debian-cis

mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 13:37:02 +01:00

Author	SHA1	Message	Date
GoldenKiwi	6e79fcd00a	fix: correct debian version check on 5.2.15 configuration generation (#199 ) fixes #196	2023-09-01 08:34:28 +02:00
GoldenKiwi	27edec6d5f	fix: chore, debug logs print correctly now (#197 )	2023-08-31 14:40:27 +02:00
GoldenKiwi	f2cc14c383	fix: chore debian manual update (#198 ) * fix: chore debian manual update fixes #182 * Regenerate man pages (Github action) --------- Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>	2023-08-31 14:34:59 +02:00
dependabot[bot]	46377fc255	build(deps): bump dev-drprasad/delete-tag-and-release (#184 ) Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.1 to 1.0.1. - [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases) - [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.1...v1.0.1) --- updated-dependencies: - dependency-name: dev-drprasad/delete-tag-and-release dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2023-08-30 10:32:29 +02:00
Joseph	a468b29036	fix: added `systemd-timesyncd` to use_time_sync script (#189 ) (#190 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2023-08-30 10:28:03 +02:00
JugeHuge	db9ff8a7fd	Update warn messages on 2.2.15_mta_localhost.sh (#193 ) warn messages had typo netsat as it should be netstat	2023-08-30 10:23:27 +02:00
Stéphane Lesimple	6135c3d0e5	fix: enhance test 99.1.3 speed for large /etc/sudoers.d folders (#188 ) Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>	2023-07-18 17:28:35 +02:00
Tarik Megzari	a6ad528087	feat: Add experimental debian12 functionnal tests (#187 ) Signed-off-by: Tarik Megzari <tarik.megzari@ovhcloud.com> Co-authored-by: Tarik Megzari <tarik.megzari@ovhcloud.com>	2023-07-10 10:52:17 +02:00
thibault.dewailly	bc98bedf73	bump to 4.0-1	2023-07-10 07:21:13 +00:00
Stéphane Lesimple	873ef8827d	fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186 ) On systems where /etc/sudoers.d might be updated often by some automated means, this check might raise a critical when a previously present file (during the ls) is no longer present (during its attempted read), so before raising a critical, re-check that it does exists first.	2023-07-03 17:05:45 +02:00
GoldenKiwi	bd27cd0dae	fix: change auditd file rule remediation (#179 ) Fixes #165	2023-05-05 12:32:22 +02:00
GoldenKiwi	f28ffc244c	fix: correct debian package compression override (#181 )	2023-05-02 18:06:59 +02:00
GoldenKiwi	19ce790a27	fix: ensure mountpoints are properly detected (#177 ) Fixes #155 When real entries are present in fstab, system startup or runtime mountpoints are now properly detected Add a supplementary check in case of partition not present in fstab	2023-05-02 18:01:53 +02:00
GoldenKiwi	47cf86237b	fix: correct search in 5.4.5_default_timeout in apply mode (#178 ) fixes #116	2023-05-02 17:57:35 +02:00
GoldenKiwi	ccd9c1a7aa	fix: force xz compression during .deb build (#180 ) zst compression is only available on Debian 12, since the release is built on Ubuntu latest, this was breaking release. Fixes #175	2023-05-02 15:24:32 +02:00
GoldenKiwi	04457e7df2	feat: official Debian 11 compatibility (#176 ) Introduce Debian 11 compatibility Based on CIS_Debian_Linux_11_Benchmark_v1.0.0 After review, here are the notable changes : - Harden /var/log more (noexec,nodev,nosuid) - Harden /var/log/audit more (noexec,nodev,nosuid) - Harden /home more (nosuid) - Disable cramfs - Fix 5.3.4_acc_pam_sha512.sh - Deprecate Debian 9 and remove useless docker images NB : more audit log rules have been introduced and will be inserted in the checks later Fix #158	2023-05-02 14:16:19 +02:00
dependabot[bot]	05521d5961	Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.5.0 to 0.7.0. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.5.0...v0.7.0) --- updated-dependencies: - dependency-name: luizm/action-sh-checker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-04-26 10:20:11 +02:00
thibault.dewailly	06525f06f9	bump to 3.8-1	2023-03-23 10:03:37 +00:00
dependabot[bot]	d5c1c63971	Bump luizm/action-sh-checker from 0.4.0 to 0.5.0 (#161 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: luizm/action-sh-checker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2023-03-23 10:56:12 +01:00
dependabot[bot]	7d93ddeb86	Bump metcalfc/changelog-generator from 3.0.0 to 4.1.0 (#169 ) Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 3.0.0 to 4.1.0. - [Release notes](https://github.com/metcalfc/changelog-generator/releases) - [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png) - [Commits](https://github.com/metcalfc/changelog-generator/compare/v3.0.0...v4.1.0) --- updated-dependencies: - dependency-name: metcalfc/changelog-generator dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2023-03-23 10:50:46 +01:00
dependabot[bot]	a35ecab377	Bump dev-drprasad/delete-tag-and-release from 0.2.0 to 0.2.1 (#170 ) Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases) - [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.0...v0.2.1) --- updated-dependencies: - dependency-name: dev-drprasad/delete-tag-and-release dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-03-23 10:47:09 +01:00
Stéphane Lesimple	dc952b90df	fix: timeout of 99.1.3 (#168 ) The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout on servers where /etc/sudoers.d/ has thousands of files. This patch makes it run roughly 5x faster, as tested on a server with 1500 files in sudoers.d/. Closes #167. Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com> Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>	2022-12-22 09:47:35 +01:00
Tarik Megzari	82a217032d	fix(6.2.9): Start from UID 1000 for home ownership check (#164 ) Rename 6.2.3 and 6.2.9 checks to be more accurate Remove home existence check from 6.2.9 as it's handled by 6.2.3 Update tests accordingly Fixes #163 Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-09-30 10:28:48 +02:00
ymartin-ovh	e478a89bad	bump to 3.7-1 (#160 )	2022-07-04 15:37:08 +02:00
ymartin-ovh	371c23cd52	feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159 ) This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)	2022-07-04 14:29:25 +02:00
Tarik Megzari	ea8334d516	bump to 3.6-1 (#157 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-06-27 12:13:01 +02:00
dependabot[bot]	987bb9c975	Bump luizm/action-sh-checker from 0.3.0 to 0.4.0 (#154 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.3.0 to 0.4.0. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.3.0...v0.4.0) --- updated-dependencies: - dependency-name: luizm/action-sh-checker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-06-26 16:58:46 +02:00
dependabot[bot]	3031bb55d1	Bump actions-ecosystem/action-get-latest-tag from 1.5.0 to 1.6.0 (#153 ) Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases) - [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: actions-ecosystem/action-get-latest-tag dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-06-24 17:55:26 +02:00
ymartin-ovh	66ccc6316a	feat: Filter the filesystem to check when the list is built. (#156 ) * feat: Attempt to filter-out filesystem that match exclusion regex.	2022-06-24 17:45:47 +02:00
Tarik Megzari	7a3145d7f1	bump to 3.5-1 (#152 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-03-23 18:40:25 +01:00
GoldenKiwi	5c072668d5	fix: add 10s wait timeout on iptables command (#151 ) When the tested server has its iptables heavily manipulated (e.g Kubernetes) The lock aquirement can sometimes fail, hence generating false positives The command will retry 10 times with a 1 second interval	2022-03-23 16:56:38 +01:00
GoldenKiwi	d1bd1eb2e7	bump to 3.4-1 (#150 )	2022-03-18 16:49:25 +01:00
GoldenKiwi	ad5c71c3ce	fix: allow passwd-, group- and shadow- debian default permissions (#149 )	2022-03-18 16:41:49 +01:00
dependabot[bot]	33964c0a3d	Bump EndBug/add-and-commit from 8.0.2 to 9 (#148 ) Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 8.0.2 to 9. - [Release notes](https://github.com/EndBug/add-and-commit/releases) - [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md) - [Commits](https://github.com/EndBug/add-and-commit/compare/v8.0.2...v9) --- updated-dependencies: - dependency-name: EndBug/add-and-commit dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-14 15:36:48 +01:00
Tarik Megzari	8320d0eecc	CI: Fix release action (#147 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-03-03 12:02:12 +01:00
Tarik Megzari	a0d33ab158	Update changelog for release 3.3-1 (#146 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-03-03 10:26:42 +01:00
Jan Schmidle	a6a22084e1	missing shadowtools backup files is ok (#132 ) * missing shadowtools backup files is ok * update corresponding test cases	2022-03-02 18:05:37 +01:00
Tarik Megzari	b962155a3c	fix: Avoid find failures on too many files (#144 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2022-03-02 17:49:28 +01:00
dependabot[bot]	20bf51f65b	Bump actions/checkout from 2 to 3 (#145 ) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-02 00:14:50 +01:00
dependabot[bot]	adfe28470a	Bump metcalfc/changelog-generator from 1.0.0 to 3.0.0 (#133 ) Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 1.0.0 to 3.0.0. - [Release notes](https://github.com/metcalfc/changelog-generator/releases) - [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png) - [Commits](https://github.com/metcalfc/changelog-generator/compare/v1.0.0...v3.0.0) --- updated-dependencies: - dependency-name: metcalfc/changelog-generator dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-01 23:48:57 +01:00
dependabot[bot]	c94ee10afe	Bump EndBug/add-and-commit from 7 to 8.0.2 (#142 ) Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 7 to 8.0.2. - [Release notes](https://github.com/EndBug/add-and-commit/releases) - [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md) - [Commits](https://github.com/EndBug/add-and-commit/compare/v7...v8.0.2) --- updated-dependencies: - dependency-name: EndBug/add-and-commit dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-01 20:39:39 +01:00
dependabot[bot]	453a72b8c8	Bump actions-ecosystem/action-get-latest-tag from 1.4.1 to 1.5.0 (#143 ) Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.4.1 to 1.5.0. - [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases) - [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.4.1...v1.5.0) --- updated-dependencies: - dependency-name: actions-ecosystem/action-get-latest-tag dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-01 20:28:33 +01:00
Tarik Megzari	bb03764918	fix: Catch unexpected failures (#140 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-01-31 15:38:38 +01:00
Tarik Megzari	17d272420a	feat: Dissociate iptables pkg name from command (#137 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2021-12-27 15:40:55 +01:00
Tarik Megzari	f1c1517bd2	Update changelog for release 3.2-2 (#135 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2021-12-13 16:06:57 +01:00
tdenof	1341622335	Fix empty fstab test (#134 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Thibault Dewailly <thibault.dewailly@corp.ovh.com>	2021-12-08 08:42:22 +01:00
thibault.dewailly	c8fcfed248	Update changelog for release 3.2-1	2021-12-01 11:04:56 +00:00
Sebastien BLAISOT	97914976c8	Skip NTP and Chrony config check if they are not installed (#120 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-12-01 10:49:08 +01:00
Sebastien BLAISOT	66c8ccf495	Fix 3.4.2 audit rule (#123 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-12-01 10:23:11 +01:00
Sebastien BLAISOT	b53bf1795c	Fix grub detection (#119 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-12-01 08:58:32 +01:00

1 2 3 4 5 ...

527 Commits