Commit Graph

259 Commits

Author SHA1 Message Date
Charles Herlin
13c88c7da2 FIX: tests return value that was always 255
Return values tells the number of failed tests up to 254
255 being the return value for runtime errors
2019-01-23 12:54:33 +01:00
Charles Herlin
9ba0361be0 FIX: quotes in find command, misinterpreted shellcheck advice 2019-01-23 16:55:48 +01:00
Charles Herlin
71b70a2b8c FEAT: Add sudo_wrapper to catch unauthorized sudo commands
As for now, if a sudo command was not allowed, check might sometimes
pass, resulting compliant state even if it actually is not.
Sudo wrapper first checks wether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant

Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command

Fixed quotes and curly braces with shellcheck report
2018-03-16 12:06:56 +01:00
Charles Herlin
176fb96fa4 FEAT: automate shellcheck test with docker
IMP: search for all .sh files to shellcheck
If no file is passed as argument, shellchek will be run on all
.sh files

Fix dockerfile location and expand full shellcheck options
2019-01-17 12:39:15 +01:00
Charles Herlin
c51a8ee9b8 FIX: sed that was too greedy
Used to sed 's!/usr/bin/su!!' /usr/bin/sudo leaving only "do"
that lead to misinterpreting result

Change algorithm to avoid partial sed in the result list
Now the not compliant list is built out of the find results
instead of items being removed from them.
Allow better control of grep inside this list.

Chore: apply shellcheck recommendations
2019-01-02 13:02:02 +01:00
Charles Herlin
e72c7aae15 Add missing /usr/bin/su 2019-01-03 11:21:51 +01:00
Charles Herlin
8e6618eedf FIX: add /usr/bin/* path for suid/guid allowed binaries
Debian is still migrating /bin to /usr/bin so I added both path to the
allowed ones

 * mount
 * umount
 * ping
 * ping6
 * unix_chkpwd
2019-01-02 17:03:29 +01:00
Charles Herlin
67df4da781 Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh

Change summary to make it oneliner when batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
2017-10-31 17:44:15 +01:00
Charles Herlin
8a7f9ddad5 Change from CIS reco and only warn (no crit) if logfile does not exist 2018-03-22 18:17:17 +01:00
Charles Herlin
863adc9c84 IMP(test): Add feature to run functional tests in docker instance
Add usecase in basename
Add test files for checks with find command
Always show logs
FIX: run void script to generate config and avoid sed failure
Update README with functional test description
Add skeleton for functional test
Add argument to launch only specific test suite
Add support for debian8 and compulsory mention of debian version at
launch
Improve README
Simplify test file syntax to avoid copy/paste mistake
Add script that runs tests on all debian targets
Improve run_all_target script with nowait and nodel options
Add dockerfile for Buster pre-version
Chore: Use getopt for options and reviewed code by shellcheck
Add trap to ensure cleanup on exit/interrupt
Remove quotes that lead to `less` misinterpretation of the filenames
Set `local` for variables inside `test_audit` func
Move functional assertion functions to dedicated file
Add cleanup for logs and containers
Improve cleanup, and now exits
Apply shellcheck recommendations
FIX: allow script to be run from anywhere (dirname $0)

 Changes to be committed:
	modified:   README.md
	new file:   src/skel.test
	new file:   tests/docker/Dockerfile.debian10_20181226
	new file:   tests/docker/Dockerfile.debian8
	new file:   tests/docker/Dockerfile.debian9
	new file:   tests/docker_build_and_run_tests.sh
	new file:   tests/hardening/12.10_find_suid_files.sh
	new file:   tests/hardening/12.11_find_sgid_files.sh
	new file:   tests/hardening/12.7_find_world_writable_file.sh
	new file:   tests/hardening/12.8_find_unowned_files.sh
	new file:   tests/hardening/12.9_find_ungrouped_files.sh
	new file:   tests/hardening/2.17_sticky_bit_world_writable_folder.sh
	new file:   tests/launch_tests.sh
	new file:   tests/lib.sh
	new file:   tests/run_all_targets.sh
2018-12-24 14:12:59 +01:00
Charles Herlin
4fc79c133f Improve --only option to perform only specified test and no other lookalike test number
Before modification "--only 8.2.1" performed tests 8.2.1 and 2.1
2018-03-15 12:03:10 +01:00
Charles Herlin
7077554bca Redirect stderr to avoid printing "no such file" error 2018-03-19 18:06:47 +01:00
Charles Herlin
76abf8da36 resolve #SOC-30 Also check /etc/security/limits.d/ for core dump limit 2018-02-12 15:37:12 +01:00
Charles Herlin
51f589923d Fix SOC-28, add test if file exist, if not issue error 2018-02-09 13:49:38 +01:00
Charles Herlin
b1f85d3f99 Add sudo management in main and utils
* perform readonly checks as a regular user
    * sudo -n is used for checks requiring root privileges
    * increase accountability by providing log of individual access to sensitive files
2017-11-09 15:45:42 +01:00
Julien Delayen
a3937b3183 changelog: Update to 1.1-1
- Add hardening templating and several enhancements
- CIS_ROOT_DIR management
- Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
- Debian packaging clean up

Signed-off-by: Julien Delayen <julien.delayen@corp.ovh.com>
2018-02-02 09:40:58 +01:00
Julien Delayen
423e454b62 debian: Remove useless {shlibs:Depends}
This fixes the following issue:

Depends field of package cis-hardening:
unknown substitution variable ${shlibs:Depends}

Signed-off-by: Julien Delayen <julien.delayen@corp.ovh.com>
2017-12-14 14:24:21 +01:00
Julien Delayen
b5939dffbe debian: Fix lintian warning
The following error is highlighted by lintian:
depends-on-essential-package-without-using-version: bash

bash is always present and does not need to be specified
in debian/control.

See: https://lintian.debian.org/tags/depends-on-essential-package-without-using-version.html

Signed-off-by: Julien Delayen <julien.delayen@corp.ovh.com>
2017-12-14 14:17:27 +01:00
Julien Delayen
1a9c92b345 debian: Remove auto-generated files from conffiles
The policy for configuration files having changed,
the files are not present in the package anymore.
Remove them from debian/conffiles.

Signed-off-by: Julien Delayen <julien.delayen@corp.ovh.com>
2017-12-14 14:10:45 +01:00
Thibault Dewailly
6977eb5064 Merge pull request #31 in IAAS/cis-hardening from dev/cherlin/update-cis-scripts to master
* commit 'f97fbb47f701fd81a6dcdabb1d2e961943386eb5':
  Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
2017-12-05 11:38:15 +01:00
Thibault Dewailly
12fe049eba Merge pull request #28 in IAAS/cis-hardening from dev/cherlin/cis-root-dir-in-env to master
* commit '5b11b1628a690e0bbd9d34cd5b83dbe74ac6fba7':
  Expand tabs to 4 spaces and trim trailing spaces
  Remove unnecessary CIS_ROOT_DIR empty assignation
  Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management
  Changing CIS_ROOT_DIR management in env in bin/hardening.sh
  Change src/skel to allow setting CIS_ROOT_DIR in env and not just sourcing /etc/default/cis-hardening. Making the whole lib more versatile.
2017-12-05 11:32:45 +01:00
Charles Herlin
02f0e30df1 Expand tabs to 4 spaces and trim trailing spaces 2017-11-17 15:13:27 +01:00
Charles Herlin
ae6fbf2d86 Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers 2017-11-10 14:48:51 +01:00
Charles Herlin
d2a8b2cb28 Remove unnecessary CIS_ROOT_DIR empty assignation 2017-10-25 17:44:56 +02:00
Charles Herlin
5b2404dab8 Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00
Charles Herlin
119d532a7f Changing CIS_ROOT_DIR management in env in bin/hardening.sh 2017-10-25 14:48:54 +02:00
Charles Herlin
161ffa56a7 Change src/skel to allow setting CIS_ROOT_DIR in env and not just sourcing /etc/default/cis-hardening. Making the whole lib more versatile. 2017-10-23 14:50:11 +02:00
Thibault Dewailly
3b7a2b8216 Merge pull request #12 from speed47/dev/enhancements
Hardening Classification
subs enhancements as well as bug fixes
2017-09-28 13:22:59 +02:00
Kevin Tanguy
40e57a5cb2 Merge pull request #27 in IAAS/cis-hardening from dev/thibault.dewailly/fixwildcards to master
* commit 'a4dc5bdaf5ec7f4d1c49533608b279d7101e23cd':
  No more wildcards in file list to be more resilient
2017-06-15 10:43:31 +02:00
thibault.dewailly
481485a0d7 No more wildcards in file list to be more resilient 2017-06-13 15:36:06 +02:00
Thibault Dewailly
fae0c5a64b Merge pull request #26 in IAAS/cis-hardening from dev/kevin.tanguy/packagebump to master
* commit '11ab51679bcb5cac893a190d1db22aebdc56ece0':
  Debian package revision bump 1.0-11
2017-06-08 09:41:43 +02:00
kevin.tanguy
72999b8b5d Debian package revision bump 1.0-11 2017-06-05 16:36:25 +02:00
Thibault Dewailly
2ef500298b Merge pull request #11 from speed47/dev/fix_does_pattern_exist_in_file
handle ENOENT properly in does_pattern_exist_in_file()
2017-05-19 18:30:21 +02:00
Thibault Dewailly
a1f970e737 Merge pull request #10 from speed47/dev/beautifyprint
set a fixed-size prefix for logger
2017-05-19 17:20:47 +02:00
Stéphane Lesimple
676b17c54f add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
Stéphane Lesimple
3e0187094a handle ENOENT properly in does_pattern_exist_in_file\(\) 2017-05-18 18:31:24 +02:00
Stéphane Lesimple
cca0310d64 set a fixed-size prefix for logger 2017-05-18 18:27:02 +02:00
Thibault Dewailly
233d1245fc Merge pull request #9 from Joorem/10.1.3-fix-option-name
[10.1.3] set the good value for $OPTIONS
2017-05-04 09:28:42 +02:00
Jérôme Le Gal
46dbe8a6bc [10.1.3] set the good value for $OPTIONS 2017-05-03 23:08:48 +02:00
Kevin Tanguy
a46490b2d8 Merge pull request #25 in IAAS/cis-hardening from dev/thibault.dewailly/fixShadowParsing to master
* commit '0f11b08ffb593285f745e3e249f3aaf83a6f5362':
  [Debian 8] Fixed comments for debian 8 compliance
  [10.2] Fixed result parsing in case of spaces in passwd list
2017-03-14 16:19:33 +01:00
thibault.dewailly
3e1df0cdf9 [Debian 8] Fixed comments for debian 8 compliance 2017-03-10 17:46:39 +01:00
thibault.dewailly
0c053eef56 [10.2] Fixed result parsing in case of spaces in passwd list 2017-03-10 17:26:55 +01:00
thibault.dewailly
eb7bf7fece Merge branch 'master' of github.com:ovh/debian-cis 2016-07-04 11:45:41 +02:00
Thibault Dewailly
e93b9f89f4 Merge pull request #7 from MatthieuDestrez/fixPermitEmptyPassword
fixed option name in 9.3.9_disable_sshd_permitemptypasswords.sh, was …
2016-07-04 11:44:40 +02:00
Matthieu Destrez
f5cb5ddf97 fixed option name in 9.3.9_disable_sshd_permitemptypasswords.sh, was PermitRootLogin instead of PermitEmptyPassword 2016-06-29 15:12:21 +02:00
Thibault Dewailly
45f529a392 Merge pull request #24 in IAAS/cis-hardening from dev/kevin.tanguy/wheezy to master
* commit '39950ab163b5e45d6271194a2e81a8dedb31aa3d':
  Debian package revision bump 1.0-10
2016-05-18 09:44:02 +02:00
Kevin Tanguy
4705846c60 Debian package revision bump 1.0-10 2016-05-18 09:06:14 +02:00
Thibault Dewailly
3209a4c302 Merge pull request #5 from jeremydenoun/fix-echo
Script output should be usefull with pipe or redirection
2016-05-17 13:28:37 +02:00
jeremydenoun
53626bd926 Remove test on _logger() function
the original line contain test that can hide echo if we launch script with pipe or IO redirection
2016-05-14 20:39:32 +02:00
Thibault Dewailly
7578c2bbfb Merge pull request #23 in IAAS/cis-hardening from dev/kevin.tanguy/wheezy to master
* commit '84a5d0e0d8270b68e2c534c38b0ef34f62754a31':
  Debian package revision bump 1.0-9
2016-05-03 13:24:15 +02:00