Renamed some checks, add new checks that check permissions and ownership on /etc/passwd, /etc/shadow, ...
Add new function in utils that checks that check that the file ownership is one of the authrized ownership.
renamed: bin/hardening/6.1.5_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh
new file: bin/hardening/6.1.3_etc_gshadow-_permissions.sh
renamed: bin/hardening/6.1.6_etc_shadow_permissions.sh -> bin/hardening/6.1.4_etc_shadow_permissions.sh
renamed: bin/hardening/6.1.7_etc_group_permissions.sh -> bin/hardening/6.1.5_etc_group_permissions.sh
new file: bin/hardening/6.1.6_etc_passwd-_permissions.sh
new file: bin/hardening/6.1.7_etc_shadow-_permissions.sh
new file: bin/hardening/6.1.8_etc_group-_permissions.sh
new file: bin/hardening/6.1.9_etc_gshadow_permissions.sh
modified: lib/utils.sh
renamed: tests/hardening/6.1.5_etc_passwd_permissions.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh
new file: tests/hardening/6.1.3_etc_gshadow-_permissions.sh
renamed: tests/hardening/6.1.6_etc_shadow_permissions.sh -> tests/hardening/6.1.4_etc_shadow_permissions.sh
renamed: tests/hardening/6.1.7_etc_group_permissions.sh -> tests/hardening/6.1.5_etc_group_permissions.sh
new file: tests/hardening/6.1.6_etc_passwd-_permissions.sh
new file: tests/hardening/6.1.7_etc_shadow-_permissions.sh
new file: tests/hardening/6.1.8_etc_group-_permissions.sh
new file: tests/hardening/6.1.9_etc_gshadow_permissions.sh
Shellcheck recommands to replace sed by shell expansions in 'simple' cases.
However, the replacement here is likely to lead to erros, so we disable this rule.
Moreover, it does'nt really add readability.
First one as root to create conf files with good owner and permissions, and then with secaudit.
Now first run with --create-config-files-only and the normally with --audit.
I added two functions in utils that checks perms and ownership for file
resulting for a certain find. It takes parameters to filter the results
if needed.
Add func to find pattern in file that spreads over multiple lines
The func will remove commented lines (that begin with '#')
and consider the file as one long line.
Thus, this is not possible to look for pattern at beginning of line
with this func ('^' and '$')
Improved pattern in 8.2.5
Add syslog-ng to installed dependencies in Dockerfiles
Fixed multifile arguments when looking for pattern that got broken
in d2bbf754 due to "nocase" and _does_pattern_exist_in_file wrapper
Please note that you can only look for pattern in ONE FILE at once
Fixed 8.2.5 and 8.3.2 with for loop on files and 'FOUND' flag
You now need to specify each and every file to look for or embed a
'find' command as follow :
`FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find $SYSLOG_BASEDIR/conf.d/)"`
Improved test files
Applied shellcheck recommendations
Add function to retrieve actual partition from symlink in lib/utils.sh
Using this func in all 3 audit scripts
Improved tests to test this func
Apply shellcheck recommendations
Trim trailing spaces
new file: 99.3.1_acc_shadow_sha512.sh
new file: 99.3.2_acc_sudoers_no_all.sh
new file: 99.4_net_fw_default_policy_drop.sh
new file: 99.5.1_ssh_auth_pubk_only.sh
new file: 99.5.2.1_ssh_cry_kex.sh
new file: 99.5.2.2_ssh_cry_mac.sh
new file: 99.5.2.3_ssh_cry_rekey.sh
new file: 99.5.3_ssh_disable_features.sh
new file: 99.5.4_ssh_keys_from.sh
new file: 99.5.5_ssh_strict_modes.sh
new file: 99.5.6_ssh_sys_accept_env.sh
new file: 99.5.7_ssh_sys_no_legacy.sh
new file: 99.5.8_ssh_sys_sandbox.sh
new file: 99.5.9_ssh_log_level.sh
Fix descriptions in comment section for 99.* secaudit checks
Remove duplicated legacy services that are already taken care of by vanilla cis
Enable custom configuration of checks in config-file, no more hard coded conf
Add test to disable check if debian version is too old
Add excused IPs while checking "from" field of authorized_keys
Escaping dots in IPs
Manage Kex for different debian versions
Add tests for generic checks and add apply for ssh config
Apply shellcheck recommendations on audit/hardening scripts
Update script to check for allowed IPs only, remove bastion related
Fill `apply` func for ssh config related scripts
Add and update tests scenarii
Disable shellcheck test for external source 1091
As of today, the entire project is not shellcheck compliant, I prefer
disabling the test that warns about not finding external source (that
arent compliant). I will enable it again when the project library will
be shellchecked
https://github.com/koalaman/shellcheck/wiki/SC1091
Refactor password policy check with one check by feature
Previous file will now only look for bad passwords in /etc/shadow
I added two checks that look for the compliant configuration lines in
conf files /etc/logins.defs and /etc/pam.d/common-passwords
FIX: merge chained sed and fix regex
FIX: update regex to capture more output
FIX: fix pattern to ignore commented lines, add apply
Also add tests to ensure that commented lines are not detected as valid
configuration
CHORE: cleanup test situation with file and users removal
IMP: add case insensitive option when looking for patterns in files
CHORE: removed duplicated line in test file
As for now, if a sudo command was not allowed, check might sometimes
pass, resulting compliant state even if it actually is not.
Sudo wrapper first checks wether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant
Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command
Fixed quotes and curly braces with shellcheck report
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh
Change summary to make it oneliner when batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
* perform readonly checks as a regular user
* sudo -n is used for checks requiring root privileges
* increase accountability by providing log of individual access to sensitive files
