debian-cis/tests/hardening/5.3.4_acc_pam_sha512.sh

# shellcheck shell=bash
# run-shellcheck
test_audit() {
    describe Running on blank host
    register_test retvalshouldbe 0
    register_test contain "is present in /etc/pam.d/common-password"
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    describe Tests purposely failing
    sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password"   # Debian 10
    sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
    register_test retvalshouldbe 1
    register_test contain "is not present"
    run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    describe correcting situation
    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true

    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "is present in /etc/pam.d/common-password"
    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    # DEB_MAJ_VER cannot be overwritten here;
    # therefore we need to trick get_debian_major_version
    ORIGINAL_DEB_VER="$(cat /etc/debian_version)"
    echo "sid" >/etc/debian_version

    describe Running on blank host as sid
    register_test retvalshouldbe 0
    register_test contain "(sha512|yescrypt)"
    run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    describe Tests purposely failing as sid
    sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password"   # Debian 10
    sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+
    register_test retvalshouldbe 1
    register_test contain "is not present"
    run noncompliantsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    describe correcting situation as sid
    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
    "${CIS_CHECKS_DIR}/${script}.sh" --apply || true

    describe Checking resolved state as sid
    register_test retvalshouldbe 0
    register_test contain "is present in /etc/pam.d/common-password"
    run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    # Cleanup
    echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version
    unset ORIGINAL_DEB_VER
}
IMP(shellcheck): add prefix to define shell (SC2148) 2020-11-27 09:22:47 +01:00			`# shellcheck shell=bash`
Migrate generic checks from secaudit to cis-hardening new file: 99.3.1_acc_shadow_sha512.sh new file: 99.3.2_acc_sudoers_no_all.sh new file: 99.4_net_fw_default_policy_drop.sh new file: 99.5.1_ssh_auth_pubk_only.sh new file: 99.5.2.1_ssh_cry_kex.sh new file: 99.5.2.2_ssh_cry_mac.sh new file: 99.5.2.3_ssh_cry_rekey.sh new file: 99.5.3_ssh_disable_features.sh new file: 99.5.4_ssh_keys_from.sh new file: 99.5.5_ssh_strict_modes.sh new file: 99.5.6_ssh_sys_accept_env.sh new file: 99.5.7_ssh_sys_no_legacy.sh new file: 99.5.8_ssh_sys_sandbox.sh new file: 99.5.9_ssh_log_level.sh Fix descriptions in comment section for 99.* secaudit checks Remove duplicated legacy services that are already taken care of by vanilla cis Enable custom configuration of checks in config-file, no more hard coded conf Add test to disable check if debian version is too old Add excused IPs while checking "from" field of authorized_keys Escaping dots in IPs Manage Kex for different debian versions Add tests for generic checks and add apply for ssh config Apply shellcheck recommendations on audit/hardening scripts Update script to check for allowed IPs only, remove bastion related Fill `apply` func for ssh config related scripts Add and update tests scenarii Disable shellcheck test for external source 1091 As of today, the entire project is not shellcheck compliant, I prefer disabling the test that warns about not finding external source (that arent compliant). I will enable it again when the project library will be shellchecked https://github.com/koalaman/shellcheck/wiki/SC1091 Refactor password policy check with one check by feature Previous file will now only look for bad passwords in /etc/shadow I added two checks that look for the compliant configuration lines in conf files /etc/logins.defs and /etc/pam.d/common-passwords FIX: merge chained sed and fix regex FIX: update regex to capture more output FIX: fix pattern to ignore commented lines, add apply Also add tests to ensure that commented lines are not detected as valid configuration CHORE: cleanup test situation with file and users removal IMP: add case insensitive option when looking for patterns in files CHORE: removed duplicated line in test file 2017-12-20 15:14:30 +01:00			`# run-shellcheck`
			`test_audit() {`
			`describe Running on blank host`
			`register_test retvalshouldbe 0`
Adapt all scripts to yescrypt (#216) * Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)" This reverts commit 670c8c62f512afa562f6f77279341910a7f59181. We still want to verify the preexisting hashes in /etc/shadow, even if the PAM configuration is correct for new passwords (5.3.4). * Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt 2023-11-21 17:43:31 +01:00			`register_test contain "is present in /etc/pam.d/common-password"`
Migrate generic checks from secaudit to cis-hardening new file: 99.3.1_acc_shadow_sha512.sh new file: 99.3.2_acc_sudoers_no_all.sh new file: 99.4_net_fw_default_policy_drop.sh new file: 99.5.1_ssh_auth_pubk_only.sh new file: 99.5.2.1_ssh_cry_kex.sh new file: 99.5.2.2_ssh_cry_mac.sh new file: 99.5.2.3_ssh_cry_rekey.sh new file: 99.5.3_ssh_disable_features.sh new file: 99.5.4_ssh_keys_from.sh new file: 99.5.5_ssh_strict_modes.sh new file: 99.5.6_ssh_sys_accept_env.sh new file: 99.5.7_ssh_sys_no_legacy.sh new file: 99.5.8_ssh_sys_sandbox.sh new file: 99.5.9_ssh_log_level.sh Fix descriptions in comment section for 99.* secaudit checks Remove duplicated legacy services that are already taken care of by vanilla cis Enable custom configuration of checks in config-file, no more hard coded conf Add test to disable check if debian version is too old Add excused IPs while checking "from" field of authorized_keys Escaping dots in IPs Manage Kex for different debian versions Add tests for generic checks and add apply for ssh config Apply shellcheck recommendations on audit/hardening scripts Update script to check for allowed IPs only, remove bastion related Fill `apply` func for ssh config related scripts Add and update tests scenarii Disable shellcheck test for external source 1091 As of today, the entire project is not shellcheck compliant, I prefer disabling the test that warns about not finding external source (that arent compliant). I will enable it again when the project library will be shellchecked https://github.com/koalaman/shellcheck/wiki/SC1091 Refactor password policy check with one check by feature Previous file will now only look for bad passwords in /etc/shadow I added two checks that look for the compliant configuration lines in conf files /etc/logins.defs and /etc/pam.d/common-passwords FIX: merge chained sed and fix regex FIX: update regex to capture more output FIX: fix pattern to ignore commented lines, add apply Also add tests to ensure that commented lines are not detected as valid configuration CHORE: cleanup test situation with file and users removal IMP: add case insensitive option when looking for patterns in files CHORE: removed duplicated line in test file 2017-12-20 15:14:30 +01:00			`# shellcheck disable=2154`
Replace CIS_ROOT_DIR by a more flexible system (#204) * Replace CIS_ROOT_DIR by a more flexible system * Try to adapt the logic change to the functional tests 2023-09-25 14:24:01 +02:00			`run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`
fix: invalid behavior on sid/alternative in 5.3.4/99.5.4.5.1 (#237) 2024-04-09 17:12:31 +02:00
			`describe Tests purposely failing`
			`sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password" # Debian 10`
			`sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+`
			`register_test retvalshouldbe 1`
			`register_test contain "is not present"`
			`run noncompliant "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`describe correcting situation`
			`sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"`
			`"${CIS_CHECKS_DIR}/${script}.sh" --apply \|\| true`

			`describe Checking resolved state`
			`register_test retvalshouldbe 0`
			`register_test contain "is present in /etc/pam.d/common-password"`
			`run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`# DEB_MAJ_VER cannot be overwritten here;`
			`# therefore we need to trick get_debian_major_version`
			`ORIGINAL_DEB_VER="$(cat /etc/debian_version)"`
			`echo "sid" >/etc/debian_version`

			`describe Running on blank host as sid`
			`register_test retvalshouldbe 0`
			`register_test contain "(sha512\|yescrypt)"`
			`run blanksid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`describe Tests purposely failing as sid`
			`sed -i '/pam_unix.so/ s/sha512/sha256/' "/etc/pam.d/common-password" # Debian 10`
			`sed -i '/pam_unix.so/ s/yescrypt/sha256/' "/etc/pam.d/common-password" # Debian 11+`
			`register_test retvalshouldbe 1`
			`register_test contain "is not present"`
			`run noncompliantsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`describe correcting situation as sid`
			`sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"`
			`"${CIS_CHECKS_DIR}/${script}.sh" --apply \|\| true`

			`describe Checking resolved state as sid`
			`register_test retvalshouldbe 0`
			`register_test contain "is present in /etc/pam.d/common-password"`
			`run solvedsid "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`# Cleanup`
			`echo -n "$ORIGINAL_DEB_VER" >/etc/debian_version`
			`unset ORIGINAL_DEB_VER`
Migrate generic checks from secaudit to cis-hardening new file: 99.3.1_acc_shadow_sha512.sh new file: 99.3.2_acc_sudoers_no_all.sh new file: 99.4_net_fw_default_policy_drop.sh new file: 99.5.1_ssh_auth_pubk_only.sh new file: 99.5.2.1_ssh_cry_kex.sh new file: 99.5.2.2_ssh_cry_mac.sh new file: 99.5.2.3_ssh_cry_rekey.sh new file: 99.5.3_ssh_disable_features.sh new file: 99.5.4_ssh_keys_from.sh new file: 99.5.5_ssh_strict_modes.sh new file: 99.5.6_ssh_sys_accept_env.sh new file: 99.5.7_ssh_sys_no_legacy.sh new file: 99.5.8_ssh_sys_sandbox.sh new file: 99.5.9_ssh_log_level.sh Fix descriptions in comment section for 99.* secaudit checks Remove duplicated legacy services that are already taken care of by vanilla cis Enable custom configuration of checks in config-file, no more hard coded conf Add test to disable check if debian version is too old Add excused IPs while checking "from" field of authorized_keys Escaping dots in IPs Manage Kex for different debian versions Add tests for generic checks and add apply for ssh config Apply shellcheck recommendations on audit/hardening scripts Update script to check for allowed IPs only, remove bastion related Fill `apply` func for ssh config related scripts Add and update tests scenarii Disable shellcheck test for external source 1091 As of today, the entire project is not shellcheck compliant, I prefer disabling the test that warns about not finding external source (that arent compliant). I will enable it again when the project library will be shellchecked https://github.com/koalaman/shellcheck/wiki/SC1091 Refactor password policy check with one check by feature Previous file will now only look for bad passwords in /etc/shadow I added two checks that look for the compliant configuration lines in conf files /etc/logins.defs and /etc/pam.d/common-passwords FIX: merge chained sed and fix regex FIX: update regex to capture more output FIX: fix pattern to ignore commented lines, add apply Also add tests to ensure that commented lines are not detected as valid configuration CHORE: cleanup test situation with file and users removal IMP: add case insensitive option when looking for patterns in files CHORE: removed duplicated line in test file 2017-12-20 15:14:30 +01:00			`}`