Commit Graph

102 Commits

Author SHA1 Message Date
25eb91c411 Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00
bfbd410b19 FIX: quotes in find command, misinterpreted shellcheck advice 2019-01-23 16:55:48 +01:00
ec6b79e3c7 FEAT: Add sudo_wrapper to catch unauthorized sudo commands
As of now, if a sudo command was not allowed, the check might sometimes
pass, resulting in a compliant state even if it actually is not.
The sudo wrapper first checks whether the command is allowed before running it;
otherwise it issues a crit message, setting the check as not compliant.

Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command

Fixed quotes and curly braces with shellcheck report
2019-01-23 15:56:27 +01:00
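The pattern described in commit ec6b79e3c7, as an added example in POSIX sh that is not the project's own sudo_wrapper: ask sudo whether the exact command is permitted (`sudo -n -l -- cmd args` exits non-zero when the policy does not allow it or a password would be needed), and only then run it; a refusal is recorded as a crit so the check cannot silently pass. The `SUDO_BIN` knob, the `crit` stub and the `check_shadow_perms` check are assumptions made here so the wrapper can be exercised with a fake sudo.

```sh
#!/bin/sh
# Added example, not the project's code. SUDO_BIN is an assumed override so the
# wrapper can be tested with a stand-in for sudo; the real binary is the default.
SUDO_BIN="${SUDO_BIN:-sudo}"
CRIT_COUNT=0

# Stub for the project's crit(): count the failure and report it on stderr.
crit() {
    CRIT_COUNT=$((CRIT_COUNT + 1))
    printf '[ ERROR ] %s\n' "$*" >&2
}

# Run a command through sudo only if sudo -l confirms it is permitted.
# "$@" keeps each argument intact (no word splitting), unlike "$*".
# -n makes sudo fail instead of prompting, so an unattended audit never hangs.
sudo_wrapper() {
    if "$SUDO_BIN" -n -l -- "$@" >/dev/null 2>&1; then
        "$SUDO_BIN" -n -- "$@"
    else
        crit "sudo command not allowed or would require a password: $*"
        return 1
    fi
}

# Example check in the project's style (assumed, not a real project check):
# read /etc/shadow permissions through the wrapper. Returns 0 when compliant.
# Note the command substitution runs sudo_wrapper in a subshell, so a crit raised
# there is printed but not counted in this shell's CRIT_COUNT; the non-zero
# return status is what marks the check as failed.
check_shadow_perms() {
    perms=$(sudo_wrapper stat -c '%a' /etc/shadow) || return 1
    case "$perms" in
        640|600|400|000) return 0 ;;
        *) crit "/etc/shadow permissions are $perms"; return 1 ;;
    esac
}
```

With real sudo, a sudoers entry such as `audit ALL=(root) NOPASSWD: /usr/bin/stat` (an assumed example entry) lets `check_shadow_perms` pass without a prompt; remove it and the same check reports a crit instead of a false compliant result.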
001323f448 FIX: sed that was too greedy
Used to sed 's!/usr/bin/su!!' /usr/bin/sudo, leaving only "do",
which led to misinterpreting the result

Change algorithm to avoid partial sed in the result list
Now the not compliant list is built out of the find results
instead of items being removed from them.
Allow better control of grep inside this list.

Chore: apply shellcheck recommendations
2019-01-23 13:49:29 +01:00
ed0c07d319 Add missing /usr/bin/su 2019-01-21 17:27:09 +01:00
03b6f1857a FIX: add /usr/bin/* path for suid/guid allowed binaries
Debian is still migrating /bin to /usr/bin, so I added both paths to the
allowed ones

 * mount
 * umount
 * ping
 * ping6
 * unix_chkpwd
2019-01-21 17:27:09 +01:00
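The greedy-sed bug from commit 001323f448 beside the approach that commit describes (build the non-compliant list from the find results instead of deleting allowed entries from them), as an added example that is not the project's code. The allowed list is constructed here from the binaries named in 03b6f1857a under both /bin and /usr/bin, plus /usr/bin/su from ed0c07d319 and /usr/bin/sudo; the "find" output is a constructed sample so the script runs offline. Whether the project's real list contains exactly these entries is an assumption.

```sh
#!/bin/sh
# Added example, not the project's code. Allowed SUID/SGID paths (constructed).
ALLOWED_SUID_BINARIES='
/usr/bin/mount
/usr/bin/umount
/usr/bin/ping
/usr/bin/ping6
/usr/bin/su
/usr/bin/sudo
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/bin/su
/sbin/unix_chkpwd
/usr/sbin/unix_chkpwd
'

# Constructed stand-in for: find / -perm -4000 -type f
FOUND_SUID='
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/opt/acme/suid_helper
'

# The buggy approach: strip every allowed path out of the find output with an
# unanchored sed. The pattern /usr/bin/su also matches the start of
# /usr/bin/sudo, leaving a stray "do" that is then reported as non-compliant.
buggy_noncompliant() {
    result="$FOUND_SUID"
    for bin in $ALLOWED_SUID_BINARIES; do
        result=$(printf '%s\n' "$result" | sed "s!$bin!!")
    done
    printf '%s\n' "$result" | sed '/^$/d'
}

# The fixed approach: keep a find result only if it is not an exact (-x),
# fixed-string (-F) match for an allowed path. Nothing is edited inside the
# paths, so /usr/bin/su can never damage /usr/bin/sudo.
fixed_noncompliant() {
    set --
    for allowed in $ALLOWED_SUID_BINARIES; do
        set -- "$@" -e "$allowed"
    done
    # grep -v exits 1 when every line was filtered out; that is "all compliant".
    printf '%s\n' $FOUND_SUID | grep -vxF "$@" || true
}
```

Both functions split the lists on whitespace, so paths containing spaces would need a NUL-delimited variant; the point here is the anchoring, which `grep -x` gives and an unanchored `sed s!...!!` does not.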
106412149d Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh

Change summary to make it a one-liner in batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
2019-01-21 17:20:18 +01:00
91642474f7 Change from CIS reco and only warn (no crit) if logfile does not exist 2019-01-21 17:20:00 +01:00
d60922ab9d Redirect stderr to avoid printing "no such file" error 2018-03-19 18:06:47 +01:00
39246bc175 resolve #SOC-30 Also check /etc/security/limits.d/ for core dump limit 2018-03-15 09:50:05 +01:00
47857774b4 Fix SOC-28, add test if file exists, if not issue error 2018-03-14 14:04:02 +01:00
b41df080cf Add sudo management in main and utils
* perform readonly checks as a regular user
    * sudo -n is used for checks requiring root privileges
    * increase accountability by providing log of individual access to sensitive files
2018-03-13 10:38:25 +01:00
321063fe7c Merge pull request #31 in IAAS/cis-hardening from dev/cherlin/update-cis-scripts to master
* commit 'f97fbb47f701fd81a6dcdabb1d2e961943386eb5':
  Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
2017-12-05 11:38:15 +01:00
5b11b1628a Expand tabs to 4 spaces and trim trailing spaces 2017-11-17 15:13:27 +01:00
f97fbb47f7 Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers 2017-11-10 14:48:51 +01:00
cbfd04272b Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00
b6aba4cc88 Merge pull request #12 from speed47/dev/enhancements
Hardening Classification
subs enhancements as well as bug fixes
2017-09-28 13:22:59 +02:00
dfaf4c2093 add hardening templating and several enhancements 2017-06-13 18:30:29 +02:00
a4dc5bdaf5 No more wildcards in file list to be more resilient 2017-06-13 15:36:06 +02:00
4c2107cbea [10.1.3] set the good value for $OPTIONS 2017-05-03 23:08:48 +02:00
0f11b08ffb [Debian 8] Fixed comments for debian 8 compliance 2017-03-14 15:42:08 +01:00
717a794e45 [10.2] Fixed result parsing in case of spaces in passwd list 2017-03-10 17:26:55 +01:00
1e47226bd4 fixed option name in 9.3.9_disable_sshd_permitemptypasswords.sh, was PermitRootLogin instead of PermitEmptyPassword 2016-06-29 15:12:21 +02:00
59e3008b4c fix 99.1 Apply TMOUT Variable 2016-05-02 10:45:32 +02:00
8bbac84f7b debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-26 14:02:17 +02:00
c1a45d1df1 Fixed 6.15 netstat analysis 2016-04-22 17:23:21 +02:00
50a502dd32 Merge pull request #4 from jedisct1/valuemsg
Rephrase confusing messages
2016-04-22 08:40:14 +02:00
7e951c020a Fixed default file error handling and quickstart 2016-04-22 08:34:28 +02:00
516b4dc7f9 Fixed point 9.1.8 cron rights as a chmod 600 disabled the cron.allow features (file must be world readable) 2016-04-21 18:56:10 +02:00
ccd40f4369 Rephrase confusing messages 2016-04-21 18:32:36 +02:00
799b3b5145 Fixed 8.2.4 check file exists before testing rights 2016-04-20 18:06:08 +02:00
c5b4aa220d Added exit code to CIS_ROOT_DIR test def, optimized sed and sort 2016-04-20 18:06:08 +02:00
a7f418d8a2 Corrected script names, added License, Completed README and corrected bug with too long logger messages 2016-04-19 13:51:28 +02:00
e9487bfb04 Corrected default file path 2016-04-18 17:39:14 +02:00
091eec57ee All configuration defaults to disabled README updated 2016-04-18 13:25:09 +02:00
57121f116c 99.1_timeout_tty.sh 99.2_disable_usb_devices.sh 2016-04-18 11:16:05 +02:00
756fce8c2e Fixed disabled features, headers and preparing main script 2016-04-17 23:19:41 +02:00
ef14c475fe Added argument parsing and test checks 2016-04-17 23:10:47 +02:00
e1337d76df 13.16_check_duplicate_username.sh 13.17_check_duplicate_groupname.sh 13.18_find_user_netrc_files.sh 13.19_find_user_forward_files.sh 13.20_shadow_group_empty.sh 2016-04-17 22:30:20 +02:00
aad764bb1b 13.14_check_duplicate_uid.sh 13.15_check_duplicate_gid.sh 2016-04-17 19:53:47 +02:00
a38aa6f039 13.12_users_valid_homedir.sh 13.11_find_passwd_group_inconsistencies.sh 13.13_check_user_homedir_ownership.sh 2016-04-17 18:58:25 +02:00
fbba59cc67 13.10_find_user_rhosts_files.sh 2016-04-16 18:55:44 +02:00
83cd95756d 13.8_check_user_dot_file_perm.sh 13.9_set_perm_on_user_netrc.sh 2016-04-16 18:32:09 +02:00
f82a438246 13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00
b24a415dce 13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh 2016-04-16 17:25:48 +02:00
dbc24bb8d7 13.1_remove_empry_password_field.sh 2016-04-16 15:10:14 +02:00
fffd9842d6 12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00
d241ae57f9 12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00
da30fa0b48 10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh 2016-04-15 23:38:48 +02:00
dd9fac10d9 10.1.1_set_password_exp_days.sh 10.1.2_set_password_min_days_change.sh 10.1.3_set_password_exp_warning_days.sh 10.2_disable_system_accounts.sh 10.3_default_root_group.sh 10.4_default_umask.sh 9.4_secure_tty.sh 9.5_restrict_su.sh 2016-04-15 19:29:26 +02:00