diff --git a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh index 5b6cece..caa118f 100755 --- a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh +++ b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh @@ -21,7 +21,7 @@ RESULT='' audit () { info "Checking if accounts have a legacy password entry" if $SUDO_CMD grep '^+:' $FILE -q; then - RESULT=$(grep '^+:' $FILE) + RESULT=$($SUDO_CMD grep '^+:' $FILE) crit "Some accounts have a legacy password entry" crit $RESULT else diff --git a/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh b/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh index b333419..9e6592a 100644 --- a/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh +++ b/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh @@ -6,5 +6,26 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + local test_user="testetcpasswduser" + + describe Tests purposely failing + useradd $test_user + sed -i "s/$test_user:x/+:$test_user:x/" /etc/passwd + register_test retvalshouldbe 1 + register_test contain "Some accounts have a legacy password entry" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "All accounts have a valid password entry format" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # cleanup + groupdel $test_user + useradd $test_user + userdel $test_user } diff --git a/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh b/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh index b333419..de2cdc6 100644 --- a/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh +++ b/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh @@ -6,5 +6,25 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + local test_user="testetcshadowusr" + + describe Tests purposely failing + useradd $test_user + sed -i "s/$test_user:/+:$test_user:/" /etc/shadow + register_test retvalshouldbe 1 + register_test contain "Some accounts have a legacy password entry" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "All accounts have a valid password entry format" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # cleanup + userdel $test_user + } diff --git a/tests/hardening/6.2.4_remove_legacy_group_entries.sh b/tests/hardening/6.2.4_remove_legacy_group_entries.sh index b333419..68c38d9 100644 --- a/tests/hardening/6.2.4_remove_legacy_group_entries.sh +++ b/tests/hardening/6.2.4_remove_legacy_group_entries.sh @@ -6,5 +6,24 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + local test_user="testetcgroupuser" + + describe Tests purposely failing + useradd $test_user + sed -i "s/$test_user:x/+:$test_user:x/" /etc/group + register_test retvalshouldbe 1 + register_test contain "Some accounts have a legacy group entry" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "All accounts have a valid group entry format" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # cleanup + userdel $test_user }