FIX(99.5.4): fix test (permission denied on authorized_keys)

2024-11-22 05:27:01 +01:00 · 2020-11-05 15:05:12 +01:00 · 2020-11-05 15:05:12 +01:00 · 03c8e25ff3
commit 03c8e25ff3
parent 7b73eac6d6
2 changed files with 8 additions and 2 deletions
--- a/bin/hardening/99.5.4_ssh_keys_from.sh
+++ b/bin/hardening/99.5.4_ssh_keys_from.sh
@ -24,6 +24,7 @@ AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"

 ALLOWED_IPS=""
 USERS_TO_CHECK=""
+EXCEPTION_USER=""

 ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"

@ -71,7 +72,7 @@ check_file() {
        debug "Treating $file"
        FOUND_AUTHKF=1
        if $SUDO_CMD grep -vqP "$REGEX_OK_LINES" "${file}" ; then
-            bad_lines="$(grep -vnP "$REGEX_OK_LINES" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//' )"
+            bad_lines="$($SUDO_CMD grep -vnP "$REGEX_OK_LINES" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//' )"
            crit "There are anywhere access keys in ${file} at lines (${bad_lines})."
        else
            ok "File ${file} is cleared from anywhere access keys."
@ -128,7 +129,7 @@ audit () {
            continue
        else
            info "User $user has a valid shell ($shell).";
-            if [ "x$user" = "xroot" ]; then
+            if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then
                check_dir /root
                continue
            elif $SUDO_CMD [ ! -d /home/"$user" ]; then
@ -155,6 +156,7 @@ status=audit
 # Put authorized IPs you want to allow in "from" field of authorized_keys
 ALLOWED_IPS=""
 USERS_TO_CHECK=""
+EXCEPTION_USER=""
 EOF
 }

--- a/tests/hardening/99.5.4_ssh_keys_from.sh
+++ b/tests/hardening/99.5.4_ssh_keys_from.sh
@ -1,5 +1,8 @@
 # run-shellcheck
 test_audit()  {
+    # shellcheck disable=2154
+    echo 'EXCEPTION_USER="root"' >>  /opt/debian-cis/etc/conf.d/"${script}".cfg
+
    skip_tests
    # shellcheck disable=2154
    run genconf /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
@ -7,6 +10,7 @@ test_audit()  {
    useradd -s /bin/bash jeantestuser
    describe Running on blank host
    register_test retvalshouldbe 0
+    dismiss_count_for_test
    register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
    register_test contain "[INFO] User jeantestuser has a valid shell"
    register_test contain "[INFO] User jeantestuser has no home directory"