Commit Graph

45 Commits

Author SHA1 Message Date
Thibault Ayanides
8012234096 IMP(shellcheck): fix harmless warnings 2020-12-07 14:53:10 +01:00
Thibault Ayanides
63835dd10c IMP(shellcheck): add curly bracket to var (SC1087) 2020-12-07 13:54:57 +01:00
Thibault Ayanides
72bb3e2b84 IMP(shellcheck): replace -a in condition by && (SC2166) 2020-12-04 15:29:19 +01:00
Thibault Ayanides
3a342b784a IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00
Thibault Ayanides
4add6ddc33 IMP(shellcheck): add prefix to define shell (SC2148) 2020-11-27 09:22:47 +01:00
Thibault Ayanides
cccc0881e9 IMP(shellcheck): add run-shellcheck prefix 2020-11-23 17:10:37 +01:00
Thibault Ayanides
fbd26ceefa Fix race condition on /etc/passwd, /etc/shadow and /etc/group 2020-11-16 14:09:12 +01:00
Thibault Ayanides
20f432765d FIX(5.2.2,5.2.3) find was not working properly
I removed the functions in utils and replace them with loops, so that
there is no more problems with the options arrays.
2020-10-27 12:47:11 +01:00
Thibault Ayanides
a37c5bdc4e Add functions utils
I added two functions in utils that checks perms and ownership for file
resulting for a certain find. It takes parameters to filter the results
if needed.
2020-10-05 17:01:13 +02:00
Thibault Ayanides
d6e5803252 4.2.4_logs_permissions 2020-10-05 13:17:44 +02:00
Charles Herlin
0a6f8bdba6 FEAT(2.6.x): retrieve actual partition in case if bind mount 2019-02-28 10:14:00 +01:00
Charles Herlin
de7dfe5956 CHORE(2.1x): use "readlink -e" instead of custom func
Removed get_partition_from_symlink()
2019-02-26 15:06:51 +01:00
Charles Herlin
80a1146af7 IMP(8.2.5): find multiline pattern in files (syslog)
Add func to find pattern in file that spreads over multiple lines
The func will remove commented lines (that begin with '#')
and consider the file as one long line.
Thus, this is not possible to look for pattern at beginning of line
with this func ('^' and '$')

Improved pattern in 8.2.5

Add syslog-ng to installed dependencies in Dockerfiles

Fixed multifile arguments when looking for pattern that got broken
in d2bbf754 due to "nocase" and _does_pattern_exist_in_file wrapper
Please note that you can only look for pattern in ONE FILE at once
Fixed 8.2.5 and 8.3.2 with for loop on files and 'FOUND' flag
You now need to specify each and every file to look for or embed a
'find' command as follow :
`FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find $SYSLOG_BASEDIR/conf.d/)"`

Improved test files
Applied shellcheck recommendations
2019-02-22 12:39:41 +01:00
Charles Herlin
7408216957 IMP(2.1x): Retrieve actual partition when symlink
Add function to retrieve actual partition from symlink in lib/utils.sh
Using this func in all 3 audit scripts

Improved tests to test this func

Apply shellcheck recommendations
Trim trailing spaces
2019-02-22 12:22:14 +01:00
Charles Herlin
810fee4c8f Migrate generic checks from secaudit to cis-hardening
new file:   99.3.1_acc_shadow_sha512.sh
new file:   99.3.2_acc_sudoers_no_all.sh
new file:   99.4_net_fw_default_policy_drop.sh
new file:   99.5.1_ssh_auth_pubk_only.sh
new file:   99.5.2.1_ssh_cry_kex.sh
new file:   99.5.2.2_ssh_cry_mac.sh
new file:   99.5.2.3_ssh_cry_rekey.sh
new file:   99.5.3_ssh_disable_features.sh
new file:   99.5.4_ssh_keys_from.sh
new file:   99.5.5_ssh_strict_modes.sh
new file:   99.5.6_ssh_sys_accept_env.sh
new file:   99.5.7_ssh_sys_no_legacy.sh
new file:   99.5.8_ssh_sys_sandbox.sh
new file:   99.5.9_ssh_log_level.sh

Fix descriptions in comment section for 99.* secaudit checks

Remove duplicated legacy services that are already taken care of by vanilla cis

Enable custom configuration of checks in config-file, no more hard coded conf
Add test to disable check if debian version is too old
Add excused IPs while checking "from" field of authorized_keys
Escaping dots in IPs
Manage Kex for different debian versions
Add tests for generic checks and add apply for ssh config
Apply shellcheck recommendations on audit/hardening scripts
Update script to check for allowed IPs only, remove bastion related
Fill `apply` func for ssh config related scripts
Add and update tests scenarii

Disable shellcheck test for external source 1091

As of today, the entire project is not shellcheck compliant, I prefer
disabling the test that warns about not finding external source (that
arent compliant). I will enable it again when the project library will
be shellchecked
https://github.com/koalaman/shellcheck/wiki/SC1091

Refactor password policy check with one check by feature

Previous file will now only look for bad passwords in /etc/shadow
I added two checks that look for the compliant configuration lines in
conf files /etc/logins.defs and /etc/pam.d/common-passwords

FIX: merge chained sed and fix regex

FIX: update regex to capture more output
FIX: fix pattern to ignore commented lines, add apply

Also add tests to ensure that commented lines are not detected as valid
configuration

CHORE: cleanup test situation with file and users removal
IMP: add case insensitive option when looking for patterns in files
CHORE: removed duplicated line in test file
2017-12-20 15:14:30 +01:00
Charles Herlin
6cea326921 Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00
Charles Herlin
b1f85d3f99 Add sudo management in main and utils
* perform readonly checks as a regular user
    * sudo -n is used for checks requiring root privileges
    * increase accountability by providing log of individual access to sensitive files
2017-11-09 15:45:42 +01:00
Stéphane Lesimple
676b17c54f add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
Stéphane Lesimple
3e0187094a handle ENOENT properly in does_pattern_exist_in_file\(\) 2017-05-18 18:31:24 +02:00
thibault.dewailly
e902c9b4c8 Fixed replace in file function with proper substitution 2016-05-03 11:25:37 +02:00
kevin.tanguy
1479332870 debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00
Frank Denis
ed410747df Rephrase confusing messages 2016-04-21 18:32:36 +02:00
thibault.dewailly
fb9bf542a1 13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh 2016-04-16 17:25:48 +02:00
thibault.dewailly
82a7b05a05 10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh 2016-04-15 23:38:48 +02:00
thibault.dewailly
823cd217a0 9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00
thibault.dewailly
d373b6f937 8.2.5_syslog-ng_remote_host.sh 8.2.6_remote_syslog-ng_acl.sh 8.3.1_install_tripwire.sh 2016-04-14 22:47:34 +02:00
thibault.dewailly
f0bff32503 8.2.1_install_syslog-ng.sh 8.2.2_enable_syslog-ng.sh 8.2.3_configure_syslog-ng.sh 8.2.4_set_logfile_perm.sh 2016-04-14 17:55:14 +02:00
thibault.dewailly
0ce0b23dc8 8.1.4_record_date_time_edit.sh 8.1.5_record_user_group_edit.sh 2016-04-14 14:07:00 +02:00
thibault.dewailly
127d3e9124 8.1.1.3_keep_all_audit_logs.sh 8.1.3_audit_bootloader.sh 2016-04-14 13:11:56 +02:00
thibault.dewailly
df51ac5bcb 7.3.1_disable_ipv6_router_advertisement.sh 2016-04-13 17:41:10 +02:00
thibault.dewailly
1843d1a67b 7.1.1_disable_ip_forwarding.sh 7.1.2_disable_send_packet_redirects.sh 2016-04-13 14:54:35 +02:00
thibault.dewailly
bec4ccd7da 6.16_disable_rsync.sh 2016-04-13 14:12:57 +02:00
thibault.dewailly
4d5ccf1f58 6.2_disable_avahi_server.sh 6.3_disable_print_server.sh 6.4_disable_dhcp.sh 6.5_configure_ntp.sh 6.6_diable_ldap.sh 6.7_disable_nfs_rpc.sh 6.8_disable_dns_server.sh 2016-04-12 11:21:36 +02:00
thibault.dewailly
db7b85ceed 4.2_enable_nx_support.sh 4.3_enable_randomized_vm_placement.sh 4.4_disable_prelink.sh 4.5_enable_apparmor.sh 5.1.1_disable_nis.sh 2016-04-11 16:53:57 +02:00
thibault.dewailly
1bacb6c2ff 4.1_restrict_core_dumps.sh 2016-04-11 14:55:42 +02:00
thibault.dewailly
f2a979e24c 3.2_bootloader_permissions.sh 3.3_bootloader_password.sh 2016-04-11 11:38:50 +02:00
thibault.dewailly
d44a8eb440 3.1_bootloader_ownership.sh fix 2016-04-11 08:55:44 +02:00
thibault.dewailly
91d6ba3fdd 3.1_bootloader_ownership.sh 2016-04-07 08:43:37 +02:00
thibault.dewailly
31454e394d 2.25_disable_automounting.sh 2016-04-07 07:46:44 +02:00
thibault.dewailly
a22c47c97d 2.19_disable_freevxfs.sh 2.20_disable_jffs2.sh 2.21_disable_hfs.sh 2.22_disable_hfsplus.sh 2.23_disable_squashfs.sh 2.24_disable_udf.sh 2016-04-07 07:22:04 +02:00
thibault.dewailly
b87e9a6f14 2.18_disable_cramfs.sh 2016-04-07 06:56:14 +02:00
thibault.dewailly
b079798e62 2.2_tmp_nodev.sh 2016-04-04 15:05:10 +02:00
thibault.dewailly
5effa3335e 2.1 Tmp Partition 2016-04-04 13:32:58 +02:00
thibault.dewailly
6aa74d6188 1.1 Install updates 2016-04-04 11:23:03 +02:00
thibault.dewailly
9a5e962cd4 Added basic Configuration files and skeleton scripts 2016-04-01 09:32:17 +02:00