debian-cis/tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh

41 lines
1.4 KiB
Bash
Raw Permalink Normal View History

# shellcheck shell=bash
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
register_test contain "There is no password in /etc/shadow"
dismiss_count_for_test
# shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
cp -a /etc/shadow /tmp/shadow.bak
sed -i 's/secaudit:!/secaudit:mypassword/' /etc/shadow
describe Fail: Found unsecure password
register_test retvalshouldbe 1
register_test contain "User secaudit has a password that is not"
run unsecpasswd "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow
describe Fail: Found disabled password
register_test retvalshouldbe 0
register_test contain "User secaudit has a disabled password"
run lockedpasswd "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
mv /tmp/shadow.bak /etc/shadow
chpasswd -c SHA512 <<EOF
secaudit:mypassword
EOF
describe Pass: Found properly hashed password
register_test retvalshouldbe 0
register_test contain "User secaudit has suitable"
run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
chpasswd -c SHA512 -s 1000 <<EOF
secaudit:mypassword
EOF
describe Pass: Found properly hashed password with custom round number
register_test retvalshouldbe 0
register_test contain "User secaudit has suitable"
run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}