elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-16 05:42:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:dev/thibault.dewailly/syslogng_remotecheck
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
..
compare: elie:v4.1-4
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

4 Commits
dev/thibau ... v4.1-4

Author SHA1 Message Date
thibault.dewailly
a45aa40ce4 bump to 4.1.4 2024-01-18 09:16:00 +00:00
lgaida
730ab47437 allow multiple users in 5.2.18 (#228) 
* allow multiple exception users for 99.5.2.4

* move clean up part of previous commit

* split clean up part of previous commit

* add tests for multiple allowed and denied ssh users

* fix script to correctly set multiple allowed and denied ssh users

* add cleanup resolved check to 5.2.18

* apply shellfmt to 5.2.18

---------

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2024-01-10 17:07:02 +01:00
lgaida
5313799193 Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221) 
* allow multiple exception users for 99.5.2.4
 2023-12-27 13:42:10 +01:00
GoldenKiwi
73616af4eb Syslog-ng fixes and enhancements (#226) 
* syslog-ng : fix remote host test and enhance Regex

fixes #124

* enh: add test for 4.2.1.6
 2023-12-27 10:27:06 +01:00
5 changed files with 146 additions and 8 deletions
Expand all files Collapse all files

6
bin/hardening/5.2.18_sshd_limit_access.sh
View File

@ -22,13 +22,13 @@ FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'" OPTIONS=("AllowUsers='$ALLOWED_USERS'" "AllowGroups='$ALLOWED_GROUPS'" "DenyUsers='$DENIED_USERS'" "DenyGroups='$DENIED_GROUPS'")
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed!" ok "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do for SSH_OPTION in "${OPTIONS[@]}"; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -53,7 +53,7 @@ apply() {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install "$PACKAGE" apt_install "$PACKAGE"
fi fi
for SSH_OPTION in $OPTIONS; do for SSH_OPTION in "${OPTIONS[@]}"; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001 # shellcheck disable=SC2001

9
bin/hardening/99.5.2.4_ssh_keys_from.sh
View File

@ -26,7 +26,7 @@ AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
ALLOWED_IPS="" ALLOWED_IPS=""
USERS_TO_CHECK="" USERS_TO_CHECK=""
EXCEPTION_USER="" EXCEPTION_USERS=""
ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin" ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
@ -137,7 +137,10 @@ audit() {
continue continue
else else
info "User $user has a valid shell ($shell)." info "User $user has a valid shell ($shell)."
if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then if grep -qw "$user" <<<"$EXCEPTION_USERS"; then
info "User $user is named in EXEPTION_USERS and is thus skipped from check."
continue
elif [ "$user" = "root" ]; then
check_dir /root check_dir /root
continue continue
elif $SUDO_CMD [ ! -d /home/"$user" ]; then elif $SUDO_CMD [ ! -d /home/"$user" ]; then
@ -164,7 +167,7 @@ status=audit
# Put authorized IPs you want to allow in "from" field of authorized_keys # Put authorized IPs you want to allow in "from" field of authorized_keys
ALLOWED_IPS="" ALLOWED_IPS=""
USERS_TO_CHECK="" USERS_TO_CHECK=""
EXCEPTION_USER="" EXCEPTION_USERS=""
EOF EOF
} }

11
debian/changelog vendored
View File

@ -1,3 +1,14 @@
cis-hardening (4.1-4) unstable; urgency=medium
* allow multiple users in 5.2.18 (#228)
* Allow multiple exception users to be defined for 99.5.2.4_ssh_keys_from (#221)
* Syslog-ng fixes and enhancements (#226)
* fix: Allow --only option to be called multiple times (#225)
* fix: update Readme to clarify project usage (#223)
* fix: typo in README. Update example of --audit usage (#222)
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Thu, 18 Jan 2024 09:13:15 +0000
cis-hardening (4.1-3) unstable; urgency=medium cis-hardening (4.1-3) unstable; urgency=medium
* Adapt all scripts to yescrypt (#216) * Adapt all scripts to yescrypt (#216)

105
tests/hardening/5.2.18_sshd_limit_access.sh
View File

@ -22,4 +22,109 @@ test_audit() {
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config" register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config" register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Check and report mismatch for allowed user
useradd -s /bin/bash johnallow
sed -i "s/ALLOWED_USERS=''/ALLOWED_USERS='johnallow'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]*johnallow is not present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply allowed user
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]*johnallow is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
describe Check and report mismatch for multiple allowed users
useradd -s /bin/bash janeallow
sed -i "s/johnallow/johnallow janeallow/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is not present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply multiple allowed users
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
tail -n 5 /etc/ssh/sshd_config
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# reset allowed users to default before continuing
sed -i "s/ALLOWED_USERS='johnallow janeallow'/ALLOWED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
describe Check and report mismatch for denied user
useradd -s /bin/bash peterdeny
sed -i "s/DENIED_USERS=''/DENIED_USERS='peterdeny'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny is not present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply denied user
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
describe Check and report mismatch for multiple denied users
useradd -s /bin/bash marrydeny
sed -i "s/peterdeny/peterdeny marrydeny/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is not present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply multiple denied users
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# reset to prevent other test from possibly failing in the future
sed -i "s/DENIED_USERS='peterdeny marrydeny'/DENIED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run cleanup_resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
userdel johnallow
userdel janeallow
userdel peterdeny
userdel marrydeny
} }

23
tests/hardening/99.5.2.4_ssh_keys_from.sh
View File

@ -2,7 +2,7 @@
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
echo 'EXCEPTION_USER="root"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg" echo 'EXCEPTION_USERS=""' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
skip_tests skip_tests
# shellcheck disable=2154 # shellcheck disable=2154
@ -12,12 +12,29 @@ test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test dismiss_count_for_test
register_test contain "[INFO] User root has a valid shell"
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file" register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
register_test contain "[INFO] User jeantestuser has a valid shell" register_test contain "[INFO] User jeantestuser has a valid shell"
register_test contain "[INFO] User jeantestuser has no home directory" register_test contain "[INFO] User jeantestuser has no home directory"
# shellcheck disable=2154 # shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
mkdir -p /root/.ssh
ssh-keygen -N "" -t ed25519 -f /tmp/rootkey1
cat /tmp/rootkey1.pub >>/root/.ssh/authorized_keys
describe Check /root is used for root user instead of home by placing key without from field
register_test retvalshouldbe 1
run rootcheck "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
echo 'EXCEPTION_USERS="root exceptiontestuser"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
useradd -s /bin/bash exceptiontestuser
describe Check multiple exception users are skipped
register_test retvalshouldbe 0
register_test contain "[INFO] User root is named in EXEPTION_USERS and is thus skipped from check."
register_test contain "[INFO] User exceptiontestuser is named in EXEPTION_USERS and is thus skipped from check."
# shellcheck disable=2154
run exceptionusers "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
mkdir -p /home/secaudit/.ssh mkdir -p /home/secaudit/.ssh
touch /home/secaudit/.ssh/authorized_keys2 touch /home/secaudit/.ssh/authorized_keys2
describe empty authorized keys file describe empty authorized keys file
@ -74,7 +91,9 @@ test_audit() {
run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup # Cleanup
userdel exceptiontestuser
userdel jeantestuser userdel jeantestuser
userdel -r jeantest2 userdel -r jeantest2
rm -f /tmp/key1 /tmp/key1.pub rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1.pub
rm -rf /root/.ssh
} }