Commit Graph

185 Commits

Author SHA1 Message Date
Charles Herlin
f2ae6cc24a FIX(99.2): add missing $SUDO_CMD 2019-02-15 16:56:54 +01:00
Charles Herlin
f5ba729129 FIX(sudoers): add missing test 2019-02-15 16:45:03 +01:00
Charles Herlin
2e083ad8d6 FIX(test): catch return values when retval differs to avoid runtime error 2019-02-15 16:44:32 +01:00
Charles Herlin
84047928b1 Add test stub for all audit checks, to tests root/sudo consistency 2019-02-15 10:43:46 +01:00
Charles Herlin
b8bd75d2ad Rename dismiss_test to skip_tests since test won't even run in this case 2019-02-15 10:43:46 +01:00
Charles Herlin
ddfee23c80 dismiss_count will still report failed root/sudo consistency failure
Add comment to dismiss_tests
2019-02-15 10:43:46 +01:00
kevin.tanguy
5139cf0f8b properly purge remaining config files on purge 2019-02-15 10:14:30 +01:00
Charles Herlin
5f2803693e Change default status to audit for file with custom create_config 2019-02-14 14:33:21 +01:00
Charles Herlin
d6172ad89e Change default status disabled -> audit when no conf file 2019-02-14 14:25:57 +01:00
Charles Herlin
1a6ef92c99 FIX package name in example-cron.d-entry 2019-02-14 13:27:02 +01:00
Charles Herlin
edcaaeab4c Improve user management in test cases 2019-02-14 12:21:10 +01:00
Charles Herlin
7ad0df963c IMP: enhance scripts that check duplicate UID
Add exception handling in 13.14_check_duplicate_uid
Clarifies output message and explicitly displays found exceptions
Add tests
Apply shellcheck recommendation

modified:   bin/hardening/13.14_check_duplicate_uid.sh
modified:   bin/hardening/13.5_find_0_uid_non_root_account.sh
new file:   tests/hardening/13.14_check_duplicate_uid.sh
new file:   tests/hardening/13.5_find_0_uid_non_root_account.sh
2019-02-14 12:21:10 +01:00
Charles Herlin
7e3ee2eb93 FIX: usage if no RUN_MODE, fix only that used to run too many checks
If no RUN_MODE passed as arguments, display usage and exits

Fix --only option to run only specific check
Found bug that used to run 2.2 and 2.24 when launching --only 2.24
2019-02-13 17:17:06 +01:00
kevin.tanguy
2421d96ae2 changelog: Update to 1.2-1 (go cds go) 2019-02-12 14:32:06 +01:00
Charles Herlin
d2bbf754ac Migrate generic checks from secaudit to cis-hardening
new file:   99.3.1_acc_shadow_sha512.sh
new file:   99.3.2_acc_sudoers_no_all.sh
new file:   99.4_net_fw_default_policy_drop.sh
new file:   99.5.1_ssh_auth_pubk_only.sh
new file:   99.5.2.1_ssh_cry_kex.sh
new file:   99.5.2.2_ssh_cry_mac.sh
new file:   99.5.2.3_ssh_cry_rekey.sh
new file:   99.5.3_ssh_disable_features.sh
new file:   99.5.4_ssh_keys_from.sh
new file:   99.5.5_ssh_strict_modes.sh
new file:   99.5.6_ssh_sys_accept_env.sh
new file:   99.5.7_ssh_sys_no_legacy.sh
new file:   99.5.8_ssh_sys_sandbox.sh
new file:   99.5.9_ssh_log_level.sh

Fix descriptions in comment section for 99.* secaudit checks

Remove duplicated legacy services that are already taken care of by vanilla cis

Enable custom configuration of checks in config-file, no more hard coded conf
Add test to disable check if debian version is too old
Add excused IPs while checking "from" field of authorized_keys
Escaping dots in IPs
Manage Kex for different debian versions
Add tests for generic checks and add apply for ssh config
Apply shellcheck recommendations on audit/hardening scripts
Update script to check for allowed IPs only, remove bastion related
Fill `apply` func for ssh config related scripts
Add and update tests scenarii

Disable shellcheck test for external source 1091

As of today, the entire project is not shellcheck compliant, I prefer
disabling the test that warns about not finding external source (that
arent compliant). I will enable it again when the project library will
be shellchecked
https://github.com/koalaman/shellcheck/wiki/SC1091

Refactor password policy check with one check by feature

Previous file will now only look for bad passwords in /etc/shadow
I added two checks that look for the compliant configuration lines in
conf files /etc/logins.defs and /etc/pam.d/common-passwords

FIX: merge chained sed and fix regex

FIX: update regex to capture more output
FIX: fix pattern to ignore commented lines, add apply

Also add tests to ensure that commented lines are not detected as valid
configuration

CHORE: cleanup test situation with file and users removal
IMP: add case insensitive option when looking for patterns in files
CHORE: removed duplicated line in test file
2019-02-11 18:05:03 +01:00
Charles Herlin
9290f0cc91 Add crontab 2019-02-11 10:55:02 +01:00
Charles Herlin
7690b57ea9 FIX: add becho to send batch output to syslog too
becho stands for batch echo
formats the log line for syslog

Also logs audit summary into syslog (in batch mode only)
2019-02-07 11:41:12 +01:00
Charles Herlin
25eb91c411 Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00
Charles Herlin
a6a09c5a5d IMP: sort find result by name and version to ease reading 2019-02-01 09:42:12 +01:00
Charles Herlin
35e7c32426 FIX: remove "exernal-sources" option when running shellcheck
This option caused some checks to be ignored
2019-01-30 17:48:07 +01:00
Charles Herlin
fb918b1b98 Add shellcheck recommendation 2019-01-30 12:38:39 +01:00
Charles Herlin
497e1d2095 FIX: add way of completely skipping test that bugged with jessie
Tests are stored in a bash indexed array.
Bash on debian8 does not support arrays declaration and if there was no
registered tests, the array variable was seen as undefined.
With this way of completely dismissing the test suite, the problem is
fixed
2019-01-30 11:06:49 +01:00
Charles Herlin
1a75cbfe76 Fix typo in test skeleton and add shellcheck comment 2019-01-25 14:16:47 +01:00
Charles Herlin
d2b20640a6 FIX: bug crashing for undeclared variable when consitency
checks failed
2019-01-25 10:33:38 +01:00
Charles Herlin
5f7cb58dd4 IMP: tests readability and runtime error handling
Change describe display to add underline in order to make it more
noticeable in a stream of logs
Add a `fatal` message when catching a runtime error (until
`$totalerrors` has not been modified yet)
2019-01-24 15:53:09 +01:00
Charles Herlin
d2e456b7d8 IMP: new tag in file to tell that the script should pass shellcheck
The `# run-shellchek` tag must be placed in the first 10 lines of the
file
2019-01-24 11:45:31 +01:00
Charles Herlin
e4c5a57fbf FIX: tests return value that was always 255
Return values tells the number of failed tests up to 254
255 being the return value for runtime errors
2019-01-24 11:19:51 +01:00
Charles Herlin
bfbd410b19 FIX: quotes in find command, misinterpreted shellcheck advice 2019-01-23 16:55:48 +01:00
Charles Herlin
ec6b79e3c7 FEAT: Add sudo_wrapper to catch unauthorized sudo commands
As for now, if a sudo command was not allowed, check might sometimes
pass, resulting compliant state even if it actually is not.
Sudo wrapper first checks wether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant

Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command

Fixed quotes and curly braces with shellcheck report
2019-01-23 15:56:27 +01:00
Charles Herlin
70cb310c54 FEAT: automate shellcheck test with docker
IMP: search for all .sh files to shellcheck
If no file is passed as argument, shellchek will be run on all
.sh files

Fix dockerfile location and expand full shellcheck options
2019-01-23 15:40:21 +01:00
Charles Herlin
001323f448 FIX: sed that was too greedy
Used to sed 's!/usr/bin/su!!' /usr/bin/sudo leaving only "do"
that lead to misinterpreting result

Change algorithm to avoid partial sed in the result list
Now the not compliant list is built out of the find results
instead of items being removed from them.
Allow better control of grep inside this list.

Chore: apply shellcheck recommendations
2019-01-23 13:49:29 +01:00
Charles Herlin
ed0c07d319 Add missing /usr/bin/su 2019-01-21 17:27:09 +01:00
Charles Herlin
03b6f1857a FIX: add /usr/bin/* path for suid/guid allowed binaries
Debian is still migrating /bin to /usr/bin so I added both path to the
allowed ones

 * mount
 * umount
 * ping
 * ping6
 * unix_chkpwd
2019-01-21 17:27:09 +01:00
Charles Herlin
106412149d Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh

Change summary to make it oneliner when batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
2019-01-21 17:20:18 +01:00
Charles Herlin
91642474f7 Change from CIS reco and only warn (no crit) if logfile does not exist 2019-01-21 17:20:00 +01:00
Charles Herlin
18693200dc IMP(test): Add feature to run functional tests in docker instance
Add usecase in basename
Add test files for checks with find command
Always show logs
FIX: run void script to generate config and avoid sed failure
Update README with functional test description
Add skeleton for functional test
Add argument to launch only specific test suite
Add support for debian8 and compulsory mention of debian version at
launch
Improve README
Simplify test file syntax to avoid copy/paste mistake
Add script that runs tests on all debian targets
Improve run_all_target script with nowait and nodel options
Add dockerfile for Buster pre-version
Chore: Use getopt for options and reviewed code by shellcheck
Add trap to ensure cleanup on exit/interrupt
Remove quotes that lead to `less` misinterpretation of the filenames
Set `local` for variables inside `test_audit` func
Move functional assertion functions to dedicated file
Add cleanup for logs and containers
Improve cleanup, and now exits
Apply shellcheck recommendations
FIX: allow script to be run from anywhere (dirname $0)

 Changes to be committed:
	modified:   README.md
	new file:   src/skel.test
	new file:   tests/docker/Dockerfile.debian10_20181226
	new file:   tests/docker/Dockerfile.debian8
	new file:   tests/docker/Dockerfile.debian9
	new file:   tests/docker_build_and_run_tests.sh
	new file:   tests/hardening/12.10_find_suid_files.sh
	new file:   tests/hardening/12.11_find_sgid_files.sh
	new file:   tests/hardening/12.7_find_world_writable_file.sh
	new file:   tests/hardening/12.8_find_unowned_files.sh
	new file:   tests/hardening/12.9_find_ungrouped_files.sh
	new file:   tests/hardening/2.17_sticky_bit_world_writable_folder.sh
	new file:   tests/launch_tests.sh
	new file:   tests/lib.sh
	new file:   tests/run_all_targets.sh
2019-01-21 16:48:45 +01:00
Charles Herlin
843ce3efc3 Improve --only option to perform only specified test and no other lookalike test number
Before modification "--only 8.2.1" performed tests 8.2.1 and 2.1
2018-03-28 14:36:17 +02:00
Charles Herlin
d60922ab9d Redirect stderr to avoid printing "no such file" error 2018-03-19 18:06:47 +01:00
Charles Herlin
39246bc175 resolve #SOC-30 Also check /etc/security/limits.d/ for core dump limit 2018-03-15 09:50:05 +01:00
Charles Herlin
47857774b4 Fix SOC-28, add test if file exist, if not issue error 2018-03-14 14:04:02 +01:00
Charles Herlin
b41df080cf Add sudo management in main and utils
* perform readonly checks as a regular user
    * sudo -n is used for checks requiring root privileges
    * increase accountability by providing log of individual access to sensitive files
2018-03-13 10:38:25 +01:00
Julien Delayen
b5a952e0f0 changelog: Update to 1.1-1
- Add hardening templating and several enhancements
- CIS_ROOT_DIR management
- Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
- Debian packaging clean up

Signed-off-by: Julien Delayen <julien.delayen@corp.ovh.com>
2018-02-02 11:54:10 +01:00
Julien Delayen
b0141494a9 debian: Remove useless {shlibs:Depends}
This fixes the following issue:

Depends field of package cis-hardening:
unknown substitution variable ${shlibs:Depends}

Signed-off-by: Julien Delayen <julien.delayen@corp.ovh.com>
2017-12-14 14:51:45 +01:00
Julien Delayen
f21259c79d debian: Fix lintian warning
The following error is highlighted by lintian:
depends-on-essential-package-without-using-version: bash

bash is always present and does not need to be specified
in debian/control.

See: https://lintian.debian.org/tags/depends-on-essential-package-without-using-version.html

Signed-off-by: Julien Delayen <julien.delayen@corp.ovh.com>
2017-12-14 14:51:45 +01:00
Julien Delayen
fe167d29c7 debian: Remove auto-generated files from conffiles
The policy for configuration files having changed,
the files are not present in the package anymore.
Remove them from debian/conffiles.

Signed-off-by: Julien Delayen <julien.delayen@corp.ovh.com>
2017-12-14 14:51:30 +01:00
Thibault Dewailly
321063fe7c Merge pull request #31 in IAAS/cis-hardening from dev/cherlin/update-cis-scripts to master
* commit 'f97fbb47f701fd81a6dcdabb1d2e961943386eb5':
  Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers
2017-12-05 11:38:15 +01:00
Thibault Dewailly
73c640f4d1 Merge pull request #28 in IAAS/cis-hardening from dev/cherlin/cis-root-dir-in-env to master
* commit '5b11b1628a690e0bbd9d34cd5b83dbe74ac6fba7':
  Expand tabs to 4 spaces and trim trailing spaces
  Remove unnecessary CIS_ROOT_DIR empty assignation
  Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management
  Changing CIS_ROOT_DIR management in env in bin/hardening.sh
  Change src/skel to allow setting CIS_ROOT_DIR in env and not just sourcing /etc/default/cis-hardening. Making the whole lib more versatile.
2017-12-05 11:32:45 +01:00
Charles Herlin
5b11b1628a Expand tabs to 4 spaces and trim trailing spaces 2017-11-17 15:13:27 +01:00
Charles Herlin
f97fbb47f7 Update ciphers list in 9.3.11 with latest chacha20 and gcm ciphers 2017-11-10 14:48:51 +01:00
Charles Herlin
725aaa39e5 Remove unnecessary CIS_ROOT_DIR empty assignation 2017-10-25 17:44:56 +02:00