Commit Graph

319 Commits

Author SHA1 Message Date
6e79fcd00a fix: correct debian version check on 5.2.15 configuration generation (#199)
fixes #196
2023-09-01 08:34:28 +02:00
27edec6d5f fix: chore, debug logs print correctly now (#197) 2023-08-31 14:40:27 +02:00
a468b29036 fix: added systemd-timesyncd to use_time_sync script (#189) (#190)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-08-30 10:28:03 +02:00
db9ff8a7fd Update warn messages on 2.2.15_mta_localhost.sh (#193)
warn messages had typo netsat as it should be netstat
2023-08-30 10:23:27 +02:00
6135c3d0e5 fix: enhance test 99.1.3 speed for large /etc/sudoers.d folders (#188)
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2023-07-18 17:28:35 +02:00
873ef8827d fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186)
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exists first.
2023-07-03 17:05:45 +02:00
bd27cd0dae fix: change auditd file rule remediation (#179)
Fixes #165
2023-05-05 12:32:22 +02:00
47cf86237b fix: correct search in 5.4.5_default_timeout in apply mode (#178)
fixes #116
2023-05-02 17:57:35 +02:00
04457e7df2 feat: official Debian 11 compatibility (#176)
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0

After review, here are the notable changes :
 - Harden /var/log more (noexec,nodev,nosuid)
 - Harden /var/log/audit more (noexec,nodev,nosuid)
 - Harden /home more (nosuid)
 - Disable cramfs
 - Fix 5.3.4_acc_pam_sha512.sh
 - Deprecate Debian 9 and remove useless docker images

NB : more audit log rules have been introduced and will be inserted in the checks later
Fix #158
2023-05-02 14:16:19 +02:00
dc952b90df fix: timeout of 99.1.3 (#168)
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.

Closes #167.

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2022-12-22 09:47:35 +01:00
82a217032d fix(6.2.9): Start from UID 1000 for home ownership check (#164)
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes #163

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2022-09-30 10:28:48 +02:00
371c23cd52 feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)
2022-07-04 14:29:25 +02:00
66ccc6316a feat: Filter the filesystem to check when the list is built. (#156)
* feat: Attempt to filter-out filesystem that match exclusion regex.
2022-06-24 17:45:47 +02:00
5c072668d5 fix: add 10s wait timeout on iptables command (#151)
When the tested server has its iptables heavily manipulated (e.g Kubernetes)
The lock aquirement can sometimes fail, hence generating false positives
The command will retry 10 times with a 1 second interval
2022-03-23 16:56:38 +01:00
ad5c71c3ce fix: allow passwd-, group- and shadow- debian default permissions (#149) 2022-03-18 16:41:49 +01:00
a6a22084e1 missing shadowtools backup files is ok (#132)
* missing shadowtools backup files is ok

* update corresponding test cases
2022-03-02 18:05:37 +01:00
b962155a3c fix: Avoid find failures on too many files (#144)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2022-03-02 17:49:28 +01:00
17d272420a feat: Dissociate iptables pkg name from command (#137)
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
2021-12-27 15:40:55 +01:00
97914976c8 Skip NTP and Chrony config check if they are not installed (#120)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-12-01 10:49:08 +01:00
66c8ccf495 Fix 3.4.2 audit rule (#123)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-12-01 10:23:11 +01:00
b53bf1795c Fix grub detection (#119)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-12-01 08:58:32 +01:00
1a874b2b35 Allow grub.cfg permission to be 600 (#121)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-11-30 18:47:19 +01:00
7266ec7cb4 Honor --set-log-level parameter (#127)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-11-30 18:42:33 +01:00
8f855ac159 fix: kernel module detection (#129)
* fix: add filter to hfs

* fix is_kernel_option_enabled check

as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output.

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-10-20 14:51:29 +02:00
ad192c9457 Add silent mode and json summary (#128)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-10-20 13:22:59 +02:00
3d2d97a727 FIX(1.7.1.4): don't abort script in case of unconfined processes (#130) 2021-10-20 13:14:36 +02:00
6e2fb1570c FIX(2.2.1.4): Validate debian default ntp config (#118) 2021-10-15 16:19:51 +02:00
afed5a9dce 99.5.4.5.2: fix bug where sha512 option rounds provoke KO (#112) 2021-08-10 10:30:35 +02:00
9a2e3a0e0d Fix 5.4.5 pattern search (#108)
fix #107
2021-08-09 10:49:56 +02:00
334d743125 fix EXCEPTIONS management (#104)
* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14
2021-06-02 13:47:19 +02:00
f4328deeb2 Fix unbound variable (#102) 2021-05-28 15:00:58 +02:00
9e6c9a0d8a Accept lower values (#95)
* IMP(5.2.23): accept lower value as valid

* IMP(5.2.7): accept lower value as valid
2021-04-27 16:04:13 +02:00
1cade2e375 FIX(2.2.1.2): custom func not working for systemd (#90)
fix #87
2021-04-27 13:49:05 +02:00
cadc25c28c Dir exceptions (#96)
* IMP(1.1.21): add EXCEPTIONS
* IMP(6.1.10): add EXCEPTIONS
2021-04-26 17:05:22 +02:00
f6c6e6a0a8 FIX(4.1.11): add SUDO to find suid files 2021-04-13 11:00:29 +02:00
d110a2aa19 Ignore case for sshd conf
fix #85
2021-04-02 09:25:41 +02:00
1c51e4cec4 Check that package are installed before launching check (#69)
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed

* FIX(2.2.15): check package install

* FIX(4.2.x): check package install

* FIX(5.1.x): check crontab files exist

* FIX(5.2.1): check package install

* FIX(99.3.3.x): check conf file exist

* Remove useless SUDO_CMD

* Deal with non existant /run/shm

* Replace exit code 128 by exit code 2

fix #65

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-03-25 14:01:57 +01:00
f8ac58700d FIX(4.1.1.4): bad pattern (#67)
fix #61
2021-03-25 13:50:08 +01:00
b44fb47c3a add log details to be more comprehensive (#49)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-02-17 12:04:11 +01:00
84ac4db90f fix incorrect path from ls (#45)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-02-17 12:00:13 +01:00
40fb536d4e Add missing HARDENING_LEVEL (#44)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:51:51 +01:00
d1b371f410 Add is_ipv6_disabled (#57)
Modify some checks to make it pass when ipv6 is diabled

fix #50

	modified:   bin/hardening/3.1.1_disable_ipv6.sh
	modified:   bin/hardening/3.3.1_disable_source_routed_packets.sh
	modified:   bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
	modified:   lib/utils.sh

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:45:20 +01:00
6ab1cab3ce IMP(5.1.8): allow more restrictive permissions (#59)
fix #52

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:40:31 +01:00
1a7dd5893a Use pam_faillock instead of pam_tally for bullseye (#56)
Fix #55
See https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0
pam_tally is deprecated and replaced by pam_faillock

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:36:58 +01:00
fa111bc0d0 Update mac and kex to match debian10 CIS (#60)
fix #53

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:31:22 +01:00
460843ffb3 Fix #51 (#58) 2021-02-17 11:19:38 +01:00
6ae05f3fa2 Add dealing with debian 11
* ADD: add dockerfile for debian11
* FIX: fix crontab file not found on debian11 blank
* Add workflow for debian11
* FIX: fix debian version func to manage debian11
* Add dealing with unsupported version and distro
* Add 99.99 check that check if distro version is supported
* Use global var for debian major and distro

fix #26
2021-02-08 13:54:24 +01:00
0b6ea0d97e IMP: add multiple Improvements
* add new kernel module detection (enable & listing)  with detection of monolithic kernel
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
2021-02-04 16:21:49 +01:00
ed1baa724e IMP: mark some checks as useless 2021-01-25 13:02:52 +01:00
bd4ddfc398 ADD(3.4.x): add checks and tests 2021-01-25 13:02:52 +01:00