debian-cis

mirror of https://github.com/ovh/debian-cis.git synced 2025-06-21 18:23:42 +02:00

Author	SHA1	Message	Date
Tarik Megzari	a6ad528087	feat: Add experimental debian12 functionnal tests (#187 ) Signed-off-by: Tarik Megzari <tarik.megzari@ovhcloud.com> Co-authored-by: Tarik Megzari <tarik.megzari@ovhcloud.com>	2023-07-10 10:52:17 +02:00
thibault.dewailly	bc98bedf73	bump to 4.0-1 v4.0-1	2023-07-10 07:21:13 +00:00
Stéphane Lesimple	873ef8827d	fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186 ) On systems where /etc/sudoers.d might be updated often by some automated means, this check might raise a critical when a previously present file (during the ls) is no longer present (during its attempted read), so before raising a critical, re-check that it does exists first.	2023-07-03 17:05:45 +02:00
GoldenKiwi	bd27cd0dae	fix: change auditd file rule remediation (#179 ) Fixes #165	2023-05-05 12:32:22 +02:00
GoldenKiwi	f28ffc244c	fix: correct debian package compression override (#181 )	2023-05-02 18:06:59 +02:00
GoldenKiwi	19ce790a27	fix: ensure mountpoints are properly detected (#177 ) Fixes #155 When real entries are present in fstab, system startup or runtime mountpoints are now properly detected Add a supplementary check in case of partition not present in fstab	2023-05-02 18:01:53 +02:00
GoldenKiwi	47cf86237b	fix: correct search in 5.4.5_default_timeout in apply mode (#178 ) fixes #116	2023-05-02 17:57:35 +02:00
GoldenKiwi	ccd9c1a7aa	fix: force xz compression during .deb build (#180 ) zst compression is only available on Debian 12, since the release is built on Ubuntu latest, this was breaking release. Fixes #175	2023-05-02 15:24:32 +02:00
GoldenKiwi	04457e7df2	feat: official Debian 11 compatibility (#176 ) Introduce Debian 11 compatibility Based on CIS_Debian_Linux_11_Benchmark_v1.0.0 After review, here are the notable changes : - Harden /var/log more (noexec,nodev,nosuid) - Harden /var/log/audit more (noexec,nodev,nosuid) - Harden /home more (nosuid) - Disable cramfs - Fix 5.3.4_acc_pam_sha512.sh - Deprecate Debian 9 and remove useless docker images NB : more audit log rules have been introduced and will be inserted in the checks later Fix #158	2023-05-02 14:16:19 +02:00
dependabot[bot]	05521d5961	Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.5.0 to 0.7.0. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.5.0...v0.7.0) --- updated-dependencies: - dependency-name: luizm/action-sh-checker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-04-26 10:20:11 +02:00
thibault.dewailly	06525f06f9	bump to 3.8-1 v3.8-1	2023-03-23 10:03:37 +00:00
dependabot[bot]	d5c1c63971	Bump luizm/action-sh-checker from 0.4.0 to 0.5.0 (#161 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: luizm/action-sh-checker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2023-03-23 10:56:12 +01:00
dependabot[bot]	7d93ddeb86	Bump metcalfc/changelog-generator from 3.0.0 to 4.1.0 (#169 ) Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 3.0.0 to 4.1.0. - [Release notes](https://github.com/metcalfc/changelog-generator/releases) - [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png) - [Commits](https://github.com/metcalfc/changelog-generator/compare/v3.0.0...v4.1.0) --- updated-dependencies: - dependency-name: metcalfc/changelog-generator dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2023-03-23 10:50:46 +01:00
dependabot[bot]	a35ecab377	Bump dev-drprasad/delete-tag-and-release from 0.2.0 to 0.2.1 (#170 ) Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases) - [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.0...v0.2.1) --- updated-dependencies: - dependency-name: dev-drprasad/delete-tag-and-release dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-03-23 10:47:09 +01:00
Stéphane Lesimple	dc952b90df	fix: timeout of 99.1.3 (#168 ) The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout on servers where /etc/sudoers.d/ has thousands of files. This patch makes it run roughly 5x faster, as tested on a server with 1500 files in sudoers.d/. Closes #167. Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com> Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>	2022-12-22 09:47:35 +01:00
Tarik Megzari	82a217032d	fix(6.2.9): Start from UID 1000 for home ownership check (#164 ) Rename 6.2.3 and 6.2.9 checks to be more accurate Remove home existence check from 6.2.9 as it's handled by 6.2.3 Update tests accordingly Fixes #163 Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-09-30 10:28:48 +02:00
ymartin-ovh	e478a89bad	bump to 3.7-1 (#160 ) v3.7-1	2022-07-04 15:37:08 +02:00
ymartin-ovh	371c23cd52	feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159 ) This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)	2022-07-04 14:29:25 +02:00
Tarik Megzari	ea8334d516	bump to 3.6-1 (#157 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> v3.6-1	2022-06-27 12:13:01 +02:00
dependabot[bot]	987bb9c975	Bump luizm/action-sh-checker from 0.3.0 to 0.4.0 (#154 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.3.0 to 0.4.0. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.3.0...v0.4.0) --- updated-dependencies: - dependency-name: luizm/action-sh-checker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-06-26 16:58:46 +02:00
dependabot[bot]	3031bb55d1	Bump actions-ecosystem/action-get-latest-tag from 1.5.0 to 1.6.0 (#153 ) Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases) - [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: actions-ecosystem/action-get-latest-tag dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-06-24 17:55:26 +02:00
ymartin-ovh	66ccc6316a	feat: Filter the filesystem to check when the list is built. (#156 ) * feat: Attempt to filter-out filesystem that match exclusion regex.	2022-06-24 17:45:47 +02:00
Tarik Megzari	7a3145d7f1	bump to 3.5-1 (#152 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> v3.5-1	2022-03-23 18:40:25 +01:00
GoldenKiwi	5c072668d5	fix: add 10s wait timeout on iptables command (#151 ) When the tested server has its iptables heavily manipulated (e.g Kubernetes) The lock aquirement can sometimes fail, hence generating false positives The command will retry 10 times with a 1 second interval	2022-03-23 16:56:38 +01:00
GoldenKiwi	d1bd1eb2e7	bump to 3.4-1 (#150 ) v3.4-1	2022-03-18 16:49:25 +01:00
GoldenKiwi	ad5c71c3ce	fix: allow passwd-, group- and shadow- debian default permissions (#149 )	2022-03-18 16:41:49 +01:00
dependabot[bot]	33964c0a3d	Bump EndBug/add-and-commit from 8.0.2 to 9 (#148 ) Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 8.0.2 to 9. - [Release notes](https://github.com/EndBug/add-and-commit/releases) - [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md) - [Commits](https://github.com/EndBug/add-and-commit/compare/v8.0.2...v9) --- updated-dependencies: - dependency-name: EndBug/add-and-commit dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-14 15:36:48 +01:00
Tarik Megzari	8320d0eecc	CI: Fix release action (#147 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> v3.3-1	2022-03-03 12:02:12 +01:00
Tarik Megzari	a0d33ab158	Update changelog for release 3.3-1 (#146 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-03-03 10:26:42 +01:00
Jan Schmidle	a6a22084e1	missing shadowtools backup files is ok (#132 ) * missing shadowtools backup files is ok * update corresponding test cases	2022-03-02 18:05:37 +01:00
Tarik Megzari	b962155a3c	fix: Avoid find failures on too many files (#144 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2022-03-02 17:49:28 +01:00
dependabot[bot]	20bf51f65b	Bump actions/checkout from 2 to 3 (#145 ) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-02 00:14:50 +01:00
dependabot[bot]	adfe28470a	Bump metcalfc/changelog-generator from 1.0.0 to 3.0.0 (#133 ) Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 1.0.0 to 3.0.0. - [Release notes](https://github.com/metcalfc/changelog-generator/releases) - [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png) - [Commits](https://github.com/metcalfc/changelog-generator/compare/v1.0.0...v3.0.0) --- updated-dependencies: - dependency-name: metcalfc/changelog-generator dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-01 23:48:57 +01:00
dependabot[bot]	c94ee10afe	Bump EndBug/add-and-commit from 7 to 8.0.2 (#142 ) Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 7 to 8.0.2. - [Release notes](https://github.com/EndBug/add-and-commit/releases) - [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md) - [Commits](https://github.com/EndBug/add-and-commit/compare/v7...v8.0.2) --- updated-dependencies: - dependency-name: EndBug/add-and-commit dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-01 20:39:39 +01:00
dependabot[bot]	453a72b8c8	Bump actions-ecosystem/action-get-latest-tag from 1.4.1 to 1.5.0 (#143 ) Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.4.1 to 1.5.0. - [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases) - [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.4.1...v1.5.0) --- updated-dependencies: - dependency-name: actions-ecosystem/action-get-latest-tag dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-01 20:28:33 +01:00
Tarik Megzari	bb03764918	fix: Catch unexpected failures (#140 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-01-31 15:38:38 +01:00
Tarik Megzari	17d272420a	feat: Dissociate iptables pkg name from command (#137 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2021-12-27 15:40:55 +01:00
Tarik Megzari	f1c1517bd2	Update changelog for release 3.2-2 (#135 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com> v3.2-2	2021-12-13 16:06:57 +01:00
tdenof	1341622335	Fix empty fstab test (#134 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Thibault Dewailly <thibault.dewailly@corp.ovh.com>	2021-12-08 08:42:22 +01:00
thibault.dewailly	c8fcfed248	Update changelog for release 3.2-1 v3.2-1	2021-12-01 11:04:56 +00:00
Sebastien BLAISOT	97914976c8	Skip NTP and Chrony config check if they are not installed (#120 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com> v3.2-0	2021-12-01 10:49:08 +01:00
Sebastien BLAISOT	66c8ccf495	Fix 3.4.2 audit rule (#123 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-12-01 10:23:11 +01:00
Sebastien BLAISOT	b53bf1795c	Fix grub detection (#119 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-12-01 08:58:32 +01:00
Sebastien BLAISOT	1a874b2b35	Allow grub.cfg permission to be 600 (#121 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-11-30 18:47:19 +01:00
Sebastien BLAISOT	7266ec7cb4	Honor --set-log-level parameter (#127 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-11-30 18:42:33 +01:00
Jan Schmidle	8f855ac159	fix: kernel module detection (#129 ) * fix: add filter to hfs * fix is_kernel_option_enabled check as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output. Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-10-20 14:51:29 +02:00
Sebastien BLAISOT	ad192c9457	Add silent mode and json summary (#128 ) Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2021-10-20 13:22:59 +02:00
Sebastien BLAISOT	3d2d97a727	FIX(1.7.1.4): don't abort script in case of unconfined processes (#130 )	2021-10-20 13:14:36 +02:00
Sebastien BLAISOT	6e2fb1570c	FIX(2.2.1.4): Validate debian default ntp config (#118 )	2021-10-15 16:19:51 +02:00
dependabot[bot]	faf5b155e5	Bump metcalfc/changelog-generator from v0.4.4 to v1.0.0 (#81 ) Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from v0.4.4 to v1.0.0. - [Release notes](https://github.com/metcalfc/changelog-generator/releases) - [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png) - [Commits](https://github.com/metcalfc/changelog-generator/compare/v0.4.4...e5306b306fa2e34f05258789e0e5c526c1bd4352) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Thibault Ayanides <thibault.ayanides@ovhcloud.com>	2021-08-10 13:57:13 +02:00

1 2 3 4 5 ...

520 Commits