From 1e64a1429964115e97266f83df259870c429dcf3 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
Date: Mon, 26 Oct 2020 14:46:42 +0100
Subject: [PATCH] IMP(6.2.2,6.2.3,6.2.4): add purposely failing tests

---
 .../6.2.3_remove_legacy_shadow_entries.sh     |  2 +-
 .../6.2.2_remove_legacy_passwd_entries.sh     | 23 ++++++++++++++++++-
 .../6.2.3_remove_legacy_shadow_entries.sh     | 22 +++++++++++++++++-
 .../6.2.4_remove_legacy_group_entries.sh      | 21 ++++++++++++++++-
 4 files changed, 64 insertions(+), 4 deletions(-)

diff --git a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh
index 5b6cece..caa118f 100755
--- a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh
+++ b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh
@@ -21,7 +21,7 @@ RESULT=''
 audit () {
     info "Checking if accounts have a legacy password entry"
     if $SUDO_CMD grep '^+:' $FILE -q; then
-        RESULT=$(grep '^+:' $FILE)
+        RESULT=$($SUDO_CMD grep '^+:' $FILE)
         crit "Some accounts have a legacy password entry"
         crit $RESULT
     else
diff --git a/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh b/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh
index b333419..9e6592a 100644
--- a/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh
+++ b/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh
@@ -6,5 +6,26 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="testetcpasswduser"
+
+    describe Tests purposely failing 
+    useradd $test_user
+    sed -i "s/$test_user:x/+:$test_user:x/" /etc/passwd
+    register_test retvalshouldbe 1
+    register_test contain "Some accounts have a legacy password entry"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "All accounts have a valid password entry format"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # cleanup
+    groupdel $test_user
+    useradd $test_user
+    userdel $test_user
 }
diff --git a/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh b/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh
index b333419..de2cdc6 100644
--- a/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh
+++ b/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh
@@ -6,5 +6,25 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="testetcshadowusr"
+
+    describe Tests purposely failing 
+    useradd $test_user
+    sed -i "s/$test_user:/+:$test_user:/" /etc/shadow
+    register_test retvalshouldbe 1
+    register_test contain "Some accounts have a legacy password entry"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "All accounts have a valid password entry format"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # cleanup
+    userdel $test_user
+
 }
diff --git a/tests/hardening/6.2.4_remove_legacy_group_entries.sh b/tests/hardening/6.2.4_remove_legacy_group_entries.sh
index b333419..68c38d9 100644
--- a/tests/hardening/6.2.4_remove_legacy_group_entries.sh
+++ b/tests/hardening/6.2.4_remove_legacy_group_entries.sh
@@ -6,5 +6,24 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    local test_user="testetcgroupuser"
+
+    describe Tests purposely failing 
+    useradd $test_user
+    sed -i "s/$test_user:x/+:$test_user:x/" /etc/group
+    register_test retvalshouldbe 1
+    register_test contain "Some accounts have a legacy group entry"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "All accounts have a valid group entry format"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    # cleanup
+    userdel $test_user
 }