CI: Fix release action (#147 )

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
Update changelog for release 3.3-1 (#146 )
2025-07-15 21:32:17 +02:00 · 2022-03-03 12:02:12 +01:00 · 2022-03-03 10:26:42 +01:00 · 2022-03-02 18:05:37 +01:00 · 2022-03-02 17:49:28 +01:00 · 2022-03-02 00:14:50 +01:00
28 changed files with 235 additions and 139 deletions
--- a/.github/workflows/compile-manual.yml
+++ b/.github/workflows/compile-manual.yml
@ -7,10 +7,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Produce debian man
        run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
-      - uses: EndBug/add-and-commit@v7
+      - uses: EndBug/add-and-commit@v8.0.2
        with:
          add: 'debian/cis-hardening.8'
          message: 'Regenerate man pages (Github action)'
--- a/.github/workflows/functionnal-tests.yml
+++ b/.github/workflows/functionnal-tests.yml
@ -8,20 +8,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Run the tests debian9
        run: ./tests/docker_build_and_run_tests.sh debian9
  functionnal-tests-docker-debian10:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Run the tests debian10
        run: ./tests/docker_build_and_run_tests.sh debian10
  functionnal-tests-docker-debian11:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Run the tests debian11
        run: ./tests/docker_build_and_run_tests.sh debian11
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@ -11,7 +11,7 @@ jobs:
    steps:
      # CHECKOUT CODE
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      # BUILD THE .DEB PACKAGE
      - name: Build
        run: |
@ -29,12 +29,12 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # GET LATEST VERSION TAG
      - name: Get latest version tag
-        uses: actions-ecosystem/action-get-latest-tag@v1.4.1
+        uses: actions-ecosystem/action-get-latest-tag@v1.5.0
        id: get-latest-tag
      # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
      - name: Generate changelog
        id: changelog
-        uses: metcalfc/changelog-generator@v1.0.0
+        uses: metcalfc/changelog-generator@v3.0.0
        with:
          myToken: ${{ secrets.GITHUB_TOKEN }}
          head-ref: ${{ github.sha }}
--- a/.github/workflows/shellcheck_and_shellfmt.yml
+++ b/.github/workflows/shellcheck_and_shellfmt.yml
@ -8,7 +8,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Run the sh-checker
        uses: luizm/action-sh-checker@v0.3.0
        env:
@ -24,6 +24,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Run shellcheck
        run: ./shellcheck/docker_build_and_run_shellcheck.sh
--- a/.github/workflows/tagged-release.yml
+++ b/.github/workflows/tagged-release.yml
@ -7,8 +7,6 @@ on:
 jobs:
  build:
    name: Create Release
-    # only runs on master
-    if: github.event.base_ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    steps:
      # GET VERSION TAG
@ -17,7 +15,7 @@ jobs:
        run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
      # CHECKOUT CODE
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          ref: ${{ steps.vars.outputs.tag }}
      # GENERATE CHANGELOG CORRESPONDING TO ENTRY IN DEBIAN/CHANGELOG
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -25,10 +25,10 @@ audit() {
    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    if [ -n "$EXCEPTIONS" ]; then
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
    else
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
    fi

    if [ -n "$RESULT" ]; then
@ -45,14 +45,14 @@ audit() {
 apply() {
    if [ -n "$EXCEPTIONS" ]; then
        # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
    else
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
    fi

    if [ -n "$RESULT" ]; then
        warn "Setting sticky bit on world writable directories"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d -perm -0002 2>/dev/null | xargs chmod a+t
    else
        ok "All world writable directories have a sticky bit, nothing to apply"
    fi
--- a/bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
+++ b/bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
@ -20,6 +20,7 @@ DESCRIPTION="Check iptables firewall default policy for DROP on INPUT and FORWAR
 PACKAGE="iptables"
 FW_CHAINS="INPUT FORWARD"
 FW_POLICY="DROP"
+FW_CMD="iptables"

 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -27,9 +28,9 @@ audit() {
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
-        ipt=$($SUDO_CMD "$PACKAGE" -nL 2>/dev/null || true)
+        ipt=$($SUDO_CMD "$FW_CMD" -nL 2>/dev/null || true)
        if [[ -z "$ipt" ]]; then
-            crit "Empty return from $PACKAGE command. Aborting..."
+            crit "Empty return from $FW_CMD command. Aborting..."
            return
        fi
        for chain in $FW_CHAINS; do
--- a/bin/hardening/4.1.11_record_privileged_commands.sh
+++ b/bin/hardening/4.1.11_record_privileged_commands.sh
@ -19,7 +19,7 @@ DESCRIPTION="Collect use of privileged commands."

 SUDO_CMD='sudo -n'
 # Find all files with setuid or setgid set
-AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
+AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
    awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
 FILE='/etc/audit/audit.rules'

--- a/bin/hardening/6.1.10_find_world_writable_file.sh
+++ b/bin/hardening/6.1.10_find_world_writable_file.sh
@ -26,10 +26,10 @@ audit() {

    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
    else
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
    fi

    if [ -n "$RESULT" ]; then
@ -46,14 +46,14 @@ audit() {
 apply() {
    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
    else
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
    fi

    if [ -n "$RESULT" ]; then
        warn "chmoding o-w all files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
    else
        ok "No world writable files found, nothing to apply"
    fi
--- a/bin/hardening/6.1.11_find_unowned_files.sh
+++ b/bin/hardening/6.1.11_find_unowned_files.sh
@ -26,10 +26,10 @@ audit() {
    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
    else
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
    fi
    if [ -n "$RESULT" ]; then
        crit "Some unowned files are present"
@ -45,13 +45,13 @@ audit() {
 apply() {
    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
    else
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
    fi
    if [ -n "$RESULT" ]; then
        warn "Applying chown on all unowned files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown "$USER"
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -print 2>/dev/null | xargs chown "$USER"
    else
        ok "No unowned files found, nothing to apply"
    fi
--- a/bin/hardening/6.1.12_find_ungrouped_files.sh
+++ b/bin/hardening/6.1.12_find_ungrouped_files.sh
@ -26,10 +26,10 @@ audit() {
    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
    else
        # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
    fi
    if [ -n "$RESULT" ]; then
        crit "Some ungrouped files are present"
@ -45,13 +45,13 @@ audit() {
 apply() {
    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
    else
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
    fi
    if [ -n "$RESULT" ]; then
        warn "Applying chgrp on all ungrouped files in the system"
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp "$GROUP"
+        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -print 2>/dev/null | xargs chgrp "$GROUP"
    else
        ok "No ungrouped files found, nothing to apply"
    fi
--- a/bin/hardening/6.1.13_find_suid_files.sh
+++ b/bin/hardening/6.1.13_find_suid_files.sh
@ -24,9 +24,9 @@ audit() {
    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
    # shellcheck disable=2086
    if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
    else
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
    fi
    BAD_BINARIES=""
    for BINARY in $FOUND_BINARIES; do
--- a/bin/hardening/6.1.14_find_sgid_files.sh
+++ b/bin/hardening/6.1.14_find_sgid_files.sh
@ -24,9 +24,9 @@ audit() {
    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
    # shellcheck disable=2086
    if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
    else
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
    fi
    BAD_BINARIES=""
    for BINARY in $FOUND_BINARIES; do
--- a/bin/hardening/6.1.3_etc_gshadow-_permissions.sh
+++ b/bin/hardening/6.1.3_etc_gshadow-_permissions.sh
@ -25,35 +25,45 @@ GROUPSOK='root shadow'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUPSOK"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUPSOK"
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-    has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        has_file_one_of_ownership "$FILE" "$USER" "$GROUPSOK"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            info "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
    fi
 }

--- a/bin/hardening/6.1.6_etc_passwd-_permissions.sh
+++ b/bin/hardening/6.1.6_etc_passwd-_permissions.sh
@ -24,35 +24,45 @@ GROUP='root'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            info "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
    fi
 }

--- a/bin/hardening/6.1.7_etc_shadow-_permissions.sh
+++ b/bin/hardening/6.1.7_etc_shadow-_permissions.sh
@ -24,35 +24,45 @@ GROUP='shadow'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            info "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
    fi
 }

--- a/bin/hardening/6.1.8_etc_group-_permissions.sh
+++ b/bin/hardening/6.1.8_etc_group-_permissions.sh
@ -24,35 +24,45 @@ GROUP='root'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
    else
-        crit "$FILE permissions were not set to $PERMISSIONS"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        crit "$FILE ownership was not set to $USER:$GROUP"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    has_file_correct_permissions "$FILE" "$PERMISSIONS"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct permissions"
+    does_file_exist "$FILE"
+    if [ "$FNRET" != 0 ]; then
+        ok "$FILE does not exist"
    else
-        info "fixing $FILE permissions to $PERMISSIONS"
-        chmod 0"$PERMISSIONS" "$FILE"
-    fi
-    has_file_correct_ownership "$FILE" "$USER" "$GROUP"
-    if [ "$FNRET" = 0 ]; then
-        ok "$FILE has correct ownership"
-    else
-        info "fixing $FILE ownership to $USER:$GROUP"
-        chown "$USER":"$GROUP" "$FILE"
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            info "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
    fi
 }

--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,18 @@
+cis-hardening (3.3-1) unstable; urgency=medium
+
+  * fix: missing shadowtools backup files is ok (#132)
+  * feat: Dissociate iptables pkg name from command (#137)
+  * fix: Catch unexpected failures (#140)
+  * fix: Avoid find failures on too many files (#144)
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Wed, 02 Mar 2022 13:25:33 +0100
+
+cis-hardening (3.2-2) unstable; urgency=medium
+
+  * Fix empty fstab test 
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Wed, 08 Dec 2021 13:59:49 +0100
+
 cis-hardening (3.2-1) unstable; urgency=medium

  - Skip NTP and Chrony config check if they are not installed (#120)
--- a/lib/common.sh
+++ b/lib/common.sh
@ -103,6 +103,20 @@ debug() {
    if [ "$MACHINE_LOG_LEVEL" -ge 5 ]; then _logger "$GRAY" "[DBG ] $*"; fi
 }

+exception() {
+    # Trap exit code is the same as the trapped one unless we call an explicit exit
+    TRAP_CODE=$?
+    if [ "$ACTIONS_DONE" -ne 1 ]; then
+        if [ "$BATCH_MODE" -eq 1 ]; then
+            BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT KO{Unexpected exit code: $TRAP_CODE}"
+            becho "$BATCH_OUTPUT"
+        else
+            crit "Check failed with unexpected exit code: $TRAP_CODE"
+        fi
+        exit 1 # Means critical status
+    fi
+}
+
 #
 # sudo wrapper
 # issue crit state if not allowed to perform sudo
--- a/lib/main.sh
+++ b/lib/main.sh
@ -11,6 +11,7 @@ status=""
 forcedstatus=""
 SUDO_CMD=""
 SAVED_LOGLEVEL=""
+ACTIONS_DONE=0

 if [ -n "${LOGLEVEL:-}" ]; then
    SAVED_LOGLEVEL=$LOGLEVEL
@ -111,6 +112,9 @@ if [ -z "$status" ]; then
    exit 2
 fi

+# We want to trap unexpected failures in check scripts
+trap exception EXIT
+
 case $status in
 enabled | true)
    info "Checking Configuration"
@ -128,6 +132,7 @@ audit)
    ;;
 disabled | false)
    info "$SCRIPT_NAME is disabled, ignoring"
+    ACTIONS_DONE=1
    exit 2 # Means unknown status
    ;;
 *)
@ -135,6 +140,8 @@ disabled | false)
    ;;
 esac

+ACTIONS_DONE=1
+
 if [ "$CRITICAL_ERRORS_NUMBER" -eq 0 ]; then
    if [ "$BATCH_MODE" -eq 1 ]; then
        BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -415,9 +415,9 @@ is_kernel_option_enabled() {
 is_a_partition() {
    local PARTITION=$1
    FNRET=128
-    if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
+    if [ ! -f /etc/fstab ] || [ -z "$(sed '/^#/d' /etc/fstab)" ]; then
        debug "/etc/fstab not found or empty, searching mountpoint"
-        if mountpoint "$PARTITION" | grep -qE ".*is a mountpoint.*"; then
+        if mountpoint -q "$PARTITION"; then
            FNRET=0
        fi
    else
@ -448,8 +448,8 @@ is_mounted() {
 has_mount_option() {
    local PARTITION=$1
    local OPTION=$2
-    if [ ! -f /etc/fstab ] || [ -n "$(sed '/^#/d' /etc/fstab)" ]; then
-        debug "/etc/fstab not found or empty, readin current mount options"
+    if [ ! -f /etc/fstab ] || [ -z "$(sed '/^#/d' /etc/fstab)" ]; then
+        debug "/etc/fstab not found or empty, reading current mount options"
        has_mounted_option "$PARTITION" "$OPTION"
    else
        if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" | awk '{print $4}' | grep -q "bind"; then
--- a/tests/hardening/1.1.15_run_shm_nodev.sh
+++ b/tests/hardening/1.1.15_run_shm_nodev.sh
@ -2,15 +2,14 @@
 # run-shellcheck
 test_audit() {
    describe Running on blank host
-    register_test retvalshouldbe 1
-    dismiss_count_for_test
+    register_test retvalshouldbe 0
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    ln -s /dev/shm /run/shm

    describe Partition symlink
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    # Cleanup
--- a/tests/hardening/1.1.16_run_shm_nosuid.sh
+++ b/tests/hardening/1.1.16_run_shm_nosuid.sh
@ -3,14 +3,13 @@
 test_audit() {
    describe Running on blank host
    register_test retvalshouldbe 0
-    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    ln -s /dev/shm /run/shm

    describe Partition symlink
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    # Cleanup
--- a/tests/hardening/1.1.17_run_shm_noexec.sh
+++ b/tests/hardening/1.1.17_run_shm_noexec.sh
@ -3,14 +3,13 @@
 test_audit() {
    describe Running on blank host
    register_test retvalshouldbe 0
-    dismiss_count_for_test
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    ln -s /dev/shm /run/shm

    describe Partition symlink
-    register_test retvalshouldbe 1
+    register_test retvalshouldbe 0
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    # Cleanup
--- a/tests/hardening/6.1.3_etc_gshadow-_permissions.sh
+++ b/tests/hardening/6.1.3_etc_gshadow-_permissions.sh
@ -37,6 +37,12 @@ test_audit() {
    register_test contain "has correct ownership"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    describe Missing File should be OK as well
+    rm "$test_file"
+    register_test retvalshouldbe 0
+    register_test contain "does not exist"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    # Cleanup
    userdel "$test_user"
 }
--- a/tests/hardening/6.1.6_etc_passwd-_permissions.sh
+++ b/tests/hardening/6.1.6_etc_passwd-_permissions.sh
@ -37,6 +37,12 @@ test_audit() {
    register_test contain "has correct ownership"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    describe Missing File should be OK as well
+    rm "$test_file"
+    register_test retvalshouldbe 0
+    register_test contain "does not exist"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    # Cleanup
    userdel "$test_user"
 }
--- a/tests/hardening/6.1.7_etc_shadow-_permissions.sh
+++ b/tests/hardening/6.1.7_etc_shadow-_permissions.sh
@ -37,6 +37,12 @@ test_audit() {
    register_test contain "has correct ownership"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    describe Missing File should be OK as well
+    rm "$test_file"
+    register_test retvalshouldbe 0
+    register_test contain "does not exist"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    # Cleanup
    userdel "$test_user"
 }
--- a/tests/hardening/6.1.8_etc_group-_permissions.sh
+++ b/tests/hardening/6.1.8_etc_group-_permissions.sh
@ -37,6 +37,12 @@ test_audit() {
    register_test contain "has correct ownership"
    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    describe Missing File should be OK as well
+    rm "$test_file"
+    register_test retvalshouldbe 0
+    register_test contain "does not exist"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    # Cleanup
    userdel "$test_user"
 }
Author	SHA1	Message	Date
Tarik Megzari	8320d0eecc	CI: Fix release action (#147 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-03-03 12:02:12 +01:00
Tarik Megzari	a0d33ab158	Update changelog for release 3.3-1 (#146 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-03-03 10:26:42 +01:00
Jan Schmidle	a6a22084e1	missing shadowtools backup files is ok (#132 ) * missing shadowtools backup files is ok * update corresponding test cases	2022-03-02 18:05:37 +01:00
Tarik Megzari	b962155a3c	fix: Avoid find failures on too many files (#144 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>	2022-03-02 17:49:28 +01:00
dependabot[bot]	20bf51f65b	Bump actions/checkout from 2 to 3 (#145 ) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-02 00:14:50 +01:00
dependabot[bot]	adfe28470a	Bump metcalfc/changelog-generator from 1.0.0 to 3.0.0 (#133 ) Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 1.0.0 to 3.0.0. - [Release notes](https://github.com/metcalfc/changelog-generator/releases) - [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png) - [Commits](https://github.com/metcalfc/changelog-generator/compare/v1.0.0...v3.0.0) --- updated-dependencies: - dependency-name: metcalfc/changelog-generator dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-01 23:48:57 +01:00
dependabot[bot]	c94ee10afe	Bump EndBug/add-and-commit from 7 to 8.0.2 (#142 ) Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 7 to 8.0.2. - [Release notes](https://github.com/EndBug/add-and-commit/releases) - [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md) - [Commits](https://github.com/EndBug/add-and-commit/compare/v7...v8.0.2) --- updated-dependencies: - dependency-name: EndBug/add-and-commit dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-01 20:39:39 +01:00
dependabot[bot]	453a72b8c8	Bump actions-ecosystem/action-get-latest-tag from 1.4.1 to 1.5.0 (#143 ) Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.4.1 to 1.5.0. - [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases) - [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.4.1...v1.5.0) --- updated-dependencies: - dependency-name: actions-ecosystem/action-get-latest-tag dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-03-01 20:28:33 +01:00
Tarik Megzari	bb03764918	fix: Catch unexpected failures (#140 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-01-31 15:38:38 +01:00
Tarik Megzari	17d272420a	feat: Dissociate iptables pkg name from command (#137 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2021-12-27 15:40:55 +01:00
Tarik Megzari	f1c1517bd2	Update changelog for release 3.2-2 (#135 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2021-12-13 16:06:57 +01:00
tdenof	1341622335	Fix empty fstab test (#134 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com> Co-authored-by: Thibault Dewailly <thibault.dewailly@corp.ovh.com>	2021-12-08 08:42:22 +01:00