Commit Graph

46 Commits

Author SHA1 Message Date
Charles Herlin
7690b57ea9 FIX: add becho to send batch output to syslog too
becho stands for batch echo
formats the log line for syslog

Also logs audit summary into syslog (in batch mode only)
2019-02-07 11:41:12 +01:00
Charles Herlin
25eb91c411 Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00
Charles Herlin
ec6b79e3c7 FEAT: Add sudo_wrapper to catch unauthorized sudo commands
As for now, if a sudo command was not allowed, check might sometimes
pass, resulting compliant state even if it actually is not.
Sudo wrapper first checks wether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant

Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command

Fixed quotes and curly braces with shellcheck report
2019-01-23 15:56:27 +01:00
Charles Herlin
106412149d Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh

Change summary to make it oneliner when batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
2019-01-21 17:20:18 +01:00
Charles Herlin
b41df080cf Add sudo management in main and utils
* perform readonly checks as a regular user
    * sudo -n is used for checks requiring root privileges
    * increase accountability by providing log of individual access to sensitive files
2018-03-13 10:38:25 +01:00
Stéphane Lesimple
dfaf4c2093 add hardening templating and several enhancements 2017-06-13 18:30:29 +02:00
Thibault Dewailly
78569b5583 Merge pull request #11 from speed47/dev/fix_does_pattern_exist_in_file
handle ENOENT properly in does_pattern_exist_in_file()
2017-05-19 18:30:21 +02:00
Stéphane Lesimple
f94dff5f3f handle ENOENT properly in does_pattern_exist_in_file\(\) 2017-05-18 18:31:24 +02:00
Stéphane Lesimple
70811c258d set a fixed-size prefix for logger 2017-05-18 18:27:02 +02:00
jeremydenoun
c278e7b1ec Remove test on _logger() function
the original line contain test that can hide echo if we launch script with pipe or IO redirection
2016-05-14 20:39:32 +02:00
thibault.dewailly
1bb8c5b387 Fixed replace in file function with proper substitution 2016-05-03 11:25:37 +02:00
kevin.tanguy
8bbac84f7b debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-26 14:02:17 +02:00
Frank Denis
ccd40f4369 Rephrase confusing messages 2016-04-21 18:32:36 +02:00
thibault.dewailly
c5b4aa220d Added exit code to CIS_ROOT_DIR test def, optimized sed and sort 2016-04-20 18:06:08 +02:00
Stéphane Lesimple
76811c8a7f add --audit-all option 2016-04-20 18:06:08 +02:00
thibault.dewailly
a7f418d8a2 Corrected script names, added License, Completed README and corrected bug with too long logger messages 2016-04-19 13:51:28 +02:00
thibault.dewailly
5e4e017653 log format correction, loglevel defaults to info 2016-04-18 14:03:20 +02:00
thibault.dewailly
091eec57ee All configuration defaults to disabled README updated 2016-04-18 13:25:09 +02:00
thibault.dewailly
756fce8c2e Fixed disabled features, headers and preparing main script 2016-04-17 23:19:41 +02:00
thibault.dewailly
ef14c475fe Added argument parsing and test checks 2016-04-17 23:10:47 +02:00
thibault.dewailly
b24a415dce 13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh 2016-04-16 17:25:48 +02:00
thibault.dewailly
da30fa0b48 10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh 2016-04-15 23:38:48 +02:00
thibault.dewailly
9451842e84 9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00
thibault.dewailly
586d6823fa 8.2.5_syslog-ng_remote_host.sh 8.2.6_remote_syslog-ng_acl.sh 8.3.1_install_tripwire.sh 2016-04-14 22:47:34 +02:00
thibault.dewailly
45dcda4402 8.2.1_install_syslog-ng.sh 8.2.2_enable_syslog-ng.sh 8.2.3_configure_syslog-ng.sh 8.2.4_set_logfile_perm.sh 2016-04-14 17:55:14 +02:00
thibault.dewailly
75e072f304 8.1.4_record_date_time_edit.sh 8.1.5_record_user_group_edit.sh 2016-04-14 14:07:00 +02:00
thibault.dewailly
47d017908d 8.1.1.3_keep_all_audit_logs.sh 8.1.3_audit_bootloader.sh 2016-04-14 13:11:56 +02:00
thibault.dewailly
115de36b34 7.3.1_disable_ipv6_router_advertisement.sh 2016-04-13 17:41:10 +02:00
thibault.dewailly
3ac82210f0 7.1.1_disable_ip_forwarding.sh 7.1.2_disable_send_packet_redirects.sh 2016-04-13 14:54:35 +02:00
thibault.dewailly
8b8547dc7d 6.16_disable_rsync.sh 2016-04-13 14:12:57 +02:00
thibault.dewailly
a54abb2496 6.2_disable_avahi_server.sh 6.3_disable_print_server.sh 6.4_disable_dhcp.sh 6.5_configure_ntp.sh 6.6_diable_ldap.sh 6.7_disable_nfs_rpc.sh 6.8_disable_dns_server.sh 2016-04-12 11:21:36 +02:00
thibault.dewailly
3596fec2df 4.2_enable_nx_support.sh 4.3_enable_randomized_vm_placement.sh 4.4_disable_prelink.sh 4.5_enable_apparmor.sh 5.1.1_disable_nis.sh 2016-04-11 16:53:57 +02:00
thibault.dewailly
f3e537072a 4.1_restrict_core_dumps.sh 2016-04-11 14:55:42 +02:00
thibault.dewailly
7a3dc9ba87 3.2_bootloader_permissions.sh 3.3_bootloader_password.sh 2016-04-11 11:38:50 +02:00
thibault.dewailly
ce76538f64 3.1_bootloader_ownership.sh fix 2016-04-11 08:55:44 +02:00
thibault.dewailly
f1dcd7431a 3.1_bootloader_ownership.sh 2016-04-07 08:43:37 +02:00
thibault.dewailly
f3cb9bfb16 2.25_disable_automounting.sh 2016-04-07 07:46:44 +02:00
thibault.dewailly
8269600088 2.19_disable_freevxfs.sh 2.20_disable_jffs2.sh 2.21_disable_hfs.sh 2.22_disable_hfsplus.sh 2.23_disable_squashfs.sh 2.24_disable_udf.sh 2016-04-07 07:22:04 +02:00
thibault.dewailly
0861a1407d 2.18_disable_cramfs.sh 2016-04-07 06:56:14 +02:00
thibault.dewailly
0bf935bb17 2.2_tmp_nodev.sh 2016-04-04 16:14:53 +02:00
thibault.dewailly
01b03f7aeb 2.1 Tmp Partition 2016-04-04 13:40:33 +02:00
thibault.dewailly
544b9f0619 1.1 Install updates 2016-04-04 11:25:45 +02:00
thibault.dewailly
bffc14a8da skeleton 2016-04-04 08:01:37 +02:00
thibault.dewailly
d76cf94b18 hardening : building basic configuration 2016-04-01 14:36:42 +02:00
thibault.dewailly
9a5e962cd4 Added basic Configuration files and skeleton scripts 2016-04-01 09:32:17 +02:00
thibault.dewailly
754cf6fd1d Initial Commit Basic folders 2016-04-01 07:50:08 +02:00