Commit Graph

542 Commits

Author SHA1 Message Date
Thibault Ayanides
40fb536d4e
Add missing HARDENING_LEVEL (#44)
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:51:51 +01:00
Thibault Ayanides
d1b371f410
Add is_ipv6_disabled (#57)
Modify some checks to make it pass when ipv6 is disabled

fix #50

	modified:   bin/hardening/3.1.1_disable_ipv6.sh
	modified:   bin/hardening/3.3.1_disable_source_routed_packets.sh
	modified:   bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
	modified:   lib/utils.sh

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:45:20 +01:00
Thibault Ayanides
6ab1cab3ce
IMP(5.1.8): allow more restrictive permissions (#59)
fix #52

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:40:31 +01:00
Thibault Ayanides
1a7dd5893a
Use pam_faillock instead of pam_tally for bullseye (#56)
Fix #55
See https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0
pam_tally is deprecated and replaced by pam_faillock

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:36:58 +01:00
Thibault Ayanides
fa111bc0d0
Update mac and kex to match debian10 CIS (#60)
fix #53

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
2021-02-17 11:31:22 +01:00
Thibault Ayanides
460843ffb3
Fix #51 (#58) 2021-02-17 11:19:38 +01:00
jeremydenoun
896d277d95
fix #46 bug (#47)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-02-11 14:00:18 +01:00
Thibault Ayanides
6ae05f3fa2
Add dealing with debian 11
* ADD: add dockerfile for debian11
* FIX: fix crontab file not found on debian11 blank
* Add workflow for debian11
* FIX: fix debian version func to manage debian11
* Add dealing with unsupported version and distro
* Add 99.99 check that checks if distro version is supported
* Use global var for debian major and distro

fix #26
2021-02-08 13:54:24 +01:00
Thibault Ayanides
449c695415 IMP: improve partition detection in container
fix #27
2021-02-08 09:07:09 +01:00
dependabot[bot]
2d6550fb13
Bump dev-drprasad/delete-tag-and-release from v0.1.2 to v0.1.3 (#41)
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from v0.1.2 to v0.1.3.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v0.1.2...3c280cb168f9f46f0036f47c7f57bba2ec18f61c)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-02-04 16:23:41 +01:00
jeremydenoun
0b6ea0d97e
IMP: add multiple Improvements
* add new kernel module detection (enable & listing) with detection of monolithic kernel
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
2021-02-04 16:21:49 +01:00
dependabot[bot]
ec9e2addc2 Bump luizm/action-sh-checker from v0.1.10 to v0.1.12
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from v0.1.10 to v0.1.12.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.1.10...442951059cb22d260c6e69309ae59cb7bb2334b8)

Signed-off-by: dependabot[bot] <support@github.com>
2021-02-01 13:08:50 +01:00
Thibault Ayanides
ed1baa724e IMP: mark some checks as useless 2021-01-25 13:02:52 +01:00
Thibault Ayanides
bd4ddfc398 ADD(3.4.x): add checks and tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
5a72d986ea IMP(3.1-3.x): add comprehensive tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
c51513e083 IMP(1.8.1.4-6): add comprehensive tests 2021-01-25 13:02:52 +01:00
Thibault Ayanides
6127f2fe67 IMP(4.2.2.x): improve dealing with default conf
The default for journald is Compress=yes and ForwardToSyslog=yes
So we check that Compress=no and ForwardToSyslog=no are not in the conf file.
2021-01-25 13:02:52 +01:00
Thibault Serti
6efefa07ac
Update shellcheck workflow
fix #34
2021-01-22 14:45:01 +01:00
jeremydenoun
dce926a536
Add default variable to avoid unbound variable
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-01-22 10:02:44 +01:00
jeremydenoun
0edb837f80
Remove bc dependency
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-01-22 09:31:53 +01:00
jeremydenoun
1c2e171655
Fix ovh/debian-cis:#25 (#28)
Co-authored-by: Jeremy Denoun <jeremy.denoun@iguanesolutions.com>
2021-01-21 16:01:34 +01:00
dependabot[bot]
4a652a94c6 Bump EndBug/add-and-commit from v6 to v7
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from v6 to v7.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/master/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v6...b3c7c1e078a023d75fb0bd326e02962575ce0519)

Signed-off-by: dependabot[bot] <support@github.com>
2021-01-18 15:52:46 +01:00
Thibault Ayanides
89780550e6 Fix badges on README 2021-01-18 15:47:41 +01:00
Thibault Ayanides
047421f2d8 Regenerate man pages (Github action) 2021-01-18 15:47:41 +01:00
Thibault Ayanides
124aeea5cc Fix debian package build via github actions 2021-01-18 15:47:41 +01:00
Thibault Ayanides
8de9817035 Update LICENSE 2021-01-18 15:47:41 +01:00
Thibault Ayanides
3217429679 Regenerate man pages (Github action) 2021-01-18 11:45:13 +01:00
Thibault Ayanides
af38e4f404 Update changelog 2021-01-18 11:45:13 +01:00
Thibault Ayanides
efb14ea0a9 Add compile manual github action 2021-01-18 11:45:13 +01:00
Thibault Ayanides
8029da6157 Add manual 2021-01-18 11:45:13 +01:00
Thibault Ayanides
4281ed330a Update compat in debian package 2021-01-18 11:45:13 +01:00
Thibault Ayanides
aa90093f24 Add dependabot action 2021-01-18 11:45:13 +01:00
Thibault Ayanides
0ab210183b Beautify README.md 2021-01-18 11:45:13 +01:00
Thibault Ayanides
8f5e3c2ef8 Bump shellcheck action version 2021-01-18 11:45:13 +01:00
Thibault Ayanides
f454b18991 Change artefact name when releasing 2021-01-18 11:45:13 +01:00
Thibault Ayanides
33b0dae4c3 Check if changelog was modified before release 2021-01-18 11:45:13 +01:00
Thibault Ayanides
44e7ea7c63 Improve workflows 2021-01-18 11:45:13 +01:00
Thibault Ayanides
3f20f99e50 Add github actions
Add shellcheck, shellfmt, release, prerelease, functional tests
2021-01-14 19:31:14 +01:00
Thibault Ayanides
45ccd337b4 Update README, AUTHORS, LICENSE 2021-01-13 11:14:26 +01:00
Thibault Ayanides
624aba950d ADD(4.2.1.6): add new syslog-ng check 2021-01-04 14:24:35 +01:00
Thibault Ayanides
0ca73899d3 ADD(4.2.2.x): add journald checks 2021-01-04 10:10:47 +01:00
Thibault Ayanides
a5e1cb90cd ADD(4.1.1.4): add new check 2021-01-04 09:03:44 +01:00
Thibault Ayanides
b6fff5b8b6 ADD(2.2.1.2): add systemd-timesyncd 2020-12-24 16:20:12 +01:00
Thibault Ayanides
e0c6692ff2 ADD(4.1.1.1): add auditd install 2020-12-24 16:20:02 +01:00
Thibault Ayanides
7c69305b44 Update changelog 2021-01-04 08:20:59 +01:00
Thibault Ayanides
e2ad0a5dcc ADD(4.4): add logrotate permissions checking 2020-12-24 10:31:47 +01:00
Thibault Ayanides
d0ab72dd26 ADD(5.2.20-23): add new sshd checks 2020-12-23 11:41:53 +01:00
Thibault Ayanides
520ab63b29 ADD(1.1.1.7): restrict FAT partitions 2020-12-23 11:05:37 +01:00
Thibault Ayanides
f626201fdd ADD(1.1.23): disable usb storage 2020-12-23 10:57:02 +01:00
Thibault Ayanides
8da1107532 ADD(1.7.x): add apparmor checks 2020-12-23 10:46:51 +01:00