Charles Herlin
e72c7aae15
Add missing /usr/bin/su
2019-01-03 11:21:51 +01:00
Charles Herlin
8e6618eedf
FIX: add /usr/bin/* path for suid/guid allowed binaries
...
Debian is still migrating /bin to /usr/bin so I added both paths to the
allowed ones
* mount
* umount
* ping
* ping6
* unix_chkpwd
2019-01-02 17:03:29 +01:00
Charles Herlin
67df4da781
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools
...
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh
Change summary to make it a one-liner in batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
2017-10-31 17:44:15 +01:00
Charles Herlin
8a7f9ddad5
Change from CIS reco and only warn (no crit) if logfile does not exist
2018-03-22 18:17:17 +01:00
Charles Herlin
4fc79c133f
Improve --only option to perform only specified test and no other lookalike test number
...
Before modification "--only 8.2.1" performed tests 8.2.1 and 2.1
2018-03-15 12:03:10 +01:00
Charles Herlin
7077554bca
Redirect stderr to avoid printing "no such file" error
2018-03-19 18:06:47 +01:00
Charles Herlin
76abf8da36
resolve #SOC-30 Also check /etc/security/limits.d/ for core dump limit
2018-02-12 15:37:12 +01:00
Charles Herlin
51f589923d
Fix SOC-28, add test if file exists, if not issue error
2018-02-09 13:49:38 +01:00
Charles Herlin
b1f85d3f99
Add sudo management in main and utils
...
* perform readonly checks as a regular user
* sudo -n is used for checks requiring root privileges
* increase accountability by providing log of individual access to sensitive files
2017-11-09 15:45:42 +01:00
Thibault Dewailly
6977eb5064
Merge pull request #31 in IAAS/cis-hardening from dev/cherlin/update-cis-scripts to master
...
* commit 'f97fbb47f701fd81a6dcdabb1d2e961943386eb5':
Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
2017-12-05 11:38:15 +01:00
Charles Herlin
02f0e30df1
Expand tabs to 4 spaces and trim trailing spaces
2017-11-17 15:13:27 +01:00
Charles Herlin
ae6fbf2d86
Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
2017-11-10 14:48:51 +01:00
Charles Herlin
d2a8b2cb28
Remove unnecessary CIS_ROOT_DIR empty assignation
2017-10-25 17:44:56 +02:00
Charles Herlin
5b2404dab8
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management
2017-10-25 14:50:39 +02:00
Charles Herlin
119d532a7f
Changing CIS_ROOT_DIR management in env in bin/hardening.sh
2017-10-25 14:48:54 +02:00
Thibault Dewailly
3b7a2b8216
Merge pull request #12 from speed47/dev/enhancements
...
Hardening Classification
subs enhancements as well as bug fixes
2017-09-28 13:22:59 +02:00
thibault.dewailly
481485a0d7
No more wildcards in file list to be more resilient
2017-06-13 15:36:06 +02:00
Stéphane Lesimple
676b17c54f
add hardening templating and several enhancements
2017-05-18 18:40:09 +02:00
Jérôme Le Gal
46dbe8a6bc
[10.1.3] set the good value for $OPTIONS
2017-05-03 23:08:48 +02:00
thibault.dewailly
3e1df0cdf9
[Debian 8] Fixed comments for debian 8 compliance
2017-03-10 17:46:39 +01:00
thibault.dewailly
0c053eef56
[10.2] Fixed result parsing in case of spaces in passwd list
2017-03-10 17:26:55 +01:00
Matthieu Destrez
f5cb5ddf97
fixed option name in 9.3.9_disable_sshd_permitemptypasswords.sh, was PermitRootLogin instead of PermitEmptyPassword
2016-06-29 15:12:21 +02:00
thibault.dewailly
612e28b16f
tripwire : fixed typo on postinstall helper
2016-05-02 11:11:07 +02:00
thibault.dewailly
4867538c22
fix 99.1 Apply TMOUT Variable
2016-05-02 10:45:32 +02:00
kevin.tanguy
1479332870
debian dependencies fix, rephrasing, revision bump 1.0-8.
2016-04-25 15:15:49 +02:00
thibault.dewailly
6e366172f8
Fixed 6.15 netstat analysis
2016-04-22 16:59:52 +02:00
Thibault Dewailly
98eff3174b
Merge pull request #4 from jedisct1/valuemsg
...
Rephrase confusing messages
2016-04-22 08:40:14 +02:00
thibault.dewailly
cb3077e268
Fixed default file error handling and quickstart
2016-04-21 23:19:50 +02:00
Frank Denis
ed410747df
Rephrase confusing messages
2016-04-21 18:32:36 +02:00
thibault.dewailly
08fd72786c
Fixed point 9.1.8 cron rights as a chmod 600 disabled the cron.allow features (file must be world readable)
2016-04-21 18:15:22 +02:00
thibault.dewailly
5048099df8
Fixed 8.2.4 check file exists before testing rights
2016-04-20 14:36:55 +02:00
thibault.dewailly
3ece442743
Added exit code to CIS_ROOT_DIR test def, optimized sed and sort
2016-04-20 11:29:44 +02:00
Stéphane Lesimple
1d7865dd68
add --audit-all-enable-passed, add info in README and help
2016-04-19 20:16:47 +02:00
Stéphane Lesimple
8d84f38c97
add --audit-all option
2016-04-19 19:26:04 +02:00
thibault.dewailly
b2d3ed937e
Corrected script names, added License, Completed README and corrected bug with too long logger messages
2016-04-19 09:31:01 +02:00
thibault.dewailly
6019dd9078
Corrected default file path
2016-04-18 17:39:14 +02:00
thibault.dewailly
b1b96cf4e3
log format correction, loglevel defaults to info
2016-04-18 14:01:03 +02:00
thibault.dewailly
e79a03095c
All configuration defaults to disabled, README updated
2016-04-18 13:19:46 +02:00
thibault.dewailly
7eaf124fc0
99.1_timeout_tty.sh 99.2_disable_usb_devices.sh
2016-04-18 11:16:05 +02:00
thibault.dewailly
628fe96666
Fixed disabled features, headers and preparing main script
2016-04-17 23:19:41 +02:00
thibault.dewailly
fa98efc32b
Added argument parsing and test checks
2016-04-17 23:10:47 +02:00
thibault.dewailly
f829cdacf2
13.16_check_duplicate_username.sh 13.17_check_duplicate_groupname.sh 13.18_find_user_netrc_files.sh 13.19_find_user_forward_files.sh 13.20_shadow_group_empty.sh
2016-04-17 22:30:20 +02:00
thibault.dewailly
dbeca2fba3
13.14_check_duplicate_uid.sh 13.15_check_duplicate_gid.sh^C
2016-04-17 19:53:47 +02:00
thibault.dewailly
4894b6d402
13.12_users_valid_homedir.sh 13.11_find_passwd_group_inconsistencies.sh 13.13_check_user_homedir_ownership.sh
2016-04-17 18:58:25 +02:00
thibault.dewailly
39e9c794e4
13.10_find_user_rhosts_files.sh
2016-04-16 18:55:44 +02:00
thibault.dewailly
77f01d2709
13.8_check_user_dot_file_perm.sh 13.9_set_perm_on_user_netrc.sh
2016-04-16 18:32:09 +02:00
thibault.dewailly
db91df2296
13.7_check_user_dir_perm.sh
2016-04-16 18:11:53 +02:00
thibault.dewailly
fb9bf542a1
13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh
2016-04-16 17:25:48 +02:00
thibault.dewailly
8c94214120
13.1_remove_empry_password_field.sh
2016-04-16 15:10:14 +02:00
thibault.dewailly
c193bd49f5
12.11_find_sgid_files.sh
2016-04-16 12:57:24 +02:00