FIX(99.5.4): fix test (permission denied on authorized_keys)

This commit is contained in:
Thibault Ayanides 2020-11-05 15:05:12 +01:00
parent 7b73eac6d6
commit 03c8e25ff3
2 changed files with 8 additions and 2 deletions


@ -24,6 +24,7 @@ AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
ALLOWED_IPS="" ALLOWED_IPS=""
USERS_TO_CHECK="" USERS_TO_CHECK=""
EXCEPTION_USER=""
ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin" ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
@ -71,7 +72,7 @@ check_file() {
debug "Treating $file" debug "Treating $file"
FOUND_AUTHKF=1 FOUND_AUTHKF=1
if $SUDO_CMD grep -vqP "$REGEX_OK_LINES" "${file}" ; then if $SUDO_CMD grep -vqP "$REGEX_OK_LINES" "${file}" ; then
bad_lines="$(grep -vnP "$REGEX_OK_LINES" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//' )" bad_lines="$($SUDO_CMD grep -vnP "$REGEX_OK_LINES" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//' )"
crit "There are anywhere access keys in ${file} at lines (${bad_lines})." crit "There are anywhere access keys in ${file} at lines (${bad_lines})."
else else
ok "File ${file} is cleared from anywhere access keys." ok "File ${file} is cleared from anywhere access keys."
@ -128,7 +129,7 @@ audit () {
continue continue
else else
info "User $user has a valid shell ($shell)."; info "User $user has a valid shell ($shell).";
if [ "x$user" = "xroot" ]; then if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then
check_dir /root check_dir /root
continue continue
elif $SUDO_CMD [ ! -d /home/"$user" ]; then elif $SUDO_CMD [ ! -d /home/"$user" ]; then
@ -155,6 +156,7 @@ status=audit
# Put authorized IPs you want to allow in "from" field of authorized_keys # Put authorized IPs you want to allow in "from" field of authorized_keys
ALLOWED_IPS="" ALLOWED_IPS=""
USERS_TO_CHECK="" USERS_TO_CHECK=""
EXCEPTION_USER=""
EOF EOF
} }
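Review bot: The new guard `[ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]` only ever changes behaviour for root, and when root is the exception it does not `continue` but drops into the `elif $SUDO_CMD [ ! -d /home/"$user" ]` branch, so the skip is silent and root is presumably reported as having no home directory rather than as deliberately exempted. Because this exempts the highest-value account's authorized_keys from the `from=` restriction audit, the exemption should be explicit and logged, e.g. before the root test: `if [ "$user" = "$EXCEPTION_USER" ]; then info "User $user is listed in EXCEPTION_USER, skipping authorized_keys check."; continue; fi`, leaving the original root test untouched. The `EXCEPTION_USER=""` line added to the generated config has no explanatory comment, unlike the `ALLOWED_IPS` line above it; I would add `# Set to "root" to skip the /root authorized_keys check (the guard only honors root; leave empty to audit everyone)` and keep it in sync if the guard is generalized. The enclosing `audit` function starts before the hunk and continues past it.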


@ -1,5 +1,8 @@
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
# shellcheck disable=2154
echo 'EXCEPTION_USER="root"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
skip_tests skip_tests
# shellcheck disable=2154 # shellcheck disable=2154
run genconf /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run genconf /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
@ -7,6 +10,7 @@ test_audit() {
useradd -s /bin/bash jeantestuser useradd -s /bin/bash jeantestuser
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test
register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file" register_test contain "[WARN] secaudit has a valid shell but no authorized_keys file"
register_test contain "[INFO] User jeantestuser has a valid shell" register_test contain "[INFO] User jeantestuser has a valid shell"
register_test contain "[INFO] User jeantestuser has no home directory" register_test contain "[INFO] User jeantestuser has no home directory"
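Review bot: Appending `EXCEPTION_USER="root"` to the cfg takes `/root/.ssh/authorized_keys` out of this test entirely, so the `$SUDO_CMD` added to the `bad_lines=` grep in the same commit — the actual fix for the permission-denied failure — is never exercised on the one account where an unprivileged read fails, and a regression there would pass CI. A second case with `EXCEPTION_USER` unset and a readable `/root/.ssh/authorized_keys` fixture (or `$SUDO_CMD` set) would pin that fix. Whether the appended line even survives the later `run genconf` call depends on whether genconf rewrites the cfg from the script's heredoc, which now also sets `EXCEPTION_USER=""`; if it does, the later assignment wins when the file is sourced, which is worth confirming. The `echo` and the new `dismiss_count_for_test` call carry no comment explaining why root is excluded; I would add `# root is excluded from this run: its authorized_keys cannot be read in the test container (permission denied)` above the echo.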