FIX(99.5.4): fix test (permission denied on authorized_keys)
This commit is contained in:
parent
7b73eac6d6
commit
03c8e25ff3
@ -24,6 +24,7 @@ AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
ALLOWED_IPS=""
USERS_TO_CHECK=""
EXCEPTION_USER=""
ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
@ -71,7 +72,7 @@ check_file() {
debug "Treating $file"
FOUND_AUTHKF=1
if $SUDO_CMD grep -vqP "$REGEX_OK_LINES" "${file}" ; then
bad_lines="$(grep -vnP "$REGEX_OK_LINES" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//' )"
bad_lines="$($SUDO_CMD grep -vnP "$REGEX_OK_LINES" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//' )"
crit "There are anywhere access keys in ${file} at lines (${bad_lines})."
else
ok "File ${file} is cleared from anywhere access keys."
@ -128,7 +129,7 @@ audit () {
continue
else
info "User $user has a valid shell ($shell).";
if [ "x$user" = "xroot" ]; then
if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then
check_dir /root
continue
elif $SUDO_CMD [ ! -d /home/"$user" ]; then
@ -155,6 +156,7 @@ status=audit
# Put authorized IPs you want to allow in "from" field of authorized_keys
ALLOWED_IPS=""
USERS_TO_CHECK=""
EXCEPTION_USER=""
EOF
}
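Review bot: With `EXCEPTION_USER="root"`, the new condition `if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]` in audit() no longer takes the /root branch, but control then falls through to `elif $SUDO_CMD [ ! -d /home/"$user" ]`, so root is tested against /home/root instead of being skipped; on a typical host that presumably reports root as having no home directory rather than as exempted. Handling the exception before the root test makes the intent explicit and avoids the fall-through: `if [ "$user" = "$EXCEPTION_USER" ]; then info "User $user is exempted from authorized_keys checks"; continue; fi`, with the root branch left as it was. The branches after the `elif` and the rest of audit() are outside the hunk, so the exact message emitted in the fall-through case is inferred. The `EXCEPTION_USER=""` default added near AUTHKEYFILE_PATTERN_DEFAULT and the `EXCEPTION_USER=""` line in the generated configuration both lack a comment, unlike ALLOWED_IPS; a one-line `# User name exempted from the authorized_keys directory check (empty: none)` above each would document the knob. In check_file the same filtered grep now runs twice under $SUDO_CMD (once with -q, once to build bad_lines); capturing bad_lines once and testing `[ -n "$bad_lines" ]` would avoid the second privileged invocation.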
@ -1,5 +1,8 @@
# run-shellcheck
test_audit() {
# shellcheck disable=2154
echo 'EXCEPTION_USER="root"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
skip_tests
# shellcheck disable=2154
run genconf /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
@ -7,6 +10,7 @@ test_audit() {
useradd -s /bin/bash jeantestuser
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
register_test contain "[INFO] User jeantestuser has a valid shell"
register_test contain "[INFO] User jeantestuser has no home directory"
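Review bot: The appended `EXCEPTION_USER="root"` in test_audit changes what the script does for root, yet the assertions in the second hunk only cover secaudit and jeantestuser, so the exempted path is not pinned; a `register_test contain` for the line the script now emits for root (and a negative assertion on the former "/root" output, if the framework offers one) would catch a regression in the exception handling. The `>>` append into `/opt/debian-cis/etc/conf.d/"${script}".cfg` is also never undone within the visible hunks; if the harness reuses that file across scenarios, later tests inherit the exception, and restoring or truncating it at the end of test_audit would isolate them. test_audit continues past the second hunk, so the latter may already be handled there.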