

5 Commits

15 changed files with 186 additions and 59 deletions


@ -1,10 +0,0 @@
repos:
- repo: local
hooks:
- id: check_has_test
name: check_has_test.sh
description: Ensure a check has a corresponding test
entry: hooks/check_has_test.sh
language: script
pass_filenames: true
files: "^bin/hardening/"


@ -0,0 +1,71 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.6.2 Ensure ptrace_scope is restricted
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure ptrace_scope is restricted."
SYSCTL_PARAM='kernel.yama.ptrace_scope'
SYSCTL_EXP_RESULT=2
# This function will be called if the script status is on enabled / audit mode
audit() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi
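Review bot: In audit() the `elif [ "$FNRET" = 255 ]` branch is unreachable, because the preceding `[ "$FNRET" != 0 ]` already matches 255, so a kernel without the Yama LSM (no `kernel.yama.ptrace_scope` key) is reported as a crit "was not set to 2" instead of the intended "does not exist" warning; test the 255 case first: `if [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?"` followed by `elif [ "$FNRET" != 0 ]; then crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"`. apply() has the same ordering and would additionally call set_sysctl_param on a key that does not exist. Separately, the helper compares the live value for exact equality with `SYSCTL_EXP_RESULT=2`, so a host hardened further to `ptrace_scope=3` (no attach at all, per the kernel's Yama documentation) is flagged non-compliant; if that is not intended, the audit should accept any value >= 2. I'd also put a one-line comment above `SYSCTL_EXP_RESULT=2` saying that 2 restricts ptrace attach to processes holding CAP_SYS_PTRACE, since that is what makes the value a deliberate choice over the commonly cited 1.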


@ -19,7 +19,7 @@ DESCRIPTION="Ensure HTTP-proxy is not enabled."
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_EXCEPTION=http HARDENING_EXCEPTION=http
PACKAGES='squid3 squid' PACKAGES='squid3 squid tinyproxy'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {


@ -17,7 +17,7 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable NIS Server." DESCRIPTION="Disable NIS Server."
PACKAGES='nis' PACKAGES='nis ypserv'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {


@ -0,0 +1,73 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 2.2.18 Ensure TFTP server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure Trivial File Transfer Protocol server is not enabled."
# shellcheck disable=2034
HARDENING_EXCEPTION=tftp
PACKAGES='tftpd tftpd-hpa'
# This function will be called if the script status is on enabled / audit mode
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge "$PACKAGE" -y
apt-get autoremove -y
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi
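Review bot: The package list `PACKAGES='tftpd tftpd-hpa'` does not include `atftpd`, which I believe Debian also ships as a TFTP server, so a host running that daemon passes this audit; extending it to `PACKAGES='tftpd tftpd-hpa atftpd'` closes the gap. In apply(), `apt-get autoremove -y` runs once per purged package inside the loop; moving it after the `done` gives the same result with fewer apt invocations. Because the script runs under `set -e`, a failed `apt-get purge` (for instance a held dpkg lock) aborts the whole loop without a log line and leaves later packages unprocessed; if that is not the project's intended behaviour, `if ! apt-get purge -y "$PACKAGE"; then crit "failed to purge $PACKAGE"; fi` would keep going. The header comment also carries a "(Scored)" tag that the other new check in this compare does not; worth aligning one way or the other.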


@ -19,7 +19,7 @@ DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_EXCEPTION=dns HARDENING_EXCEPTION=dns
PACKAGES='bind9 unbound' PACKAGES='bind9 unbound dnsmasq'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {


@ -17,21 +17,23 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP." DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
PACKAGE='nis' PACKAGES='nis ypbind-mt'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
: done
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
@ -40,6 +42,7 @@ apply() {
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
done
} }
# This function will check config parameters required # This function will check config parameters required


@ -26,8 +26,6 @@ FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
SEARCH_RES=0 SEARCH_RES=0
# if SC2086 is fixed (double quotes) instead of skipped, then shellcheck will complain that double quotes will prevent the loop (SC2066)
# shellcheck disable=SC2086
for FILE_SEARCHED in $FILES_TO_SEARCH; do for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ "$SEARCH_RES" = 1 ]; then break; fi if [ "$SEARCH_RES" = 1 ]; then break; fi
if $SUDO_CMD test -d "$FILE_SEARCHED"; then if $SUDO_CMD test -d "$FILE_SEARCHED"; then


@ -1,21 +0,0 @@
#!/bin/bash
test_path="tests/hardening"
failure=0
failed_checks=""
for check in "$@"; do
base_name=$(basename "$check")
if [ ! -f $test_path/"$base_name" ]; then
failure=1
failed_checks="$failed_checks $base_name"
fi
done
if [ $failure -ne 0 ]; then
for check in $failed_checks; do
echo "missing file $test_path/$check"
done
fi
exit $failure


@ -148,5 +148,5 @@ div() {
fi fi
local _r=$(($1$_n / $2)) local _r=$(($1$_n / $2))
_r=${_r:0:-$_d}.${_r: -$_d} _r=${_r:0:-$_d}.${_r: -$_d}
echo "$_r" echo $_r
} }


@ -11,7 +11,6 @@ has_sysctl_param_expected_result() {
local SYSCTL_PARAM=$1 local SYSCTL_PARAM=$1
local EXP_RESULT=$2 local EXP_RESULT=$2
# shellcheck disable=SC2319
if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
FNRET=0 FNRET=0
elif [ "$?" = 255 ]; then elif [ "$?" = 255 ]; then
@ -36,7 +35,6 @@ set_sysctl_param() {
local SYSCTL_PARAM=$1 local SYSCTL_PARAM=$1
local VALUE=$2 local VALUE=$2
debug "Setting $SYSCTL_PARAM to $VALUE" debug "Setting $SYSCTL_PARAM to $VALUE"
# shellcheck disable=SC2319
if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
FNRET=0 FNRET=0
elif [ $? = 255 ]; then elif [ $? = 255 ]; then
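Review bot: In has_sysctl_param_expected_result the `$?` in `elif [ "$?" = 255 ]` is the exit status of the `[ ... ]` test that just failed (always 1), not of the sysctl command inside the command substitution, so `FNRET=255` can never be set and a missing sysctl key falls through to the generic not-equal result; the `# shellcheck disable=SC2319` dropped here was suppressing exactly that warning rather than a false positive. Capture the command's status separately, as below; the `|| RC=$?` form is needed because the callers source this library under `set -e`. set_sysctl_param in the second hunk uses the same `[ $? = 255 ]` pattern and needs the same treatment. Both functions' else branches lie outside the hunks.

```shell
    local SYSCTL_PARAM=$1
    local EXP_RESULT=$2
    local ACTUAL RC=0
    ACTUAL=$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null) || RC=$?
    if [ "$ACTUAL" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
        FNRET=0
    elif [ "$RC" = 255 ]; then
    # … unchanged: FNRET=255 / else branch …
```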


@ -14,8 +14,7 @@ fi
for f in $files; do for f in $files; do
if head "$f" | grep -qE "^# run-shellcheck$"; then if head "$f" | grep -qE "^# run-shellcheck$"; then
printf "\e[1;36mRunning shellcheck on: %s \e[0m\n" "$f" printf "\e[1;36mRunning shellcheck on: %s \e[0m\n" "$f"
# SC2317: command unreachable, sometimes has a hard time reaching the command in a function if ! /usr/bin/shellcheck --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
if ! /usr/bin/shellcheck --exclude=SC2317 --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
retval=$((retval + 1)) retval=$((retval + 1))
fi fi
fi fi


@ -0,0 +1,16 @@
# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
##################################################################
# For this test, we only check that it runs properly on a blank #
# host, and we check root/sudo consistency. But, we don't test #
# the apply function because it can't be automated or it is very #
# long to test and not very useful. #
##################################################################
}
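Review bot: test_audit only asserts the exit status of `--audit-all` and dismisses the counters with `dismiss_count_for_test`, so it would not notice the new check printing the wrong verdict (for example a crit on a host whose `ptrace_scope` already equals the expected value); if the harness offers an output assertion such as a `register_test contains` on the expected ok/crit message for the blank host, adding one would actually pin the check's behaviour. The comment box says apply "can't be automated" without saying why; for this rule the reason is presumably that `/proc/sys` is read-only inside the test container, and stating that in the comment (`# sysctl writes are refused inside the container, so apply is not exercised here`) would stop a future maintainer from re-adding an apply test that can only fail.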


@ -13,7 +13,7 @@ cleanup_and_exit() {
if [ "$totalerrors" -eq 255 ]; then if [ "$totalerrors" -eq 255 ]; then
fatal "RUNTIME ERROR" fatal "RUNTIME ERROR"
fi fi
exit "$totalerrors" exit $totalerrors
} }
trap "cleanup_and_exit" EXIT HUP INT trap "cleanup_and_exit" EXIT HUP INT
@ -125,7 +125,7 @@ play_consistency_tests() {
ok "$name logs are identical" ok "$name logs are identical"
fi fi
if [ 1 -eq "$consist_test" ]; then if [ 1 -eq $consist_test ]; then
nbfailedconsist=$((nbfailedconsist + 1)) nbfailedconsist=$((nbfailedconsist + 1))
listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)" listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
fi fi