debian-cis/tests/hardening/99.5.4.5.1_acc_logindefs_sha512.sh

# shellcheck shell=bash
# run-shellcheck
test_audit() {
    describe Running on blank host
    register_test retvalshouldbe 0
    register_test contain "ENCRYPT_METHOD SHA512 is present in /etc/login.defs"
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    cp /etc/login.defs /tmp/login.defs.bak
    describe Line as comment
    sed -i 's/\(ENCRYPT_METHOD SHA512\)/# \1/' /etc/login.defs
    register_test retvalshouldbe 1
    register_test contain "SHA512 is not present"
    run commented /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    rm /etc/login.defs
    describe Fail: missing conf file
    register_test retvalshouldbe 1
    register_test contain "/etc/login.defs is not readable"
    run missconffile /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    cp /tmp/login.defs.bak /etc/login.defs
    sed -ir 's/ENCRYPT_METHOD[[:space:]]\+SHA512/ENCRYPT_METHOD MD5/' /etc/login.defs
    describe Fail: wrong hash function configuration
    register_test retvalshouldbe 1
    register_test contain "SHA512 is not present"
    run wrongconf /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    describe Correcting situation
    sed -i 's/disabled/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true

    describe Checking resolved state
    mv /tmp/login.defs.bak /etc/login.defs
    register_test retvalshouldbe 0
    run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
}
IMP(shellcheck): add prefix to define shell (SC2148) 2020-11-27 09:22:47 +01:00			`# shellcheck shell=bash`
Migrate generic checks from secaudit to cis-hardening new file: 99.3.1_acc_shadow_sha512.sh new file: 99.3.2_acc_sudoers_no_all.sh new file: 99.4_net_fw_default_policy_drop.sh new file: 99.5.1_ssh_auth_pubk_only.sh new file: 99.5.2.1_ssh_cry_kex.sh new file: 99.5.2.2_ssh_cry_mac.sh new file: 99.5.2.3_ssh_cry_rekey.sh new file: 99.5.3_ssh_disable_features.sh new file: 99.5.4_ssh_keys_from.sh new file: 99.5.5_ssh_strict_modes.sh new file: 99.5.6_ssh_sys_accept_env.sh new file: 99.5.7_ssh_sys_no_legacy.sh new file: 99.5.8_ssh_sys_sandbox.sh new file: 99.5.9_ssh_log_level.sh Fix descriptions in comment section for 99.* secaudit checks Remove duplicated legacy services that are already taken care of by vanilla cis Enable custom configuration of checks in config-file, no more hard coded conf Add test to disable check if debian version is too old Add excused IPs while checking "from" field of authorized_keys Escaping dots in IPs Manage Kex for different debian versions Add tests for generic checks and add apply for ssh config Apply shellcheck recommendations on audit/hardening scripts Update script to check for allowed IPs only, remove bastion related Fill `apply` func for ssh config related scripts Add and update tests scenarii Disable shellcheck test for external source 1091 As of today, the entire project is not shellcheck compliant, I prefer disabling the test that warns about not finding external source (that arent compliant). I will enable it again when the project library will be shellchecked https://github.com/koalaman/shellcheck/wiki/SC1091 Refactor password policy check with one check by feature Previous file will now only look for bad passwords in /etc/shadow I added two checks that look for the compliant configuration lines in conf files /etc/logins.defs and /etc/pam.d/common-passwords FIX: merge chained sed and fix regex FIX: update regex to capture more output FIX: fix pattern to ignore commented lines, add apply Also add tests to ensure that commented lines are not detected as valid configuration CHORE: cleanup test situation with file and users removal IMP: add case insensitive option when looking for patterns in files CHORE: removed duplicated line in test file 2017-12-20 15:14:30 +01:00			`# run-shellcheck`
			`test_audit() {`
			`describe Running on blank host`
			`register_test retvalshouldbe 0`
			`register_test contain "ENCRYPT_METHOD SHA512 is present in /etc/login.defs"`
			`# shellcheck disable=2154`
			`run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all`

			`cp /etc/login.defs /tmp/login.defs.bak`
			`describe Line as comment`
			`sed -i 's/\(ENCRYPT_METHOD SHA512\)/# \1/' /etc/login.defs`
			`register_test retvalshouldbe 1`
			`register_test contain "SHA512 is not present"`
			`run commented /opt/debian-cis/bin/hardening/"${script}".sh --audit-all`

			`rm /etc/login.defs`
			`describe Fail: missing conf file`
			`register_test retvalshouldbe 1`
			`register_test contain "/etc/login.defs is not readable"`
			`run missconffile /opt/debian-cis/bin/hardening/"${script}".sh --audit-all`

			`cp /tmp/login.defs.bak /etc/login.defs`
			`sed -ir 's/ENCRYPT_METHOD[[:space:]]\+SHA512/ENCRYPT_METHOD MD5/' /etc/login.defs`
			`describe Fail: wrong hash function configuration`
			`register_test retvalshouldbe 1`
			`register_test contain "SHA512 is not present"`
			`run wrongconf /opt/debian-cis/bin/hardening/"${script}".sh --audit-all`

			`describe Correcting situation`
			`sed -i 's/disabled/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg`
			`/opt/debian-cis/bin/hardening/"${script}".sh \|\| true`

			`describe Checking resolved state`
			`mv /tmp/login.defs.bak /etc/login.defs`
			`register_test retvalshouldbe 0`
			`run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all`
			`}`