
Commit be33848

Authored by damcav35 (Damien Cavagnini)
Damcava35/set version (#257)
* feat: add "--set-version" option

  This feature will allow choosing a specific CIS version to run, like debian 11 or debian 12

* chore: configure current repository as a version

  And use it as the default version. To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number. The only impact is if you are used to executing scripts directly from bin/hardening. In this case, please use the "bin/hardening.sh" wrapper as intended.

  I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh

  Also, there was a duplicate between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh; the former was kept

* chore: remove CIS recommendation numbers from bin/hardening scripts

* fix: some tests are failing

  find_ungrouped_files.sh and find_unowned_files.sh tests cannot be executed multiple times:
  - test repository is not cleaned
  - configuration is updated multiple times

  Those tests are also failing because:
  - the sed to change the status in the configuration was also changing the test folder path.
  - missing /proc in EXCLUDED paths
  - the EXCLUDED configuration doesn't have the correct format for egrep

---------

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
1 parent 99bc575 commit be33848

734 files changed

+557
-339
lines changed


bin/hardening.sh

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,7 @@ BATCH_MODE=''
2929
SUMMARY_JSON=''
3030
ASK_LOGLEVEL=''
3131
ALLOW_UNSUPPORTED_DISTRIBUTION=0
32+
USED_VERSION="default"
3233

3334
usage() {
3435
cat <<EOF
@@ -105,6 +106,13 @@ OPTIONS:
105106
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug or silent.
106107
Default value is : info
107108
109+
--set-version <version>
110+
This option allows to run the scripts as defined for a specific CIS debian version.
111+
Supported version are the folders listed in the "versions" folder.
112+
examples:
113+
--set-version debian_11
114+
--set-version ovh_legacy
115+
108116
--summary-json
109117
While performing system audit, this option sets LOGLEVEL to silent and
110118
only output a json summary at the end
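Review bot: the help text at lines 109-114 has grammar slips and omits the default: "This option allows to run the scripts" should read "This option runs the scripts as defined for a specific CIS Debian version", and "Supported version are the folders" should be "Supported versions are the folders". Since USED_VERSION is initialised to "default" at line 32, add a "Default value is : default" line here, mirroring the --loglevel entry just above.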
@@ -163,6 +171,10 @@ while [[ $# -gt 0 ]]; do
163171
ASK_LOGLEVEL=$2
164172
shift
165173
;;
174+
--set-version)
175+
USED_VERSION=$2
176+
shift
177+
;;
166178
--only)
167179
TEST_LIST[${#TEST_LIST[@]}]="$2"
168180
shift
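Review bot: `--set-version)` at line 174 assigns `$2` without checking it, so `--set-version` given as the last argument (or followed by an empty string) leaves USED_VERSION empty; the later existence check on "$CIS_VERSIONS_DIR/$USED_VERSION" then passes on the versions directory itself rather than rejecting the call. Fail fast here, e.g. `[ -z "$2" ] && { echo "--set-version requires a value"; exit 1; }` before the assignment.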
@@ -217,9 +229,20 @@ if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
217229
# shellcheck source=../lib/constants.sh
218230
[ -r "${CIS_LIB_DIR}"/constants.sh ] && . "${CIS_LIB_DIR}"/constants.sh
219231

232+
# ensure the CIS version exists
233+
does_file_exist "$CIS_VERSIONS_DIR/$USED_VERSION"
234+
if [ "$FNRET" -ne 0 ]; then
235+
echo "$USED_VERSION is not a valid version"
236+
echo "Please use '--set-version' with one of $(ls "$CIS_VERSIONS_DIR" --hide=default -m)"
237+
exit 1
238+
fi
239+
220240
# If we're on a unsupported platform and there is no flag --allow-unsupported-distribution
221241
# print warning, otherwise quit
222242

243+
# update path for the remaining of the script
244+
CIS_CHECKS_DIR="$CIS_VERSIONS_DIR/$USED_VERSION"
245+
223246
if [ "$DISTRIBUTION" != "debian" ]; then
224247
echo "Your distribution has been identified as $DISTRIBUTION which is not debian"
225248
if [ "$ALLOW_UNSUPPORTED_DISTRIBUTION" -eq 0 ]; then
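Review bot: the validation at lines 232-238 only asks whether "$CIS_VERSIONS_DIR/$USED_VERSION" exists, so it accepts a regular file as well as any value containing "/" components that resolves to an existing path outside the versions directory; check for a directory with `[ -d "$CIS_VERSIONS_DIR/$USED_VERSION" ]` and reject anything that is not a plain directory name (e.g. `case "$USED_VERSION" in */*|.|..) exit 1;; esac`), which also makes the error message's `ls "$CIS_VERSIONS_DIR"` listing the exact set of accepted values. Separately, the CIS_CHECKS_DIR assignment at line 244 is inserted between the "unsupported platform" comment at lines 240-241 and the `if` at line 246 that the comment describes; move it above line 240 so the comment stays attached to its code.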

bin/hardening/99.1.1.1_disable_cramfs.sh

Lines changed: 0 additions & 68 deletions
This file was deleted.

bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh renamed to bin/hardening/acc_logindefs_sha512.sh

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@
66
#
77

88
#
9-
# 99.5.4.5.1 Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)
9+
# Check that any password that will be created will use sha512crypt (or yescrypt for Debian 11+)
1010
#
1111

1212
set -e # One error, it's over
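Review bot: with the "99.5.4.5.1" prefix dropped from the header comment and the number also gone from the filename, nothing in the script body now says which recommendation it implements; consider keeping a short reference line in the header (the recommendation number, or a pointer to the version folder that maps this script to a recommendation) so an auditor can still trace the check back to the benchmark. The same applies to the other renamed scripts in this commit.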
Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@
66
#
77

88
#
9-
# 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
9+
# Ensure password hashing algorithm is SHA-512 (Scored)
1010
#
1111

1212
set -e # One error, it's over

bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh renamed to bin/hardening/acc_shadow_sha512.sh

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@
66
#
77

88
#
9-
# 99.5.4.5.2 Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted
9+
# Check that passwords in /etc/shadow are sha512crypt (or yescrypt for Debian 11+) hashed and salted
1010
#
1111

1212
set -e # One error, it's over

bin/hardening/99.1.3_acc_sudoers_no_all.sh renamed to bin/hardening/acc_sudoers_no_all.sh

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@
66
#
77

88
#
9-
# 99.1.3 Check there are no carte-blanche authorization in sudoers file(s).
9+
# Check there are no carte-blanche authorization in sudoers file(s).
1010
#
1111

1212
set -e # One error, it's over

bin/hardening/4.1.1.4_audit_backlog_limit.sh renamed to bin/hardening/audit_backlog_limit.sh

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@
66
#
77

88
#
9-
# 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
9+
# Ensure audit_backlog_limit is sufficient (Scored)
1010
#
1111

1212
set -e # One error, it's over
Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@
66
#
77

88
#
9-
# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
9+
# Ensure auditing for processes that start prior to auditd is enabled (Scored)
1010
#
1111

1212
set -e # One error, it's over

bin/hardening/4.1.2.1_audit_log_storage.sh renamed to bin/hardening/audit_log_storage.sh

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@
66
#
77

88
#
9-
# 4.1.2.1 Ensure audit log storage size is configured (Scored)
9+
# Ensure audit log storage size is configured (Scored)
1010
#
1111

1212
set -e # One error, it's over

bin/hardening/1.5.1_bootloader_ownership.sh renamed to bin/hardening/bootloader_ownership.sh

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@
66
#
77

88
#
9-
# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
9+
# Ensure permissions on bootloader config are configured (Scored)
1010
#
1111

1212
set -e # One error, it's over
