Update changelog (#99)

* IMP(5.2.23): accept lower value as valid

* IMP(5.2.7): accept lower value as valid

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -23,6 +23,19 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     # shellcheck disable=SC2086
     RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    IFS_BAK=$IFS
+    IFS=$'\n'
+    for LINE in $RESULT; do
+        debug "line : $LINE"
+        if echo "$EXCEPTIONS" | grep -q "$LINE"; then
+            debug "$LINE is confirmed as an exception"
+            # shellcheck disable=SC2001
+            RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
+        else
+            debug "$LINE not found in exceptions"
+        fi
+    done
+    IFS=$IFS_BAK
     if [ -n "$RESULT" ]; then
         crit "Some world writable directories are not on sticky bit mode!"
         # shellcheck disable=SC2001
@@ -36,17 +49,41 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    IFS_BAK=$IFS
+    IFS=$'\n'
+    for LINE in $RESULT; do
+        debug "line : $LINE"
+        if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
+            debug "$ACCOUNT is confirmed as an exception"
+            # shellcheck disable=SC2001
+            RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
+        else
+            debug "$ACCOUNT not found in exceptions"
+        fi
+    done
+    IFS=$IFS_BAK
     if [ -n "$RESULT" ]; then
+        warn "Setting sticky bit on world writable directories"
         df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
     else
         ok "All world writable directories have a sticky bit, nothing to apply"
     fi
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Put here your exceptions separated by spaces
+EXCEPTIONS=""
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
-    # No param for this function
-    :
+    if [ -z "$EXCEPTIONS" ]; then
+        EXCEPTIONS="@"
+    fi
 }
 
 # Source Root Dir Parameter

bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh

@@ -21,8 +21,8 @@ SERVICE_NAME="systemd-timesyncd"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_service_enabled "$SERVICE_NAME"
-    if [ "$FNRET" = 0 ]; then
+    status=$(systemctl is-enabled "$SERVICE_NAME")
+    if [ "$status" = "enabled" ]; then
         ok "$SERVICE_NAME is enabled"
     else
         crit "$SERVICE_NAME is disabled"

bin/hardening/4.1.11_record_privileged_commands.sh

@@ -17,8 +17,9 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Collect use of privileged commands."
 
+SUDO_CMD='sudo -n'
 # Find all files with setuid or setgid set
-AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
+AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
     awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
 FILE='/etc/audit/audit.rules'
 

bin/hardening/5.2.23_limit_ssh_max_sessions.sh

@@ -36,7 +36,17 @@ audit() {
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
-                crit "$PATTERN is not present in $FILE"
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+                if [ "$FNRET" != 0 ]; then
+                    crit "$PATTERN is not present in $FILE"
+                else
+                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+                    else
+                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                    fi
+                fi
             fi
         done
     fi
@@ -64,8 +74,13 @@ apply() {
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
+                    replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                else
+                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                fi
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/5.2.7_sshd_maxauthtries.sh

@@ -36,7 +36,17 @@ audit() {
             if [ "$FNRET" = 0 ]; then
                 ok "$PATTERN is present in $FILE"
             else
-                crit "$PATTERN is not present in $FILE"
+                does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+                if [ "$FNRET" != 0 ]; then
+                    crit "$PATTERN is not present in $FILE"
+                else
+                    VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                        crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+                    else
+                        ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                    fi
+                fi
             fi
         done
     fi
@@ -59,13 +69,18 @@ apply() {
         if [ "$FNRET" = 0 ]; then
             ok "$PATTERN is present in $FILE"
         else
-            warn "$PATTERN is not present in $FILE, adding it"
+            warn "$PATTERN is not present in $FILE"
             does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
             if [ "$FNRET" != 0 ]; then
                 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
             else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+                if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+                    warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
+                    replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+                else
+                    ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+                fi
             fi
             /etc/init.d/ssh reload
         fi

bin/hardening/6.1.10_find_world_writable_file.sh

@@ -23,6 +23,19 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     # shellcheck disable=SC2086
     RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
+    IFS_BAK=$IFS
+    IFS=$'\n'
+    for LINE in $RESULT; do
+        debug "line : $LINE"
+        if echo "$EXCEPTIONS" | grep -q "$LINE"; then
+            debug "$LINE is confirmed as an exception"
+            # shellcheck disable=SC2001
+            RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
+        else
+            debug "$LINE not found in exceptions"
+        fi
+    done
+    IFS=$IFS_BAK
     if [ -n "$RESULT" ]; then
         crit "Some world writable files are present"
         # shellcheck disable=SC2001
@@ -36,6 +49,19 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+    IFS_BAK=$IFS
+    IFS=$'\n'
+    for LINE in $RESULT; do
+        debug "line : $LINE"
+        if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
+            debug "$ACCOUNT is confirmed as an exception"
+            # shellcheck disable=SC2001
+            RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
+        else
+            debug "$ACCOUNT not found in exceptions"
+        fi
+    done
+    IFS=$IFS_BAK
     if [ -n "$RESULT" ]; then
         warn "chmoding o-w all files in the system"
         df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
@@ -44,10 +70,20 @@ apply() {
     fi
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Put here your exceptions separated by spaces
+EXCEPTIONS=""
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
-    # No param for this function
-    :
+    if [ -z "$EXCEPTIONS" ]; then
+        EXCEPTIONS="@"
+    fi
 }
 
 # Source Root Dir Parameter

cisharden.sudoers

@@ -20,6 +20,10 @@ Cmnd_Alias SCL_CMD =    /bin/grep ,\
                         /sbin/sysctl -a,\
                         /bin/dmesg "",\
                         /bin/netstat,\
+                        /usr/sbin/lsmod,\
+                        /sbin/lsmod,\
+                        /sbin/modprobe,\
+                        /usr/sbin/modprobe -n -v*,\
                         /usr/sbin/apparmor_status
 
 cisharden ALL = (root) NOPASSWD: SCL_CMD

debian/changelog

@@ -1,3 +1,18 @@
+cis-hardening (3.1-4) unstable; urgency=medium
+
+  * Add test to check stderr is empty
+  * Fix 2.2.1.2 audit and apply
+  * Accept lower values as valid 5.2.7 and 5.2.23
+  * Add dir exceptions in 1.1.21 and 6.1.10
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Thu, 06 May 2021 10:07:22 +0200
+
+cis-hardening (3.1-3) unstable; urgency=medium
+
+  * Fix 4.1.11 permissions
+
+ -- Thibault Ayanides <thibault.ayanides@ovhcloud.com>  Mon, 12 Apr 2021 12:17:16 +0200
+
 cis-hardening (3.1-2) unstable; urgency=medium
 
   * Fix case for sshd pattern searching

tests/hardening/5.2.23_limit_ssh_max_sessions.sh

@@ -7,6 +7,22 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    echo "maxsessions 1" >>/etc/ssh/sshd_config
+
+    describe Running restrictive
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] 1 is lower than recommended 10"
+    run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # delete last line
+    sed -i '$ d' /etc/ssh/sshd_config
+    echo "maxsessions 15" >>/etc/ssh/sshd_config
+
+    describe Running too permissive
+    register_test retvalshouldbe 1
+    register_test contain "[ KO ] 15 is higher than recommended 10"
+    run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe Correcting situation
     # `apply` performs a service reload after each change in the config file
     # the service needs to be started for the reload to succeed

tests/hardening/5.2.7_sshd_maxauthtries.sh

@@ -7,6 +7,22 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    echo "MaxAuthTries 2" >>/etc/ssh/sshd_config
+
+    describe Running restrictive
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] 2 is lower than recommended 4"
+    run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # delete last line
+    sed -i '$ d' /etc/ssh/sshd_config
+    echo "MaxAuthTries 6" >>/etc/ssh/sshd_config
+
+    describe Running too permissive
+    register_test retvalshouldbe 1
+    register_test contain "[ KO ] 6 is higher than recommended 4"
+    run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe Correcting situation
     # `apply` performs a service reload after each change in the config file
     # the service needs to be started for the reload to succeed

tests/launch_tests.sh

@@ -131,12 +131,12 @@ play_consistency_tests() {
     fi
 }
 
-# Actually runs one signel audit script
+# Actually runs one single audit script
 _run() {
     usecase_name=$1
     shift
     printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
-    bash -c "$*" >"$outdir/$usecase_name.log" && true
+    bash -c "$*" >"$outdir/$usecase_name.log" 2>"$outdir/${usecase_name}_err.log" && true
     echo $? >"$outdir/$usecase_name.retval"
     ret=$(<"$outdir"/"$usecase_name".retval)
     get_stdout
@@ -188,15 +188,25 @@ for test_file in $tests_list; do
     echo ""
 done
 
+stderrunexpected=""
+for file in "$outdir"/*_err.log; do
+    if [ -s "$file" ]; then
+        stderrunexpected="$stderrunexpected $(basename "$file")"
+    fi
+done
+
 printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
-if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ]; then
+if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ] && [ -z "$stderrunexpected" ]; then
     echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
+    echo -e "\033[42m\033[30mStderr is empty :)\033[0m"
+
 else
     (
         echo -e "\033[41mOne or more tests failed :(\033[0m"
         echo -e "- $nbfailedret unexpected return values ${listfailedret}"
         echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
         echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
+        echo -e "- stderr detected on $stderrunexpected"
     ) | tee "$outdir"/summary
 fi
 echo