2020-12-22 14:42:45 +01:00
|
|
|
# shellcheck shell=bash
|
|
|
|
|
# run-shellcheck
|
|
|
|
|
test_audit() {
|
|
|
|
|
describe Running on blank host
|
|
|
|
|
register_test retvalshouldbe 0
|
|
|
|
|
dismiss_count_for_test
|
|
|
|
|
# shellcheck disable=2154
|
2023-09-25 14:24:01 +02:00
|
|
|
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2020-12-22 14:42:45 +01:00
|
|
|
|
2021-04-27 16:04:13 +02:00
|
|
|
echo "maxsessions 1" >>/etc/ssh/sshd_config
|
|
|
|
|
|
|
|
|
|
describe Running restrictive
|
|
|
|
|
register_test retvalshouldbe 0
|
|
|
|
|
register_test contain "[ OK ] 1 is lower than recommended 10"
|
2023-09-25 14:24:01 +02:00
|
|
|
run restrictive "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2021-04-27 16:04:13 +02:00
|
|
|
|
|
|
|
|
# delete last line
|
|
|
|
|
sed -i '$ d' /etc/ssh/sshd_config
|
|
|
|
|
echo "maxsessions 15" >>/etc/ssh/sshd_config
|
|
|
|
|
|
|
|
|
|
describe Running too permissive
|
|
|
|
|
register_test retvalshouldbe 1
|
|
|
|
|
register_test contain "[ KO ] 15 is higher than recommended 10"
|
2023-09-25 14:24:01 +02:00
|
|
|
run permissive "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2021-04-27 16:04:13 +02:00
|
|
|
|
2020-12-23 11:41:53 +01:00
|
|
|
describe Correcting situation
|
|
|
|
|
# `apply` performs a service reload after each change in the config file
|
|
|
|
|
# the service needs to be started for the reload to succeed
|
|
|
|
|
service ssh start
|
|
|
|
|
# if the audit script provides "apply" option, enable and run it
|
2023-09-25 14:24:01 +02:00
|
|
|
sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
|
|
|
"${CIS_CHECKS_DIR}/${script}.sh" || true
|
2020-12-23 11:41:53 +01:00
|
|
|
|
|
|
|
|
describe Checking resolved state
|
|
|
|
|
register_test retvalshouldbe 0
|
|
|
|
|
register_test contain "[ OK ] ^maxsessions[[:space:]]*10 is present in /etc/ssh/sshd_config"
|
2023-09-25 14:24:01 +02:00
|
|
|
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2020-12-22 15:58:10 +01:00
|
|
|
}
|
