elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-16 22:02:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v3.3-1
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
...
compare: elie:v3.7-1
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

11 Commits
v3.3-1 ... v3.7-1

Author SHA1 Message Date
ymartin-ovh
e478a89bad bump to 3.7-1 (#160) 2022-07-04 15:37:08 +02:00
ymartin-ovh
371c23cd52 feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159) 
This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)
 2022-07-04 14:29:25 +02:00
Tarik Megzari
ea8334d516 bump to 3.6-1 (#157) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-06-27 12:13:01 +02:00
dependabot[bot]
987bb9c975 Bump luizm/action-sh-checker from 0.3.0 to 0.4.0 (#154) 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-06-26 16:58:46 +02:00
dependabot[bot]
3031bb55d1 Bump actions-ecosystem/action-get-latest-tag from 1.5.0 to 1.6.0 (#153) 
Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases)
- [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: actions-ecosystem/action-get-latest-tag
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-06-24 17:55:26 +02:00
ymartin-ovh
66ccc6316a feat: Filter the filesystem to check when the list is built. (#156) 
* feat: Attempt to filter-out filesystem that match exclusion regex.
 2022-06-24 17:45:47 +02:00
Tarik Megzari
7a3145d7f1 bump to 3.5-1 (#152) 
Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>
 2022-03-23 18:40:25 +01:00
GoldenKiwi
5c072668d5 fix: add 10s wait timeout on iptables command (#151) 
When the tested server has its iptables heavily manipulated (e.g Kubernetes)
The lock aquirement can sometimes fail, hence generating false positives
The command will retry 10 times with a 1 second interval
 2022-03-23 16:56:38 +01:00
GoldenKiwi
d1bd1eb2e7 bump to 3.4-1 (#150) 2022-03-18 16:49:25 +01:00
GoldenKiwi
ad5c71c3ce fix: allow passwd-, group- and shadow- debian default permissions (#149) 2022-03-18 16:41:49 +01:00
dependabot[bot]
33964c0a3d Bump EndBug/add-and-commit from 8.0.2 to 9 (#148) 
Bumps [EndBug/add-and-commit](https://github.com/EndBug/add-and-commit) from 8.0.2 to 9.
- [Release notes](https://github.com/EndBug/add-and-commit/releases)
- [Changelog](https://github.com/EndBug/add-and-commit/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EndBug/add-and-commit/compare/v8.0.2...v9)

---
updated-dependencies:
- dependency-name: EndBug/add-and-commit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-14 15:36:48 +01:00
25 changed files with 191 additions and 25 deletions
Expand all files Collapse all files

2
.github/workflows/compile-manual.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Produce debian man - name: Produce debian man
run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8' run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
- uses: EndBug/add-and-commit@v8.0.2 - uses: EndBug/add-and-commit@v9
with: with:
add: 'debian/cis-hardening.8' add: 'debian/cis-hardening.8'
message: 'Regenerate man pages (Github action)' message: 'Regenerate man pages (Github action)'

2
.github/workflows/pre-release.yml vendored
View File

@ -29,7 +29,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# GET LATEST VERSION TAG # GET LATEST VERSION TAG
- name: Get latest version tag - name: Get latest version tag
uses: actions-ecosystem/action-get-latest-tag@v1.5.0 uses: actions-ecosystem/action-get-latest-tag@v1.6.0
id: get-latest-tag id: get-latest-tag
# GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
- name: Generate changelog - name: Generate changelog

2
.github/workflows/shellcheck_and_shellfmt.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Run the sh-checker - name: Run the sh-checker
uses: luizm/action-sh-checker@v0.3.0 uses: luizm/action-sh-checker@v0.4.0
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt. SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.

16
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -19,16 +19,28 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
EXCEPTIONS='' EXCEPTIONS=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if setuid is set on world writable Directories" info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCEPTIONS" ]; then if [ -n "$EXCEPTIONS" ]; then
# maybe EXCEPTIONS allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
@ -45,7 +57,7 @@ audit() {
apply() { apply() {
if [ -n "$EXCEPTIONS" ]; then if [ -n "$EXCEPTIONS" ]; then
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
else else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
fi fi

3
bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
View File

@ -21,6 +21,7 @@ PACKAGE="iptables"
FW_CHAINS="INPUT FORWARD" FW_CHAINS="INPUT FORWARD"
FW_POLICY="DROP" FW_POLICY="DROP"
FW_CMD="iptables" FW_CMD="iptables"
FW_TIMEOUT="10"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -28,7 +29,7 @@ audit() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ipt=$($SUDO_CMD "$FW_CMD" -nL 2>/dev/null || true) ipt=$($SUDO_CMD "$FW_CMD" -w "$FW_TIMEOUT" -nL 2>/dev/null || true)
if [[ -z "$ipt" ]]; then if [[ -z "$ipt" ]]; then
crit "Empty return from $FW_CMD command. Aborting..." crit "Empty return from $FW_CMD command. Aborting..."
return return

17
bin/hardening/6.1.10_find_world_writable_file.sh
View File

@ -19,17 +19,28 @@ DESCRIPTION="Ensure no world writable files exist"
EXCLUDED='' EXCLUDED=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are world writable files" info "Checking if there are world writable files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# maybe EXCLUDED allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
@ -46,7 +57,7 @@ audit() {
apply() { apply() {
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
else else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
fi fi

17
bin/hardening/6.1.11_find_unowned_files.sh
View File

@ -20,17 +20,30 @@ DESCRIPTION="Ensure no unowned files or directories exist."
USER='root' USER='root'
EXCLUDED='' EXCLUDED=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are unowned files" info "Checking if there are unowned files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# maybe EXCLUDED allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some unowned files are present" crit "Some unowned files are present"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -45,7 +58,7 @@ audit() {
apply() { apply() {
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
fi fi

18
bin/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -20,17 +20,31 @@ DESCRIPTION="Ensure no ungrouped files or directories exist"
GROUP='root' GROUP='root'
EXCLUDED='' EXCLUDED=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are ungrouped files" info "Checking if there are ungrouped files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# maybe EXCLUDED allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some ungrouped files are present" crit "Some ungrouped files are present"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -45,7 +59,7 @@ audit() {
apply() { apply() {
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
fi fi

18
bin/hardening/6.1.13_find_suid_files.sh
View File

@ -18,16 +18,30 @@ HARDENING_LEVEL=2
DESCRIPTION="Find SUID system executables." DESCRIPTION="Find SUID system executables."
IGNORED_PATH='' IGNORED_PATH=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are suid files" info "Checking if there are suid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then if [ -n "$IGNORED_PATH" ]; then
# maybe IGNORED_PATH allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
BAD_BINARIES="" BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

19
bin/hardening/6.1.14_find_sgid_files.sh
View File

@ -18,16 +18,31 @@ HARDENING_LEVEL=2
DESCRIPTION="Find SGID system executables." DESCRIPTION="Find SGID system executables."
IGNORED_PATH='' IGNORED_PATH=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are sgid files" info "Checking if there are sgid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then if [ -n "$IGNORED_PATH" ]; then
# maybe IGNORED_PATH allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi fi
BAD_BINARIES="" BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

3
bin/hardening/6.1.6_etc_passwd-_permissions.sh
View File

@ -19,6 +19,7 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/passwd-"
FILE='/etc/passwd-' FILE='/etc/passwd-'
PERMISSIONS='600' PERMISSIONS='600'
PERMISSIONSOK='644 640 600'
USER='root' USER='root'
GROUP='root' GROUP='root'
@ -28,7 +29,7 @@ audit() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else

3
bin/hardening/6.1.7_etc_shadow-_permissions.sh
View File

@ -19,6 +19,7 @@ DESCRIPTION="Check 600 permissions and root:shadow ownership on /etc/shadow-"
FILE='/etc/shadow-' FILE='/etc/shadow-'
PERMISSIONS='600' PERMISSIONS='600'
PERMISSIONSOK='640 600'
USER='root' USER='root'
GROUP='shadow' GROUP='shadow'
@ -28,7 +29,7 @@ audit() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else

3
bin/hardening/6.1.8_etc_group-_permissions.sh
View File

@ -19,6 +19,7 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/group-"
FILE='/etc/group-' FILE='/etc/group-'
PERMISSIONS='600' PERMISSIONS='600'
PERMISSIONSOK='644 640 600'
USER='root' USER='root'
GROUP='root' GROUP='root'
@ -28,7 +29,7 @@ audit() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else

4
bin/hardening/99.5.2.4_ssh_keys_from.sh
View File

@ -109,7 +109,7 @@ audit() {
crit "/etc/ssh/sshd_config is not readable." crit "/etc/ssh/sshd_config is not readable."
else else
ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO') ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO')
if [ "x$ret" = "x#KO" ]; then if [ "$ret" = "#KO" ]; then
debug "No AuthorizedKeysFile defined in sshd_config." debug "No AuthorizedKeysFile defined in sshd_config."
else else
AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]") AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]")
@ -137,7 +137,7 @@ audit() {
continue continue
else else
info "User $user has a valid shell ($shell)." info "User $user has a valid shell ($shell)."
if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
check_dir /root check_dir /root
continue continue
elif $SUDO_CMD [ ! -d /home/"$user" ]; then elif $SUDO_CMD [ ! -d /home/"$user" ]; then

24
debian/changelog vendored
View File

@ -1,3 +1,27 @@
cis-hardening (3.7-1) unstable; urgency=medium
* feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
-- Yannick Martin <yannick.martin@ovhcloud.com> Mon, 04 Jul 2022 14:34:03 +0200
cis-hardening (3.6-1) unstable; urgency=medium
* feat: Filter the filesystem to check when the list is built. (#156)
-- Tarik Megzari <tarik.megzari@corp.ovh.com> Fri, 24 Jun 2022 15:49:00 +0000
cis-hardening (3.5-1) unstable; urgency=medium
* fix: add 10s wait timeout on iptables command (#151)
-- Tarik Megzari <tarik.megzari@corp.ovh.com> Wed, 23 Mar 2022 17:28:08 +0100
cis-hardening (3.4-1) unstable; urgency=medium
* fix: allow passwd-, group- and shadow- debian default permissions (#149)
-- Thibault Dewailly <thibault.dewailly@ovhcloud.com> Fri, 18 Mar 2022 15:43:24 +0000
cis-hardening (3.3-1) unstable; urgency=medium cis-hardening (3.3-1) unstable; urgency=medium
* fix: missing shadowtools backup files is ok (#132) * fix: missing shadowtools backup files is ok (#132)

4
lib/utils.sh
View File

@ -349,10 +349,10 @@ is_kernel_option_enabled() {
fi fi
ANSWER=$(cut -d = -f 2 <<<"$RESULT") ANSWER=$(cut -d = -f 2 <<<"$RESULT")
if [ "x$ANSWER" = "xy" ]; then if [ "$ANSWER" = "y" ]; then
debug "Kernel option $KERNEL_OPTION enabled" debug "Kernel option $KERNEL_OPTION enabled"
FNRET=0 FNRET=0
elif [ "x$ANSWER" = "xn" ]; then elif [ "$ANSWER" = "n" ]; then
debug "Kernel option $KERNEL_OPTION disabled" debug "Kernel option $KERNEL_OPTION disabled"
FNRET=1 FNRET=1
else else

6
tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -23,6 +23,12 @@ test_audit() {
register_test contain "Some world writable directories are not on sticky bit mode" register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true /opt/debian-cis/bin/hardening/"${script}".sh --apply || true

10
tests/hardening/6.1.10_find_world_writable_file.sh
View File

@ -5,7 +5,9 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true /opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016 # shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/thisfileisignored.*|^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
touch /home/secaudit/thisfileisignored
chmod 777 /home/secaudit/thisfileisignored
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
@ -21,6 +23,12 @@ test_audit() {
register_test contain "Some world writable files are present" register_test contain "Some world writable files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some world writable files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true /opt/debian-cis/bin/hardening/"${script}".sh --apply || true

6
tests/hardening/6.1.11_find_unowned_files.sh
View File

@ -24,6 +24,12 @@ test_audit() {
register_test contain "Some unowned files are present" register_test contain "Some unowned files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some unowned files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true /opt/debian-cis/bin/hardening/"${script}".sh || true

6
tests/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -24,6 +24,12 @@ test_audit() {
register_test contain "Some ungrouped files are present" register_test contain "Some ungrouped files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some ungrouped files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true /opt/debian-cis/bin/hardening/"${script}".sh --apply || true

6
tests/hardening/6.1.13_find_suid_files.sh
View File

@ -21,6 +21,12 @@ test_audit() {
register_test contain "$targetfile" register_test contain "$targetfile"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some suid files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe correcting situation
chmod 700 $targetfile chmod 700 $targetfile

6
tests/hardening/6.1.14_find_sgid_files.sh
View File

@ -22,6 +22,12 @@ test_audit() {
register_test contain "$targetfile" register_test contain "$targetfile"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests failing with find ignore flag
echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
register_test retvalshouldbe 1
register_test contain "Some sgid files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe correcting situation
chmod 700 $targetfile chmod 700 $targetfile

7
tests/hardening/6.1.6_etc_passwd-_permissions.sh
View File

@ -10,6 +10,13 @@ test_audit() {
local test_user="testetcpasswd-user" local test_user="testetcpasswd-user"
local test_file="/etc/passwd-" local test_file="/etc/passwd-"
describe Debian default right shall be accepted
chmod 644 "$test_file"
chown root:root "$test_file"
register_test retvalshouldbe 0
register_test contain "has correct permissions"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing describe Tests purposely failing
chmod 777 "$test_file" chmod 777 "$test_file"
register_test retvalshouldbe 1 register_test retvalshouldbe 1

7
tests/hardening/6.1.7_etc_shadow-_permissions.sh
View File

@ -10,6 +10,13 @@ test_audit() {
local test_user="testetcshadow-user" local test_user="testetcshadow-user"
local test_file="/etc/shadow-" local test_file="/etc/shadow-"
describe Debian default right shall be accepted
chmod 640 "$test_file"
chown root:shadow "$test_file"
register_test retvalshouldbe 0
register_test contain "has correct permissions"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing describe Tests purposely failing
chmod 777 "$test_file" chmod 777 "$test_file"
register_test retvalshouldbe 1 register_test retvalshouldbe 1

7
tests/hardening/6.1.8_etc_group-_permissions.sh
View File

@ -10,6 +10,13 @@ test_audit() {
local test_user="testetcgroup--user" local test_user="testetcgroup--user"
local test_file="/etc/group-" local test_file="/etc/group-"
describe Debian default right shall be accepted
chmod 644 "$test_file"
chown root:root "$test_file"
register_test retvalshouldbe 0
register_test contain "has correct permissions"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing describe Tests purposely failing
chmod 777 "$test_file" chmod 777 "$test_file"
register_test retvalshouldbe 1 register_test retvalshouldbe 1