Commit Graph

83 Commits

Author SHA1 Message Date
Thibault Ayanides
6ae05f3fa2
Add dealing with debian 11
* ADD: add dockerfile for debian11
* FIX: fix crontab file not found on debian11 blank
* Add workflow for debian11
* FIX: fix debian version func to manage debian11
* Add dealing with unsupported version and distro
* Add 99.99 check that check if distro version is supported
* Use global var for debian major and distro

fix #26
2021-02-08 13:54:24 +01:00
Thibault Ayanides
449c695415 IMP: improve partition detection in container
fix #27
2021-02-08 09:07:09 +01:00
jeremydenoun
0b6ea0d97e
IMP: add multiple Improvements
* add new kernel module detection (enable & listing)  with detection of monolithic kernel
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
2021-02-04 16:21:49 +01:00
jeremydenoun
dce926a536
Add default variable to avoid unbound variable
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-01-22 10:02:44 +01:00
jeremydenoun
0edb837f80
Remove bc dependency
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-01-22 09:31:53 +01:00
Thibault Ayanides
5c40d48f85 IMP: add utils to check perm in authorized perm 2020-12-21 10:39:44 +01:00
Thibault Ayanides
a2adf0f15c ADD(6.1.3, 6.1.6-9): add new checks
Renamed some checks, add new checks that check permissions and ownership on /etc/passwd, /etc/shadow, ...
Add new function in utils that checks that check that the file ownership is one of the authrized ownership.

	renamed:    bin/hardening/6.1.5_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh
	new file:   bin/hardening/6.1.3_etc_gshadow-_permissions.sh
	renamed:    bin/hardening/6.1.6_etc_shadow_permissions.sh -> bin/hardening/6.1.4_etc_shadow_permissions.sh
	renamed:    bin/hardening/6.1.7_etc_group_permissions.sh -> bin/hardening/6.1.5_etc_group_permissions.sh
	new file:   bin/hardening/6.1.6_etc_passwd-_permissions.sh
	new file:   bin/hardening/6.1.7_etc_shadow-_permissions.sh
	new file:   bin/hardening/6.1.8_etc_group-_permissions.sh
	new file:   bin/hardening/6.1.9_etc_gshadow_permissions.sh
	modified:   lib/utils.sh
	renamed:    tests/hardening/6.1.5_etc_passwd_permissions.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh
	new file:   tests/hardening/6.1.3_etc_gshadow-_permissions.sh
	renamed:    tests/hardening/6.1.6_etc_shadow_permissions.sh -> tests/hardening/6.1.4_etc_shadow_permissions.sh
	renamed:    tests/hardening/6.1.7_etc_group_permissions.sh -> tests/hardening/6.1.5_etc_group_permissions.sh
	new file:   tests/hardening/6.1.6_etc_passwd-_permissions.sh
	new file:   tests/hardening/6.1.7_etc_shadow-_permissions.sh
	new file:   tests/hardening/6.1.8_etc_group-_permissions.sh
	new file:   tests/hardening/6.1.9_etc_gshadow_permissions.sh
2020-12-21 10:02:52 +01:00
Thibault Ayanides
3560f67e3f Update changelog 2020-12-14 16:56:09 +01:00
Thibault Ayanides
2ab1bd50dc IMP(shellcheck): use $@ insetad of $* (SC2048) 2020-12-14 13:58:50 +01:00
Thibault Ayanides
db27cfc39c FIX: move shfmt to project root 2020-12-10 10:00:07 +01:00
Thibault Ayanides
dee0ebc821 IMP(shellcheck): quote variables 2020-12-10 09:50:33 +01:00
Thibault Ayanides
16cc2bef71 IMP(shellcheck): fix harmless warnings (SC2155) 2020-12-10 08:40:36 +01:00
Thibault Ayanides
b9e129d8fe IMP(shellcheck): disable sed replacement (SC2001)
Shellcheck recommands to replace sed by shell expansions in 'simple' cases.
However, the replacement here is likely to lead to erros, so we disable this rule.
Moreover, it does'nt really add readability.
2020-12-10 08:34:57 +01:00
Thibault Ayanides
1c56bd9930 IMP(shellcheck): remove $() in if condition (SC2091) 2020-12-10 08:16:23 +01:00
Thibault Ayanides
b09b75a51e IMP(shellcheck): quote variables (SC2086) 2020-12-07 17:11:32 +01:00
Thibault Ayanides
ac66cdacd0 IMP(shellcheck): fix quote placement in awk (SC1083) 2020-12-07 15:01:22 +01:00
Thibault Ayanides
8012234096 IMP(shellcheck): fix harmless warnings 2020-12-07 14:53:10 +01:00
Thibault Ayanides
63835dd10c IMP(shellcheck): add curly bracket to var (SC1087) 2020-12-07 13:54:57 +01:00
Thibault Ayanides
addd48c4dd IMP(shellcheck): add prefix to follow scripts (SC1090) 2020-12-07 13:26:51 +01:00
Thibault Ayanides
72bb3e2b84 IMP(shellcheck): replace -a in condition by && (SC2166) 2020-12-04 15:29:19 +01:00
Thibault Ayanides
3a342b784a IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00
Thibault Ayanides
4add6ddc33 IMP(shellcheck): add prefix to define shell (SC2148) 2020-11-27 09:22:47 +01:00
Thibault Ayanides
cccc0881e9 IMP(shellcheck): add run-shellcheck prefix 2020-11-23 17:10:37 +01:00
Thibault Ayanides
b994ca11a7 FIX(main): fix small bug in main
The bug (introduced in 2.1-2) leaded to an error in the test that evaluates forcedstatus
2020-11-30 15:10:39 +01:00
Thibault Ayanides
d40a85085d FIX: fix issue, we had to run audit twice
First one as root to create conf files with good owner and permissions, and then with secaudit.
Now first run with --create-config-files-only and the normally with --audit.
2020-11-20 10:05:14 +01:00
Thibault Ayanides
fbd26ceefa Fix race condition on /etc/passwd, /etc/shadow and /etc/group 2020-11-16 14:09:12 +01:00
Thibault Ayanides
20f432765d FIX(5.2.2,5.2.3) find was not working properly
I removed the functions in utils and replace them with loops, so that
there is no more problems with the options arrays.
2020-10-27 12:47:11 +01:00
Thibault Ayanides
a37c5bdc4e Add functions utils
I added two functions in utils that checks perms and ownership for file
resulting for a certain find. It takes parameters to filter the results
if needed.
2020-10-05 17:01:13 +02:00
Thibault Ayanides
d6e5803252 4.2.4_logs_permissions 2020-10-05 13:17:44 +02:00
Charles Herlin
41e3402b10 FIX(batch): sed \n to space in batch echo 2019-03-19 10:38:41 +01:00
Charles Herlin
1bac756dcb FIX(nbsp): remove non breakable spaces that caused Puppet to warn 2019-03-12 09:58:35 +01:00
Charles Herlin
0a6f8bdba6 FEAT(2.6.x): retrieve actual partition in case if bind mount 2019-02-28 10:14:00 +01:00
Charles Herlin
de7dfe5956 CHORE(2.1x): use "readlink -e" instead of custom func
Removed get_partition_from_symlink()
2019-02-26 15:06:51 +01:00
Charles Herlin
80a1146af7 IMP(8.2.5): find multiline pattern in files (syslog)
Add func to find pattern in file that spreads over multiple lines
The func will remove commented lines (that begin with '#')
and consider the file as one long line.
Thus, this is not possible to look for pattern at beginning of line
with this func ('^' and '$')

Improved pattern in 8.2.5

Add syslog-ng to installed dependencies in Dockerfiles

Fixed multifile arguments when looking for pattern that got broken
in d2bbf754 due to "nocase" and _does_pattern_exist_in_file wrapper
Please note that you can only look for pattern in ONE FILE at once
Fixed 8.2.5 and 8.3.2 with for loop on files and 'FOUND' flag
You now need to specify each and every file to look for or embed a
'find' command as follow :
`FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find $SYSLOG_BASEDIR/conf.d/)"`

Improved test files
Applied shellcheck recommendations
2019-02-22 12:39:41 +01:00
Charles Herlin
7408216957 IMP(2.1x): Retrieve actual partition when symlink
Add function to retrieve actual partition from symlink in lib/utils.sh
Using this func in all 3 audit scripts

Improved tests to test this func

Apply shellcheck recommendations
Trim trailing spaces
2019-02-22 12:22:14 +01:00
Charles Herlin
5c313c8f31 Change default status disabled -> audit when no conf file 2019-02-06 15:26:41 +01:00
Charles Herlin
810fee4c8f Migrate generic checks from secaudit to cis-hardening
new file:   99.3.1_acc_shadow_sha512.sh
new file:   99.3.2_acc_sudoers_no_all.sh
new file:   99.4_net_fw_default_policy_drop.sh
new file:   99.5.1_ssh_auth_pubk_only.sh
new file:   99.5.2.1_ssh_cry_kex.sh
new file:   99.5.2.2_ssh_cry_mac.sh
new file:   99.5.2.3_ssh_cry_rekey.sh
new file:   99.5.3_ssh_disable_features.sh
new file:   99.5.4_ssh_keys_from.sh
new file:   99.5.5_ssh_strict_modes.sh
new file:   99.5.6_ssh_sys_accept_env.sh
new file:   99.5.7_ssh_sys_no_legacy.sh
new file:   99.5.8_ssh_sys_sandbox.sh
new file:   99.5.9_ssh_log_level.sh

Fix descriptions in comment section for 99.* secaudit checks

Remove duplicated legacy services that are already taken care of by vanilla cis

Enable custom configuration of checks in config-file, no more hard coded conf
Add test to disable check if debian version is too old
Add excused IPs while checking "from" field of authorized_keys
Escaping dots in IPs
Manage Kex for different debian versions
Add tests for generic checks and add apply for ssh config
Apply shellcheck recommendations on audit/hardening scripts
Update script to check for allowed IPs only, remove bastion related
Fill `apply` func for ssh config related scripts
Add and update tests scenarii

Disable shellcheck test for external source 1091

As of today, the entire project is not shellcheck compliant, I prefer
disabling the test that warns about not finding external source (that
arent compliant). I will enable it again when the project library will
be shellchecked
https://github.com/koalaman/shellcheck/wiki/SC1091

Refactor password policy check with one check by feature

Previous file will now only look for bad passwords in /etc/shadow
I added two checks that look for the compliant configuration lines in
conf files /etc/logins.defs and /etc/pam.d/common-passwords

FIX: merge chained sed and fix regex

FIX: update regex to capture more output
FIX: fix pattern to ignore commented lines, add apply

Also add tests to ensure that commented lines are not detected as valid
configuration

CHORE: cleanup test situation with file and users removal
IMP: add case insensitive option when looking for patterns in files
CHORE: removed duplicated line in test file
2017-12-20 15:14:30 +01:00
Charles Herlin
d014405e1f FIX: add becho to send batch output to syslog too
becho stands for batch echo
formats the log line for syslog

Also logs audit summary into syslog (in batch mode only)
2019-02-06 17:25:16 +01:00
Charles Herlin
6cea326921 Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00
Charles Herlin
71b70a2b8c FEAT: Add sudo_wrapper to catch unauthorized sudo commands
As for now, if a sudo command was not allowed, check might sometimes
pass, resulting compliant state even if it actually is not.
Sudo wrapper first checks wether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant

Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command

Fixed quotes and curly braces with shellcheck report
2018-03-16 12:06:56 +01:00
Charles Herlin
67df4da781 Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh

Change summary to make it oneliner when batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
2017-10-31 17:44:15 +01:00
Charles Herlin
b1f85d3f99 Add sudo management in main and utils
* perform readonly checks as a regular user
    * sudo -n is used for checks requiring root privileges
    * increase accountability by providing log of individual access to sensitive files
2017-11-09 15:45:42 +01:00
Stéphane Lesimple
676b17c54f add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
Thibault Dewailly
2ef500298b Merge pull request #11 from speed47/dev/fix_does_pattern_exist_in_file
handle ENOENT properly in does_pattern_exist_in_file()
2017-05-19 18:30:21 +02:00
Stéphane Lesimple
3e0187094a handle ENOENT properly in does_pattern_exist_in_file\(\) 2017-05-18 18:31:24 +02:00
Stéphane Lesimple
cca0310d64 set a fixed-size prefix for logger 2017-05-18 18:27:02 +02:00
jeremydenoun
53626bd926 Remove test on _logger() function
the original line contain test that can hide echo if we launch script with pipe or IO redirection
2016-05-14 20:39:32 +02:00
thibault.dewailly
e902c9b4c8 Fixed replace in file function with proper substitution 2016-05-03 11:25:37 +02:00
kevin.tanguy
1479332870 debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00
Frank Denis
ed410747df Rephrase confusing messages 2016-04-21 18:32:36 +02:00