2020-11-27 09:22:47 +01:00
|
|
|
# shellcheck shell=bash
|
2017-12-20 15:14:30 +01:00
|
|
|
# run-shellcheck
|
2020-12-04 14:08:01 +01:00
|
|
|
test_audit() {
|
2020-11-05 15:05:12 +01:00
|
|
|
# shellcheck disable=2154
|
2023-12-27 13:42:10 +01:00
|
|
|
echo 'EXCEPTION_USERS=""' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
2020-11-05 15:05:12 +01:00
|
|
|
|
2019-02-14 17:52:45 +01:00
|
|
|
skip_tests
|
2017-12-20 15:14:30 +01:00
|
|
|
# shellcheck disable=2154
|
2023-09-25 14:24:01 +02:00
|
|
|
run genconf "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2017-12-20 15:14:30 +01:00
|
|
|
|
|
|
|
|
useradd -s /bin/bash jeantestuser
|
|
|
|
|
describe Running on blank host
|
|
|
|
|
register_test retvalshouldbe 0
|
2020-11-05 15:05:12 +01:00
|
|
|
dismiss_count_for_test
|
2023-12-27 13:42:10 +01:00
|
|
|
register_test contain "[INFO] User root has a valid shell"
|
2017-12-20 15:14:30 +01:00
|
|
|
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
|
|
|
|
|
register_test contain "[INFO] User jeantestuser has a valid shell"
|
|
|
|
|
register_test contain "[INFO] User jeantestuser has no home directory"
|
|
|
|
|
# shellcheck disable=2154
|
2023-09-25 14:24:01 +02:00
|
|
|
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2017-12-20 15:14:30 +01:00
|
|
|
|
2023-12-27 13:42:10 +01:00
|
|
|
mkdir -p /root/.ssh
|
|
|
|
|
ssh-keygen -N "" -t ed25519 -f /tmp/rootkey1
|
|
|
|
|
cat /tmp/rootkey1.pub >>/root/.ssh/authorized_keys
|
|
|
|
|
describe Check /root is used for root user instead of home by placing key without from field
|
|
|
|
|
register_test retvalshouldbe 1
|
|
|
|
|
run rootcheck "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
|
|
|
|
|
|
echo 'EXCEPTION_USERS="root exceptiontestuser"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
|
|
|
|
useradd -s /bin/bash exceptiontestuser
|
|
|
|
|
describe Check multiple exception users are skipped
|
|
|
|
|
register_test retvalshouldbe 0
|
|
|
|
|
register_test contain "[INFO] User root is named in EXEPTION_USERS and is thus skipped from check."
|
|
|
|
|
register_test contain "[INFO] User exceptiontestuser is named in EXEPTION_USERS and is thus skipped from check."
|
|
|
|
|
# shellcheck disable=2154
|
|
|
|
|
run exceptionusers "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
|
|
|
|
|
2017-12-20 15:14:30 +01:00
|
|
|
mkdir -p /home/secaudit/.ssh
|
|
|
|
|
touch /home/secaudit/.ssh/authorized_keys2
|
|
|
|
|
describe empty authorized keys file
|
|
|
|
|
register_test retvalshouldbe 0
|
2023-09-25 14:24:01 +02:00
|
|
|
run emptyauthkey "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2017-12-20 15:14:30 +01:00
|
|
|
|
2019-03-15 18:17:48 +01:00
|
|
|
ssh-keygen -N "" -t ed25519 -f /tmp/key1
|
2020-12-04 14:08:01 +01:00
|
|
|
cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
|
2017-12-20 15:14:30 +01:00
|
|
|
describe Key without from field
|
|
|
|
|
register_test retvalshouldbe 1
|
2023-09-25 14:24:01 +02:00
|
|
|
run keynofrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2017-12-20 15:14:30 +01:00
|
|
|
|
2019-03-15 18:17:48 +01:00
|
|
|
{
|
2020-12-04 14:08:01 +01:00
|
|
|
echo -n 'from="127.0.0.1" '
|
|
|
|
|
cat /tmp/key1.pub
|
|
|
|
|
} >/home/secaudit/.ssh/authorized_keys2
|
2017-12-20 15:14:30 +01:00
|
|
|
describe Key with from, no ip check
|
|
|
|
|
register_test retvalshouldbe 0
|
2023-09-25 14:24:01 +02:00
|
|
|
run keyfrom "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2017-12-20 15:14:30 +01:00
|
|
|
|
|
|
|
|
# shellcheck disable=2016
|
2023-09-25 14:24:01 +02:00
|
|
|
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
2019-03-15 18:17:48 +01:00
|
|
|
{
|
2020-12-04 14:08:01 +01:00
|
|
|
echo -n 'from="10.0.1.2" '
|
|
|
|
|
cat /tmp/key1.pub
|
|
|
|
|
} >>/home/secaudit/.ssh/authorized_keys2
|
2017-12-20 15:14:30 +01:00
|
|
|
describe Key with from, filled allowed IPs, one bad ip
|
|
|
|
|
register_test retvalshouldbe 1
|
2023-09-25 14:24:01 +02:00
|
|
|
run badfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2017-12-20 15:14:30 +01:00
|
|
|
|
|
|
|
|
# shellcheck disable=2016
|
2023-09-25 14:24:01 +02:00
|
|
|
echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
2017-12-20 15:14:30 +01:00
|
|
|
describe Key with from, filled allowed IPs, all IPs allowed
|
|
|
|
|
register_test retvalshouldbe 0
|
2023-09-25 14:24:01 +02:00
|
|
|
run allwdfromip "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2017-12-20 15:14:30 +01:00
|
|
|
|
2019-03-15 18:17:48 +01:00
|
|
|
# shellcheck disable=2016
|
2024-02-22 17:55:03 +01:00
|
|
|
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1/8"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
2019-03-15 18:17:48 +01:00
|
|
|
{
|
2020-12-04 14:08:01 +01:00
|
|
|
echo -n 'from="10.0.1.2",command="echo bla" '
|
|
|
|
|
cat /tmp/key1.pub
|
2024-02-22 17:55:03 +01:00
|
|
|
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1/8"" '
|
2020-12-04 14:08:01 +01:00
|
|
|
cat /tmp/key1.pub
|
|
|
|
|
} >>/home/secaudit/.ssh/authorized_keys2
|
2019-03-15 18:17:48 +01:00
|
|
|
describe Key with from and command options
|
|
|
|
|
register_test retvalshouldbe 0
|
2023-09-25 14:24:01 +02:00
|
|
|
run keyfromcommand "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2019-03-15 18:17:48 +01:00
|
|
|
|
2019-03-05 10:49:45 +01:00
|
|
|
useradd -s /bin/bash -m jeantest2
|
|
|
|
|
# shellcheck disable=2016
|
2023-09-25 14:24:01 +02:00
|
|
|
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>"${CIS_CONF_DIR}/conf.d/${script}.cfg"
|
2019-03-05 10:49:45 +01:00
|
|
|
describe Check only specified user
|
|
|
|
|
register_test retvalshouldbe 0
|
2023-09-25 14:24:01 +02:00
|
|
|
run checkuser "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
|
2019-03-05 10:49:45 +01:00
|
|
|
|
2019-02-18 17:25:04 +01:00
|
|
|
# Cleanup
|
2023-12-27 13:42:10 +01:00
|
|
|
userdel exceptiontestuser
|
2017-12-20 15:14:30 +01:00
|
|
|
userdel jeantestuser
|
2020-11-05 10:13:14 +01:00
|
|
|
userdel -r jeantest2
|
2023-12-27 13:42:10 +01:00
|
|
|
rm -f /tmp/key1 /tmp/key1.pub /tmp/rootkey1.pub
|
|
|
|
|
rm -rf /root/.ssh
|
2017-12-20 15:14:30 +01:00
|
|
|
}
|
