Commit Graph

557 Commits

Author SHA1 Message Date
damcav35
be33848d81 Damcava35/set version (#257)
* feat: add "--set-version" option

This feature will allow to chose a specific cis version to run, like debian 11 or debian 12

* chore: configure current repository as a version

And use it as default version.

To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number.
Only impact is if you are used to execute scripts directly from bin/hardening.
In this case, please use the "bin/hardening.sh" wrapper as intended.

I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh

Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept

* chore: remove CIS recommendation numbers from bin/hardening scripts

* fix: some tests are failing

find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times:
- test repository is not cleaned
- configuration is updated multiple times

Those tests are also failing, because:
- the sed to change the status in the configuration was also changing the test folder path.
- missing /proc in EXCLUDED paths
- the EXCLUDED configuration doesn't have the correct format for egrep

---------

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-01 08:41:55 +02:00
damcav35
99bc575714 Damcava35/test pre commit (#256)
* chore: make linter happy for existing code

* fix: add missing test 2.1.2_disable_bsd_intetd.sh

* feat: add basic pre commit

Ensure a check has a corresponding test

---------

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-06-23 10:23:43 +02:00
dependabot[bot]
9a225c6157 build(deps): bump dev-drprasad/delete-tag-and-release from 1.0.1 to 1.1 (#238)
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 1.0.1 to 1.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v1.0.1...v1.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-10 17:47:36 +02:00
Hugo COURTIAL
6079b16611 fix: invalid behavior on sid/alternative in 5.3.4/99.5.4.5.1 (#237) 2024-04-09 17:12:31 +02:00
dependabot[bot]
f7cdf438d4 build(deps): bump metcalfc/changelog-generator from 4.2.0 to 4.3.1 (#234)
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 4.2.0 to 4.3.1.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v4.2.0...v4.3.1)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2024-03-05 09:33:10 +01:00
Isma399
43fc23ee40 fix: catch cidr network in ssh keys (#236)
Co-authored-by: Ismaël Tanguy <ismael.tanguy@ovhcloud.com>
2024-02-22 17:55:03 +01:00
GoldenKiwi
3bd4078e70 fix: allow set-hardening-level option usage (#232)
Was broken since 2020, fixes #230
2024-02-01 17:09:35 +01:00
thibault.dewailly
a45aa40ce4 bump to 4.1.4 v4.1-4 2024-01-18 09:16:00 +00:00
lgaida
730ab47437 allow multiple users in 5.2.18 (#228)
* allow multiple exception users for 99.5.2.4

* move clean up part of previous commit

* split clean up part of previous commit

* add tests for multiple allowed and denied ssh users

* fix script to correctly set multiple allowed and denied ssh users

* add cleanup resolved check to 5.2.18

* apply shellfmt to 5.2.18

---------

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2024-01-10 17:07:02 +01:00
lgaida
5313799193 Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221)
* allow multiple exception users for 99.5.2.4
2023-12-27 13:42:10 +01:00
GoldenKiwi
73616af4eb Syslog-ng fixes and enhancements (#226)
* syslog-ng : fix remote host test and enhance Regex

fixes #124

* enh: add test for 4.2.1.6
2023-12-27 10:27:06 +01:00
GoldenKiwi
c391723fe5 fix: Allow --only option to be called multiple times (#225)
--only option was affected with a grep bug since 2017.
the regex was not able to parse more than the first passed argument.

fixes #224
2023-12-26 17:08:53 +01:00
GoldenKiwi
71019a5512 fix: update Readme to clarify project usage (#223)
fixes: #219
2023-12-26 09:57:15 +01:00
GoldenKiwi
fb4df82fc4 fix: typo in README. Update example of --audit usage (#222)
fixes #220
fixes #217
2023-12-26 09:19:55 +01:00
thibault.dewailly
c75244e3b2 bump to 4.1.3 v4.1-3 2023-11-28 10:34:12 +00:00
Stéphane Lesimple
de295b3a77 Adapt all scripts to yescrypt (#216)
* Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)"

This reverts commit 670c8c62f5.

We still want to verify the preexisting hashes in /etc/shadow,
even if the PAM configuration is correct for new passwords (5.3.4).

* Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt
2023-11-21 17:43:31 +01:00
dependabot[bot]
693487c3a5 build(deps): bump metcalfc/changelog-generator from 4.1.0 to 4.2.0 (#214)
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v4.1.0...v4.2.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-11-14 15:44:50 +01:00
GoldenKiwi
670c8c62f5 fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)
Fixes #209
2023-11-14 12:03:58 +01:00
GoldenKiwi
0eb2e2ffde enh: remove ssh system sandbox check (#213)
UsePrivilegeSeparation option is deprecated.
Since the oldest supported Debian distribution is Buster (10), we can safely remove this check

Fixes #212
2023-11-13 08:53:12 +01:00
dependabot[bot]
d6c334182e build(deps): bump luizm/action-sh-checker from 0.7.0 to 0.8.0 (#210)
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-10 15:05:25 +01:00
thibault.dewailly
2188577fc9 feat: advertise Debian 12 compatibility in readme 2023-10-02 13:34:09 +00:00
thibault.dewailly
0f59f73297 bump to 4.1.2 v4.1-2 2023-10-02 13:17:31 +00:00
GoldenKiwi
f888ce0d39 fix: root_dir is still /opt/cis-hardening for the moment (#208) 2023-10-02 14:50:52 +02:00
thibault.dewailly
f6aa306127 bump to 4.1.1 v4.1-1 2023-09-29 14:38:52 +00:00
GoldenKiwi
ceea343ad9 fix: debian12 functional test pass is now mandatory (#207) 2023-09-29 16:34:25 +02:00
GoldenKiwi
2e53dfb573 feat: Officialize Debian 12 support (#206)
* feat: Officialize Debian 12 support

Functional tests now pass
CIS Benchmark PDF for Debian 12 is not out yet, but the hardening points checked
are still relevant in Debian 12.
OVHcloud is now using it in critical production, hence making it officially supported

---------

Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
2023-09-29 16:20:34 +02:00
P-EB
08aff5d3fc Update the README to reflect on changes made in PR#204 (#205) 2023-09-29 09:21:40 +02:00
P-EB
32886d3a3d Replace CIS_ROOT_DIR by a more flexible system (#204)
* Replace CIS_ROOT_DIR by a more flexible system

* Try to adapt the logic change to the functional tests
2023-09-25 14:24:01 +02:00
GoldenKiwi
5370ec2ef6 feat: add nftables to firewall software allow list (#203)
* feat: add nftables to firewall software allow list

fixes #191

* fix: enhance 3.5.4.1.1_net_fw_default_policy_drop.sh iptables output check, disable associated test
2023-09-07 14:36:08 +02:00
dependabot[bot]
9d3fb18e6b build(deps): bump actions/checkout from 3 to 4 (#202)
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-05 17:07:12 +02:00
GoldenKiwi
6e79fcd00a fix: correct debian version check on 5.2.15 configuration generation (#199)
fixes #196
2023-09-01 08:34:28 +02:00
GoldenKiwi
27edec6d5f fix: chore, debug logs print correctly now (#197) 2023-08-31 14:40:27 +02:00
GoldenKiwi
f2cc14c383 fix: chore debian manual update (#198)
* fix: chore debian manual update

fixes #182

* Regenerate man pages (Github action)

---------

Co-authored-by: ThibaultDewailly <ThibaultDewailly@users.noreply.github.com>
2023-08-31 14:34:59 +02:00
dependabot[bot]
46377fc255 build(deps): bump dev-drprasad/delete-tag-and-release (#184)
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 0.2.1 to 1.0.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.2.1...v1.0.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-08-30 10:32:29 +02:00
Joseph
a468b29036 fix: added systemd-timesyncd to use_time_sync script (#189) (#190)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-08-30 10:28:03 +02:00
JugeHuge
db9ff8a7fd Update warn messages on 2.2.15_mta_localhost.sh (#193)
warn messages had typo netsat as it should be netstat
2023-08-30 10:23:27 +02:00
Stéphane Lesimple
6135c3d0e5 fix: enhance test 99.1.3 speed for large /etc/sudoers.d folders (#188)
Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>
2023-07-18 17:28:35 +02:00
Tarik Megzari
a6ad528087 feat: Add experimental debian12 functionnal tests (#187)
Signed-off-by: Tarik Megzari <tarik.megzari@ovhcloud.com>
Co-authored-by: Tarik Megzari <tarik.megzari@ovhcloud.com>
2023-07-10 10:52:17 +02:00
thibault.dewailly
bc98bedf73 bump to 4.0-1 v4.0-1 2023-07-10 07:21:13 +00:00
Stéphane Lesimple
873ef8827d fix: 99.1.3_acc_sudoers_no_all: fix a race condition (#186)
On systems where /etc/sudoers.d might be updated often by some automated means, this
check might raise a critical when a previously present file (during the ls) is no longer
present (during its attempted read), so before raising a critical, re-check that it
does exists first.
2023-07-03 17:05:45 +02:00
GoldenKiwi
bd27cd0dae fix: change auditd file rule remediation (#179)
Fixes #165
2023-05-05 12:32:22 +02:00
GoldenKiwi
f28ffc244c fix: correct debian package compression override (#181) 2023-05-02 18:06:59 +02:00
GoldenKiwi
19ce790a27 fix: ensure mountpoints are properly detected (#177)
Fixes #155
When real entries are present in fstab, system startup or runtime mountpoints are now properly detected
Add a supplementary check in case of partition not present in fstab
2023-05-02 18:01:53 +02:00
GoldenKiwi
47cf86237b fix: correct search in 5.4.5_default_timeout in apply mode (#178)
fixes #116
2023-05-02 17:57:35 +02:00
GoldenKiwi
ccd9c1a7aa fix: force xz compression during .deb build (#180)
zst compression is only available on Debian 12, since the release is built on Ubuntu latest, this was breaking release.
Fixes #175
2023-05-02 15:24:32 +02:00
GoldenKiwi
04457e7df2 feat: official Debian 11 compatibility (#176)
Introduce Debian 11 compatibility
Based on CIS_Debian_Linux_11_Benchmark_v1.0.0

After review, here are the notable changes :
 - Harden /var/log more (noexec,nodev,nosuid)
 - Harden /var/log/audit more (noexec,nodev,nosuid)
 - Harden /home more (nosuid)
 - Disable cramfs
 - Fix 5.3.4_acc_pam_sha512.sh
 - Deprecate Debian 9 and remove useless docker images

NB : more audit log rules have been introduced and will be inserted in the checks later
Fix #158
2023-05-02 14:16:19 +02:00
dependabot[bot]
05521d5961 Bump luizm/action-sh-checker from 0.5.0 to 0.7.0 (#171)
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.5.0 to 0.7.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.5.0...v0.7.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-26 10:20:11 +02:00
thibault.dewailly
06525f06f9 bump to 3.8-1 v3.8-1 2023-03-23 10:03:37 +00:00
dependabot[bot]
d5c1c63971 Bump luizm/action-sh-checker from 0.4.0 to 0.5.0 (#161)
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-03-23 10:56:12 +01:00
dependabot[bot]
7d93ddeb86 Bump metcalfc/changelog-generator from 3.0.0 to 4.1.0 (#169)
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 3.0.0 to 4.1.0.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v3.0.0...v4.1.0)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2023-03-23 10:50:46 +01:00