From 0d3c8ec6540361c3fdcddfd063db529670c8d534 Mon Sep 17 00:00:00 2001
From: Charles Herlin
Date: Fri, 22 Feb 2019 15:40:01 +0100
Subject: [PATCH] IMP(9.3.2): Add custom configuration management
Add create_config to allow user to customize their conf
Improve tests
Apply shellcheck recommendations
---
 bin/hardening/9.3.2_sshd_loglevel.sh | 30 +++++++++++++++++++-------
 tests/hardening/9.3.2_sshd_loglevel.sh | 18 +++++++++++++---
 2 files changed, 37 insertions(+), 11 deletions(-)
diff --git a/bin/hardening/9.3.2_sshd_loglevel.sh b/bin/hardening/9.3.2_sshd_loglevel.sh
index 0bc5bdb..e835ea7 100755
--- a/bin/hardening/9.3.2_sshd_loglevel.sh
+++ b/bin/hardening/9.3.2_sshd_loglevel.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
+# run-shellcheck
 #
 # CIS Debian Hardening
 #
@@ -11,17 +12,19 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
+# shellcheck disable=2034
 HARDENING_LEVEL=2
+# shellcheck disable=2034
 DESCRIPTION="Set LogLevel to INFO for SSH."
 PACKAGE='openssh-server'
-OPTIONS='LogLevel=INFO'
+OPTIONS=''
 FILE='/etc/ssh/sshd_config'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 is_pkg_installed $PACKAGE
- if [ $FNRET != 0 ]; then
+ if [ "$FNRET" != 0 ]; then
 crit "$PACKAGE is not installed!"
 else
 ok "$PACKAGE is installed"
@@ -30,7 +33,7 @@ audit () {
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
 PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
- if [ $FNRET = 0 ]; then
+ if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 crit "$PATTERN is not present in $FILE"
@@ -42,7 +45,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
 is_pkg_installed $PACKAGE
- if [ $FNRET = 0 ]; then
+ if [ "$FNRET" = 0 ]; then
 ok "$PACKAGE is installed"
 else
 crit "$PACKAGE is absent, installing it"
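Review bot: The two `# shellcheck disable=2034` directives added above `HARDENING_LEVEL` and `DESCRIPTION` give no reason for the suppression, so a later reader cannot tell a justified exception from a silenced unused-variable bug. A trailing reason keeps the intent visible, e.g. `# shellcheck disable=2034  # consumed by lib/main.sh after this script is sourced`, assuming that is indeed where these variables are read; the consumer is not visible in this hunk.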
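Review bot: `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` has no end anchor, so now that the value comes from the user's cfg file an option such as `LogLevel=DEBUG` is also reported present by `LogLevel DEBUG3` in sshd_config, and `[[:space:]]*` accepts parameter and value fused together; the same line is context in the apply() hunk at `@@ -53,12 +56,12 @@`. Anchoring the value, `PATTERN="^$SSH_PARAM[[:space:]][[:space:]]*$SSH_VALUE[[:space:]]*$"`, pins the exact configured value in both places (the basic-regex form is used because the regex flavour of does_pattern_exist_in_file is not visible here). The split `SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)` can also become `SSH_VALUE=${SSH_OPTION#*=}`, which keeps values containing `=` intact and drops the unquoted expansion this shellcheck pass otherwise left behind. audit() starts and ends outside the hunk.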
@@ -53,12 +56,12 @@ apply () {
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
 PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
 does_pattern_exist_in_file $FILE "$PATTERN"
- if [ $FNRET = 0 ]; then
+ if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
 warn "$PATTERN is not present in $FILE, adding it"
 does_pattern_exist_in_file $FILE "^$SSH_PARAM"
- if [ $FNRET != 0 ]; then
+ if [ "$FNRET" != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
@@ -69,6 +72,16 @@ apply () {
 done
 }
+# This function will create the config file for this check with default values
+create_config() {
+ cat << EOF
+# shellcheck disable=2034
+status=audit
+# Put here your loglevel for ssh
+OPTIONS='LogLevel=INFO'
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
 :
@@ -85,8 +98,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
- . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=/opt/debian-cis/lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
 exit 128
diff --git a/tests/hardening/9.3.2_sshd_loglevel.sh b/tests/hardening/9.3.2_sshd_loglevel.sh
index b333419..a12356a 100644
--- a/tests/hardening/9.3.2_sshd_loglevel.sh
+++ b/tests/hardening/9.3.2_sshd_loglevel.sh
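Review bot: `add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"` appends the directive at the very end of sshd_config, so when the file already ends with a `Match` block the new LogLevel lands inside that block and applies only to the matched connections, while the `^LogLevel` audit pattern still reports it as present. With OPTIONS now user-supplied this branch is reached for any custom value, so the directive should be inserted before the first `Match` line (or after the last global directive) rather than at EOF; whether a helper for that exists is not visible in this hunk. apply() starts and ends outside the hunk.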
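Review bot: `check_config()` still only runs `:`, while the new default `OPTIONS=''` (hunk `@@ -11,17 +12,19 @@`) means a cfg file that predates `create_config` and carries no OPTIONS line leaves the loop that feeds `SSH_OPTION` (outside the hunk) with nothing to iterate, so the audit reports nothing and exits clean without checking LogLevel at all. A guard in check_config such as `[ -n "${OPTIONS:-}" ] || crit "OPTIONS is empty, set LogLevel in the cfg file"` makes that misconfiguration visible instead of silently passing; whether the framework expects check_config to exit or only to log is not visible here, so the exact failure action should follow the other checks.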
@@ -1,10 +1,22 @@
 # run-shellcheck
 test_audit() {
 describe Running on blank host
- register_test retvalshouldbe 0
- dismiss_count_for_test
+ register_test retvalshouldbe 1
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Fix state
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ echo "OPTIONS='LogLevel=DEBUG'" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/LogLevel INFO/LogLevel DEBUG/' /etc/ssh/sshd_config
+
+ describe Checking custom conf
+ register_test retvalshouldbe 0
+ run customconf /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
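Review bot: `sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg` is unanchored, so it rewrites the first `audit` found anywhere in the cfg — a comment or an OPTIONS value would do — rather than only the status line; `sed -i 's/^status=audit$/status=enabled/'` targets the intended line. The custom-conf step also asserts only the passing case: after `echo "OPTIONS='LogLevel=DEBUG'" >> …` a `register_test retvalshouldbe 1` run placed before the sshd_config sed would show the override is actually honoured against the still-INFO file, rather than the final run passing for an unrelated reason. The override itself relies on the later OPTIONS assignment in the cfg winning when it is sourced, which this hunk does not show.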