Damcava35/set version (#257)

* feat: add "--set-version" option

This feature will allow to chose a specific cis version to run, like debian 11 or debian 12

* chore: configure current repository as a version

And use it as default version.

To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number.
Only impact is if you are used to execute scripts directly from bin/hardening.
In this case, please use the "bin/hardening.sh" wrapper as intended.

I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh

Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept

* chore: remove CIS recommendation numbers from bin/hardening scripts

* fix: some tests are failing

find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times:
- test repository is not cleaned
- configuration is updated multiple times

Those tests are also failing, because:
- the sed to change the status in the configuration was also changing the test folder path.
- missing /proc in EXCLUDED paths
- the EXCLUDED configuration doesn't have the correct format for egrep

---------

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>

Author: damcav35

bin/hardening.sh

@@ -29,6 +29,7 @@ BATCH_MODE=''
 SUMMARY_JSON=''
 ASK_LOGLEVEL=''
 ALLOW_UNSUPPORTED_DISTRIBUTION=0
+USED_VERSION="default"
 
 usage() {
     cat <<EOF
@@ -105,6 +106,13 @@ OPTIONS:
         This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
         Default value is : info
 
+    --set-version <version>
+        This option allows to run the scripts as defined for a specific CIS debian version.
+        Supported version are the folders listed in the "versions" folder.
+        examples:
+          --set-version debian_11
+          --set-version ovh_legacy
+
     --summary-json
         While performing system audit, this option sets LOGLEVEL to silent and
         only output a json summary at the end
@@ -163,6 +171,10 @@ while [[ $# -gt 0 ]]; do
         ASK_LOGLEVEL=$2
         shift
         ;;
+    --set-version)
+        USED_VERSION=$2
+        shift
+        ;;
     --only)
         TEST_LIST[${#TEST_LIST[@]}]="$2"
         shift
@@ -217,9 +229,20 @@ if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
 # shellcheck source=../lib/constants.sh
 [ -r "${CIS_LIB_DIR}"/constants.sh ] && . "${CIS_LIB_DIR}"/constants.sh
 
+# ensure the CIS version exists
+does_file_exist "$CIS_VERSIONS_DIR/$USED_VERSION"
+if [ "$FNRET" -ne 0 ]; then
+    echo "$USED_VERSION is not a valid version"
+    echo "Please use '--set-version' with one of $(ls "$CIS_VERSIONS_DIR" --hide=default -m)"
+    exit 1
+fi
+
 # If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
 # print warning, otherwise quit
 
+# update path for the remaining of the script
+CIS_CHECKS_DIR="$CIS_VERSIONS_DIR/$USED_VERSION"
+
 if [ "$DISTRIBUTION" != "debian" ]; then
     echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
     if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then

bin/hardening/99.1.1.1_disable_cramfs.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.5.4.5.1 Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)
+# Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)
 #
 
 set -e # One error, it's over

…ening/99.5.4.5.1_acc_logindefs_sha512.sh bin/hardening/acc_logindefs_sha512.shbin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh renamed to bin/hardening/acc_logindefs_sha512.sh bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh renamed to bin/hardening/acc_logindefs_sha512.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+# Ensure password hashing algorithm is SHA-512 (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/5.3.4_acc_pam_sha512.sh bin/hardening/acc_pam_sha512.shbin/hardening/5.3.4_acc_pam_sha512.sh renamed to bin/hardening/acc_pam_sha512.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.5.4.5.2 Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted
+# Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted
 #
 
 set -e # One error, it's over

…ardening/99.5.4.5.2_acc_shadow_sha512.sh bin/hardening/acc_shadow_sha512.shbin/hardening/99.5.4.5.2_acc_shadow_sha512.sh renamed to bin/hardening/acc_shadow_sha512.sh bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh renamed to bin/hardening/acc_shadow_sha512.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 99.1.3 Check there are no carte-blanche authorization in sudoers file(s).
+# Check there are no carte-blanche authorization in sudoers file(s).
 #
 
 set -e # One error, it's over

…n/hardening/99.1.3_acc_sudoers_no_all.sh bin/hardening/acc_sudoers_no_all.shbin/hardening/99.1.3_acc_sudoers_no_all.sh renamed to bin/hardening/acc_sudoers_no_all.sh bin/hardening/99.1.3_acc_sudoers_no_all.sh renamed to bin/hardening/acc_sudoers_no_all.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
+# Ensure audit_backlog_limit is sufficient (Scored)
 #
 
 set -e # One error, it's over

…hardening/4.1.1.4_audit_backlog_limit.sh bin/hardening/audit_backlog_limit.shbin/hardening/4.1.1.4_audit_backlog_limit.sh renamed to bin/hardening/audit_backlog_limit.sh bin/hardening/4.1.1.4_audit_backlog_limit.sh renamed to bin/hardening/audit_backlog_limit.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
+# Ensure auditing for processes that start prior to auditd is enabled (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/4.1.1.3_audit_bootloader.sh bin/hardening/audit_bootloader.shbin/hardening/4.1.1.3_audit_bootloader.sh renamed to bin/hardening/audit_bootloader.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 4.1.2.1 Ensure audit log storage size is configured (Scored)
+# Ensure audit log storage size is configured (Scored)
 #
 
 set -e # One error, it's over

…n/hardening/4.1.2.1_audit_log_storage.sh bin/hardening/audit_log_storage.shbin/hardening/4.1.2.1_audit_log_storage.sh renamed to bin/hardening/audit_log_storage.sh bin/hardening/4.1.2.1_audit_log_storage.sh renamed to bin/hardening/audit_log_storage.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
+# Ensure permissions on bootloader config are configured (Scored)
 #
 
 set -e # One error, it's over