elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-15 21:32:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie:v4.1-4
Branches Tags
elie:master elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1
...
compare: elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0
Branches Tags
elie:damcava35/deb12_scripts_2 elie:damcava35/update_lib elie:damcava35/new_scripts elie:master elie:damcava35/issue_249 elie:damcava35/drop_debian10 elie:damcava35/is_ip_v6_enabled elie:damcava35/issue_195 elie:damcava35/fix_only elie:damcava35/fix_packaging elie:damcava35/set_version elie:damcava35/test_pre_commit elie:dev/thibault.dewailly/deb12 elie:dependabot/github_actions/luizm/action-sh-checker-0.9.0 elie:dev/thibault.dewailly/set_hardening_level elie:dev/thibault.dewailly/syslogng_remotecheck
elie:latest elie:v4.1-5 elie:v4.1-4 elie:v4.1-3 elie:v4.1-2 elie:v4.1-1 elie:v4.0-1 elie:v3.8-1 elie:v3.7-1 elie:v3.6-1 elie:v3.5-1 elie:v3.4-1 elie:v3.3-1 elie:v3.2-2 elie:v3.2-1 elie:v3.2-0 elie:v3.1-6 elie:v3.1-5 elie:v3.1-4 elie:v3.1-3 elie:v3.1-2 elie:v3.1-1 elie:v3.1-0 elie:v3.0-1 elie:v3.0 elie:v2.1-6 elie:v2.1-5 elie:v2.1-4 elie:v2.1-3 elie:v2.1-2 elie:v2.1-1 elie:v2.0-6 elie:v2.0-5 elie:v2.0-4 elie:v1.3-4 elie:v1.3-3 elie:v1.3-2 elie:v1.3 elie:v1.2-1 elie:v1.1-1

6 Commits
v4.1-4 ... dependabot

Author SHA1 Message Date
dependabot[bot]
1733d1f460 build(deps): bump luizm/action-sh-checker from 0.8.0 to 0.9.0 
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.8.0 to 0.9.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-09-16 22:28:53 +00:00
dependabot[bot]
9a225c6157 build(deps): bump dev-drprasad/delete-tag-and-release from 1.0.1 to 1.1 (#238) 
Bumps [dev-drprasad/delete-tag-and-release](https://github.com/dev-drprasad/delete-tag-and-release) from 1.0.1 to 1.1.
- [Release notes](https://github.com/dev-drprasad/delete-tag-and-release/releases)
- [Commits](https://github.com/dev-drprasad/delete-tag-and-release/compare/v1.0.1...v1.1)

---
updated-dependencies:
- dependency-name: dev-drprasad/delete-tag-and-release
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-10 17:47:36 +02:00
Hugo COURTIAL
6079b16611 fix: invalid behavior on sid/alternative in 5.3.4/99.5.4.5.1 (#237) 2024-04-09 17:12:31 +02:00
dependabot[bot]
f7cdf438d4 build(deps): bump metcalfc/changelog-generator from 4.2.0 to 4.3.1 (#234) 
Bumps [metcalfc/changelog-generator](https://github.com/metcalfc/changelog-generator) from 4.2.0 to 4.3.1.
- [Release notes](https://github.com/metcalfc/changelog-generator/releases)
- [Changelog](https://github.com/metcalfc/changelog-generator/blob/main/release-notes.png)
- [Commits](https://github.com/metcalfc/changelog-generator/compare/v4.2.0...v4.3.1)

---
updated-dependencies:
- dependency-name: metcalfc/changelog-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
 2024-03-05 09:33:10 +01:00
Isma399
43fc23ee40 fix: catch cidr network in ssh keys (#236) 
Co-authored-by: Ismaël Tanguy <ismael.tanguy@ovhcloud.com>
 2024-02-22 17:55:03 +01:00
GoldenKiwi
3bd4078e70 fix: allow set-hardening-level option usage (#232) 
Was broken since 2020, fixes #230
 2024-02-01 17:09:35 +01:00
10 changed files with 92 additions and 16 deletions
Expand all files Collapse all files

4
.github/workflows/pre-release.yml vendored
View File

@ -21,7 +21,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v1.0.1
uses: dev-drprasad/delete-tag-and-release@v1.1
with:
delete_release: true
tag_name: latest
@ -34,7 +34,7 @@ jobs:
# GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
- name: Generate changelog
id: changelog
uses: metcalfc/changelog-generator@v4.2.0
uses: metcalfc/changelog-generator@v4.3.1
with:
myToken: ${{ secrets.GITHUB_TOKEN }}
head-ref: ${{ github.sha }}

2
.github/workflows/shellcheck_and_shellfmt.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@v4
- name: Run the sh-checker
uses: luizm/action-sh-checker@v0.8.0
uses: luizm/action-sh-checker@v0.9.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.

2
.github/workflows/tagged-release.yml vendored
View File

@ -33,7 +33,7 @@ jobs:
find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
# DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
- name: Delete the tag latest and the release latest
uses: dev-drprasad/delete-tag-and-release@v1.0.1
uses: dev-drprasad/delete-tag-and-release@v1.1
with:
delete_release: true
tag_name: latest

2
bin/hardening.sh
View File

@ -192,7 +192,7 @@ while [[ $# -gt 0 ]]; do
done
# if no RUN_MODE was passed, usage and quit
if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ]; then
if [ "$AUDIT" -eq 0 ] && [ "$AUDIT_ALL" -eq 0 ] && [ "$AUDIT_ALL_ENABLE_PASSED" -eq 0 ] && [ "$APPLY" -eq 0 ] && [ "$CREATE_CONFIG" -eq 0 ] && [ "$SET_HARDENING_LEVEL" -eq 0 ]; then
usage
fi

5
bin/hardening/5.3.4_acc_pam_sha512.sh
View File

@ -49,7 +49,7 @@ apply() {
ok "$CONF_LINE is present in $CONF_FILE"
else
warn "$CONF_LINE is not present in $CONF_FILE"
if [ "$DEB_MAJ_VER" -ge "11" ]; then
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
else
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
@ -67,12 +67,11 @@ check_config() {
# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
_set_vars_jit() {
if [ "$DEB_MAJ_VER" -ge "11" ]; then
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
else
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
fi
unset -f _set_vars_jit
}
# Source Root Dir Parameter

2
bin/hardening/99.5.2.4_ssh_keys_from.sh
View File

@ -19,7 +19,7 @@ DESCRIPTION="Check <from> field in ssh authorized keys files for users with logi
# Regex looking for empty, hash starting lines, or 'from="127.127.127,127.127.127" ssh'
# shellcheck disable=2089
REGEX_FROM_IP="from=(?:'|\")(,?(\d{1,3}(\.\d{1,3}){3}))+(?:'|\")"
REGEX_FROM_IP="from=(?:'|\")(,?(\d{1,3}(\.\d{1,3}){3})(\/\d{1,2})?)+(?:'|\")"
REGEX_OK_LINES="(^(#|$)|($REGEX_FROM_IP))"
AUTHKEYFILE_PATTERN=""
AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"

5
bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
View File

@ -48,7 +48,7 @@ apply() {
if [ "$FNRET" != 0 ]; then
add_end_of_file "$CONF_FILE" "$CONF_LINE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
info "Parameter $CONF_LINE is present but with the wrong value -- Fixing"
replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
fi
fi
@ -63,14 +63,13 @@ check_config() {
# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
_set_vars_jit() {
if [ "$DEB_MAJ_VER" -ge "11" ]; then
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
CONF_LINE="ENCRYPT_METHOD YESCRYPT"
else
CONF_LINE_REGEX="ENCRYPT_METHOD SHA512"
CONF_LINE="ENCRYPT_METHOD SHA512"
fi
unset -f _set_vars_jit
}
# Source Root Dir Parameter

46
tests/hardening/5.3.4_acc_pam_sha512.sh
View File

@ -6,4 +6,50 @@ test_audit() {
register_test contain "is present in /etc/pam.d/common-password"
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Tests purposely failing
sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password" # Debian 10
sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
register_test retvalshouldbe 1
register_test contain "is not present"
run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "is present in /etc/pam.d/common-password"
run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# DEB_MAJ_VER cannot be overwritten here;
# therefore we need to trick get_debian_major_version
ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
echo "sid" >/etc/debian_version
describe Running on blank host as sid
register_test retvalshouldbe 0
register_test contain "(sha512|yescrypt)"
run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Tests purposely failing as sid
sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password" # Debian 10
sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
register_test retvalshouldbe 1
register_test contain "is not present"
run noncompliantsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe correcting situation as sid
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" --apply || true
describe Checking resolved state as sid
register_test retvalshouldbe 0
register_test contain "is present in /etc/pam.d/common-password"
run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
unset ORIGINAL_DEB_VER
}

4
tests/hardening/99.5.2.4_ssh_keys_from.sh
View File

@ -72,11 +72,11 @@ test_audit() {
run allwdfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# shellcheck disable=2016
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1/8"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
{
echo -n 'from="10.0.1.2",command="echo bla" '
cat /tmp/key1.pub
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1/8"" '
cat /tmp/key1.pub
} >>/home/secaudit/.ssh/authorized_keys2
describe Key with from and command options

36
tests/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
View File

@ -28,11 +28,43 @@ test_audit() {
run wrongconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correcting situation
sed -i 's/disabled/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" || true
describe Checking resolved state
mv /tmp/login.defs.bak /etc/login.defs
register_test retvalshouldbe 0
register_test contain "is present in /etc/login.defs"
run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# DEB_MAJ_VER cannot be overwritten here;
# therefore we need to trick get_debian_major_version
ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
echo "sid" >/etc/debian_version
describe Running on blank host as sid
register_test retvalshouldbe 0
register_test contain "(SHA512|yescrypt|YESCRYPT)"
# shellcheck disable=2154
run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
cp /etc/login.defs /tmp/login.defs.bak
sed -ir 's/ENCRYPT_METHOD[[:space:]]\+.*/ENCRYPT_METHOD MD5/' /etc/login.defs
describe Fail: wrong hash function configuration as sid
register_test retvalshouldbe 1
register_test contain "(SHA512|yescrypt|YESCRYPT)"
run wrongconfsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correcting situation as sid
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" || true
describe Checking resolved state as sid
register_test retvalshouldbe 0
register_test contain "(SHA512|yescrypt|YESCRYPT)"
run sha512passsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
unset ORIGINAL_DEB_VER
}