2020-11-27 09:22:47 +01:00
|
|
|
# shellcheck shell=bash
|
2017-12-20 15:14:30 +01:00
|
|
|
# run-shellcheck
|
|
|
|
test_audit() {
|
|
|
|
describe Running on blank host
|
|
|
|
register_test retvalshouldbe 0
|
|
|
|
register_test contain "There is no password in /etc/shadow"
|
2020-11-05 14:24:57 +01:00
|
|
|
dismiss_count_for_test
|
2017-12-20 15:14:30 +01:00
|
|
|
# shellcheck disable=2154
|
|
|
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
|
|
|
|
|
|
cp -a /etc/shadow /tmp/shadow.bak
|
|
|
|
sed -i 's/secaudit:!/secaudit:mypassword/' /etc/shadow
|
|
|
|
describe Fail: Found unsecure password
|
|
|
|
register_test retvalshouldbe 1
|
|
|
|
register_test contain "User secaudit has a password that is not SHA512 hashed"
|
|
|
|
run unsecpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
|
|
|
2019-08-28 11:49:01 +02:00
|
|
|
sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow
|
|
|
|
describe Fail: Found disabled password
|
|
|
|
register_test retvalshouldbe 0
|
|
|
|
register_test contain "User secaudit has a disabled password"
|
|
|
|
run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
|
|
|
2017-12-20 15:14:30 +01:00
|
|
|
mv /tmp/shadow.bak /etc/shadow
|
2020-12-04 14:08:01 +01:00
|
|
|
chpasswd <<EOF
|
2017-12-20 15:14:30 +01:00
|
|
|
secaudit:mypassword
|
|
|
|
EOF
|
|
|
|
describe Pass: Found properly hashed password
|
|
|
|
register_test retvalshouldbe 0
|
|
|
|
register_test contain "User secaudit has suitable SHA512 hashed password"
|
|
|
|
run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
|
|
}
|