debian-cis/tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh

# shellcheck shell=bash
# run-shellcheck
test_audit() {
    describe Running on blank host
    register_test retvalshouldbe 0
    register_test contain "There is no password in /etc/shadow"
    dismiss_count_for_test
    # shellcheck disable=2154
    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    cp -a /etc/shadow /tmp/shadow.bak
    sed -i 's/secaudit:!/secaudit:mypassword/' /etc/shadow
    describe Fail: Found unsecure password
    register_test retvalshouldbe 1
    register_test contain "User secaudit has a password that is not"
    run unsecpasswd "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow
    describe Fail: Found disabled password
    register_test retvalshouldbe 0
    register_test contain "User secaudit has a disabled password"
    run lockedpasswd "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    mv /tmp/shadow.bak /etc/shadow
    chpasswd -c SHA512 <<EOF
secaudit:mypassword
EOF
    describe Pass: Found properly hashed password
    register_test retvalshouldbe 0
    register_test contain "User secaudit has suitable"
    run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all

    chpasswd -c SHA512 -s 1000 <<EOF
secaudit:mypassword
EOF
    describe Pass: Found properly hashed password with custom round number
    register_test retvalshouldbe 0
    register_test contain "User secaudit has suitable"
    run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
}
Adapt all scripts to yescrypt (#216) * Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)" This reverts commit 670c8c62f512afa562f6f77279341910a7f59181. We still want to verify the preexisting hashes in /etc/shadow, even if the PAM configuration is correct for new passwords (5.3.4). * Adapt 5.3.4, 99.5.4.5.1 and 99.5.4.5.2 to yescrypt 2023-11-21 17:43:31 +01:00			`# shellcheck shell=bash`
			`# run-shellcheck`
			`test_audit() {`
			`describe Running on blank host`
			`register_test retvalshouldbe 0`
			`register_test contain "There is no password in /etc/shadow"`
			`dismiss_count_for_test`
			`# shellcheck disable=2154`
			`run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`cp -a /etc/shadow /tmp/shadow.bak`
			`sed -i 's/secaudit:!/secaudit:mypassword/' /etc/shadow`
			`describe Fail: Found unsecure password`
			`register_test retvalshouldbe 1`
			`register_test contain "User secaudit has a password that is not"`
			`run unsecpasswd "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow`
			`describe Fail: Found disabled password`
			`register_test retvalshouldbe 0`
			`register_test contain "User secaudit has a disabled password"`
			`run lockedpasswd "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`mv /tmp/shadow.bak /etc/shadow`
			`chpasswd -c SHA512 <<EOF`
			`secaudit:mypassword`
			`EOF`
			`describe Pass: Found properly hashed password`
			`register_test retvalshouldbe 0`
			`register_test contain "User secaudit has suitable"`
			`run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`

			`chpasswd -c SHA512 -s 1000 <<EOF`
			`secaudit:mypassword`
			`EOF`
			`describe Pass: Found properly hashed password with custom round number`
			`register_test retvalshouldbe 0`
			`register_test contain "User secaudit has suitable"`
			`run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all`
			`}`