/2.3.2_disable_rsh_client.sh
renamed: tests/hardening/5.3_disable_daytime.sh -> tests/hardening/2.3.3_disable_talk_client.sh
deleted: tests/hardening/5.1.1_disable_nis.sh
deleted: tests/hardening/5.1.2_disable_rsh.sh
deleted: tests/hardening/5.1.3_disable_rsh_client.sh
deleted: tests/hardening/5.1.4_disable_talk.sh
deleted: tests/hardening/5.1.5_disable_talk_client.sh
deleted: tests/hardening/5.1.6_disable_telnet_server.sh
deleted: tests/hardening/5.1.7_disable_tftp_server.sh
deleted: tests/hardening/5.1.8_disable_inetd.sh
deleted: tests/hardening/5.2_disable_chargen.sh
2019-08-29 10:33:23 +02:00
Charles Herlin
6365f58b4c
Renumbering 4.x checks
...
renamed: 4.1_restrict_core_dumps.sh -> 1.5.1_restrict_core_dumps.sh
renamed: 4.2_enable_nx_support.sh -> 1.5.2_enable_nx_support.sh
renamed: 4.3_enable_randomized_vm_placement.sh -> 1.5.3_enable_randomized_vm_placement.sh
renamed: 4.4_disable_prelink.sh -> 1.5.4_disable_prelink.sh
renamed: ../../tests/hardening/4.4_disable_prelink.sh -> ../../tests/hardening/1.5.1_restrict_core_dumps.sh
renamed: ../../tests/hardening/4.3_enable_randomized_vm_placement.sh -> ../../tests/hardening/1.5.2_enable_nx_support.sh
renamed: ../../tests/hardening/4.2_enable_nx_support.sh -> ../../tests/hardening/1.5.3_enable_randomized_vm_placement.sh
renamed: ../../tests/hardening/4.1_restrict_core_dumps.sh -> ../../tests/hardening/1.5.4_disable_prelink.sh
2019-08-28 17:26:27 +02:00
Charles Herlin
fe25b1ba38
Renumbering of bootloader checks
...
renamed: 3.1_bootloader_ownership.sh -> 1.4.1_bootloader_ownership.sh
renamed: 3.3_bootloader_password.sh -> 1.4.2_bootloader_password.sh
renamed: 3.4_root_password.sh -> 1.4.3_root_password.sh
deleted: 3.2_bootloader_permissions.sh
renamed: ../../tests/hardening/3.4_root_password.sh -> ../../tests/hardening/1.4.1_bootloader_ownership.sh
renamed: ../../tests/hardening/3.3_bootloader_password.sh -> ../../tests/hardening/1.4.2_bootloader_password.sh
renamed: ../../tests/hardening/3.1_bootloader_ownership.sh -> ../../tests/hardening/1.4.3_root_password.sh
2019-08-28 17:19:59 +02:00
Charles Herlin
0b85d16c16
First batch of renaming to comply to comply to 8v2 and 9 pdf
...
renamed: 2.19_disable_freevxfs.sh -> 1.1.1.1_disable_freevxfs.sh
renamed: 2.20_disable_jffs2.sh -> 1.1.1.2_disable_jffs2.sh
renamed: 2.21_disable_hfs.sh -> 1.1.1.3_disable_hfs.sh
renamed: 2.22_disable_hfsplus.sh -> 1.1.1.4_disable_hfsplus.sh
renamed: 2.24_disable_udf.sh -> 1.1.1.5_disable_udf.sh
renamed: 2.7_var_log_partition.sh -> 1.1.11_var_log_partition.sh
renamed: 2.8_var_log_audit_partition.sh -> 1.1.12_var_log_audit_partition.sh
renamed: 2.9_home_partition.sh -> 1.1.13_home_partition.sh
renamed: 2.10_home_nodev.sh -> 1.1.14_home_nodev.sh
renamed: 2.14_run_shm_nodev.sh -> 1.1.15_run_shm_nodev.sh
renamed: 2.15_run_shm_nosuid.sh -> 1.1.16_run_shm_nosuid.sh
renamed: 2.16_run_shm_noexec.sh -> 1.1.17_run_shm_noexec.sh
renamed: 2.11_removable_device_nodev.sh -> 1.1.18_removable_device_nodev.sh
renamed: 2.13_removable_device_nosuid.sh -> 1.1.19_removable_device_nosuid.sh
renamed: 2.12_removable_device_noexec.sh -> 1.1.20_removable_device_noexec.sh
renamed: 2.17_sticky_bit_world_writable_folder.sh -> 1.1.21_sticky_bit_world_writable_folder.sh
renamed: 2.25_disable_automounting.sh -> 1.1.22_disable_automounting.sh
renamed: 2.1_tmp_partition.sh -> 1.1.2_tmp_partition.sh
renamed: 2.2_tmp_nodev.sh -> 1.1.3_tmp_nodev.sh
renamed: 2.3_tmp_nosuid.sh -> 1.1.4_tmp_nosuid.sh
renamed: 2.4_tmp_noexec.sh -> 1.1.5_tmp_noexec.sh
renamed: 2.5_var_partition.sh -> 1.1.6_var_partition.sh
renamed: 1.1_install_updates.sh -> 1.8_install_updates.sh
2019-08-27 15:30:47 +02:00
Thibault Ayanides
88e3a515ef
5.2.17_sshd_login_grace_time
2020-10-05 17:26:13 +02:00
Thibault Ayanides
55c1cdbdde
5.2.3_ssh_host_public_keys_perm_ownership
2020-10-05 17:05:47 +02:00
Thibault Ayanides
6f5d714b55
5.2.2_ssh_host_private_keys_perm_ownership
2020-10-05 17:05:26 +02:00
Thibault Ayanides
a37c5bdc4e
Add functions utils
...
I added two functions in utils that checks perms and ownership for file
resulting for a certain find. It takes parameters to filter the results
if needed.
2020-10-05 17:01:13 +02:00
Thibault Ayanides
d6e5803252
4.2.4_logs_permissions
2020-10-05 13:17:44 +02:00
Thibault Ayanides
922f28c200
4.2.3_install_syslog-ng
2020-09-30 17:03:10 +02:00
Benjamin MONTHOUEL
70be679567
IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
...
consider exclusions in apply() functions
2020-03-31 14:22:24 +02:00
Benjamin MONTHOUEL
413277d7eb
IMP(12.8,12.9): be able to exclude some paths
2020-03-30 19:11:07 +02:00
Stéphane Lesimple
ef5c00fef5
enh: 13.12_users_valid_homedir.sh: ignore /nonexistent special home folder
2019-10-22 14:14:32 +02:00
Charles Herlin
a4969e6ba6
IMP(99.3.1): improve check with disabled passwords
2019-08-28 11:49:01 +02:00
Charles Herlin
96f3b74334
FIX(10.2): improve test to check multiple login shells
...
fix IFS bug
add test
2019-08-28 11:47:49 +02:00
kevin.tanguy
89cf484cb9
fix(99.4): do not stderr iptables warning on buster
2019-08-14 10:36:25 +02:00
Charles Herlin
71f97062d7
FIX(99.1): remove dot in files to search
...
Apply shellcheck recommendations
2019-04-04 12:18:15 +02:00
Charles Herlin
1ec77dbb56
FIX(13.15): fix code that did not show duplicated group
...
Add tests
Apply shellcheck recommendations
2019-03-28 17:51:02 +01:00
Charles Herlin
8f87d75293
FIX(99.5.4): fix regex to allow other authkey options than "from"
2019-03-15 18:17:48 +01:00
Charles Herlin
02673826a0
FIX(8.2.x): fix grep and find in audit scripts
2019-03-18 16:19:05 +01:00
Charles Herlin
d5d5a39109
FIX(nbsp): remove nbsp for missing file
2019-03-12 10:08:28 +01:00
Charles Herlin
1bac756dcb
FIX(nbsp): remove non breakable spaces that caused Puppet to warn
2019-03-12 09:58:35 +01:00
Charles Herlin
be1ad3e581
IMP(99.5.4): add conf to check only listed users
2019-03-05 10:49:45 +01:00
Charles Herlin
455e58899d
FIX(8.2.4): script crashed when touching a logfile in subdir of /var/log
...
Treating filename to check if it is in a /var/log subdirectory and
creates needed subdirectories
2019-03-01 13:08:07 +01:00
Charles Herlin
9ada868f43
IMP(8.2.4): add exceptions in check and apply
...
Apply shellcheck recommendations
2019-03-01 12:12:42 +01:00
Charles Herlin
4bddd8ee8b
IMP(8.2.5): follow symlinks in find
2019-03-01 10:00:35 +01:00
Charles Herlin
81dc308677
FIX(8.3.2): add $SUDO_CMD to find
2019-02-28 17:52:47 +01:00
Charles Herlin
db4dc4d598
FIX(8.2.5): grep: x is a directory
2019-02-28 16:41:41 +01:00
Charles Herlin
d05ffaf9d5
CHORE: replace ==
with =
that is bash syntax
2019-02-26 15:23:23 +01:00
Charles Herlin
de7dfe5956
CHORE(2.1x): use "readlink -e" instead of custom func
...
Removed get_partition_from_symlink()
2019-02-26 15:06:51 +01:00
Charles Herlin
8031c388c6
IMP(9.3.2): Comply with Debian9 guide: verbose ssh loglevel
2019-02-25 15:16:02 +01:00
Charles Herlin
7b8e359590
IMP(13.13): improve exception detection
2019-02-25 10:33:15 +01:00
Charles Herlin
f7f2f614aa
IMP(9.3.2): Add custom configuration management
...
Add create_config to allow user to customize their conf
Improve tests
Apply shellcheck recommendations
2019-02-22 15:40:01 +01:00
Charles Herlin
605a768fe1
IMP(13.13): Add exceptions for home directories not owned by owner
...
Fill tests
Apply shellcheck recommendations
2019-02-22 15:22:58 +01:00
Charles Herlin
80a1146af7
IMP(8.2.5): find multiline pattern in files (syslog)
...
Add func to find pattern in file that spreads over multiple lines
The func will remove commented lines (that begin with '#')
and consider the file as one long line.
Thus, this is not possible to look for pattern at beginning of line
with this func ('^' and '$')
Improved pattern in 8.2.5
Add syslog-ng to installed dependencies in Dockerfiles
Fixed multifile arguments when looking for pattern that got broken
in d2bbf754
due to "nocase" and _does_pattern_exist_in_file wrapper
Please note that you can only look for pattern in ONE FILE at once
Fixed 8.2.5 and 8.3.2 with for loop on files and 'FOUND' flag
You now need to specify each and every file to look for or embed a
'find' command as follow :
`FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find $SYSLOG_BASEDIR/conf.d/)"`
Improved test files
Applied shellcheck recommendations
2019-02-22 12:39:41 +01:00
Charles Herlin
7408216957
IMP(2.1x): Retrieve actual partition when symlink
...
Add function to retrieve actual partition from symlink in lib/utils.sh
Using this func in all 3 audit scripts
Improved tests to test this func
Apply shellcheck recommendations
Trim trailing spaces
2019-02-22 12:22:14 +01:00
kevin.tanguy
bc5809f92e
FIX CONFIG_AUDIT test
2019-02-21 11:15:48 +01:00
Charles Herlin
d18f5edfba
FIX(99.2): add missing $SUDO_CMD
2019-02-15 16:56:54 +01:00
Charles Herlin
2b2a91a564
Change default status to audit for file with custom create_config
2019-02-14 14:33:21 +01:00
Charles Herlin
1281860401
IMP: enhance scripts that check duplicate UID
...
Add exception handling in 13.14_check_duplicate_uid
Clarifies output message and explicitly displays found exceptions
Add tests
Apply shellcheck recommendation
modified: bin/hardening/13.14_check_duplicate_uid.sh
modified: bin/hardening/13.5_find_0_uid_non_root_account.sh
new file: tests/hardening/13.14_check_duplicate_uid.sh
new file: tests/hardening/13.5_find_0_uid_non_root_account.sh
2019-02-13 16:07:06 +01:00
Charles Herlin
810fee4c8f
Migrate generic checks from secaudit to cis-hardening
...
new file: 99.3.1_acc_shadow_sha512.sh
new file: 99.3.2_acc_sudoers_no_all.sh
new file: 99.4_net_fw_default_policy_drop.sh
new file: 99.5.1_ssh_auth_pubk_only.sh
new file: 99.5.2.1_ssh_cry_kex.sh
new file: 99.5.2.2_ssh_cry_mac.sh
new file: 99.5.2.3_ssh_cry_rekey.sh
new file: 99.5.3_ssh_disable_features.sh
new file: 99.5.4_ssh_keys_from.sh
new file: 99.5.5_ssh_strict_modes.sh
new file: 99.5.6_ssh_sys_accept_env.sh
new file: 99.5.7_ssh_sys_no_legacy.sh
new file: 99.5.8_ssh_sys_sandbox.sh
new file: 99.5.9_ssh_log_level.sh
Fix descriptions in comment section for 99.* secaudit checks
Remove duplicated legacy services that are already taken care of by vanilla cis
Enable custom configuration of checks in config-file, no more hard coded conf
Add test to disable check if debian version is too old
Add excused IPs while checking "from" field of authorized_keys
Escaping dots in IPs
Manage Kex for different debian versions
Add tests for generic checks and add apply for ssh config
Apply shellcheck recommendations on audit/hardening scripts
Update script to check for allowed IPs only, remove bastion related
Fill `apply` func for ssh config related scripts
Add and update tests scenarii
Disable shellcheck test for external source 1091
As of today, the entire project is not shellcheck compliant, I prefer
disabling the test that warns about not finding external source (that
arent compliant). I will enable it again when the project library will
be shellchecked
https://github.com/koalaman/shellcheck/wiki/SC1091
Refactor password policy check with one check by feature
Previous file will now only look for bad passwords in /etc/shadow
I added two checks that look for the compliant configuration lines in
conf files /etc/logins.defs and /etc/pam.d/common-passwords
FIX: merge chained sed and fix regex
FIX: update regex to capture more output
FIX: fix pattern to ignore commented lines, add apply
Also add tests to ensure that commented lines are not detected as valid
configuration
CHORE: cleanup test situation with file and users removal
IMP: add case insensitive option when looking for patterns in files
CHORE: removed duplicated line in test file
2017-12-20 15:14:30 +01:00
Charles Herlin
6cea326921
Update debian 7/8/9 in help files and remove in generic scripts
2019-02-06 15:19:14 +01:00
Charles Herlin
9ba0361be0
FIX: quotes in find command, misinterpreted shellcheck advice
2019-01-23 16:55:48 +01:00
Charles Herlin
71b70a2b8c
FEAT: Add sudo_wrapper to catch unauthorized sudo commands
...
As for now, if a sudo command was not allowed, check might sometimes
pass, resulting compliant state even if it actually is not.
Sudo wrapper first checks wether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant
Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command
Fixed quotes and curly braces with shellcheck report
2018-03-16 12:06:56 +01:00
Charles Herlin
c51a8ee9b8
FIX: sed that was too greedy
...
Used to sed 's!/usr/bin/su!!' /usr/bin/sudo leaving only "do"
that lead to misinterpreting result
Change algorithm to avoid partial sed in the result list
Now the not compliant list is built out of the find results
instead of items being removed from them.
Allow better control of grep inside this list.
Chore: apply shellcheck recommendations
2019-01-02 13:02:02 +01:00
Charles Herlin
e72c7aae15
Add missing /usr/bin/su
2019-01-03 11:21:51 +01:00
Charles Herlin
8e6618eedf
FIX: add /usr/bin/* path for suid/guid allowed binaries
...
Debian is still migrating /bin to /usr/bin so I added both path to the
allowed ones
* mount
* umount
* ping
* ping6
* unix_chkpwd
2019-01-02 17:03:29 +01:00