debian-cis
PCI-DSS compliant Debian 10/11/12 hardening
Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0. Release notes Sourced from luizm/action-sh-checker's releases. v0.5.0 shfmt and shellcheck updated Commits edd0e45 Merge pull request #55 from ruzickap/bump-versions 66466fe Bump versions See full...
cf https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#pam-default-password > The default password hash for local system accounts [has been changed](https://tracker.debian.org/news/1226655/accepted-pam-140-3-source-into-unstable/) from SHA-512 to [yescrypt](https://www.openwall.com/yescrypt/) (see [crypt(5)](https://manpages.debian.org//bullseye/libcrypt-dev/crypt.5.html)). ``` $ /opt/cis-hardening/bin/hardening.sh --sudo --audit --allow-unsupported-distribution --only 5.3.4 [...] hardening...
The script assumes that all mounted devices are present in `/etc/fstab`, which is NOT true. For example, `/dev/shm` (same as `/run/shm`) is usually not present in `/etc/fstab`, but it is...
This PR adds 4.2.1.* checks for rsyslog for systems that use rsyslog instead of syslog-ng. I have tested that having multiple tests for the same paragraph number is working correctly, even...
`4.2.1.6_remote_syslog-ng_acl.sh` uses a config variable `REMOTE_HOST` to define if currently tested host is a syslog server or not. Default configuration for this script defines `REMOTE_HOST` to `"false"` in [this line](https://github.com/ovh/debian-cis/blob/6e2fb1570c1980428b2985b6550889fffc4fd7c7/bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh#L97)...
In https://github.com/ovh/debian-cis/blob/master/bin/hardening/5.4.5_default_timeout.sh, it seems like it SHOULD be appending to /etc/bash.bashrc, /etc/profile, and /etc/profile.d/*.sh, but instead it only appends to $FILE, which is /etc/profile.d/CIS_99.1_timeout.sh (and doesn't check the contents of...
I have found this guide https://madaidans-insecurities.github.io/guides/linux-hardening.html made by a core developer of [Whonix](https://www.whonix.org/). It comes back on many points already implemented but also describes many others. It could be...
Hi! I'm trying to run this script: ``` bin/hardening/1.1.1.7_restrict_fat.sh --audit-all 1.1.1.7_restrict_fat [INFO] Working on 1.1.1.7_restrict_fat 1.1.1.7_restrict_fat [INFO] [DESCRIPTION] Limit mounting of FAT filesystems. 1.1.1.7_restrict_fat [INFO] Checking Configuration 1.1.1.7_restrict_fat...