"--only" was broken: it did not correctly match a script passed to "--only".
Previously we were matching on the recommendation number; now we use the full script name.
Example: 1.1.1.1_disable_freevxfs.sh
Previously (broken): looked up 1\.1\.1\.1, which could also match 1.1.1.1.1.1.1.1_foo.sh
Now: looks up 1.1.1.1_disable_freevxfs.sh
Usage example:
Previously:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
Total Available Checks : 0
Total Runned Checks : 0
Total Passed Checks : [ 0/0 ]
Total Failed Checks : [ 0/0 ]
Enabled Checks Percentage : 0 %
Conformity Percentage : N.A %
```
Now:
```
bin/hardening.sh --audit --only 1.1.10_var_tmp_noexec.sh --only 1.1.11.1_var_log_noexec.sh
hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.10_var_tmp_noexec.sh
1.1.10_var_tmp_noexec [INFO] Working on 1.1.10_var_tmp_noexec
1.1.10_var_tmp_noexec [INFO] [DESCRIPTION] /var/tmp partition with noexec option.
1.1.10_var_tmp_noexec [INFO] Checking Configuration
1.1.10_var_tmp_noexec [INFO] Performing audit
1.1.10_var_tmp_noexec [INFO] Verifying that /var/tmp is a partition
1.1.10_var_tmp_noexec [ OK ] /var/tmp is a partition
1.1.10_var_tmp_noexec [ OK ] /var/tmp has noexec in fstab
1.1.10_var_tmp_noexec [ OK ] /var/tmp mounted with noexec
1.1.10_var_tmp_noexec [ OK ] Check Passed
hardening [INFO] Treating /opt/debian-cis/versions/default/1.1.11.1_var_log_noexec.sh
1.1.11.1_var_log_noexec [INFO] Working on 1.1.11.1_var_log_noexec
1.1.11.1_var_log_noexec [INFO] [DESCRIPTION] /var/log partition with noexec option.
1.1.11.1_var_log_noexec [INFO] Checking Configuration
1.1.11.1_var_log_noexec [INFO] Performing audit
1.1.11.1_var_log_noexec [INFO] Verifying that /var/log is a partition
1.1.11.1_var_log_noexec [ OK ] /var/log is a partition
1.1.11.1_var_log_noexec [ KO ] /var/log has no option noexec in fstab!
1.1.11.1_var_log_noexec [ KO ] Check Failed
Total Available Checks : 2
Total Runned Checks : 2
Total Passed Checks : [ 1/2 ]
Total Failed Checks : [ 1/2 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 50.00 %
```
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
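The over-matching described in this commit, as an added illustration in POSIX sh that is not debian-cis code: the old behaviour derives the recommendation number from the requested script and searches for it as an unanchored regex, so `1\.1\.1\.1` also selects `1.1.1.1.1.1.1.1_foo.sh`; the new behaviour compares the full script name. The script names live in a constructed scratch directory, not under /opt/debian-cis, and the helper names are assumptions.

```shell
#!/bin/sh
# Added illustration (not debian-cis code) of why selecting "--only" scripts by
# recommendation number over-selects, and how an exact name match avoids it.
set -eu

SCRATCH="$(mktemp -d)"
trap 'rm -rf "$SCRATCH"' EXIT
# Constructed sample script names; only the names matter for this demo.
for f in 1.1.1.1_disable_freevxfs.sh 1.1.1.1.1.1.1.1_foo.sh 1.1.10_var_tmp_noexec.sh; do
    : > "$SCRATCH/$f"
done

# Print the basenames in the scratch directory, one per line.
list_scripts() {
    for f in "$SCRATCH"/*; do basename "$f"; done
}

# Old behaviour: take the number before the first "_", escape the dots and use
# it as an unanchored regex.  "1\.1\.1\.1" is a substring of
# "1.1.1.1.1.1.1.1_foo.sh", so two scripts are selected instead of one.
select_by_number() {
    regex="$(printf '%s' "${1%%_*}" | sed 's/\./\\./g')"
    list_scripts | grep -E -- "$regex" | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# New behaviour: fixed-string, whole-line comparison of the full script name,
# which can only ever match the one file that was asked for.
select_by_name() {
    list_scripts | grep -Fx -- "$1" | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

select_by_number 1.1.1.1_disable_freevxfs.sh   # old: two scripts selected
select_by_name   1.1.1.1_disable_freevxfs.sh   # new: exactly one script
```

The `-x` (whole line) and `-F` (fixed string) flags are what make the new form safe against both prefix collisions and regex metacharacters in the name.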
* feat: add "--set-version" option
This feature allows choosing a specific CIS version to run, like Debian 11 or Debian 12.
* chore: configure current repository as a version
And use it as the default version.
To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number.
The only impact is if you are used to executing scripts directly from bin/hardening.
In this case, please use the "bin/hardening.sh" wrapper as intended.
I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh.
Also, there was a duplicate between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh; the former was kept.
* chore: remove CIS recommendation numbers from bin/hardening scripts
* fix: some tests are failing
find_ungrouped_files.sh and find_unowned_files.sh tests cannot be executed multiple times:
- test repository is not cleaned
- configuration is updated multiple times
Those tests are also failing because:
- the sed to change the status in the configuration was also changing the test folder path.
- missing /proc in EXCLUDED paths
- the EXCLUDED configuration doesn't have the correct format for egrep
---------
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
* chore: make linter happy for existing code
* fix: add missing test 2.1.2_disable_bsd_intetd.sh
* feat: add basic pre commit
Ensure a check has a corresponding test
---------
Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
* allow multiple exception users for 99.5.2.4
* move clean up part of previous commit
* split clean up part of previous commit
* add tests for multiple allowed and denied ssh users
* fix script to correctly set multiple allowed and denied ssh users
* add cleanup resolved check to 5.2.18
* apply shellfmt to 5.2.18
---------
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)"
This reverts commit 670c8c62f5.
We still want to verify the preexisting hashes in /etc/shadow,
even if the PAM configuration is correct for new passwords (5.3.4).
* Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
* feat: Officialize Debian 12 support
Functional tests now pass
CIS Benchmark PDF for Debian 12 is not out yet, but the hardening points checked
are still relevant in Debian 12.
OVHcloud is now using it in critical production, hence making it officially supported.
---------
Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exist first.
Fixes #155
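The list-then-read race described above, as an added illustration in POSIX sh that is not the debian-cis check itself: a directory is listed, one entry is removed before the reads (standing in for an automated update of the drop-in directory), and only a file that still exists but cannot be read is counted as critical. The directory is a constructed scratch directory, not /etc/sudoers.d, and the function names are assumptions.

```shell
#!/bin/sh
# Added illustration (not debian-cis code): tolerate files that disappear between
# listing a directory and reading its entries, while still flagging files that
# exist but cannot be read.
set -eu

# Constructed stand-in for /etc/sudoers.d with a few sample drop-in names.
make_sample_dir() {
    d="$(mktemp -d)"
    for name in 10-automation 20-ops README; do
        printf 'Defaults env_reset\n' > "$d/$name"
    done
    printf '%s\n' "$d"
}

# Scan every file listed in $1.  $2 (optional, used only for the demo) names a
# file to delete after the listing but before the reads, simulating churn in
# the directory while the check is running.
scan_sudoers_dir() {
    dir="$1"; vanish="${2:-}"
    listing="$(ls "$dir")"
    if [ -n "$vanish" ]; then rm -f "$dir/$vanish"; fi
    ok=0 vanished=0 critical=0
    for name in $listing; do
        if cat "$dir/$name" >/dev/null 2>&1; then
            ok=$((ok + 1))
        elif [ -e "$dir/$name" ]; then
            # Still present but unreadable: a genuine problem, keep it critical.
            critical=$((critical + 1))
        else
            # Listed a moment ago, gone now: expected churn, not a finding.
            vanished=$((vanished + 1))
        fi
    done
    printf 'read=%d vanished=%d critical=%d\n' "$ok" "$vanished" "$critical"
}

SAMPLE="$(make_sample_dir)"
scan_sudoers_dir "$SAMPLE" 20-ops     # read=2 vanished=1 critical=0
rm -rf "$SAMPLE"
```

The existence re-check happens only on the failure path, so the common case costs nothing extra and a file that is present but unreadable is still surfaced.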
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected.
Add a supplementary check in case a partition is not present in fstab.
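The two-source mount audit that the output earlier on this page reports ("has noexec in fstab" and "mounted with noexec"), as an added illustration in POSIX sh that is not the debian-cis check itself: the fstab entry says what will apply at the next boot, the live mount table says what applies now, and the two can disagree. Both tables below are constructed sample data rather than a real /etc/fstab or /proc/mounts, and the helper names are assumptions.

```shell
#!/bin/sh
# Added illustration (not debian-cis code): audit a mount option against both
# the fstab entry and the live mount table, and report drift between them.
set -eu

# Constructed sample tables.  Column layout is the same in both: device,
# mountpoint, type, comma-separated options.
FSTAB_SAMPLE='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111-2222   /               ext4  errors=remount-ro            0 1
UUID=3333-4444   /var/tmp        ext4  defaults,nodev,nosuid,noexec 0 2
UUID=5555-6666   /var/log        ext4  defaults                     0 2
UUID=7777-8888   /var/log/audit  ext4  defaults,noexec              0 2
'
MOUNTS_SAMPLE='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/log ext4 rw,relatime 0 0
/dev/sda4 /var/log/audit ext4 rw,relatime 0 0
'

# has_entry TABLE MOUNTPOINT: succeeds if the table has a row for MOUNTPOINT.
has_entry() {
    printf '%s' "$1" | awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp { found = 1; exit }
        END { exit !found }'
}

# has_option TABLE MOUNTPOINT OPTION: succeeds if the row for MOUNTPOINT lists
# OPTION in its comma-separated option field.
has_option() {
    printf '%s' "$1" | awk -v mp="$2" -v opt="$3" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
            exit
        }
        END { exit !found }'
}

# audit_mount_option MOUNTPOINT OPTION: one line summarising both sources.
audit_mount_option() {
    mp="$1"; opt="$2"
    if ! has_entry "$FSTAB_SAMPLE" "$mp" && ! has_entry "$MOUNTS_SAMPLE" "$mp"; then
        printf '%s is not a separate partition\n' "$mp"
        return 0
    fi
    fstab=ko; mounted=ko
    if has_option "$FSTAB_SAMPLE" "$mp" "$opt"; then fstab=ok; fi
    if has_option "$MOUNTS_SAMPLE" "$mp" "$opt"; then mounted=ok; fi
    printf '%s %s: fstab=%s mounted=%s\n' "$mp" "$opt" "$fstab" "$mounted"
}

audit_mount_option /var/tmp noexec        # fstab=ok mounted=ok
audit_mount_option /var/log noexec        # fstab=ko mounted=ko
audit_mount_option /var/log/audit noexec  # fstab=ok mounted=ko: will fix itself at reboot, wrong right now
audit_mount_option /home noexec           # not a separate partition
```

The /var/log/audit row is the interesting one: fstab alone would report it compliant, the live table shows the option is not in effect, which is why both sources are checked.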
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0
After review, here are the notable changes:
- Harden /var/log more (noexec,nodev,nosuid)
- Harden /var/log/audit more (noexec,nodev,nosuid)
- Harden /home more (nosuid)
- Disable cramfs
- Fix 5.3.4_acc_pam_sha512.sh
- Deprecate Debian 9 and remove useless docker images
NB: more audit log rules have been introduced and will be inserted in the checks later.
Fix #158