debian-cis/tests/hardening/5.2.18_sshd_limit_access.sh

# shellcheck shell=bash
# run-shellcheck
test_audit() {
    describe Running on blank host
    register_test retvalshouldbe 1
    register_test contain "openssh-server is installed"
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    describe Correcting situation
    # `apply` performs a service reload after each change in the config file
    # the service needs to be started for the reload to succeed
    service ssh start
    # if the audit script provides "apply" option, enable and run it
    sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
    "${CIS_CHECKS_DIR}/${script}.sh" || true

    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    describe Check and report mismatch for allowed user
    useradd -s /bin/bash johnallow
    sed -i "s/ALLOWED_USERS=''/ALLOWED_USERS='johnallow'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
    register_test retvalshouldbe 1
    register_test contain "^AllowUsers[[:space:]]*johnallow is not present in /etc/ssh/sshd_config"
    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    run allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    describe Correctly apply allowed user
    # the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
    "${CIS_CHECKS_DIR}/${script}.sh" || true
    # and check again that the fix was correctly applied
    register_test retvalshouldbe 0
    register_test contain "^AllowUsers[[:space:]]*johnallow is present in /etc/ssh/sshd_config"
    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all

    describe Check and report mismatch for multiple allowed users
    useradd -s /bin/bash janeallow
    sed -i "s/johnallow/johnallow janeallow/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
    register_test retvalshouldbe 1
    register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is not present in /etc/ssh/sshd_config"
    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    run multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    describe Correctly apply multiple allowed users
    # the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
    "${CIS_CHECKS_DIR}/${script}.sh" || true
    # and check again that the fix was correctly applied
    tail -n 5 /etc/ssh/sshd_config
    register_test retvalshouldbe 0
    register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is present in /etc/ssh/sshd_config"
    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    run fix_multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    # reset allowed users to default before continuing
    sed -i "s/ALLOWED_USERS='johnallow janeallow'/ALLOWED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"

    describe Check and report mismatch for denied user
    useradd -s /bin/bash peterdeny
    sed -i "s/DENIED_USERS=''/DENIED_USERS='peterdeny'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
    register_test retvalshouldbe 1
    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^DenyUsers[[:space:]]*peterdeny is not present in /etc/ssh/sshd_config"
    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    run denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    describe Correctly apply denied user
    # the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
    "${CIS_CHECKS_DIR}/${script}.sh" || true
    # and check again that the fix was correctly applied
    register_test retvalshouldbe 0
    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^DenyUsers[[:space:]]*peterdeny is present in /etc/ssh/sshd_config"
    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all

    describe Check and report mismatch for multiple denied users
    useradd -s /bin/bash marrydeny
    sed -i "s/peterdeny/peterdeny marrydeny/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
    register_test retvalshouldbe 1
    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is not present in /etc/ssh/sshd_config"
    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    run multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    describe Correctly apply multiple denied users
    # the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
    "${CIS_CHECKS_DIR}/${script}.sh" || true
    # and check again that the fix was correctly applied
    register_test retvalshouldbe 0
    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is present in /etc/ssh/sshd_config"
    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    run fix_multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    # reset to prevent other test from possibly failing in the future
    sed -i "s/DENIED_USERS='peterdeny marrydeny'/DENIED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
    "${CIS_CHECKS_DIR}/${script}.sh" || true
    describe Checking resolved state
    register_test retvalshouldbe 0
    register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
    register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
    run cleanup_resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    # Cleanup
    userdel johnallow
    userdel janeallow
    userdel peterdeny
    userdel marrydeny
}
IMP(shellcheck): add prefix to define shell (SC2148) 2020-11-27 09:22:47 +01:00			`# shellcheck shell=bash`
Add test stub for all audit checks, to tests root/sudo consistency 2019-02-14 18:10:46 +01:00			`# run-shellcheck`
			`test_audit() {`
			`describe Running on blank host`
IMP(5.2.x): add tests and default_config I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh 2020-10-29 11:18:31 +01:00			`register_test retvalshouldbe 1`
			`register_test contain "openssh-server is installed"`
Add test stub for all audit checks, to tests root/sudo consistency 2019-02-14 18:10:46 +01:00			`# shellcheck disable=2154`
Replace CIS_ROOT_DIR by a more flexible system (#204) * Replace CIS_ROOT_DIR by a more flexible system * Try to adapt the logic change to the functional tests 2023-09-25 14:24:01 +02:00			`run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`
Add test stub for all audit checks, to tests root/sudo consistency 2019-02-14 18:10:46 +01:00
IMP(5.2.x): add tests and default_config I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh 2020-10-29 11:18:31 +01:00			`describe Correcting situation`
			# `apply` performs a service reload after each change in the config file
			`# the service needs to be started for the reload to succeed`
			`service ssh start`
			`# if the audit script provides "apply" option, enable and run it`
Replace CIS_ROOT_DIR by a more flexible system (#204) * Replace CIS_ROOT_DIR by a more flexible system * Try to adapt the logic change to the functional tests 2023-09-25 14:24:01 +02:00			`sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"`
			`"${CIS_CHECKS_DIR}/${script}.sh" \|\| true`
IMP(5.2.x): add tests and default_config I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh 2020-10-29 11:18:31 +01:00
			`describe Checking resolved state`
			`register_test retvalshouldbe 0`
			`register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
Replace CIS_ROOT_DIR by a more flexible system (#204) * Replace CIS_ROOT_DIR by a more flexible system * Try to adapt the logic change to the functional tests 2023-09-25 14:24:01 +02:00			`run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`
allow multiple users in 5.2.18 (#228) * allow multiple exception users for 99.5.2.4 * move clean up part of previous commit * split clean up part of previous commit * add tests for multiple allowed and denied ssh users * fix script to correctly set multiple allowed and denied ssh users * add cleanup resolved check to 5.2.18 * apply shellfmt to 5.2.18 --------- Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com> 2024-01-10 17:07:02 +01:00
			`describe Check and report mismatch for allowed user`
			`useradd -s /bin/bash johnallow`
			`sed -i "s/ALLOWED_USERS=''/ALLOWED_USERS='johnallow'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"`
			`register_test retvalshouldbe 1`
			`register_test contain "^AllowUsers[[:space:]]*johnallow is not present in /etc/ssh/sshd_config"`
			`register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`run allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`describe Correctly apply allowed user`
			`# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now`
			`"${CIS_CHECKS_DIR}/${script}.sh" \|\| true`
			`# and check again that the fix was correctly applied`
			`register_test retvalshouldbe 0`
			`register_test contain "^AllowUsers[[:space:]]*johnallow is present in /etc/ssh/sshd_config"`
			`register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all`

			`describe Check and report mismatch for multiple allowed users`
			`useradd -s /bin/bash janeallow`
			`sed -i "s/johnallow/johnallow janeallow/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"`
			`register_test retvalshouldbe 1`
			`register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is not present in /etc/ssh/sshd_config"`
			`register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`run multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`describe Correctly apply multiple allowed users`
			`# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now`
			`"${CIS_CHECKS_DIR}/${script}.sh" \|\| true`
			`# and check again that the fix was correctly applied`
			`tail -n 5 /etc/ssh/sshd_config`
			`register_test retvalshouldbe 0`
			`register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is present in /etc/ssh/sshd_config"`
			`register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`run fix_multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`# reset allowed users to default before continuing`
			`sed -i "s/ALLOWED_USERS='johnallow janeallow'/ALLOWED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"`

			`describe Check and report mismatch for denied user`
			`useradd -s /bin/bash peterdeny`
			`sed -i "s/DENIED_USERS=''/DENIED_USERS='peterdeny'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"`
			`register_test retvalshouldbe 1`
			`register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyUsers[[:space:]]*peterdeny is not present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`run denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`describe Correctly apply denied user`
			`# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now`
			`"${CIS_CHECKS_DIR}/${script}.sh" \|\| true`
			`# and check again that the fix was correctly applied`
			`register_test retvalshouldbe 0`
			`register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyUsers[[:space:]]*peterdeny is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all`

			`describe Check and report mismatch for multiple denied users`
			`useradd -s /bin/bash marrydeny`
			`sed -i "s/peterdeny/peterdeny marrydeny/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"`
			`register_test retvalshouldbe 1`
			`register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is not present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`run multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`describe Correctly apply multiple denied users`
			`# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now`
			`"${CIS_CHECKS_DIR}/${script}.sh" \|\| true`
			`# and check again that the fix was correctly applied`
			`register_test retvalshouldbe 0`
			`register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`run fix_multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`# reset to prevent other test from possibly failing in the future`
			`sed -i "s/DENIED_USERS='peterdeny marrydeny'/DENIED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"`
			`"${CIS_CHECKS_DIR}/${script}.sh" \|\| true`
			`describe Checking resolved state`
			`register_test retvalshouldbe 0`
			`register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"`
			`run cleanup_resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`# Cleanup`
			`userdel johnallow`
			`userdel janeallow`
			`userdel peterdeny`
			`userdel marrydeny`
Add test stub for all audit checks, to tests root/sudo consistency 2019-02-14 18:10:46 +01:00			`}`