* allow multiple exception users for 99.5.2.4
* move clean up part of previous commit
* split clean up part of previous commit
* add tests for multiple allowed and denied ssh users
* fix script to correctly set multiple allowed and denied ssh users
* add cleanup resolved check to 5.2.18
* apply shellfmt to 5.2.18
---------
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)"
This reverts commit 670c8c62f5.
We still want to verify the preexisting hashes in /etc/shadow,
even if the PAM configuration is correct for new passwords (5.3.4).
* Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exists first.
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0
After review, here are the notable changes :
- Harden /var/log more (noexec,nodev,nosuid)
- Harden /var/log/audit more (noexec,nodev,nosuid)
- Harden /home more (nosuid)
- Disable cramfs
- Fix 5.3.4_acc_pam_sha512.sh
- Deprecate Debian 9 and remove useless docker images
NB : more audit log rules have been introduced and will be inserted in the checks later
Fix#158
The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.
Closes#167.
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
Rename 6.2.3 and 6.2.9 checks to be more accurate
Remove home existence check from 6.2.9 as it's handled by 6.2.3
Update tests accordingly
Fixes#163
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
When the tested server has its iptables heavily manipulated (e.g Kubernetes)
The lock aquirement can sometimes fail, hence generating false positives
The command will retry 10 times with a 1 second interval
* fix: add filter to hfs
* fix is_kernel_option_enabled check
as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output.
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
Modify some checks to make it pass when ipv6 is diabled
fix#50
modified: bin/hardening/3.1.1_disable_ipv6.sh
modified: bin/hardening/3.3.1_disable_source_routed_packets.sh
modified: bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
modified: lib/utils.sh
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
